security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

1457 Commits

Author SHA1 Message Date
Florian Roth f0a4aede24 Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
megan201296 34f9d17b26 Create win_mal_ursnif.yml 2019-02-13 15:22:57 -06:00
Tareq AlKhatib cd3cdc9451 Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
Florian Roth 8d819cfeea Rule: fixed bug in Renamed PowerShell rule 2019-02-13 13:23:02 +01:00
Florian Roth c2eda887fa Rule: Suspicious Windows NT 9 UA 2019-02-12 10:33:33 +01:00
james dickenson b16bb4bf9b Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml 2019-02-11 21:10:49 -08:00
Florian Roth be26ada875 Rule: Suspicious csc.exe parents 2019-02-11 13:50:51 +01:00
Florian Roth 74e3c79f40 Rule: Suspicious PowerShell keywords 2019-02-11 13:02:38 +01:00
Thomas Patzke 01570f88db YAML fixes 2019-02-10 00:16:27 +01:00
Thomas Patzke 6dd4b4775a Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2 2019-02-10 00:15:25 +01:00
Thomas Patzke ff5081f186 Merge branch 'yt0ng-development' 2019-02-10 00:09:29 +01:00
Thomas Patzke 14769938e9 Fixed condition keyword 2019-02-10 00:07:30 +01:00
Thomas Patzke d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke 3cd6de2864 Merge pull request #240 from neu5ron/master 
new rule and updated false positive note
 2019-02-09 23:57:39 +01:00
Thomas Patzke d9aceeb7eb Merge pull request #228 from keepwatch/ssp-regkey-detection 
SSP added to LSA configuration
 2019-02-09 23:44:55 +01:00
Florian Roth aab703a4b4 Suspicious calc.exe usage 2019-02-09 14:03:23 +01:00
Florian Roth efb223b147 Merge pull request #245 from kpolley/master 
2nd method to call downloadString or downloadFile in Powershell
 2019-02-09 09:35:19 +01:00
Florian Roth 7e732a2a89 Merge pull request #232 from TareqAlKhatib/duplicate_filters 
Duplicate filters
 2019-02-09 09:23:57 +01:00
Florian Roth d2743351e7 Minor fix: indentation 2019-02-09 09:19:40 +01:00
Kyle Polley c8c06763b4 added keywords & source to sysmon_powershell_download.yml 2019-02-07 18:25:04 -08:00
Nate Guagenti d151deaa29 Rename win_susp_bcdedit to win_susp_bcdedit.yml 2019-02-07 00:21:57 -05:00
Nate Guagenti 91862f284b Create win_susp_bcdedit 
This is a more general rule for possible boot/mbr value edits using bcdedit that I have seen in the wild.
It is different than https://github.com/Neo23x0/sigma/blob/3288f6425b1a868c66f6f0a255956f8f041bc666/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to anyone family (of malware) and also has different CLI options
 2019-02-07 00:19:38 -05:00
Florian Roth adb6690c80 Rule: Suspicious GUP.exe usage 2019-02-06 19:21:16 +01:00
Florian Roth f0f0bdae40 Rule: fixed date - wrong year 2019-02-06 19:21:16 +01:00
keepwatch e6217928f3 Added '/' prefix, -encode switch, better renamed certutil coverage 2019-02-06 10:45:32 -05:00
Unknown 2f66ba25f0 adjusted MITRE ATTCK tag 2019-02-06 11:27:51 +01:00
Unknown a9731d211d removed my garbage 2019-02-06 11:16:40 +01:00
Unknown 4d048c71bb adjusted spaces 2019-02-06 11:10:42 +01:00
Unknown 54ec01bcdd adjusted space 2019-02-06 11:10:00 +01:00
Unknown a0bac993ed adjusted spaces 2019-02-06 11:07:09 +01:00
t0x1c-1 04f1edd171 added reverted base64 with dosfuscation 2019-02-06 10:59:09 +01:00
Unknown 22b67a67ac Initial Commit Cobalt Malleable for OneDrive 2019-02-06 10:59:02 +01:00
Unknown 353f66dd7c CobaltStrike Malleable OCSP) Profile with Typo (OSCP) in URL 2019-02-06 10:58:48 +01:00
t0x1c-1 150499d151 Detects Executables without FileVersion,Description,Product,Company likely created with py2exe 2019-02-06 10:58:37 +01:00
Unknown c78ac9333c adjusted formatting 2019-02-06 10:54:12 +01:00
t0x1c-1 21f34ab8ba suspicious behaviour 2019-02-06 10:52:41 +01:00
neu5ron 35ebcff543 add new rule 2019-02-05 18:56:24 -05:00
neu5ron 65e4ba5aba added false positive possibility 2019-02-05 18:45:53 -05:00
keepwatch bad80ffa78 Update sysmon_ssp_added_lsa_config.yml 
Syntax fix
 2019-02-05 16:28:06 -05:00
Florian Roth 5092b1e603 Rule: removed overlapping strings in Linux rule 2019-02-05 16:12:07 +01:00
Florian Roth 32c098294f Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00
Florian Roth 8f684ddd06 Rule: FP in WMI persistence with SCCM 2019-02-05 15:57:54 +01:00
Florian Roth dfd4ce878f Rule: limiting rule to DHCP log 2019-02-05 14:35:23 +01:00
Florian Roth 5b92790e3f Rule: WMI Persistence - FPs 2019-02-05 14:35:23 +01:00
Florian Roth abf5a5088e Rule: more malicious UAs 2019-02-05 14:35:23 +01:00
Thomas Patzke 3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke 6440bc962b CACTUSTORCH detection 2019-02-01 23:27:53 +01:00
Thomas Patzke 6436cb3ae1 Added missing conditions 2019-02-01 23:02:03 +01:00
Florian Roth 27c2684a0f Rule: Chafer malware proxy pattern 2019-01-31 12:31:48 +01:00
Florian Roth a8d1e7c62b Rule: Fixed ntdsutil rule field in 4688 events 2019-01-29 15:59:39 +01:00