security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

1457 Commits

Author SHA1 Message Date
Florian Roth 83841ea117 Merge pull request #411 from nikotin69/master 
compliance rules by SOC prime
 2019-08-05 20:53:02 +02:00
Florian Roth 302ae9c5d0 Added level 2019-08-05 19:51:22 +02:00
Florian Roth 4dbf392562 Title, Level adjusted 2019-08-05 19:48:56 +02:00
Florian Roth fdb9b351d0 Level to low 2019-08-05 19:48:21 +02:00
Florian Roth 317c0bd07a Removed "Detects" keyword from title 2019-08-05 19:47:46 +02:00
Florian Roth 2af8cb0d0e Update cleartext_protocols.yml 2019-08-05 19:47:03 +02:00
Florian Roth c7ec45c0ff Update workstation_was_locked.yml 2019-08-05 19:44:14 +02:00
Florian Roth e64fcb32a2 Update group_modification_logging.yml 2019-08-05 19:43:59 +02:00
Florian Roth 5caf4f5f14 Update default_credentials_usage.yml 2019-08-05 19:43:46 +02:00
Florian Roth 10cc1de4c9 Fixed global rule syntax 2019-08-05 19:43:15 +02:00
Florian Roth dcdd021dc6 Duplicate port 3306 2019-08-05 19:36:50 +02:00
Karneades 42e6c9149b Remove unneeded event code 2019-08-05 19:13:39 +02:00
Karneades 0e3cc042f4 Add more exclusions to mmc process rule 2019-08-05 18:53:33 +02:00
Karneades 5caa951b8f Add new rule for detecting MMC spawning a shell 
Add (analog to win_mshta_spawn_shell.yml) a dedicated rule for dedecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml. And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml.
 2019-08-05 18:42:31 +02:00
nikotin 780d9223e6 compliance rules by SOC prime 2019-08-05 19:42:19 +03:00
Karneades cfe44ad17d Fix win_susp_mmc_source to match what title says 
Remove cmd.exe filter to match what title and rule says: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
 2019-08-05 16:21:56 +02:00
Florian Roth 6a8adc72ac rule: reworked vssadmin rule 2019-08-04 11:27:17 +02:00
Florian Roth d32fc2b2cf fix: fixing rule win_cmstp_com_object_access 
https://github.com/Neo23x0/sigma/issues/408
 2019-07-31 14:16:52 +02:00
Florian Roth 0657f29c99 Rule: reworked win_susp_powershell_enc_cmd 2019-07-30 14:36:30 +02:00
Florian Roth 9143e89f3e Rule: renamed and reworked hacktool Ruler rule 2019-07-26 14:49:09 +02:00
Florian Roth f3fb2b41b2 Rule: FP filters extended 2019-07-23 14:58:36 +02:00
Florian Roth 2c57b443e4 docs: modification date in rule 2019-07-17 09:21:35 +02:00
Florian Roth de74eb4eb7 Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix 
Win susp dhcp config failed fix
 2019-07-17 09:20:25 +02:00
yugoslavskiy e8b9a6500e author string modified 2019-07-17 07:02:59 +03:00
yugoslavskiy a295334355 win_susp_dhcp_config_failed fixed 2019-07-17 07:01:58 +03:00
yugoslavskiy bb1c040b1b rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved 2019-07-17 06:19:18 +03:00
yugoslavskiy 803f2d4074 changed logic to detect events related to sid history adding 2019-07-17 04:28:21 +03:00
yugoslavskiy 310e3b7a44 rules/windows/builtin/win_susp_add_sid_history.yml improved 2019-07-17 03:55:02 +03:00
Nate Guagenti e2050404bc prevent EventID collision for dhcp 
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
 2019-07-16 15:30:52 -04:00
Tareq AlKhatib d08a993159 Fixed commandline to detect any shim install from any location 2019-07-08 12:31:18 +03:00
Christophe Tafani-Dereeper 5bc10a4855 Include Github raw URLs in suspicious downloads detection rule 2019-07-05 09:01:35 +00:00
Florian Roth 0b883a90b6 fix: null value in separate expression 2019-07-02 20:14:45 +02:00
Florian Roth f5a8a81ff7 fix: linux cmds rule 2019-07-02 15:22:26 +02:00
Florian Roth ce43d600e3 fix: added null value / application to 4688 problem 2019-07-02 10:51:48 +02:00
Tareq AlKhatib 15e2f5df5f fixed typos 2019-06-29 15:35:59 +03:00
Vasiliy Burov 2f123f64a7 Added command that stops services. 2019-06-28 19:46:34 +03:00
Vasiliy Burov 3813d277a6 Ryuk Ransomware commands from real case 2019-06-28 19:26:05 +03:00
Florian Roth ad386474bf fix: removed unusable extensions in proc exec context 2019-06-26 17:03:01 +02:00
Florian Roth 708f3ef002 fix: fixed duplicate element in new double extension rule 2019-06-26 16:00:58 +02:00
Florian Roth 41dc076959 Rule: suspicious double extension 2019-06-26 15:57:25 +02:00
Florian Roth 39b5eddfc7 Rule: Suspicious userinit.exe child process 2019-06-23 13:27:06 +02:00
Florian Roth 26036e0d35 fix: fixed image in taskmgr rule 2019-06-21 17:15:53 +02:00
Thomas Patzke ff7128209e Adjusted level 2019-06-20 00:03:48 +02:00
Thomas Patzke 0f8849a652 Rule fixes 
* tagging
* removed spaces
* converted to generic log source
* typos/case
 2019-06-20 00:01:56 +02:00
Thomas Patzke f4c86f15b8 Merge branch 'master' of https://github.com/mgreen27/sigma into mgreen27-master 2019-06-19 23:49:20 +02:00
Thomas Patzke 429c29ed5a Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing 
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
 2019-06-19 23:43:10 +02:00
Thomas Patzke 960cd69d50 Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4 2019-06-19 23:34:25 +02:00
Thomas Patzke e4e8ebbf95 Merge pull request #368 from JayPowerUser/web-source-code-enumeration 
Web Source Code Enumeration via .git
 2019-06-19 23:27:37 +02:00
Thomas Patzke dbbc1751ef Converted rule to generic log source 2019-06-19 23:25:25 +02:00
Thomas Patzke d14f5c3436 Merge pull request #371 from savvyspoon/issue285 
CAR tagging
 2019-06-19 23:21:43 +02:00