security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

2410 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 7311d727ba Rule: AV alerts - password dumper 2018-09-09 11:04:27 +02:00
Florian Roth 84b8eb5154 Rule: AV alerts - exploiting frameworks 2018-09-09 11:04:27 +02:00
Florian Roth 82916f0cff Merge pull request #159 from t0x1c-1/t0x1c-devel 
Suspicious SYSVOL Domain Group Policy Access
 2018-09-08 15:56:54 +02:00
Florian Roth 1294af4a71 Merge pull request #166 from yt0ng/master 
Malleable Amazon Profile
 2018-09-08 15:56:22 +02:00
yt0ng 48254f7a7e Merge pull request #1 from yt0ng/apt/rules 
Malleable Amazon Profile
 2018-09-08 11:54:29 +02:00
Florian Roth 6f5a73b2e2 style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
Florian Roth 68896d9294 style: renamed rule files to all lower case 2018-09-08 10:25:20 +02:00
Florian Roth 788678feb8 Merge pull request #165 from JohnLaTwC/patch-1 
Create win_susp_powershell_hidden_b64_cmd.yml
 2018-09-08 10:23:05 +02:00
Florian Roth 5d714ab44e Rule: Added malware UA 2018-09-08 10:22:26 +02:00
Florian Roth d0f2fbb6d6 Merge pull request #161 from megan201296/patch-12 
Fix typo
 2018-09-08 10:21:20 +02:00
Florian Roth 3f444b5fc2 Merge pull request #162 from megan201296/patch-13 
Added .yml extension and fix typo
 2018-09-08 10:21:00 +02:00
Florian Roth 69e65c0bdc Merge pull request #164 from yt0ng/apt/rules 
Adding CMStar user-agent "O/9.27 (W; U; Z)"
 2018-09-08 10:19:41 +02:00
Unknown 7a74e86819 Merge remote-tracking branch 'origin/apt/rules' into apt/rules 2018-09-08 09:35:57 +02:00
Unknown 863736587c Adding ATTCK 2018-09-08 09:34:27 +02:00
Unknown 4bb01a8c24 ATTCK Tags 2018-09-08 09:29:54 +02:00
John Lambert 7ce5b3515b Create win_susp_powershell_hidden_b64_cmd.yml 
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
 2018-09-07 20:23:11 -07:00
Unknown d866097c07 CobaltStrike Malleable Amazon browsing traffic profile 2018-09-07 19:52:35 +02:00
Unknown cf48a77d5a Adding CMStar user-agent "O/9.27 (W; U; Z)" 2018-09-07 09:07:24 +02:00
megan201296 3154be82f3 Added .yml extension and fix typo 2018-09-06 20:28:22 -05:00
megan201296 525326d15f Fix typo 2018-09-06 20:20:11 -05:00
Thomas Patzke 13e41f29d6 Added CI test for tag filtering 2018-09-06 01:05:31 +02:00
Thomas Patzke f3c60a6309 Added tag filtering to sigmac 2018-09-06 00:57:54 +02:00
Thomas Patzke 7f875af1ca Fixed WDATP backend 
It never generated any output due to missing return in generate()
method.
 2018-09-06 00:31:40 +02:00
Florian Roth ec1bd77f2e Rule: Proxy UA rule update - from Kaspersky report 
https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
 2018-09-05 20:39:19 +02:00
Lurkkeli 30fc4bd030 powershell xor commandline 
New rule to detect -bxor usage in a powershell commandline.
 2018-09-05 09:21:15 +02:00
Florian Roth 49f7da6412 style: changed title casing and minor fixes 2018-09-04 16:15:41 +02:00
Florian Roth 3c240be8a8 fix: more duplicate 'tag' keys in rules 2018-09-04 16:15:02 +02:00
Florian Roth 9c878bef79 fix: duplicate 'tag' key in rule 2018-09-04 16:05:21 +02:00
t0x1c-1 afadda8c04 Suspicious SYSVOL Domain Group Policy Access 2018-09-04 15:52:25 +02:00
Florian Roth d94c1d2046 fix: duplicate 'tag' key in rule 2018-09-04 14:56:55 +02:00
Florian Roth 1c87f77223 Rule: Fixed false positive in suspicious UA rule 2018-09-04 11:33:05 +02:00
Florian Roth 9cb78558d3 Rule: excluded false positives in rule 2018-09-03 12:02:42 +02:00
Florian Roth b57f3ded64 Rule: GRR false positives 2018-09-03 11:50:34 +02:00
Florian Roth 2a0fcf6bea Rule: PowerShell encoded command JAB 2018-09-03 10:08:29 +02:00
Florian Roth 7a3890ad76 Rule: SysInternals EULA accept improved and renamed 2018-08-30 13:16:28 +02:00
Florian Roth d83f124f5f Rule: Suspicious communication endpoints 2018-08-30 10:12:12 +02:00
Florian Roth e70395744b Rule: Improved Github communication rule 2018-08-30 10:12:12 +02:00
Thomas Patzke d17cc5c07d Merge pull request #157 from yt0ng/development 
Added Detection of Sysinternals Tools via eulaaccepted registry key
 2018-08-28 22:37:00 +02:00
Unknown 75d72344ca Added Detection of Sysinternals Tools via eulaaccepted registry key 2018-08-28 17:36:22 +02:00
Thomas Patzke a722fcd2b0 Merge pull request #156 from yt0ng/yt0ng-devel 
Adding LSASS Access Detected via Attack Surface Reduction
 2018-08-27 23:50:42 +02:00
Thomas Patzke ee15b451b4 Fixed log source name 2018-08-27 23:45:30 +02:00
Thomas Patzke f2fd3b9443 Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-08-27 23:41:41 +02:00
Thomas Patzke 6e7208553a Revert "removing for new pull request" 
This reverts commit ca7e8d6468.
 2018-08-27 23:39:29 +02:00
Unknown 2f256aa1ef Adding LSASS Access Detected via Attack Surface Reduction 2018-08-27 10:38:45 +02:00
Thomas Patzke 1d7722c1cb Added configuration and field mapping chains 
Missing: field name mapping of log source conditions.
 2018-08-27 00:17:27 +02:00
Thomas Patzke 8308cd6c1a Rule fix 2018-08-26 22:35:35 +02:00
Thomas Patzke 87e39b8768 Fixed rules 2018-08-26 22:30:47 +02:00
Thomas Patzke 60a5922582 Merge branch 'master' of https://github.com/yt0ng/sigma into yt0ng-master 2018-08-26 22:12:19 +02:00
Florian Roth 5b3175d1d6 Rule: Suspicious procdump use on lsass process 2018-08-26 19:53:57 +02:00
yt0ng df9f6688eb Added Deskop Location, RunOnce and ATTCK 
Added C:\Users\tst01\Desktop\unprotected.vbs as seen by FIN7
 2018-08-25 17:32:34 +02:00