security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,327 Commits 1 Branch 57 Tags
ae62acf3d232de8b9be994e20bdf2b2ff20c2f5e
Commit Graph

1327 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tareq AlKhatib ae62acf3d2 Added a test for duplicate filters and a test for Source: Eventlog 2019-02-18 21:05:58 +03:00
Tareq AlKhatib 2e3a2b9ba6 Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental' 2019-02-18 21:03:53 +03:00
Tareq AlKhatib 97b28f4308 Added a test for unnecessary use of '1 of them' in condition 2019-02-13 21:27:27 +03:00
Tareq AlKhatib cd3cdc9451 Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
Florian Roth 8d819cfeea Rule: fixed bug in Renamed PowerShell rule 2019-02-13 13:23:02 +01:00
Florian Roth 004497075d fix: spark source config bug 2019-02-12 23:27:38 +01:00
Florian Roth c2eda887fa Rule: Suspicious Windows NT 9 UA 2019-02-12 10:33:33 +01:00
Florian Roth be26ada875 Rule: Suspicious csc.exe parents 2019-02-11 13:50:51 +01:00
Florian Roth 74e3c79f40 Rule: Suspicious PowerShell keywords 2019-02-11 13:02:38 +01:00
Thomas Patzke a5af134bfe Merge branch 'neu5ron-patch-2' 2019-02-10 00:16:55 +01:00
Thomas Patzke 01570f88db YAML fixes 2019-02-10 00:16:27 +01:00
Thomas Patzke 6dd4b4775a Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2 2019-02-10 00:15:25 +01:00
Thomas Patzke ff5081f186 Merge branch 'yt0ng-development' 2019-02-10 00:09:29 +01:00
Thomas Patzke 14769938e9 Fixed condition keyword 2019-02-10 00:07:30 +01:00
Thomas Patzke d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke 3cd6de2864 Merge pull request #240 from neu5ron/master 
new rule and updated false positive note
 2019-02-09 23:57:39 +01:00
Thomas Patzke 01dfc23a26 Merge pull request #234 from juju4/devel-sumo 
Sumologic support update
 2019-02-09 23:54:23 +01:00
Thomas Patzke d9aceeb7eb Merge pull request #228 from keepwatch/ssp-regkey-detection 
SSP added to LSA configuration
 2019-02-09 23:44:55 +01:00
Thomas Patzke 5866d8eb71 Merge pull request #238 from sisecbe/patch-1 
Adapt count function when aggfield not present
 2019-02-09 23:38:20 +01:00
juju4 4429d7564f remove 'escape' of '_' - not needed 2019-02-09 12:57:43 -05:00
juju4 a815b7eb9b add custom cleanValue function for wildcards in keyvalue: OK with lists, NOK with string 2019-02-09 12:57:07 -05:00
Florian Roth aab703a4b4 Suspicious calc.exe usage 2019-02-09 14:03:23 +01:00
Florian Roth 05424883dd Added Info Graphic to README 2019-02-09 09:38:01 +01:00
Florian Roth efb223b147 Merge pull request #245 from kpolley/master 
2nd method to call downloadString or downloadFile in Powershell
 2019-02-09 09:35:19 +01:00
Florian Roth 7e732a2a89 Merge pull request #232 from TareqAlKhatib/duplicate_filters 
Duplicate filters
 2019-02-09 09:23:57 +01:00
Florian Roth d2743351e7 Minor fix: indentation 2019-02-09 09:19:40 +01:00
Kyle Polley c8c06763b4 added keywords & source to sysmon_powershell_download.yml 2019-02-07 18:25:04 -08:00
Nate Guagenti d151deaa29 Rename win_susp_bcdedit to win_susp_bcdedit.yml 2019-02-07 00:21:57 -05:00
Nate Guagenti 91862f284b Create win_susp_bcdedit 
This is a more general rule for possible boot/mbr value edits using bcdedit that I have seen in the wild.
It is different than https://github.com/Neo23x0/sigma/blob/3288f6425b1a868c66f6f0a255956f8f041bc666/rules/windows/malware/win_mal_wannacry.yml
because it is not specific to anyone family (of malware) and also has different CLI options
 2019-02-07 00:19:38 -05:00
Kyle Polley 423fdca32c Merge pull request #1 from Neo23x0/master 
Get updates from head repo
 2019-02-06 17:02:41 -08:00
Florian Roth adb6690c80 Rule: Suspicious GUP.exe usage 2019-02-06 19:21:16 +01:00
Florian Roth f0f0bdae40 Rule: fixed date - wrong year 2019-02-06 19:21:16 +01:00
Florian Roth 7192f149a3 Merge pull request #243 from keepwatch/broadening-suspicious-certutil 
Added '/' prefix, -encode switch, better renamed certutil coverage
 2019-02-06 16:58:27 +01:00
keepwatch e6217928f3 Added '/' prefix, -encode switch, better renamed certutil coverage 2019-02-06 10:45:32 -05:00
Unknown 2f66ba25f0 adjusted MITRE ATTCK tag 2019-02-06 11:27:51 +01:00
Unknown a9731d211d removed my garbage 2019-02-06 11:16:40 +01:00
Unknown 4d048c71bb adjusted spaces 2019-02-06 11:10:42 +01:00
Unknown 54ec01bcdd adjusted space 2019-02-06 11:10:00 +01:00
Unknown a0bac993ed adjusted spaces 2019-02-06 11:07:09 +01:00
t0x1c-1 04f1edd171 added reverted base64 with dosfuscation 2019-02-06 10:59:09 +01:00
Unknown 22b67a67ac Initial Commit Cobalt Malleable for OneDrive 2019-02-06 10:59:02 +01:00
Unknown 353f66dd7c CobaltStrike Malleable OCSP) Profile with Typo (OSCP) in URL 2019-02-06 10:58:48 +01:00
t0x1c-1 150499d151 Detects Executables without FileVersion,Description,Product,Company likely created with py2exe 2019-02-06 10:58:37 +01:00
Unknown c78ac9333c adjusted formatting 2019-02-06 10:54:12 +01:00
t0x1c-1 21f34ab8ba suspicious behaviour 2019-02-06 10:52:41 +01:00
neu5ron 35ebcff543 add new rule 2019-02-05 18:56:24 -05:00
neu5ron 65e4ba5aba added false positive possibility 2019-02-05 18:45:53 -05:00
keepwatch bad80ffa78 Update sysmon_ssp_added_lsa_config.yml 
Syntax fix
 2019-02-05 16:28:06 -05:00
Florian Roth cc8a89b679 Merge pull request #239 from neu5ron/master 
update helk config
 2019-02-05 20:01:28 +01:00
neu5ron 046510f021 updated HELK Destination IP name 2019-02-05 13:11:06 -05:00