phantinuss
dfed136f16
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
david-syk
3eaaa050b7
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
chore: update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
david-syk
a869abc3cc
Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags
chore: update the tags of multiple rules
2025-05-20 23:05:21 +02:00
Arnim Rupp
243003c21a
Merge PR #5068 from @ruppde - Update rules in the Antivirus category with additional strings and signature names
update: Antivirus Hacktool Detection - Add additional hacktools signature names.
update: Antivirus Password Dumper Detection - Add additional password dumpers such as "DumpPert", "Lazagne", "pypykatz", etc.
update: Antivirus Ransomware Detection - Add additional ransomware signature names.
fix: Antivirus Relevant File Paths Alerts - Remove the path "\Client" as it is too generic for a detection rule.
fix: Antivirus Web Shell Detection - Removed overlapping strings "ASP/Agent", "PHP/Agent", "JSP/Agent".
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-04 11:45:07 +01:00
Arnim Rupp
7ddc551605
Merge PR #5040 from @ruppde - Update Antivirus Password Dumper Detection
update: Antivirus Password Dumper Detection - Add `DCSync` string to cover MS Defender traffic detections
2024-10-08 23:04:44 +02:00
Nasreddine Bencherchali
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
Florian Roth
49f757197a
Merge PR #4917 from @Neo23x0 - Update antivirus related rules
update: Antivirus Exploitation Framework Detection - Add additional keywords and strings to enhance coverage
update: Antivirus Hacktool Detection - Add additional keywords and strings to enhance coverage
update: Antivirus Password Dumper Detection - Add additional keywords and strings to enhance coverage
update: Antivirus Ransomware Detection - Add additional keywords and strings to enhance coverage
update: Antivirus Relevant File Paths Alerts - Add additional keywords and strings to enhance coverage
update: Antivirus Web Shell Detection - Add additional keywords and strings to enhance coverage
update: Relevant Anti-Virus Signature Keywords In Application Log - Add additional keywords and strings to enhance coverage
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-17 16:35:51 +02:00
Arnim Rupp
0ccbda753a
Merge PR #4873 from @ruppde - Add the string "mikatz" to relevant rules
update: Antivirus Hacktool Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
update: Antivirus Password Dumper Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
update: Relevant Anti-Virus Signature Keywords In Application Log - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-06-05 23:17:16 +02:00
github-actions[bot]
a6e7cce606
Merge PR #4533 from @nasbench - Promote experimental rules
chore: promote older rules status from `experimental` to `test`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-02 10:48:45 +01:00
Nasreddine Bencherchali
52e39113b9
Merge PR #4503 from @nasbench - Multiple Updates & Fixes
fix: Suspicious Sysmon as Execution Parent - Typo and restructure
update: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
update: Antivirus Relevant File Paths Alerts
update: Dump Ntds.dit To Suspicious Location
update: MSI Installation From Suspicious Locations
update: PowerShell Profile Modification - Reduce rule level to medium
update: Obfuscated IP Download Activity
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-10-28 12:55:32 +02:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
phantinuss
12cd1f989e
feat: map antivirus category to Windows Defender logs
2023-05-19 14:27:56 +02:00
Florian Roth
791d3a8e9a
Merge pull request #4006 from SigmaHQ/rule-devel
refactor: AV signature rules updated
2023-02-03 17:13:56 +01:00
Florian Roth
2b8b5f62f4
refactor: AV signature rules updated
2023-02-03 15:22:19 +01:00
Nasreddine Bencherchali
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
Nasreddine Bencherchali
02e4a5112d
fix: fp found in testing
2023-01-18 18:41:07 +01:00
Arnim Rupp
d0443c35eb
fix2
2023-01-13 17:51:37 +01:00
Arnim Rupp
92b0ce1857
fix false positives
2023-01-13 17:44:55 +01:00
Arnim Rupp
f58358b037
Fix rule using list with only 1 element
2023-01-13 17:36:38 +01:00
Nasreddine Bencherchali
c798375a56
Merge branch 'master' into master
2023-01-13 17:23:22 +01:00
Arnim Rupp
d0234a7f5d
several improvements in rules/category/antivirus/*
2023-01-13 17:16:59 +01:00
Nasreddine Bencherchali
055f33a386
fix: add missing modified date
2023-01-13 17:13:17 +01:00
Florian Roth
d088dc447d
docs: changes to status in AV rules
2023-01-13 12:39:49 +01:00
Nasreddine Bencherchali
7df1bd1a40
fix: remove duplicate entry
2023-01-13 00:26:38 +01:00
Arnim Rupp
9868c00cc6
Add more ransomware strings
2023-01-13 00:08:55 +01:00
Arnim Rupp
15e7271488
small fix for MS defender, uses e.g. Trojan:PHP/...
2023-01-12 23:46:52 +01:00
frack113
f9e1419760
Order file
2023-01-10 06:24:48 +01:00