security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
16,483 Commits 1 Branch 57 Tags
b2acd800981e1c8d9f747173eb7803f0405cebd6
Commit Graph

65 Commits

Author SHA1 Message Date
frack113 d804e9cba1 Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac 
update: GALLIUM IOCs - remove custom dedicated hash fields
update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
update: HackTool Named File Stream Created - remove custom dedicated hash fields
update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
update: PUA - System Informer Driver Load - remove custom dedicated hash fields
update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
update: WinDivert Driver Load - remove custom dedicated hash fields
update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
update: Hacktool Execution - Imphash - remove custom dedicated hash fields
update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
update: HackTool - Impersonate Execution - remove custom dedicated hash fields
update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
update: HackTool - PCHunter Execution - remove custom dedicated hash fields
update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
update: MpiExec Lolbin - remove custom dedicated hash fields
update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Nimgrab Execution - remove custom dedicated hash fields
update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Process Hacker Execution - remove custom dedicated hash fields
update: PUA - System Informer Execution - remove custom dedicated hash fields
update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
update: Renamed AdFind Execution - remove custom dedicated hash fields
update: Renamed AutoIt Execution - remove custom dedicated hash fields
update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
update: Renamed PAExec Execution - remove custom dedicated hash fields
update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-11-25 09:30:14 +01:00
github-actions[bot] f533350560 Merge PR #5065 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-11-01 10:21:04 +01:00
Mohamed Ashraf 7e4748ec0e feat: update multiple rules (#5055) 
* Update multiple rules

* updates

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-10-25 16:32:03 +02:00
Omar A. 9b3c363cd0 Merge PR #4954 from @omaramin17 - Update multiple rules with additional sharing domains 
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Websites -  File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Remote AppX Package Locations - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Unusual File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`

--------- 

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-08-23 11:16:06 +02:00
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
 2024-08-12 12:02:50 +02:00
github-actions[bot] f7ec533704 Merge PR #4841 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from "experimental" to "test"
 2024-05-02 10:34:25 +02:00
github-actions[bot] a8e1ecd658 Merge PR #4791 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-04-01 15:14:10 +02:00
github-actions[bot] 0108cdc344 Merge PR #4745 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test
 2024-03-01 15:38:35 +01:00
Nasreddine Bencherchali 2acebc90f2 Merge PR #4702 from @nasbench - Rule tuning and updates 
fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter
fix: Outbound RDP Connections Over Non-Standard Tools - Update filters
fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic
remove: Suspicious Non-Browser Network Communication With Reddit API
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains
update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports
update: HH.EXE Initiated HTTP Network Connection - Update list of ports
update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters
update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports
update: Network Connection Initiated To Mega.nz - Update domains
update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports
update: Office Application Initiated Network Connection To Non-Local IP - update list of filters
update: Potential Dead Drop Resolvers - Update domains and filters
update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains
update: Suspicious File Download From File Sharing Websites - Add additional domains
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains
update: Suspicious Remote AppX Package Locations - Add additional domains
update: Unusual File Download From File Sharing Websites - Add additional domains
 2024-02-12 12:29:36 +01:00
Florian Roth e6e0ffbdce Merge PR #4674 from @Neo23x0 - Increase hack tool coverage 
update: Hacktool Execution - Imphash - Add additional imphash values to increase coverage
update: Findstr Launching .lnk File - Increase coverage by adding cases where the commandline ends with a double or a single quote.
---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2024-01-15 15:24:03 +01:00
Florian Roth 2535a61f71 Merge PR #4647 from @Neo23x0 - add new hack tool by imphash 
update: Hacktool Named File Stream Created - Added new Imphash values for `EDRSandBlast`, `EDRSilencer` and `Forensia` utilities.

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2024-01-10 14:11:33 +01:00
github-actions[bot] c3fe2da997 chore: promote older rules status from experimental to test (#4651) 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-01-01 09:00:51 +01:00
Nasreddine Bencherchali 95793d73bd Merge PR #4482 From @nasbench - Add New Automation Workflows 
chore: update workflows and add quality of life updates and automation to the repository

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2023-10-18 11:53:44 +02:00
Nasreddine Bencherchali be9abb9364 feat: update cl diag script rules 2023-08-17 19:26:21 +02:00
Nasreddine Bencherchali c39581217a feat: update rules using file sharing domains 2023-08-17 13:39:59 +02:00
Nasreddine Bencherchali b20e7b449c feat: rules update 2023-07-26 10:56:18 +02:00
Nasreddine Bencherchali e39b85a3f4 fix: fp found in testing 2023-06-14 00:23:28 +02:00
Nasreddine Bencherchali d468c2fb33 feat: add more extensions and fix metadata 2023-05-18 22:55:18 +02:00
Nasreddine Bencherchali 9ebec1c6e3 fix: apply suggestions from code review 2023-05-18 22:54:53 +02:00
Florian Roth 11069e87c6 docs: add url 2023-05-18 14:58:44 +02:00
Florian Roth 8bad6f0ebc .zip domain stream hash - file type download 2023-05-18 14:54:43 +02:00
Nasreddine Bencherchali 0cb01970e7 feat: new rules, updates and goofy guineapig stuff (#4229) 2023-05-15 15:53:39 +02:00
Florian Roth dee38387c5 more backstab hashes 2023-05-05 13:17:01 +02:00
Florian Roth 91956f8058 Merge branch 'master' into rule-devel 2023-05-05 10:10:24 +02:00
Florian Roth efb99a12f2 Update create_stream_hash_hacktool_download.yml 2023-05-05 10:09:50 +02:00
Florian Roth 5d3dd08ab8 Backstab tool imphash 2023-05-05 09:55:08 +02:00
Nasreddine Bencherchali 4e7bb74d43 feat: update browsers selections and filters 2023-04-18 18:05:08 +02:00
Nasreddine Bencherchali 032570a080 feat: more winget updates 2023-04-18 03:35:42 +02:00
Nasreddine Bencherchali 1d89b041ae fix: change title from domain to wbesites 2023-02-10 10:49:52 +01:00
Nasreddine Bencherchali 5e3aae4970 fix: apply suggestions from code review 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2023-02-10 10:38:45 +01:00
Nasreddine Bencherchali 82d0b9e10c fix: add missing modified and improve test 2023-02-10 00:56:07 +01:00
Nasreddine Bencherchali 82cde0e10c feat: update rules related to onenote and more 2023-02-10 00:40:16 +01:00
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag 2023-02-01 11:14:59 +01:00
Nasreddine Bencherchali 0909b65bff feat: update sharing websites 2023-01-19 22:07:31 +01:00
frack113 aee5ca7afc Fix invalid field cast or name (#3841) 2022-12-30 11:46:21 +01:00
Florian Roth e493a41bc6 Merge pull request #3757 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed in Nextron testing CI
 2022-12-05 18:54:31 +01:00
Florian Roth 1796502b90 fix: FPs noticed in Nextron testing CI 2022-12-05 17:39:42 +01:00
Nasreddine Bencherchali b6492e731b feat: general updates and fixes 2022-12-02 23:16:03 +01:00
Florian Roth c6d02d6fe2 rule: modified date update, PPLKiller 2022-11-12 09:27:41 +01:00
Florian Roth 6f26d672f1 refactor: add forkatz imphash 2022-11-12 08:39:36 +01:00
Nasreddine Bencherchali e8f10733e0 Add browsers 2022-10-31 20:57:22 +01:00
frack113 dfdaecc52c Order yaml field 2022-10-25 12:00:56 +02:00
frack113 f78e9e9034 Add rule 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-10-24 17:52:05 +02:00
Florian Roth e92f2475b6 refactor: JuicyPotatoNG imphashes 2022-10-06 08:30:48 +02:00
frack113 6813043323 Merge pull request #3468 from nasbench/nasbench-rule-devel 
Rule Devel
 2022-09-08 06:29:36 +02:00
Nasreddine Bencherchali b70ac17676 Fix 2022-09-07 21:58:22 +02:00
Florian Roth 2ac92283e6 indentation and new hashes 2022-09-07 16:05:48 +02:00
Florian Roth b293a7a181 refactor: SysmonEnte, SharpEvtMute, SysmonQuiet 2022-09-07 16:01:05 +02:00
Florian Roth 6f1ff59027 SysmonEnte Hashes 2022-09-07 15:29:09 +02:00
Nasreddine Bencherchali df257caa4c Update create_stream_hash_susp_ip_domains.yml 2022-09-07 12:17:18 +02:00