Commit Graph

2864 Commits

Author SHA1 Message Date
sreehari3 b2ca6754ea mitre tags: Persistence (T1053), (T1053.005)
added those MITRE tags
2022-04-14 09:09:03 +05:30
Florian Roth 3eafd9dfdb Merge pull request #2910 from SigmaHQ/rule-devel
rule: RPCSS service process anomalies
2022-04-13 19:04:44 +02:00
Florian Roth ed465ea36a rule: RPCSS service process anomalies 2022-04-13 15:44:10 +02:00
Max Altgelt 98f313526d fix: copy / paste issues 2022-04-13 09:23:08 +02:00
megan201296 d6245133e3 Typo fix
Fix unfinished word "legitimate" in false positives
2022-04-12 11:05:09 -05:00
Florian Roth 76c730a831 Merge pull request #2903 from securepeacock/master
Update Netsh Firewall Enumeration
2022-04-12 17:24:51 +02:00
Florian Roth 482a2fdcf9 Update proc_creation_win_susp_netsh_command.yml 2022-04-12 07:55:58 +02:00
frack113 afa3fc9a41 Merge pull request #2901 from megan201296/patch-23
Change ATT&CK technique
2022-04-12 07:46:41 +02:00
securepeacock 3f7c77256a Update proc_creation_win_susp_network_command.yml 2022-04-11 13:45:37 -04:00
securepeacock 162d577523 Update proc_creation_win_susp_network_command.yml
Added route print
2022-04-11 13:36:52 -04:00
securepeacock 38276d96b8 Update proc_creation_win_susp_netsh_command.yml
Update to catch other procedures for Firewall Enumerations like run cmd.exe /c netsh firewall show state & netsh firewall show config.
2022-04-11 13:06:15 -04:00
megan201296 c7a3834070 Change ATT&CK technique
Per source reference, the ADS rule is T1564.004 BUT copying/downloading files is T1105 (which in turn is C&C, not defense evasion)
2022-04-11 10:56:03 -05:00
megan201296 e01083a625 Change MITRE ATT&CK tactic ID
The subtechnique `.011` is specific to RunDLL32 proxy execution. There is no existing sub-technique specific to wuauclt.exe so only the top level technique should be referenced.
2022-04-11 10:41:46 -05:00
Florian Roth a3457babca Merge pull request #2893 from frack113/redcannary_20220409
New Redcannary Windows Tests
2022-04-09 21:03:26 +02:00
Florian Roth cbec7b274e Update proc_creation_win_susp_vaultcmd.yml 2022-04-09 20:02:34 +02:00
Florian Roth 2f0bce02ea Update proc_creation_win_sqlite_firefox_cookies.yml 2022-04-09 20:01:54 +02:00
Florian Roth 217f7d3c3c Update proc_creation_win_sqlite_firefox_cookies.yml 2022-04-09 19:43:03 +02:00
Florian Roth 87d06a4f6d fix: remove rule causing many FPs 2022-04-09 19:33:55 +02:00
Florian Roth 1a5fc46d8d Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-04-09 19:19:12 +02:00
frack113 e59c55b85f Update proc_creation_win_susp_vaultcmd.yml 2022-04-09 18:08:55 +02:00
frack113 89985b08c8 New Redcannary Windows Tests 2022-04-09 18:00:15 +02:00
Florian Roth c18f246c23 docs: modified date 2022-04-08 16:33:19 +02:00
Florian Roth 8b2f23ffbb fix: possible FP with Veeam software 2022-04-08 16:32:46 +02:00
Amrik 6bc5b8e29c Fix: Typo in title 2022-04-07 19:30:00 -07:00
frack113 77e05ab762 Merge pull request #2887 from frack113/fix_tag
Update tags
2022-04-07 22:34:23 +02:00
Florian Roth e4503df4b1 Update proc_creation_win_powershell_public_folder.yml 2022-04-07 18:52:45 +02:00
frack113 7819a3b96e Update tags 2022-04-07 14:46:58 +02:00
Max Altgelt df41827266 feat: detect PS execution in public folder 2022-04-07 10:50:50 +02:00
Max Altgelt 3cddcc906d feat: Add new rule for Creative Cloud node abuse 2022-04-07 10:50:50 +02:00
Florian Roth ac5346c2a5 Merge pull request #2881 from SigmaHQ/rule-devel
DumpMinitool Usage
2022-04-07 09:44:44 +02:00
megan201296 b0eaf3fb5a Rename proc_creation_win_coti_sqlcmd.yml to proc_creation_win_conti_sqlcmd.yml
Fix typo in rule name
2022-04-06 10:46:08 -05:00
Florian Roth 5a4a2544dd refactor: extended rule 2022-04-06 17:07:51 +02:00
Florian Roth 4a4d990151 fix: less strict directory filter 2022-04-06 14:02:01 +02:00
Florian Roth 3b25fba51a rule: DumpMinitool usage 2022-04-06 14:01:14 +02:00
Florian Roth 7ef4187875 Merge pull request #2879 from SigmaHQ/rule-devel
Base64 Encoded CommandLine Params
2022-04-05 20:17:59 +02:00
Florian Roth 774183f1eb refactor: lowered level to informational 2022-04-05 18:54:47 +02:00
Florian Roth a731446733 Revert "removed rule due to many FPs"
This reverts commit 5bdb97ba17.
2022-04-05 18:54:14 +02:00
Florian Roth 5bdb97ba17 removed rule due to many FPs 2022-04-05 18:53:45 +02:00
Florian Roth 7ee145fbce rule: base64 encoded value in command line 2022-04-05 13:09:57 +02:00
Florian Roth bcc9f96beb fix: add tags 2022-04-05 13:09:43 +02:00
frack113 6e67a6d520 Set to low for FP 2022-04-04 19:33:23 +02:00
frack113 b7675b8163 Add proc_creation_win_susp_conhost_option 2022-04-04 19:20:27 +02:00
Florian Roth 4ca5f58081 Merge branch 'master' into rule-devel 2022-04-04 12:02:47 +02:00
Florian Roth 96499b52de fix: date in rule 2022-04-04 11:37:55 +02:00
Florian Roth 7423ad6ffa fix: missing timestamp 2022-04-04 11:34:26 +02:00
phantinuss 67ad16f411 edit because of ambiguous trailing space 2022-03-31 12:04:37 +02:00
phantinuss 51d45bae8b chore: promote status of rules 2022-03-31 12:04:37 +02:00
phantinuss 5ebb919472 fix: FP with intel graphics 2022-03-31 12:04:37 +02:00
phantinuss 8afe875ad6 update rule to also match on original sample 2022-03-31 12:04:36 +02:00
Florian Roth 08d3bd48ce Merge pull request #2868 from securepeacock/patch-11
Create proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 21:05:56 +02:00