Commit Graph

9450 Commits

Author SHA1 Message Date
Florian Roth bfd8b62dfa rule: kernel dump using dtrace 2021-12-28 10:01:11 +01:00
Florian Roth 6540d2e924 rule: download from Microsoft domain 2021-12-27 17:22:34 +01:00
Florian Roth 7a8f09a6b5 fix: FPs with 4688 events that can contain 'Registry' 2021-12-27 11:48:51 +01:00
Florian Roth 1609fbb2ac docs: title reordered 2021-12-24 09:13:25 +01:00
Florian Roth db3ebaf97c refactor: added curl.exe to the list 2021-12-23 08:27:44 +01:00
Florian Roth e9702af82b rule: sAMAccountName Spoofing CVE-2021-42287 2021-12-22 08:50:05 +01:00
frack113 0e31c23620 Merge pull request #2476 from frack113/redcannary_20211220: Windows Redcannary 2021-12-21 20:41:58 +01:00
Florian Roth f4787d73cc Merge pull request #2484 from SigmaHQ/aurora-false-positive-fixing: Aurora false positive fixing 2021-12-21 15:31:50 +01:00
Florian Roth b3c7ef50f5 Merge branch 'master' into aurora-false-positive-fixing 2021-12-21 14:44:55 +01:00
Florian Roth a471b4ea45 Merge pull request #2483 from Karneades/patch-1: rule: Add Java class proxy download rule 2021-12-21 14:10:43 +01:00
Florian Roth 4c76e917df Merge pull request #2480 from frack113/diavol: Add thedfirreport Diavol Ransomware rules 2021-12-21 14:10:35 +01:00
Florian Roth 21cd791075 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-21 13:47:41 +01:00
Florian Roth c006b9df31 fix: FPs noticed with Aurora after Nvidia driver upgrade 2021-12-21 13:47:39 +01:00
Florian Roth 59bfca6aba Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:28:47 +01:00
Florian Roth 55b4085afc Merge pull request #2473 from elhoim/add_mimikatz_keywords: Add mimikatz keywords to 3 rules 2021-12-21 13:28:15 +01:00
Florian Roth 694b133529 Merge pull request #2475 from elhoim/memssp_log_file: New rule to detect Mimikatz MemSSP default log file creation 2021-12-21 13:27:13 +01:00
Florian Roth 5c3c4830f7 Update win_pc_false_sysinternalsuite.yml 2021-12-21 13:26:50 +01:00
Florian Roth 6e19e75ece Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:24:36 +01:00
Florian Roth a1594e8c4a Merge pull request #2482 from Karneades/hideSrv: rule: abuse of permissions to hide services 2021-12-21 13:23:20 +01:00
Florian Roth c842b12970 Update proxy_java_class_download.yml 2021-12-21 13:22:47 +01:00
Andreas Hunkeler c0a6de06c4 rule: Add Java class proxy download rule 2021-12-21 11:25:08 +01:00
David ANDRE d5bfce1e36 Removed duplicate filter entries. 2021-12-21 10:23:23 +01:00
David André 2ce0529792 Merge branch 'SigmaHQ:master' into add_mimikatz_keywords 2021-12-21 09:26:51 +01:00
frack113 17493bab7c Merge pull request #2481 from Karneades/patch-1: rule: add further reference in regsrv32 rule 2021-12-21 08:59:15 +01:00
Andreas Hunkeler 090e0304d4 rule: abuse of permissions to hide services 2021-12-20 23:36:23 +01:00
Andreas Hunkeler 5ac7c0a076 rule: add further reference in regsrv32 rule 2021-12-20 22:58:32 +01:00
frack113 b490086d37 Add thedfirreport Diavol Ransomware 2021-12-20 18:59:11 +01:00
Florian Roth 3c7b4b7225 Update win_alert_mimikatz_keywords.yml 2021-12-20 18:40:19 +01:00
Florian Roth 75765f2aef Update win_mimikatz_command_line.yml 2021-12-20 17:30:03 +01:00
Florian Roth 12387fc275 Update win_alert_mimikatz_keywords.yml 2021-12-20 17:28:42 +01:00
Florian Roth 31788f91d8 Merge pull request #2477 from SigmaHQ/aurora-false-positive-fixing: fix: FPs noticed with Aurora 2021-12-20 16:56:21 +01:00
Florian Roth 1727a5d62f Merge pull request #2478 from phantinuss/master: FP Tuning 2021-12-20 16:49:55 +01:00
phantinuss 145622afcf change level to medium as non-tunable in the wild FPs with powershell.exe are found 2021-12-20 15:12:21 +01:00
phantinuss ad65524fb7 fix: FP matching thor scanner 2021-12-20 13:59:38 +01:00
Florian Roth 5d3f39e317 fix: duplicate entry 2021-12-20 12:53:45 +01:00
Florian Roth cf65b61397 Update file_event_mimimaktz_memssp_log_file.yml 2021-12-20 12:51:27 +01:00
Florian Roth 37da48ba3f fix: FPs noticed with Aurora 2021-12-20 12:04:40 +01:00
frack113 e542c10e8e Fix error 2021-12-20 11:35:12 +01:00
David ANDRE 8c61e58152 New rule to detect Mimikatz MemSSP default log file creation 2021-12-20 10:49:18 +01:00
frack113 96a42f3bb5 Windows redcannary 2021-12-20 10:43:32 +01:00
David ANDRE ed17c07aff Corrected alignment 2021-12-20 09:25:05 +01:00
David ANDRE b0dda59d09 Added mimikatz keywords from user published documentation to win_mimimkatz_command_line 2021-12-20 09:22:34 +01:00
David ANDRE 147c319bff Added mimikatz keywords from user published documentation to win_susp_system_user_anomaly 2021-12-20 09:01:34 +01:00
David ANDRE d2f9a9c63e Added mimikatz keywords from user published documentation 2021-12-20 08:56:13 +01:00
frack113 f4f3f860cb Merge pull request #2470 from frack113/redcanary_20211219: Windows Redcannary 2021-12-20 08:39:41 +01:00
frack113 ffc87968cf Merge pull request #2469 from frack113/aurora_fp: Aurora FP 2021-12-20 08:39:13 +01:00
Florian Roth cea0a760d7 Merge pull request #2468 from nasbench/master: Add/Update Rules 2021-12-19 20:25:18 +01:00
Florian Roth 89e1f491b3 refactor: add accepteula to flags 2021-12-19 19:43:37 +01:00
frack113 b89580488a Windows Redcannary 2021-12-19 11:20:42 +01:00
frack113 f8962bec98 Aurora FP 2021-12-19 10:35:39 +01:00