Commit Graph

2393 Commits

Author SHA1 Message Date
Florian Roth bfd8b62dfa rule: kernel dump using dtrace 2021-12-28 10:01:11 +01:00
Florian Roth 6540d2e924 rule: download from Microsoft domain 2021-12-27 17:22:34 +01:00
Florian Roth 7a8f09a6b5 fix: FPs with 4688 events that can contain 'Registry' 2021-12-27 11:48:51 +01:00
Florian Roth 1609fbb2ac docs: title reordered 2021-12-24 09:13:25 +01:00
Florian Roth db3ebaf97c refactor: added curl.exe to the list 2021-12-23 08:27:44 +01:00
frack113 0e31c23620 Merge pull request #2476 from frack113/redcannary_20211220
Windows Redcannary
2021-12-21 20:41:58 +01:00
Florian Roth b3c7ef50f5 Merge branch 'master' into aurora-false-positive-fixing 2021-12-21 14:44:55 +01:00
Florian Roth 4c76e917df Merge pull request #2480 from frack113/diavol
Add thedfirreport Diavol Ransomware rules
2021-12-21 14:10:35 +01:00
Florian Roth c006b9df31 fix: FPs noticed with Aurora after Nvidia driver upgrade 2021-12-21 13:47:39 +01:00
Florian Roth 59bfca6aba Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:28:47 +01:00
Florian Roth 55b4085afc Merge pull request #2473 from elhoim/add_mimikatz_keywords
Add mimikatz keywords to 3 rules
2021-12-21 13:28:15 +01:00
Florian Roth 5c3c4830f7 Update win_pc_false_sysinternalsuite.yml 2021-12-21 13:26:50 +01:00
Florian Roth 6e19e75ece Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:24:36 +01:00
Florian Roth a1594e8c4a Merge pull request #2482 from Karneades/hideSrv
rule: abuse of permissions to hide services
2021-12-21 13:23:20 +01:00
David ANDRE d5bfce1e36 Removed duplicate filter entries. 2021-12-21 10:23:23 +01:00
David André 2ce0529792 Merge branch 'SigmaHQ:master' into add_mimikatz_keywords 2021-12-21 09:26:51 +01:00
Andreas Hunkeler 090e0304d4 rule: abuse of permissions to hide services 2021-12-20 23:36:23 +01:00
Andreas Hunkeler 5ac7c0a076 rule: add further reference in regsrv32 rule 2021-12-20 22:58:32 +01:00
frack113 b490086d37 Add thedfirreport Diavol Ransomware 2021-12-20 18:59:11 +01:00
Florian Roth 75765f2aef Update win_mimikatz_command_line.yml 2021-12-20 17:30:03 +01:00
phantinuss 145622afcf change level to medium as non-tunable in-the-wild FPs with powershell.exe are found 2021-12-20 15:12:21 +01:00
frack113 e542c10e8e Fix error 2021-12-20 11:35:12 +01:00
frack113 96a42f3bb5 Windows redcannary 2021-12-20 10:43:32 +01:00
David ANDRE b0dda59d09 Added mimikatz keywords from user published documentation to win_mimimkatz_command_line 2021-12-20 09:22:34 +01:00
David ANDRE 147c319bff Added mimikatz keywords from user published documentation to win_susp_system_user_anomaly 2021-12-20 09:01:34 +01:00
frack113 f4f3f860cb Merge pull request #2470 from frack113/redcanary_20211219
Windows Redcannary
2021-12-20 08:39:41 +01:00
Florian Roth 89e1f491b3 refactor: add accepteula to flags 2021-12-19 19:43:37 +01:00
frack113 b89580488a Windows Redcannary 2021-12-19 11:20:42 +01:00
Nasreddine Bencherchali 70f3f4fa88 Create win_susp_psloglist.yml
- The flags can be used with both "-" and "/" characters.
- This rule aims to detect any usage of psloglist, no matter if the binary is with the original name or not. This is achieved by looking for both the image name and the specific command line arguments
2021-12-18 21:52:05 +01:00
Nasreddine Bencherchali 6f01874e07 Create win_susp_nt_resource_kit_auditpol_usage.yml 2021-12-18 21:06:46 +01:00
Florian Roth 91b51068ea fix condition
https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:57 +01:00
Florian Roth 78900a7b96 fix condition
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:35 +01:00
Florian Roth 61ae79bcff Condition changed
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:12 +01:00
Florian Roth 4362060da6 Update process_creation_advanced_ip_scanner.yml 2021-12-18 20:24:11 +01:00
Nasreddine Bencherchali da5cb2116c Update process_creation_advanced_ip_scanner.yml 2021-12-18 20:08:00 +01:00
Nasreddine Bencherchali 8401ece3d6 Create process_creation_cleanwipe.yml 2021-12-18 20:05:49 +01:00
Nasreddine Bencherchali 92e7ff882f Create process_creation_advanced_port_scanner.yml 2021-12-18 20:00:40 +01:00
Florian Roth dbf3455990 Merge pull request #2467 from SigmaHQ/aurora-false-positive-fixing
fix: exclude *.scr screensavers
2021-12-18 19:00:20 +01:00
Florian Roth 3f5859bac5 fix: exclude *.scr screensavers 2021-12-18 15:40:12 +01:00
Florian Roth 68be189402 Merge pull request #2463 from Karneades/java
rule: add new rule for java spawning suspicious binaries
2021-12-18 07:56:53 +01:00
Florian Roth 8a3c521a34 Merge pull request #2466 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-18 07:16:16 +01:00
Florian Roth e20d8be164 refactor: split rule up into two, more susp sub procs 2021-12-18 06:39:14 +01:00
Florian Roth f1918e512c Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-18 00:18:00 +01:00
Florian Roth 4b7b829d18 fix: FPs noticed with Aurora 2021-12-18 00:17:58 +01:00
Florian Roth 8aec4e6d9e Merge pull request #2462 from Karneades/patch-1
Move winrm rule to process creation
2021-12-17 23:57:53 +01:00
Florian Roth 4cdb23598f Merge branch 'master' into master 2021-12-17 17:46:05 +01:00
Andreas Hunkeler 55c83e31c2 rule: add new rule for java spawning suspicious binaries 2021-12-17 17:40:38 +01:00
Andreas Hunkeler 9ecacdaeea Move winrm rule to process creation 2021-12-17 17:31:06 +01:00
Florian Roth a7b1ab0073 fix: bug in rule 2021-12-17 16:30:37 +01:00
Florian Roth d0d9e74313 fix: FP noticed with Aurora 2021-12-17 12:32:48 +01:00