security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,907 Commits 1 Branch 57 Tags
c2868f6e03500a1455bb680d4750123cd832ac4e
Commit Graph

1093 Commits

Author SHA1 Message Date
ecco c2868f6e03 remove TAB from cli escape as it's currently unsupported in sigmac 2019-09-23 04:46:10 -04:00
Florian Roth 038900e2fe fix: renamed powershell rule 2019-09-06 17:33:56 +02:00
Florian Roth 7f1b6eb311 fix: duplicate rule 2019-09-06 10:30:47 +02:00
Florian Roth fcbae16cc8 rule: image debugger 2019-09-06 10:28:20 +02:00
ecco 01956f1312 powershell false positives 2019-09-06 03:54:19 -04:00
Thomas Patzke afe6668fbd Merge pull request #438 from duzvik/master 
Escaped '\*' to '\*' where required
 2019-09-05 10:57:25 +02:00
Thomas Patzke f9f5558ae1 Merge pull request #392 from TareqAlKhatib/shim 
Fixed commandline to detect any shim install from any location
 2019-09-05 10:28:50 +02:00
Florian Roth 7bef822da7 rule: minor improvement to susp ps enc cmd 2019-09-04 16:31:49 +02:00
Denys Iuzvyk 774be4d008 Escaped '\*' to '\*' where required 2019-09-04 14:05:58 +03:00
Florian Roth 03d45d57de rule: emissary panda activity 2019-09-03 15:35:33 +02:00
ecco 8cad0c638e add comcvcs.dll memdump method 2019-09-02 07:49:19 -04:00
Florian Roth dca5a7a248 Merge pull request #432 from EccoTheFlintstone/master 
add/modify powershell Empire rules
 2019-09-02 11:40:36 +02:00
ecco 5f30e52739 add/modify powershell Empire rules 2019-09-02 05:04:44 -04:00
Florian Roth ace0cc36c6 rule: improved csc rule 2019-08-31 08:44:09 +02:00
Florian Roth 7cc26e30b4 docs: renamed file name 2019-08-30 12:04:20 +02:00
Florian Roth f8785e722f docs: changed title and description of rule 2019-08-30 12:03:42 +02:00
Florian Roth ba46d6b4de docs: added reference to rule 2019-08-30 11:55:02 +02:00
Florian Roth 398ef9c6aa rules: teardown implant, apt28 ua 2019-08-30 11:53:55 +02:00
Florian Roth ca2019b57f fix: typo in MITRE tag 2019-08-27 12:32:56 +02:00
Florian Roth 6b7cd94197 Changes 2019-08-27 12:23:42 +02:00
weev3 d42a51372d Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30
Florian Roth 70a26a6132 fix: fixed MITRE tags 2019-08-24 13:58:54 +02:00
Florian Roth c321fc2680 rule: csc.exe suspicious source folder 2019-08-24 13:53:15 +02:00
Florian Roth b32ed3c817 rules: encoded FromBase64String keyword 2019-08-24 13:53:05 +02:00
Florian Roth 87ce52f6fe fix: fixed wrong MITRE tag 2019-08-23 23:19:39 +02:00
Florian Roth 5bd242cb21 rule: encoded IEX 2019-08-23 23:13:36 +02:00
Thomas Patzke 68fb56f503 Merge pull request #345 from ki11oFF/patch-1 
Detection of usage mimikatz trough WinRM
 2019-08-23 23:04:07 +02:00
Thomas Patzke 945f45ebd7 Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement 
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
 2019-08-23 23:01:25 +02:00
Thomas Patzke fc08e3c5b7 Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement 
Win susp add sid history improvement
 2019-08-23 22:58:46 +02:00
Florian Roth cc01f76e99 docs: minor changes 2019-08-22 14:22:55 +02:00
Florian Roth c291038ebe rule: renamed powershell 2019-08-22 14:22:55 +02:00
ecco d0a24f4409 filter NULL values to remove false positives 2019-08-20 05:10:41 -04:00
Karneades 18bbec4bcd improve(rule): add Empire links and userland match 
Add default task name and powershell task command to match what the rule name says: detects default config.
 2019-08-09 11:58:43 +02:00
Florian Roth 4fcb52d098 fix: removed mmc susp rule due to many FPs 2019-08-07 14:26:15 +02:00
Florian Roth f6fd1df6f4 Rule: separate Ryuk rule created for VBurovs strings 2019-08-06 10:33:46 +02:00
Florian Roth a8b738e346 Merge pull request #380 from vburov/patch-5 
Ryuk Ransomware commands from real case
 2019-08-06 10:29:00 +02:00
Florian Roth 83841ea117 Merge pull request #411 from nikotin69/master 
compliance rules by SOC prime
 2019-08-05 20:53:02 +02:00
Florian Roth 302ae9c5d0 Added level 2019-08-05 19:51:22 +02:00
Florian Roth 4dbf392562 Title, Level adjusted 2019-08-05 19:48:56 +02:00
Florian Roth fdb9b351d0 Level to low 2019-08-05 19:48:21 +02:00
Florian Roth 317c0bd07a Removed "Detects" keyword from title 2019-08-05 19:47:46 +02:00
Florian Roth 2af8cb0d0e Update cleartext_protocols.yml 2019-08-05 19:47:03 +02:00
Florian Roth c7ec45c0ff Update workstation_was_locked.yml 2019-08-05 19:44:14 +02:00
Florian Roth e64fcb32a2 Update group_modification_logging.yml 2019-08-05 19:43:59 +02:00
Florian Roth 5caf4f5f14 Update default_credentials_usage.yml 2019-08-05 19:43:46 +02:00
Florian Roth 10cc1de4c9 Fixed global rule syntax 2019-08-05 19:43:15 +02:00
Florian Roth dcdd021dc6 Duplicate port 3306 2019-08-05 19:36:50 +02:00
Karneades 42e6c9149b Remove unneeded event code 2019-08-05 19:13:39 +02:00
Karneades 0e3cc042f4 Add more exclusions to mmc process rule 2019-08-05 18:53:33 +02:00
Karneades 5caa951b8f Add new rule for detecting MMC spawning a shell 
Add (analog to win_mshta_spawn_shell.yml) a dedicated rule for dedecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml. And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml.
 2019-08-05 18:42:31 +02:00