security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,524 Commits 1 Branch 57 Tags
c33119563729eca8a2517d92aa7922ad2cd59cd9
Commit Graph

2797 Commits

Author SHA1 Message Date
Florian Roth f7cd8e3424 fix: duplicate id 2022-03-24 11:41:26 +01:00
Florian Roth f3abef8b5f fix: indentation 2022-03-24 11:34:00 +01:00
Florian Roth 53b450d377 rule: PowerShell Downloads 2022-03-24 09:16:12 +01:00
Florian Roth 7c4d198498 fix: FPs with win32calc.exe 2022-03-23 16:31:45 +01:00
Florian Roth 535e6ce0cc refactor: scheduled task patterns 2022-03-23 09:09:43 +01:00
Florian Roth d8046b5989 rules: registry, tamper with Defender & LSA 2022-03-22 16:10:11 +01:00
Florian Roth 63066ab5e1 Merge branch 'master' into rule-devel 2022-03-22 13:16:13 +01:00
Florian Roth 68542e20e9 fix: condition 2022-03-22 13:16:08 +01:00
Florian Roth 35828985e0 refactor: rule extended 2022-03-21 12:59:14 +01:00
Florian Roth 007e52ccb9 rule: suspicious parents, susp powershell parent rule 2022-03-21 12:57:59 +01:00
phantinuss f1dcaa02f4 fix: single list element 2022-03-21 12:33:55 +01:00
Florian Roth 816b11ab80 Merge branch 'master' into rule-devel 2022-03-21 11:19:22 +01:00
Florian Roth 056206627a minor changes to description and hash values 2022-03-21 11:19:05 +01:00
Florian Roth dd46054e17 Merge pull request #2834 from redsand/fp_missing_sys32_dir_rundll32 
Fp missing system32 dir rundll32 with invalid extension
 2022-03-20 22:31:58 +01:00
Tim Shelton 5086cde0dd updating to ensure match against all system32 execution path 2022-03-20 19:48:51 +00:00
Tim Shelton 3da10f30d8 Adding additional filter for system32 2022-03-20 19:45:33 +00:00
Paul Hager 68659cf5fd new susp service installation rules 2022-03-18 16:08:40 +01:00
Florian Roth fbf1b8456c Merge pull request #2825 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed with EdgeTransport sub processes
 2022-03-18 11:04:10 +01:00
Florian Roth 2f51f8e1d2 fix: FPs noticed with EdgeTransport sub processes 2022-03-18 10:18:40 +01:00
Florian Roth d0eef19e95 Merge pull request #2822 from SigmaHQ/rule-devel 
Webshell detection rule refactoring
 2022-03-18 08:49:04 +01:00
Florian Roth e754849425 fix: missing space 2022-03-18 08:37:09 +01:00
frack113 41fce11b76 Merge pull request #2820 from frack113/day_off 
Windows Redcannary
 2022-03-18 08:18:18 +01:00
Florian Roth 59a8a6f952 Merge branch 'master' into rule-devel 2022-03-17 20:16:28 +01:00
Florian Roth 22133aaa07 Merge pull request #2821 from redsand/fp_tasktop_path_traversal 
Adding filter for java  tasktop
 2022-03-17 18:44:16 +01:00
Florian Roth 33617fd8b4 rule: new webshell detection rule 2022-03-17 18:31:11 +01:00
Tim Shelton 026677cf8a fixing spelling error 2022-03-17 17:27:11 +00:00
Florian Roth 8250dd73a2 refactor: webshell detection rules 2022-03-17 18:24:15 +01:00
Tim Shelton a1cb805913 Adding filter for java tasktop 2022-03-17 17:23:06 +00:00
frack113 829409d29a Redcannary 2022-03-17 16:48:41 +01:00
frack113 becf3baeb4 Merge pull request #2813 from phantinuss/master 
Changes to falsepositives metadata
 2022-03-17 14:31:27 +01:00
Florian Roth 1ab03bd9f8 Merge pull request #2815 from SigmaHQ/rule-devel 
rule: remote thread creation, rule: get-addbaccount
 2022-03-16 18:47:03 +01:00
Florian Roth 39811e1405 refactor: uppercase values, DropLoader imphash 2022-03-16 17:56:55 +01:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss 8d3f8acb60 fix: none --> Unknown 2022-03-16 14:19:21 +01:00
phantinuss 9b82e099a3 fix: unlikely --> Unlikely 2022-03-16 14:16:10 +01:00
phantinuss 4585133325 fix: remove penetration testing as a valid false positive 2022-03-16 13:51:26 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Florian Roth 8acf6431f5 Merge pull request #2809 from SigmaHQ/rule-devel 
CrackMapExec patterns, minor addition to ncat rule, rar rule adjusted
 2022-03-16 11:25:10 +01:00
Florian Roth 0e1945beaa refactor: rar usage w password & compression level 2022-03-16 09:57:45 +01:00
Thomas Patzke 125359cfbc Merge pull request #2810 from SigmaHQ/fix 
Fixes
 2022-03-16 07:29:24 +01:00
Thomas Patzke f022b087e0 Fixed date format in rule 2022-03-15 23:31:14 +01:00
Florian Roth a10561e084 ncat pattern 2022-03-15 18:05:13 +01:00
Florian Roth 306bb438e3 CrackMapExec patterns 2022-03-15 18:05:04 +01:00
Paul Hager 87600161bf new rule from thedfirreport.com 2022-03-15 16:39:12 +01:00
Paul Hager 3b09f1c9da new rule from thedfirreport.com 2022-03-15 16:38:27 +01:00
Paul Hager 20125d87c2 new rule from thedfirreport.com 2022-03-15 16:36:57 +01:00
frack113 c5263039ae Merge pull request #2798 from frack113/moonbounce 
Add proc_creation_win_wmic_remote_command
 2022-03-13 22:22:10 +01:00
Florian Roth 70954c8153 Update proc_creation_win_wmic_remote_command.yml 2022-03-13 13:22:10 +01:00