Florian Roth
cd2792f82c
Merge pull request #1547 from frack113/new_filter_condition
Add New filter condition
2021-06-10 14:42:44 +02:00
Florian Roth
5e35e387dd
Merge pull request #1549 from SigmaHQ/rule-devel
Rule devel
2021-06-10 10:19:47 +02:00
Florian Roth
45c3d4702b
Merge pull request #1520 from SyeedHasan/master
Detection rule for 'ISO mounts'
2021-06-10 09:51:29 +02:00
Florian Roth
78817d100b
style: removed unneeded space chars
2021-06-10 09:42:19 +02:00
Florian Roth
9c0700bc56
Powershell artefacts to critical
2021-06-10 09:42:07 +02:00
Florian Roth
04faf985d2
more PowerShell suspicious keywords
2021-06-10 09:41:55 +02:00
Florian Roth
f52ed7604c
BabyShark Pattern
2021-06-10 09:41:36 +02:00
Florian Roth
28abdf3a81
Update win_iso_mount.yml
2021-06-10 09:31:40 +02:00
Florian Roth
b2d0fbba2c
Adjustments
2021-06-10 09:12:37 +02:00
Florian Roth
ab3baa9463
Merge pull request #1534 from SpeedyFireCyclone/mdatp_serviceinstalled
MDATP ServiceInstalled mapping
2021-06-10 09:05:56 +02:00
Florian Roth
3dca4425d5
Merge pull request #1546 from frack113/issues_1525
Add missing sysmon EventID
2021-06-10 09:05:35 +02:00
frack113
a600e2dcaa
Forgot a debug print
2021-06-10 08:49:15 +02:00
frack113
af1aee9541
Add filter condition= and condition!=
2021-06-10 08:26:19 +02:00
frack113
1b4d4cfb82
Add missing sysmon EventID
2021-06-09 12:52:38 +02:00
Florian Roth
ced94bb728
Merge pull request #1545 from roysjosh/eql
Add support for Elastic EQL
2021-06-08 21:19:37 +02:00
Joshua Roys
2034d36677
Add support for Elastic EQL
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
2021-06-08 13:38:38 -04:00
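To make the "near into EQL sequence" idea concrete, here is an added example (my own illustration, not the es-rule-eql backend from the pull request): a minimal model that renders an ordered Sigma `near` aggregation as an EQL `sequence ... with maxspan`, plus a naive matcher that shows what such a sequence actually enforces. The rule, the events, the field names (`host.name`, `process.name`, `@timestamp`) and the assumption that the selections must occur in the listed order on the same host are all constructed for this illustration; real Sigma `near` semantics and the backend's real output may differ.

```python
# Added example, not sigma's own code: Sigma "near" aggregation -> EQL sequence,
# plus a naive matcher. Rule, events and field names are constructed.
import re
from typing import Dict, List, Tuple

Selection = Dict[str, str]       # field -> exact value (equality only)
Event = Dict[str, object]


def parse_timeframe(tf: str) -> int:
    """Convert a Sigma timeframe such as '30s', '5m', '2h' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", tf.strip())
    if not m:
        raise ValueError(f"unsupported timeframe: {tf!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def selection_to_eql(sel: Selection, category: str = "process") -> str:
    """Render one Sigma selection as an EQL '<category> where ...' clause."""
    clauses = []
    for field, value in sel.items():
        escaped = value.replace('"', '\\"')
        clauses.append(f'{field} == "{escaped}"')
    return f"{category} where " + " and ".join(clauses)


def near_to_eql(detection: Dict[str, Selection], near: List[str], timeframe: str,
                group_by: str = "host.name", category: str = "process") -> str:
    """Translate 'sel1 | near sel2 ...' with a timeframe into an EQL sequence.

    Assumption of this model: selections must occur in the listed order on the
    same group_by value within the timeframe (EQL 'sequence ... with maxspan').
    """
    steps = [f"  [{selection_to_eql(detection[name], category)}]" for name in near]
    head = f"sequence by {group_by} with maxspan={timeframe}"
    return "\n".join([head, *steps])


def _matches(event: Event, sel: Selection) -> bool:
    return all(event.get(f) == v for f, v in sel.items())


def match_sequence(events: List[Event], steps: List[Selection], group_by: str,
                   maxspan_s: int) -> List[Tuple[Event, ...]]:
    """Naive sequence matcher: steps in order, same group_by value, all within
    maxspan_s seconds of the first matching event. Returns the matched chains."""
    ordered = sorted(events, key=lambda e: e["@timestamp"])
    hits: List[Tuple[Event, ...]] = []
    for i, first in enumerate(ordered):
        if not _matches(first, steps[0]):
            continue
        chain = [first]
        for ev in ordered[i + 1:]:
            if ev["@timestamp"] - first["@timestamp"] > maxspan_s:
                break  # outside the window: give up on this start event
            if ev.get(group_by) != first.get(group_by):
                continue  # different host: not part of this chain
            if _matches(ev, steps[len(chain)]):
                chain.append(ev)
                if len(chain) == len(steps):
                    hits.append(tuple(chain))
                    break
    return hits


# Constructed rule: powershell.exe followed by rundll32.exe on one host within 5 minutes.
DETECTION: Dict[str, Selection] = {
    "ps": {"process.name": "powershell.exe"},
    "rundll": {"process.name": "rundll32.exe"},
}
NEAR = ["ps", "rundll"]
TIMEFRAME = "5m"

# Constructed events: host-a matches; host-b is out of order; host-c is outside the window.
EVENTS: List[Event] = [
    {"@timestamp": 0,   "host.name": "host-a", "process.name": "powershell.exe"},
    {"@timestamp": 60,  "host.name": "host-a", "process.name": "rundll32.exe"},
    {"@timestamp": 0,   "host.name": "host-b", "process.name": "rundll32.exe"},
    {"@timestamp": 10,  "host.name": "host-b", "process.name": "powershell.exe"},
    {"@timestamp": 0,   "host.name": "host-c", "process.name": "powershell.exe"},
    {"@timestamp": 600, "host.name": "host-c", "process.name": "rundll32.exe"},
]


def run_example() -> Tuple[str, List[str]]:
    """Return the generated EQL and the hosts on which the sequence matched."""
    eql = near_to_eql(DETECTION, NEAR, TIMEFRAME)
    hits = match_sequence(EVENTS, [DETECTION[n] for n in NEAR], "host.name",
                          parse_timeframe(TIMEFRAME))
    return eql, [str(chain[0]["host.name"]) for chain in hits]


if __name__ == "__main__":
    eql, hosts = run_example()
    print(eql)
    print("matched hosts:", hosts)  # ['host-a']
```

The matcher is deliberately simple (one chain per start event, no `until`, no `runs`), which is enough to see the two properties a sequence gives you over a plain `near` count: ordering and a hard time window keyed on the grouping field.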
Florian Roth
8a04bea6aa
Merge pull request #1535 from mvelazc0/master
Password Spraying Sigma Rules
2021-06-08 16:14:52 +02:00
Florian Roth
16fc76bd5e
Merge pull request #1544 from Karneades/patch-1
Revert renaming of ngrok rule
2021-06-08 15:42:38 +02:00
Andreas Hunkeler
2d44803bf5
Revert renaming of ngrok rule
Initially the rule had only a detection for RDP, but after my last commits we have more ports in the detections, so the previous generic name is better.
2021-06-08 13:09:35 +02:00
Florian Roth
cfdf3b7c08
Merge pull request #1538 from frack113/powershell_delete_volume_shadow_copies
Add T1490 PowerShell delete volume shadow copies
2021-06-08 11:02:34 +02:00
Florian Roth
07176ddb25
Merge pull request #1541 from frack113/win_tamper_with_windows_defender
Windows tamper with Windows Defender
2021-06-08 11:02:14 +02:00
Florian Roth
242b56031f
Merge pull request #1542 from Karneades/patch-1
Update ngrok usage rule
2021-06-08 11:01:45 +02:00
Florian Roth
3a85b9073b
Merge pull request #1543 from frack113/Disable_Microsoft_Office_Security_Features
T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features
2021-06-08 11:00:59 +02:00
frack113
c1f43cc4ca
T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features
2021-06-08 09:32:01 +02:00
frack113
0a6f7763aa
Split original to existing file
2021-06-07 20:27:14 +02:00
Andreas Hunkeler
cea2d5cd81
Add modified date to ngrok rule
2021-06-07 18:17:17 +02:00
Andreas Hunkeler
e1ef13bb24
Update ngrok usage rule
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
2021-06-07 17:20:18 +02:00
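As an added illustration of the kind of logic the ngrok rule change above describes (this is my own example, not the Sigma rule itself), the following scores process command lines for ngrok tunnelling: the `authtoken` registration string and `tcp` tunnels to lateral-movement ports. The port-to-service mapping (RDP 3389, WinRM 5985/5986, SMB 445), the treatment of `http` tunnels as informational only, and the sample command lines are assumptions constructed for the example; the Azure Bot Service debugging line mirrors the false-positive scenario linked in the commit.

```python
# Added example, not the SigmaHQ ngrok rule: flag ngrok command lines that expose
# lateral-movement ports or register an authtoken. Ports and samples are assumptions.
import re
from typing import Dict, List

# Assumption: these are the local ports an attacker tunnels to reach a host remotely.
LATERAL_PORTS: Dict[str, str] = {
    "3389": "RDP",
    "5985": "WinRM",
    "5986": "WinRM over HTTPS",
    "445": "SMB",
}

_TCP_TUNNEL = re.compile(r"\btcp\s+(?:[\w.\-]+:)?(\d{1,5})\b")
_HTTP_TUNNEL = re.compile(r"\bhttp\s+(\d{1,5})\b")
_AUTHTOKEN = re.compile(r"\bauthtoken\b")


def ngrok_indicators(cmdline: str) -> List[str]:
    """Return human-readable reasons a command line looks like ngrok usage.

    An empty list means no ngrok indicator. Matching is case-insensitive and only
    runs when 'ngrok' appears in the image name or arguments."""
    low = cmdline.lower()
    reasons: List[str] = []
    if "ngrok" not in low:
        return reasons
    if _AUTHTOKEN.search(low):
        reasons.append("authtoken: client being bound to an ngrok account")
    m = _TCP_TUNNEL.search(low)
    if m:
        port = m.group(1)
        service = LATERAL_PORTS.get(port)
        if service:
            reasons.append(f"tcp tunnel to local port {port} ({service})")
        else:
            reasons.append(f"tcp tunnel to local port {port}")
    m = _HTTP_TUNNEL.search(low)
    if m:
        reasons.append(f"http tunnel to local port {m.group(1)} (often development; check FP list)")
    return reasons


def is_suspicious(cmdline: str) -> bool:
    """High-confidence subset: authtoken registration or a tcp tunnel to a lateral port."""
    low = cmdline.lower()
    if "ngrok" not in low:
        return False
    if _AUTHTOKEN.search(low):
        return True
    m = _TCP_TUNNEL.search(low)
    return bool(m and m.group(1) in LATERAL_PORTS)


# Constructed sample process command lines.
SAMPLES = [
    r"C:\Users\dev\ngrok.exe tcp 3389",                    # RDP exposed
    r"ngrok.exe authtoken 2abcdefexampletoken",            # client registration
    r"C:\Tools\ngrok.exe tcp localhost:5985",              # WinRM exposed
    r"ngrok http 3978 -host-header=localhost",             # bot-service debugging style FP
    r"C:\Windows\System32\cmd.exe /c dir",                 # unrelated
]


def triage(samples: List[str]) -> List[Dict[str, object]]:
    """Evaluate every sample and return verdict plus reasons for each."""
    return [{"cmdline": s, "suspicious": is_suspicious(s), "reasons": ngrok_indicators(s)}
            for s in samples]


if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row["suspicious"], row["cmdline"], row["reasons"])
```

Keeping `is_suspicious` narrower than `ngrok_indicators` is the point: the informational `http` match is what lets you still see developer usage (the false-positive case the commit links to) without paging on it.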
frack113
5914e46d4a
fix typo errors
2021-06-07 15:15:36 +02:00
frack113
e66a3f9513
T1562.001 Attempting to disable scheduled scanning and other parts of Windows Defender ATP.
2021-06-07 15:03:19 +02:00
Florian Roth
321c31cb7b
Merge pull request #1540 from frack113/sysmon_amsi_bypass_remove_key
T1562.001 Remove the AMSI Provider registry key
2021-06-07 11:09:16 +02:00
frack113
43ccc07ad0
T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection
2021-06-07 10:09:21 +02:00
Florian Roth
a17bd970db
Merge pull request #1539 from frack113/basic_sysmon_modif
Detect modification of sysmon configuration by sysmon
2021-06-07 09:12:38 +02:00
mvelazco
178df3f056
fixing title lengths
2021-06-04 10:57:52 -04:00
frack113
169f948ac2
Get a new error after another Atomic Test
2021-06-04 13:20:10 +02:00
frack113
3d9fe490ab
Detect modification of sysmon configuration by sysmon
2021-06-04 11:27:15 +02:00
mvelazco
d8aa0ae124
adding references
2021-06-03 23:38:10 -04:00
mvelazco
d4f66f2af6
rolling back unwanted changes
2021-06-03 18:29:06 -04:00
mvelazco
7ebab6f872
Merge branch 'master' of github.com:mvelazc0/sigma
2021-06-03 18:26:09 -04:00
mvelazco
103fe2b344
minor fixes and 3 extra sigma rules
2021-06-03 18:26:07 -04:00
mvelazco
f53675f41a
Merge branch 'SigmaHQ:master' into master
2021-06-03 14:54:41 -07:00
mvelazco
50d734a17a
Adding 4 initial sigma rules
2021-06-03 17:51:47 -04:00
Florian Roth
b26eece20d
Merge pull request #1533 from SpeedyFireCyclone/cobaltstrike_service_install_fix
Consistency: Service File Name to ServiceFileName
2021-06-03 23:34:00 +02:00
frack113
537272c944
Add T1490 PowerShell delete volume shadow copies
2021-06-03 22:39:06 +02:00
Remco Hofman
0aa05f53e9
MDATP ServiceInstalled event mapping
2021-06-03 21:43:52 +02:00
Remco Hofman
12c822511e
Consistency: Service File Name to ServiceFileName
2021-06-03 21:33:11 +02:00
Florian Roth
bcd6d3c9ba
Merge pull request #1528 from SigmaHQ/dependabot/pip/urllib3-1.26.5
Bump urllib3 from 1.26.4 to 1.26.5
2021-06-03 20:50:58 +02:00
Florian Roth
2115bfcd75
Merge pull request #1519 from frack113/esrule_new_option
Add some fun backend options for es-rule
2021-06-03 20:50:44 +02:00
Florian Roth
42036049ec
Merge pull request #1523 from frack113/fix_win_global_catalog_enumeration
Filtering Platform Connection is in the Security channel, not System
2021-06-03 20:50:23 +02:00
Florian Roth
b45561c4c9
Merge pull request #1524 from frack113/fix_powershell_alternate_powershell_hosts
make powershell_alternate_powershell_hosts more accurate
2021-06-03 20:50:06 +02:00
Florian Roth
d41825766a
Merge pull request #1529 from SigmaHQ/rule-devel
fix: FPs with Volume Shadow Copy Service Keys
2021-06-03 20:49:31 +02:00