Commit Graph

4530 Commits

Author SHA1 Message Date
Andreas Hunkeler cea2d5cd81 Add modified date to ngrok rule 2021-06-07 18:17:17 +02:00
Andreas Hunkeler e1ef13bb24 Update ngrok usage rule
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
2021-06-07 17:20:18 +02:00
frack113 43ccc07ad0 T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection 2021-06-07 10:09:21 +02:00
frack113 169f948ac2 Get a new error after another Atomic Test 2021-06-04 13:20:10 +02:00
frack113 3d9fe490ab Detect modification of sysmon configuration by sysmon 2021-06-04 11:27:15 +02:00
Remco Hofman 12c822511e Consistency: Service File Name to ServiceFileName 2021-06-03 21:33:11 +02:00
Florian Roth 42036049ec Merge pull request #1523 from frack113/fix_win_global_catalog_enumeration
Filtering Platform Connection is in the security channel, not system
2021-06-03 20:50:23 +02:00
Florian Roth b45561c4c9 Merge pull request #1524 from frack113/fix_powershell_alternate_powershell_hosts
make powershell_alternate_powershell_hosts more accurate
2021-06-03 20:50:06 +02:00
Florian Roth d41825766a Merge pull request #1529 from SigmaHQ/rule-devel
fix: FPs with Volume Shadow Copy Service Keys
2021-06-03 20:49:31 +02:00
Florian Roth 4d7b3b7afe Merge pull request #1530 from Karneades/patch-1
Add further detections to shadow copies deletion
2021-06-03 13:51:00 +02:00
Florian Roth 11eca86be3 Update process_creation_c3_load_by_rundll32.yml 2021-06-03 12:44:47 +02:00
Florian Roth 151d120a24 Update process_creation_SDelete.yml 2021-06-03 12:40:55 +02:00
frack113 ba0f2e6b16 Add windows T1485 SDelete 2021-06-03 10:59:22 +02:00
Alfie Champion 9876643e3e added rule for rundll32 launch of fsecure C3 2021-06-02 19:57:39 +01:00
Andreas Hunkeler e8ee6aec2f Add further detections to shadow copies deletion
* Add diskshadow.exe to existing detection
* Add new detection for wbadmin.exe
* Fix typo in match on L31
* Add raccine refs
2021-06-02 15:47:41 +02:00
Florian Roth 7812ff51d3 fix: FPs with Volume Shadow Copy Service Keys 2021-06-02 13:04:05 +02:00
Florian Roth 7288ae93b9 Merge pull request #1526 from WojciechLesicki/master
Added a new rule about loading dll CS via rundll32 and also some chan…
2021-06-01 21:54:26 +02:00
Florian Roth eb4300756e Update win_cobaltstrike_service_installs.yml 2021-06-01 21:53:25 +02:00
Florian Roth 736eeabf9f Merge pull request #1527 from SigmaHQ/rule-devel
fix: rule FPs with Stealthy VSTO Persistence
2021-06-01 18:18:22 +02:00
Florian Roth 950b252d5c Update process_creation_cobaltstrike_load_by_rundll32.yml 2021-06-01 18:11:19 +02:00
WojciechLesicki d6f6b88b4c I corrected the tag 2021-06-01 17:11:24 +02:00
WojciechLesicki 90a21d954a Change title 2021-06-01 16:55:49 +02:00
WojciechLesicki cc4c55ed10 Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations 2021-06-01 16:18:23 +02:00
Florian Roth 34cf1333de fix: rule FPs with Stealthy VSTO Persistence 2021-06-01 13:58:35 +02:00
frack113 bf98f43850 Make powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID 2021-06-01 10:47:17 +02:00
frack113 5f98f00a36 Filtering Platform Connection is in the security channel, not system 2021-06-01 08:19:26 +02:00
Florian Roth b191efaab1 Merge pull request #1522 from SigmaHQ/rule-devel
rule: nginx core dump
2021-05-31 16:56:16 +02:00
Florian Roth ab73dd4dd6 rule: nginx core dump 2021-05-31 10:49:42 +02:00
frack113 0b2037ccad fix **firewall** is a category like in all other rules 2021-05-30 09:43:29 +02:00
frack113 7d55c7ca80 category other is useless
Add a new reference
2021-05-30 09:17:41 +02:00
frack113 f91abf8929 Fix auditd is a service 2021-05-30 08:58:25 +02:00
frack113 a634452871 product is lowercase 2021-05-30 08:43:01 +02:00
frack113 58436c2a02 product is lowercase 2021-05-30 08:37:48 +02:00
frack113 33a5137bc7 Fix logsource to get accurate detection 2021-05-30 08:22:38 +02:00
frack113 9a0604029e duplicate uuid 5a105d34-05fc-401e-8553-272b45c1522d
- win_cobaltstrike_service_installs.yml
- win_mal_service_installs.yml
2021-05-27 21:06:07 +02:00
frack113 179bfa7d56 duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
- sysmon_susp_webdav_client_execution.yml
- sysmon_wdigest_enable_uselogoncredential.yml
2021-05-27 20:59:26 +02:00
Florian Roth 39900bb7c5 refactor: re-add exec selection 2021-05-27 19:24:20 +02:00
Florian Roth 9af8e81cb4 Merge branch 'master' into rule-devel 2021-05-27 19:23:21 +02:00
Florian Roth c3ab7d19f1 Merge pull request #1515 from jbeley/master
Modified win_susp_rclone_exec.yml to detect renamed rclone executable…
2021-05-27 18:22:16 +02:00
Florian Roth 431f34b985 fix: other locations
https://twitter.com/ber_m1ng/status/1397948048135778309
2021-05-27 18:12:20 +02:00
Florian Roth a4e6f58b16 rule: suspicious programs - no DLL in command line 2021-05-27 17:49:10 +02:00
Florian Roth fa45298474 Merge pull request #1516 from SigmaHQ/rule-devel
Update win_susp_regedit_trustedinstaller.yml
2021-05-27 17:48:48 +02:00
Jeff Beley f675ac36b1 Modified win_susp_rclone_exec.yml to detect renamed rclone executables and rclone executed from inside of other programs (BEACON) 2021-05-27 15:03:52 +00:00
Florian Roth 61f5e66569 Update win_susp_regedit_trustedinstaller.yml 2021-05-27 16:57:41 +02:00
Florian Roth 71625c54f0 Merge pull request #1514 from SigmaHQ/rule-devel
ProcessHacker rule, NCCGroup rclone rules
2021-05-27 16:30:30 +02:00
Florian Roth d1582944a7 fix: dates in new rules 2021-05-27 16:30:09 +02:00
Florian Roth d5e8d1153f fix: missing condition 2021-05-27 15:04:13 +02:00
Florian Roth 7ce7095c2c fix: title with lower case letters 2021-05-27 15:01:32 +02:00
Florian Roth 5cf7078fb3 Merge pull request #1484 from ZikyHD/filter_sysmon_in_memory_assembly_execution
Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution…
2021-05-27 12:55:31 +02:00
Florian Roth ea430c8823 Merge pull request #1471 from d4rk-d4nph3/master
Updated rule for Advanced IP Scanner and new rule for PowerView
2021-05-27 12:55:03 +02:00