Commit Graph

4601 Commits

Author SHA1 Message Date
Florian Roth 33bdfd124d refactor: comsvcs.dll adjustments - run by ordinal variants 2021-12-08 10:02:21 +01:00
Florian Roth bfd6b48ee4 refactor: adjusted run by ordinal pattern for Sysmon 2021-12-08 10:01:54 +01:00
Florian Roth c6f1398cfb rule: DInject usage 2021-12-08 09:38:23 +01:00
frack113 592259af80 Add T1016 2021-12-07 20:41:49 +01:00
Florian Roth c447cb4212 Merge pull request #2398 from SigmaHQ/rule-devel (rule: improved comsvcs.dll Minidump rule) 2021-12-07 15:59:33 +01:00
Florian Roth 1cae016459 rule: fix and extend comsvcs minidump rule 2021-12-07 15:05:20 +01:00
Florian Roth 63fd1189e7 rule: improved comsvcs.dll Minidump rule 2021-12-07 12:59:20 +01:00
Florian Roth 5fcf0d9e06 Merge pull request #2397 from SigmaHQ/aurora-false-positive-fixing (Aurora false positive fixing) 2021-12-07 11:28:14 +01:00
Florian Roth 506631485e fix: FPs noticed with Aurora 2021-12-07 10:38:10 +01:00
Florian Roth fc6ad3667c Merge pull request #2396 from SigmaHQ/rule-devel (New rules - Suspicious SYSTEM context) 2021-12-07 08:24:12 +01:00
Florian Roth 507a0649f3 rule: suspicious process creation as SYSTEM user 2021-12-07 07:34:18 +01:00
frack113 777d218adc Merge pull request #2390 from frack113/t1007 (Add redcannary T1007) 2021-12-07 06:45:38 +01:00
Florian Roth dc3b6df0ee Merge pull request #2394 from redsand/fp_powershell_cmdline_special_chars (Adding fp filter for ssm-document-worker) 2021-12-07 06:14:44 +01:00
Tim Shelton 905d6bf8fd Adding fp filter for ssm-document-worker 2021-12-06 22:02:54 +00:00
Florian Roth 426d212dd7 Merge pull request #2389 from SigmaHQ/rule-devel (New rules) 2021-12-06 20:14:01 +01:00
frack113 07560e61a0 Add redcannary T1007 2021-12-06 18:56:25 +01:00
Florian Roth 0665cc6223 rule: add user to remote desktop users 2021-12-06 18:29:50 +01:00
frack113 adec878e22 add win_pc_susp_rundll32_script_run 2021-12-04 20:32:42 +01:00
frack113 452750dd05 Fix from reference 2021-12-04 20:25:28 +01:00
frack113 e215f4606b Order rules 2021-12-04 10:07:07 +01:00
frack113 5e0326f461 Merge pull request #2376 from frack113/fix_FP (Fix some FP) 2021-12-04 08:57:58 +01:00
frack113 6f5271275e Merge pull request #2367 from phantinuss/noallofthem (feat: discourage the usage of 'all of them') 2021-12-04 08:16:53 +01:00
frack113 4dbf10017d Add FP on new windows 10 VM 2021-12-03 17:31:59 +01:00
Florian Roth 6852e56ff5 refactor: increase level to high - BITSADMIN PowerShell combo 2021-12-03 15:48:26 +01:00
Florian Roth 34c697cead Merge pull request #2370 from redsand/fix_fp_in_cmdline (Fixing false positive when cmd.exe is called with full path) 2021-12-02 16:56:55 +01:00
Tim Shelton 384862b906 When command begins with C:\Windows\System32\cmd.exe it will always match susp_del_exe # ex - C:\Windows\System32\cmd.exe" /c del /f /q "C:\Program Files (x86)\Software Package\Client\tmpDir\" 2021-12-02 15:13:23 +00:00
phantinuss 07a0a37273 feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:47:39 +01:00
Tim Shelton 86250b4acb fixing lint err 2021-12-01 18:15:39 +00:00
Tim Shelton 3aca9ad2ef fixing false positive due to direct calls to xcopy and cmd.exe 2021-12-01 18:01:36 +00:00
frack113 30a5838514 Merge pull request #2359 from phantinuss/master (Add dll+exe files to rule because of CVE-2020-1599) 2021-12-01 16:46:04 +01:00
frack113 04d90ee007 Merge pull request #2350 from redsand/fp_format_list (Filtering false positives of static arguments to wmic /format) 2021-12-01 16:29:47 +01:00
phantinuss 1150e07121 fix: typo 2021-12-01 15:14:43 +01:00
Florian Roth f75ffb6141 Merge pull request #2358 from SigmaHQ/rule-devel (rules: addition to APT UserAgents, new: NPPSpy Hacktool Usage) 2021-12-01 15:10:17 +01:00
frack113 80a1b02fe5 Update win_renamed_binary.yml 2021-12-01 06:54:30 +01:00
Matthew Green 0384f8fb52 Update win_renamed_binary.yml 2021-12-01 15:07:06 +11:00
Tim Shelton fa26f5f7f5 simplifying format 2021-11-30 14:21:38 +00:00
Florian Roth a4a2654050 Merge pull request #2349 from redsand/fix_xor_false_positive (adding false positive filter for amazon ssm-document-worker) 2021-11-30 14:11:34 +01:00
frack113 03e549e335 Fix FP Kaspersky Security Center Web Console 2021-11-30 10:36:12 +01:00
Tim Shelton 14f11c905d adding additional entries that are static 2021-11-29 23:02:48 +00:00
Tim Shelton 44f791680f adding filter for FP /Format:List which is a specific format 2021-11-29 22:57:26 +00:00
Florian Roth 20b5c0bb5d Merge pull request #2347 from redsand/sysmon_logon_scripts_userinitmprlogonscript_proc (Sysmon logon scripts userinitmprlogonscript proc) 2021-11-29 23:25:16 +01:00
Florian Roth 2da59406b7 Merge pull request #2344 from frack113/dfir_20211129 (add win_pc_susp_regsvr32_image) 2021-11-29 23:24:45 +01:00
Tim Shelton 0c283ab767 adding false positive filter for amazon ssm-document-worker 2021-11-29 21:51:19 +00:00
Tim Shelton c20a6daa73 adding wildcard to netlogon to be a bit more inclusive. 2021-11-29 19:59:26 +00:00
Florian Roth b8985a222f fix: FPs noticed with Aurora 2021-11-29 16:13:24 +01:00
frack113 09712e7388 add win_pc_susp_regsvr32_image 2021-11-29 16:05:53 +01:00
Florian Roth 80485d94f2 docs: Tscon description change 2021-11-29 13:07:39 +01:00
Florian Roth 1ab0dd7100 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-29 11:40:47 +01:00
Florian Roth ede058b4fd Update win_malware_emotet.yml 2021-11-29 11:38:28 +01:00
Florian Roth 47d8de37b7 Merge pull request #2340 from SigmaHQ/rule-devel (rule: whoami as parameter) 2021-11-29 10:56:03 +01:00