security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15,089 Commits 1 Branch 57 Tags
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
Commit Graph

15089 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth c8fef4d093 fix: removed unnecessary lists 2018-07-07 15:43:56 -06:00
Florian Roth dea019f89d fix: some threat levels adjusted 2018-07-07 13:00:23 -06:00
Florian Roth 9ce8630a27 Merge pull request #102 from yt0ng/patch-4 
MSHTA spwaned by SVCHOST as seen in LethalHTA
 2018-07-07 12:59:00 -06:00
yt0ng 6a014a3dc8 MSHTA spwaned by SVCHOST as seen in LethalHTA 
"Furthermore it can be detected by an mshta.exe process spawned by svchost.exe."
 2018-07-06 19:52:58 +02:00
Florian Roth ed470feb21 Merge pull request #99 from yt0ng/master 
Detects ImageLoad by uncommon Image
 2018-07-06 10:11:02 -06:00
yt0ng b21afc3bc8 user subTee was removed from Twitter 2018-07-04 17:29:05 +02:00
yt0ng f84c33d005 Known powershell scripts names for exploitation 
Detects the creation of known powershell scripts for exploitation
 2018-07-04 17:24:18 +02:00
Florian Roth 7867838540 fix: typo in rule description 2018-07-03 05:05:44 -06:00
Florian Roth e7465d299f fix: false positive with MsMpEng.exe and svchost.exe as child process 2018-07-03 05:05:44 -06:00
Thomas Patzke 0cdfc776de Sigma tools release 0.5 0.5 2018-07-03 00:07:43 +02:00
Thomas Patzke 3e40a48ce1 Merge branch 'SaltyHash123-master' 2018-07-02 23:31:43 +02:00
Thomas Patzke 0bacba05aa Added backend 'splunkxml' to CI tests 2018-07-02 23:20:02 +02:00
Thomas Patzke 67158ba1d2 Merge branch 'master' of https://github.com/SaltyHash123/sigma into SaltyHash123-master 2018-07-02 23:14:04 +02:00
yt0ng 42941ee105 Detects ImageLoad by uncommon Image 
Process Hollowing Described by SubTee using notepad https://twitter.com/subTee/status/1012657434702123008
 2018-07-01 15:47:17 +02:00
Florian Roth 48582a1c93 Bugfix in Flash Downloader Rule 2018-06-30 23:39:38 +02:00
Florian Roth 2a74a62c67 Config file for SPARK scanner 2018-06-29 16:42:16 +02:00
Florian Roth c3bf968462 High FP Rule 2018-06-29 16:01:46 +02:00
Florian Roth c26c3ee426 Trying to fix rule 2018-06-28 16:39:47 +02:00
Florian Roth fa98595ad6 Added SPARK Sigma rule scan feature to list 2018-06-28 16:28:07 +02:00
Florian Roth 9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
Florian Roth 336f4c83e0 Merge pull request #97 from scherma/patch-1 
False positive circumstance
 2018-06-27 23:18:56 +02:00
scherma 19ba5df207 False positive circumstance 2018-06-27 21:14:38 +01:00
Florian Roth 86e6518764 Changed (any) statements to (not null) to comply with the newest specs 2018-06-27 20:57:58 +02:00
Florian Roth a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth 9705366060 Adjusted some rules 2018-06-27 16:54:44 +02:00
Florian Roth fc72bd16af Fixed bugs 2018-06-27 09:20:41 +02:00
Thomas Patzke c3d582bc13 Cleanup 2018-06-26 23:37:21 +02:00
Florian Roth 5843fe2590 Update README.md 2018-06-25 18:59:36 +02:00
Florian Roth 467b8c80f4 Update README.md 2018-06-25 18:58:05 +02:00
Florian Roth 2ae57166ac Updated README 2018-06-25 18:29:02 +02:00
Florian Roth 3283c52c0f Added WDATP in the list of supported backends 2018-06-25 18:09:21 +02:00
Florian Roth f4b150def8 Rule: Powershell remote thread creation in Rundll32 2018-06-25 15:23:19 +02:00
Florian Roth 1a1011b0ad Merge pull request #96 from yt0ng/master 
Detects the creation of a schtask via PowerSploit Default Configuration
 2018-06-23 17:15:14 +02:00
yt0ng c59d0c7dca Added additional options 2018-06-23 15:54:31 +02:00
yt0ng cc3fd9f5d0 Detects the creation of a schtask via PowerSploit Default Configuration 
https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
 2018-06-23 15:45:58 +02:00
Roey 14464f8c79 Added support of splunk dashboards (xml) 2018-06-22 14:17:58 +02:00
Florian Roth 28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke 7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke d8e036f737 sigmac: Parameter for ignoring "not supported" errors 
Used to pass tests with complete rule set that would fail for backends
which target systems don't support required features.
 2018-06-22 00:23:59 +02:00
Thomas Patzke 31727b3b25 Added Windows Defender ATP backend 
Missing:
* Aggregations
 2018-06-22 00:03:10 +02:00
Thomas Patzke df6ad82770 Removed redundant attribute from rule 
EventID 4657 already implies the modification.
 2018-06-21 23:59:55 +02:00
Thomas Patzke e72c0d5de4 SingleTextQueryBackend ignores empty components in composed queries 
Example: one component of a AND-composition is ignored if invoked
generate* call returns None.
 2018-06-21 23:59:41 +02:00
Thomas Patzke d8a7bcad39 Reordered rule generation 
Generation of query parts before and after main query gives access to
information possibly gathered while main query generation.
 2018-06-21 23:50:13 +02:00
Florian Roth b05856eae1 Rule: Update suspicious TLD downloads 2018-06-13 00:08:46 +02:00
Florian Roth 3d52030391 Changed help text for -r flag 2018-06-13 00:08:46 +02:00
Florian Roth 946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth 7edd95744a Windows NTLM 2018-06-13 00:08:46 +02:00
Florian Roth e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth c9658074dd Removed "not yet implemented" comment from -r flag 2018-06-13 00:08:46 +02:00
Florian Roth df2745ec6c Merge pull request #92 from yt0ng/patch-2 
Update proxy_ua_apt.yml
 2018-06-10 10:29:16 +02:00