Commit Graph

7886 Commits

Author SHA1 Message Date
Florian Roth df0d93baa0 Merge pull request #2805 from ionsor/patch-4
Update win_dcsync.yml
2022-03-15 16:02:17 +01:00
Florian Roth dd5e10c2f5 Merge pull request #2803 from redsand/fp_remote_powershell_valid_call_ms_archive
FP on valid remote call of Powershell Archive.psm1, maybe beneficial …
2022-03-15 12:53:40 +01:00
Feathers 8014c477cd Update win_dcsync.yml
Added a more detailed source on this detection.
Also included the AccessMask corresponding to “control access” that is specifically registered when access is allowed following extended rights verification (typically associated with the use of high level and explicit permissions that are required to initiate the DCSync attack) as is described in the Black Lantern Security blog post.
Added 3 other GUIDs that correspond to:
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes
9923a32a-3607-11d2-b9be-0000f87a36b2 - DS-Install-Replica
89e95b76-444d-4c62-991a-0facbeda640c - DS-Replication-Get-Changes-In-Filtered-Set
2022-03-15 12:37:07 +01:00
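Added example, not part of the commit or of the SigmaHQ rule set: the detection logic the commit above describes, run over constructed Windows Security 4662 ("An operation was performed on an object") events. The commit names the "control access" mask without giving its value; the 0x100 bit used here, the Event ID 4662, the DS-Replication-Get-Changes-All GUID (1131f6ad-...) alongside the three GUIDs listed, and the exclusion of machine accounts and MSOL_ accounts as expected replicators are all assumptions drawn from how DCSync detections are commonly built, not from the page. All field names are as logged by 4662; the event values are made up.

```python
# Added example (not SigmaHQ's code): triage Windows Security 4662 events for the
# DCSync pattern described in the commit. Assumptions are marked in comments.
from typing import Dict, List, Tuple

# Extended rights whose GUIDs the commit lists, plus DS-Replication-Get-Changes-All
# (1131f6ad-...), the right DCSync detections usually key on first (assumption).
REPLICATION_RIGHTS = {
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# 4662 AccessMask bit for "Control Access" (set when an extended-right check passed).
# The commit names the mask but not its value; 0x100 is assumed here.
CONTROL_ACCESS = 0x100

Event = Dict[str, str]


def matched_replication_rights(event: Event) -> List[str]:
    """Names of the replication extended rights referenced in the event's Properties."""
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_expected_replicator(subject: str) -> bool:
    """Accounts that replicate legitimately: DC machine accounts (trailing '$') and
    the Azure AD Connect MSOL_ service account. Exclusion list is an assumption."""
    return subject.endswith("$") or subject.upper().startswith("MSOL_")


def is_dcsync_candidate(event: Event) -> Tuple[bool, List[str]]:
    """Return (hit, rights). A hit needs Event ID 4662, the Control Access bit,
    at least one replication GUID, and a subject that is not an expected replicator."""
    if event.get("EventID") != "4662":
        return False, []
    try:
        mask = int(event.get("AccessMask", "0x0"), 16)  # AccessMask is logged as hex text
    except ValueError:
        return False, []
    if not mask & CONTROL_ACCESS:
        return False, []
    rights = matched_replication_rights(event)
    if not rights:
        return False, []
    if is_expected_replicator(event.get("SubjectUserName", "")):
        return False, rights
    return True, rights


def find_dcsync(events: List[Event]) -> List[Tuple[str, List[str]]]:
    """Flagged subjects in a batch of events, with the rights each one exercised."""
    hits = []
    for ev in events:
        hit, rights = is_dcsync_candidate(ev)
        if hit:
            hits.append((ev.get("SubjectUserName", ""), rights))
    return hits


# Constructed sample events: 4662 field names, made-up values.
SAMPLE_EVENTS: List[Event] = [
    {   # DC-to-DC replication by a machine account: expected, not flagged
        "EventID": "4662", "SubjectUserName": "DC02$", "AccessMask": "0x100",
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # user account passing the extended-right check for replication: DCSync pattern
        "EventID": "4662", "SubjectUserName": "jdoe", "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # same GUID, but a different access bit (0x10, Read Property): not flagged
        "EventID": "4662", "SubjectUserName": "jdoe", "AccessMask": "0x10",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # Control Access on an unrelated extended right (placeholder GUID): not flagged
        "EventID": "4662", "SubjectUserName": "svc-backup", "AccessMask": "0x100",
        "Properties": "{00000000-0000-0000-0000-000000000000}",
    },
]

if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"DCSync candidate: {subject} -> {', '.join(rights)}")
```

Checking the Control Access bit together with the GUID is the point of the commit: a 4662 that merely references a replication GUID under a read mask is not the extended-right check that a DCSync requires.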
Tim Shelton bda0f3cfe0 FP on valid remote call of Powershell Archive.psm1, maybe beneficial to filter all powershell modules in future 2022-03-14 22:23:06 +00:00
Florian Roth e3398dbbec Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-03-14 12:01:55 +01:00
Florian Roth 9beafefe52 rules: suspicious linux patterns 2022-03-14 12:01:52 +01:00
Florian Roth 7ee62d7f69 Merge branch 'master' into rule-devel 2022-03-14 11:38:44 +01:00
Florian Roth a9b7c365cd docs: adjusted description 2022-03-13 23:30:44 +01:00
Florian Roth 7e0928233b refactor: split up lsass access rule in two
- one with level medium that contains all access attempts using 0x410, 0x1410 and 0x1040
- all other access masks remain in the original rule
2022-03-13 23:29:54 +01:00
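Added example, not part of the commit or of the SigmaHQ rule set: a small triage routine for the lsass access split described above. It decodes the GrantedAccess mask of constructed Sysmon Event ID 10 (ProcessAccess) records into the named PROCESS_* rights from the Windows SDK, routes the three masks the commit names (0x410, 0x1410, 0x1040) to the new medium-level rule, and sends every other mask to the original rule. That the events are Sysmon Event ID 10 with a GrantedAccess field, and the label "original" for the other rule (the commit does not state its level), are assumptions; the rights table is from winnt.h.

```python
# Added example (not SigmaHQ's code): decode Sysmon Event ID 10 GrantedAccess masks
# on lsass.exe and route them to the two rules described in the commit.
from typing import Dict, List, Optional, Tuple

# Process-specific access rights and generic standard rights (winnt.h).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
KNOWN_BITS = sum(PROCESS_RIGHTS)

# The masks the commit moved into the new level-medium rule.
MEDIUM_MASKS = {0x410, 0x1410, 0x1040}


def decode_access(mask: int) -> List[str]:
    """Expand a GrantedAccess value into the named rights it contains; any bits
    not in the table are reported as a hex remainder."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def triage_lsass_access(event: Dict[str, str]) -> Optional[Tuple[str, List[str]]]:
    """Return (rule, rights) for a ProcessAccess event on lsass.exe, or None when
    the record is not a Sysmon Event ID 10 on lsass. 'medium' is the commit's new
    rule; 'original' stands for the rule that keeps all other masks (assumed label)."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    try:
        mask = int(event.get("GrantedAccess", "0x0"), 16)  # logged as hex text
    except ValueError:
        return None
    rule = "medium" if mask in MEDIUM_MASKS else "original"
    return rule, decode_access(mask)


def triage_all(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(rule, SourceImage) for every lsass access in a batch."""
    out = []
    for ev in events:
        result = triage_lsass_access(ev)
        if result is not None:
            out.append((result[0], ev.get("SourceImage", "")))
    return out


# Constructed sample events: Sysmon Event ID 10 field names, made-up values.
SAMPLE_EVENTS = [
    {"EventID": "10", "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": "10", "SourceImage": "C:\\Users\\Public\\pd.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": "10", "SourceImage": "C:\\Windows\\System32\\taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "10", "SourceImage": "C:\\Windows\\explorer.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = triage_lsass_access(ev)
        if result:
            print(f"{result[0]:8} {ev['SourceImage']} -> {' | '.join(result[1])}")
```

Decoding the masks shows why the split makes sense: 0x410 and 0x1410 are query-information plus VM_READ, which many legitimate agents request, whereas a mask carrying PROCESS_VM_WRITE or PROCESS_CREATE_THREAD is a different class of access.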
Florian Roth ed8d7b36eb Merge pull request #2799 from frack113/fp_update
WindowsUpdate FP
2022-03-13 23:17:54 +01:00
frack113 c5263039ae Merge pull request #2798 from frack113/moonbounce
Add proc_creation_win_wmic_remote_command
2022-03-13 22:22:10 +01:00
frack113 c5c72124b1 WindowsUpdate FP 2022-03-13 19:22:08 +01:00
Florian Roth 70954c8153 Update proc_creation_win_wmic_remote_command.yml 2022-03-13 13:22:10 +01:00
frack113 06f51aecf5 Add proc_creation_win_wmic_remote_command 2022-03-13 12:21:00 +01:00
frack113 283246cdd0 Fix selection_tools 2022-03-12 11:15:10 +01:00
frack113 0bab1f19a9 Add proc_creation_win_network_scan_loop 2022-03-12 10:53:12 +01:00
Florian Roth 52f2b7f966 Merge pull request #2795 from SigmaHQ/rule-devel
refactor: lsass dump files names, new: NTDS.dit exfiltration activity
2022-03-11 20:56:06 +01:00
Florian Roth 1141f00480 fix: more lists with only one parameter 2022-03-11 20:11:06 +01:00
Florian Roth 1691f09099 fix: list with one item 2022-03-11 20:00:33 +01:00
Florian Roth c843293e47 rules: NTDS.DIT exfiltration 2022-03-11 18:14:09 +01:00
Florian Roth b96d30acc7 docs: adjustments 2022-03-11 18:13:54 +01:00
Florian Roth d033831e98 refactor: increased level of ntdsutil usage 2022-03-11 17:04:58 +01:00
Florian Roth eb2f620089 fix: FP with Suspicious Schtasks rule 2022-03-11 17:04:33 +01:00
Paul Hager 1fb583b225 fix: FP fix 2022-03-11 11:46:25 +01:00
frack113 94d7ef2e7f Merge pull request #2790 from frack113/malware_dropper
Add file_event_win_susp_dropper
2022-03-11 06:27:49 +01:00
Florian Roth 1c9fefc478 refactor: add iocs to lsass dump files names 2022-03-10 21:03:16 +01:00
frack113 3cb0640192 Add file_event_win_susp_dropper 2022-03-09 20:56:35 +01:00
phantinuss 587691cdc1 fix: FPs found in production environment 2022-03-09 16:22:33 +01:00
Florian Roth 187ce70e4e refactor: schtasks creation, based on parent proc 2022-03-09 08:49:23 +01:00
Florian Roth c2e6adda9d docs: changed UltraVNC flags rule < Gamaredon 2022-03-09 08:17:14 +01:00
frack113 d27a6b63a6 Merge pull request #2787 from frack113/refactor_regex
Refactor regex
2022-03-09 06:42:02 +01:00
frack113 c6d37d4a78 fix yaml 2022-03-08 19:14:46 +01:00
frack113 5938569d3e Refactor regex 2022-03-08 19:07:37 +01:00
Florian Roth cd2b9a36f0 Merge pull request #2762 from redsand/fp_windows_shell_spawn_suspicious_program
Adding false positive filters for tenable nessus and amazon workspace
2022-03-08 18:37:35 +01:00
Florian Roth 50615f807c fix: indentation 2022-03-08 17:47:20 +01:00
Florian Roth 2ef5930e66 Merge pull request #2786 from SigmaHQ/rule-devel
fix: unused filter
2022-03-08 09:48:45 +01:00
Florian Roth 5e360806fc filter adjustments 2022-03-08 09:48:32 +01:00
Florian Roth d872b5a329 Merge pull request #2785 from d4rk-d4nph3/master
Added HermeticWiper IoC for Suspicious Call by Ordinal
2022-03-08 09:46:33 +01:00
Florian Roth ffd4470079 Merge pull request #2784 from frack113/refactor_regex
Refactor regex
2022-03-08 09:46:19 +01:00
Florian Roth 91a7b5a304 Merge branch 'master' into pr/2785 2022-03-08 08:43:59 +01:00
Florian Roth f6d5c1645b fix: unused filter
https://github.com/SigmaHQ/sigma/commit/df48b60cb47e9ca868ae4e7703f227500b6ad5da#commitcomment-68196360
2022-03-08 08:41:53 +01:00
Bhabesh f8593638a8 Fixing name to HermeticWizard 2022-03-08 10:44:43 +05:45
Bhabesh 63dd632af9 Added HermeticWiper IoC for Suspicious Call by Ordinal 2022-03-08 10:42:37 +05:45
frack113 143f5fe4e2 Fix yml 2022-03-07 19:37:33 +01:00
frack113 f9c0e21323 Refactor regex 2022-03-07 19:08:30 +01:00
Florian Roth 9824a9c0d5 Merge branch 'master' into rule-devel 2022-03-07 18:30:21 +01:00
Florian Roth eebd0439e8 Merge pull request #2782 from phantinuss/master
Increase Rule status
2022-03-07 18:15:04 +01:00
Florian Roth 5befed1fac fix: adjusted rules that use utf16le, extended others 2022-03-07 18:14:29 +01:00
Florian Roth 87f08c32f8 Merge pull request #2781 from SigmaHQ/rule-devel
Imphash rule adjustments
2022-03-07 18:01:49 +01:00
phantinuss 48922db480 chore: increase rule status 2022-03-07 17:11:00 +01:00