Commit Graph

1837 Commits

Author SHA1 Message Date
Florian Roth 17fb418271 Merge pull request #1817 from SigmaHQ/rule-devel
rules: ProxyShell refactoring and new rule
2021-08-10 08:18:32 +02:00
Florian Roth dbf8aecd83 fix: typo in cmdlet name 2021-08-09 18:05:51 +02:00
Florian Roth a9ad4eda4a rules: ProxyShell refactoring and new rule 2021-08-09 17:57:34 +02:00
frack113 dd2aa8706d Merge pull request #1786 from j91321/anydesk
Silent installation of AnyDesk (Conti)
2021-08-09 08:57:32 +02:00
frack113 bacb44ab97 Merge pull request #1780 from Sam0x90/master
Adding detection rule for esentutl utility
2021-08-07 16:23:45 +02:00
frack113 f75f8fabab fix file name 2021-08-07 15:54:43 +02:00
frack113 07d21c58e8 Update process_susp_esentutl_params.yaml 2021-08-07 15:49:25 +02:00
frack113 89ee63f63b Merge pull request #1791 from SigmaHQ/rule-devel
More rules - including the ones for ProxyShell
2021-08-07 11:49:16 +02:00
Florian Roth 88a721a1ab docs: add space in title 2021-08-07 10:13:05 +02:00
Florian Roth 1dcf25878c Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-07 10:10:48 +02:00
Florian Roth 0a8904a61e fix: issues with new rule 2021-08-07 10:10:12 +02:00
frack113 5f89a29ea7 fix file name 2021-08-07 10:01:23 +02:00
Florian Roth 1ac49a2055 rule: ProxyShell patterns 2021-08-07 09:22:24 +02:00
Florian Roth c0360cd1ca change name and line breaks 2021-08-06 18:53:08 +02:00
Florian Roth 7de55075f7 fix: condition 2021-08-06 18:45:38 +02:00
Florian Roth d69e2333c8 various fixes 2021-08-06 18:44:54 +02:00
Florian Roth e02b85dc99 '--start-with-win' is pretty specific 2021-08-06 18:41:14 +02:00
Ján Trenčanský 2f3b48c347 Fix title 2021-08-06 14:18:30 +02:00
Ján Trenčanský 516e1ade6d Silent installation of AnyDesk 2021-08-06 14:06:35 +02:00
Sam0x90 96911e55b9 Adding detection rule for esentutl utility
Used by Conti affiliates to target NTDS file and MSEdge info
2021-08-06 00:55:57 +04:00
Florian Roth eb247704fe Merge pull request #1761 from d4rk-d4nph3/master
Added rule for Cabinet file expansion and Pypykatz
2021-08-05 15:50:12 +02:00
Florian Roth c44b22b52f Merge pull request #1762 from frack113/redcanary_collection
[OSCD] Redcanary TA0009 collection
2021-08-05 15:49:10 +02:00
Florian Roth a04aa6ac49 rule: ADCSPwn 2021-07-31 10:18:21 +02:00
frack113 f9aff7d403 fix product sysmon_apt_sourgrum.yml 2021-07-30 16:02:38 +02:00
Bhabesh Rai 9131ed6db5 Added rule for Cabinet file expansion 2021-07-30 12:36:05 +05:45
frack113 ccaffc79f7 update ref win_susp_psr_capture_screenshots.yml 2021-07-30 08:40:21 +02:00
frack113 dfa28944d0 update ref in sysmon_creation_mavinject_dll.yml 2021-07-30 08:31:37 +02:00
frack113 eff6b50a89 add process_creation_susp_recon.yml 2021-07-30 08:15:13 +02:00
Florian Roth ec9c15226f SeriousSAM PowerShell rule 2021-07-29 18:12:10 +02:00
Florian Roth 77c8225db3 Merge pull request #1745 from frack113/redcanary_t1115
[OSCD] process_creation_clip.yml t1115
2021-07-28 16:24:15 +02:00
Florian Roth c3eced4ae7 Merge pull request #1748 from frack113/update_win_susp_rar_flags.yml
update win_susp_rar_flags.yml
2021-07-28 16:23:14 +02:00
Florian Roth dc4380d459 Merge pull request #1750 from frack113/redcanary_t1560.001_winzip
[OSCD] Redcanary t1560.001 winzip
2021-07-28 16:22:48 +02:00
Florian Roth 321a15d004 Merge pull request #1751 from frack113/redcanary_t1560.001_7zip
[OSCD] Redcanary t1560.001 7z
2021-07-28 16:22:31 +02:00
Florian Roth 6d5e695cd1 Merge pull request #1753 from frack113/redcanary_t1119
Redcanary t1119
2021-07-28 16:21:40 +02:00
frack113 8a885dd098 add process_creation_automated_collection.yml 2021-07-28 13:17:40 +02:00
Florian Roth 87a911a15e Update process_creation_susp_7z.yml 2021-07-27 16:02:09 +02:00
Florian Roth 428995d00e Update process_creation_susp_7z.yml 2021-07-27 15:24:39 +02:00
Florian Roth c31bc05aae Update process_creation_susp_7z.yml 2021-07-27 15:22:44 +02:00
frack113 54e6e36ecc add process_creation_susp_7z.yml 2021-07-27 12:54:39 +02:00
Florian Roth ee85fdfa3f Merge pull request #1749 from SigmaHQ/rule-devel
CobaltStrike Process Patterns and minor fixes
2021-07-27 12:52:22 +02:00
Florian Roth 5d039dd138 rule: Cobalt Strike patterns 2021-07-27 11:24:40 +02:00
frack113 ea56db2bed forgot date field 2021-07-27 11:09:35 +02:00
frack113 227e4bca13 add process_creation_susp_winzip.yml 2021-07-27 10:57:32 +02:00
frack113 8b82fbf36b update detection 2021-07-27 10:34:46 +02:00
Florian Roth 90ca1a8ad2 fix: bug in author field (cannot be a list) 2021-07-27 10:14:53 +02:00
Florian Roth 1a538371c9 fix: bug in author field (not list) 2021-07-27 10:14:03 +02:00
frack113 8aa79b9d86 add process_creation_clip.yml 2021-07-27 08:50:03 +02:00
Florian Roth 21c4d241a1 HiveNightmare and Relay attack tools adjustments 2021-07-26 10:59:35 +02:00
John Lambert 2b57f95e72 Update win_grabbing_sensitive_hives_via_reg.yml 2021-07-24 18:17:27 -05:00
John Lambert da6e747547 cover evasions from unicode substitutions
Add variations to cover unicode substitutions to avoid evasion.

> Unicode contains a range for Spacing Modifier Letters (0x02B0 - 0x02FF) [4], which includes characters such as ˪, ˣ and ˢ. Some command-line parsers recognise these as letters and convert them back to l, x and s respectively. 

See (https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation) by @Wietze
2021-07-24 10:33:15 -05:00