security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6,344 Commits 1 Branch 57 Tags
e5cd850640355a32f4cfeaac0355b32477b80098
Commit Graph

84 Commits

Author SHA1 Message Date
Florian Roth 3f46d0ea28 Update sysmon_outlook_newform.yml 2021-06-10 17:41:57 +02:00
Tobias Michalski 1f52763878 Removed EventIDs 2021-06-10 16:41:00 +02:00
Tobias Michalski e8c38a9d6c Renamed file to all lowercase 2021-06-10 16:35:02 +02:00
Florian Roth 71625c54f0 Merge pull request #1514 from SigmaHQ/rule-devel 
ProcessHacker rule, NCCGroup rclone rules
 2021-05-27 16:30:30 +02:00
Florian Roth 7ce7095c2c fix: title with lower case letters 2021-05-27 15:01:32 +02:00
Florian Roth 1bf9546fad Merge pull request #1482 from ZikyHD/improve_sysmon_creation_system_file 
Exclude dism.exe
 2021-05-27 12:53:27 +02:00
Florian Roth c0b93a010c NCCGroup rules from rclone blog post 
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 2021-05-27 12:49:40 +02:00
frack113 0a588a1ecc Fix falsepositives list 2021-05-21 12:33:50 +02:00
SomeOne a93acbbe03 Exclude dism.exe 2021-05-16 15:23:31 +02:00
Florian Roth 451f25910d Merge pull request #1430 from Scoubi/patch-1 
Create win_Outlook_C2_Macro_Creation.yml
 2021-05-04 12:27:56 +02:00
Florian Roth 8973b573bd Update and rename rules/windows/other/win_Outlook_C2_Macro_Creation.yml to rules/windows/file_event/win_outlook_c2_macro_creation.yml 2021-05-04 09:36:26 +02:00
Steven d263b937b4 Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 02:02:25 +02:00
Steven 7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs 
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
 2021-04-15 01:40:31 +02:00
Thomas Patzke 3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
Thomas Patzke 90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
Anton Kutepov d7ef865bb9 Merge remote-tracking branch 'upstream/master' and fix conflicts 2021-03-07 23:36:13 +03:00
Florian Roth 73a3a1e5cd Merge pull request #1360 from d4rk-d4nph3/master 
Added sigma rule for vSphere RCE CVE-2021-21972
 2021-03-03 09:32:05 +01:00
Bhabesh Rai 56eed19fba Added rules for successful exploitation fo CVE-2021-26857/8 in Exchannge 2021-03-03 12:46:50 +05:45
Anton Kutepov 3f45269296 Merge branch 'oscd' 
B
B
B
B
A
 2021-03-02 22:58:41 +03:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
yugoslavskiy 70eff4b1fc Merge pull request #1219 from ryanplasma/rplas-SIGMA-547-page-37 
[OSCD] Add Files Dropped to Program Files by Non-Priviledged Process Rule
 2021-01-06 00:22:57 +03:00
yugoslavskiy c71e0ae0ea Merge pull request #1209 from vburov/patch-15 
[OSCD] Create win_susp_multiple_files_renamed_or_deleted.yml
 2021-01-06 00:19:41 +03:00
yugoslavskiy 1cfc0d17ef Merge pull request #1141 from omkar72/oscd-6 
[OSCD] suspicious clr logs creation
 2021-01-05 23:22:36 +03:00
Vasiliy Burov cf8d195c5c Update win_susp_multiple_files_renamed_or_deleted.yml 2020-11-30 11:49:42 +03:00
Jonhnathan 9a5b17f2bb Remove additional backslash 2020-11-19 23:04:26 -03:00
Jonhnathan f79caba72a Remove additional backslash 2020-11-19 22:58:50 -03:00
Ryan Plas d4d694b4da Logic fix for sysmon_non_priv_program_files_move 2020-11-10 10:01:47 -05:00
Vasiliy Burov 903ce08277 Update win_susp_multiple_files_renamed_or_deleted.yml 2020-11-01 14:21:27 +03:00
Roberto Rodriguez 972326f761 A few more - 7 Rules 2020-10-29 21:11:41 -04:00
Vasiliy Burov ab60fdcef4 Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-29 23:38:22 +03:00
Vasiliy Burov 683824ee46 Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-29 11:44:45 +03:00
Vasiliy Burov d743cbbe4b Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-29 11:14:43 +03:00
Vasiliy Burov d90ec67cce Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-28 11:44:21 +03:00
Vasiliy Burov 2d2464ba22 Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-28 11:20:26 +03:00
Vasiliy Burov fdbd8de219 Revert "Update win_susp_multiple_files_renamed_or_deleted.yml" 
This reverts commit eb166222bd.
 2020-10-28 10:51:18 +03:00
Vasiliy Burov 00f1326ae6 Revert "Update win_susp_multiple_files_renamed_or_deleted.yml" 
This reverts commit 64e48ed94d.
 2020-10-28 10:50:53 +03:00
Jonhnathan 3477866451 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 2020-10-27 22:10:17 -03:00
Jonhnathan ebb84486f5 Update sysmon_susp_adsi_cache_usage.yml 2020-10-27 22:04:31 -03:00
Jonhnathan 182b12614b Update sysmon_quarkspw_filedump.yml 2020-10-27 22:02:47 -03:00
Vasiliy Burov 64e48ed94d Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-27 23:33:56 +03:00
Vasiliy Burov eb166222bd Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-27 23:15:28 +03:00
Vasiliy Burov 172c619719 Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-27 22:50:09 +03:00
Vasiliy Burov edede617cf Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-27 22:36:12 +03:00
Vasiliy Burov 515c4dd9cd Added some false positives issues 2020-10-27 20:35:22 +03:00
Vasiliy Burov 66965cec33 Added some false positives issues 2020-10-27 17:31:46 +03:00
Vasiliy Burov b84fc7850c Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-26 13:48:19 +03:00
Vasiliy Burov 779596334c Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-26 12:35:16 +03:00
Vasiliy Burov 6da58584c5 Update win_susp_multiple_files_renamed_or_deleted.yml 
Added an issue into 'falsepositives' section.
 2020-10-26 12:14:59 +03:00
Vasiliy Burov 093941778b Update and rename win_susp_multiple_files_renamed.yml to win_susp_multiple_files_renamed_or_deleted.yml 2020-10-22 15:57:29 +03:00
Vasiliy Burov 3a2c1d213a Update win_susp_multiple_files_renamed.yml 2020-10-20 19:25:31 +03:00