Commit Graph

1658 Commits

Author SHA1 Message Date
Florian Roth e5cd850640 Merge pull request #1556 from frack113/PR_617_V2
Fix all the rules to pass the test
2021-06-16 08:22:51 +02:00
Hasan 8196fbaada Parenthesis for condition statement 2021-06-16 10:41:52 +05:00
Hasan 1114a25a2c Removal of NODE from ALL filter for better coverage 2021-06-15 17:07:51 +05:00
Hasan 82bcfb29c3 Addition of Safemode flags 2021-06-15 17:07:02 +05:00
frack113 558bcd5ceb Fix all the rules to pass the test 2021-06-14 07:33:26 +02:00
Tobias Michalski 54e98c8441 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 16:41:22 +02:00
Tobias Michalski e8c38a9d6c Renamed file to all lowercase 2021-06-10 16:35:02 +02:00
Florian Roth 83dddf99b4 Update win_exchange_TransportAgent.yml 2021-06-10 16:07:22 +02:00
Florian Roth cd0531b345 fix: removed process_creation log source 2021-06-10 15:37:00 +02:00
Tobias Michalski 3970934252 Switched EventID:1 to category: process_creation 2021-06-10 14:13:29 +02:00
Florian Roth 5e35e387dd Merge pull request #1549 from SigmaHQ/rule-devel
Rule devel
2021-06-10 10:19:47 +02:00
Florian Roth 78817d100b style: removed unneeded space chars 2021-06-10 09:42:19 +02:00
Andreas Hunkeler 2d44803bf5 Revert renaming of ngrok rule
Initially the rule had only a detection for RDP, but after my last commits we have more ports in the detections, so the previous generic name is better.
2021-06-08 13:09:35 +02:00
Florian Roth 07176ddb25 Merge pull request #1541 from frack113/win_tamper_with_windows_defender
Windows tamper with windows defender
2021-06-08 11:02:14 +02:00
frack113 0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00
Andreas Hunkeler cea2d5cd81 Add modified date to ngrok rule 2021-06-07 18:17:17 +02:00
Andreas Hunkeler e1ef13bb24 Update ngrok usage rule
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
2021-06-07 17:20:18 +02:00
Florian Roth d41825766a Merge pull request #1529 from SigmaHQ/rule-devel
fix: FPs with Volume Shadow Copy Service Keys
2021-06-03 20:49:31 +02:00
Florian Roth 4d7b3b7afe Merge pull request #1530 from Karneades/patch-1
Add further detections to shadow copies deletion
2021-06-03 13:51:00 +02:00
Florian Roth 11eca86be3 Update process_creation_c3_load_by_rundll32.yml 2021-06-03 12:44:47 +02:00
Florian Roth 151d120a24 Update process_creation_SDelete.yml 2021-06-03 12:40:55 +02:00
frack113 ba0f2e6b16 Add windows T1485 SDelete 2021-06-03 10:59:22 +02:00
Alfie Champion 9876643e3e added rule for rundll32 launch of fsecure C3 2021-06-02 19:57:39 +01:00
Andreas Hunkeler e8ee6aec2f Add further detections to shadow copies deletion
* Add diskshadow.exe to existing detection
* Add new detection for wbadmin.exe
* Fix typo in match on L31
* Add raccine refs
2021-06-02 15:47:41 +02:00
Florian Roth 7288ae93b9 Merge pull request #1526 from WojciechLesicki/master
Added a new rule about loading dll CS via rundll32 and also some chan…
2021-06-01 21:54:26 +02:00
Florian Roth 950b252d5c Update process_creation_cobaltstrike_load_by_rundll32.yml 2021-06-01 18:11:19 +02:00
WojciechLesicki d6f6b88b4c I corrected the tag 2021-06-01 17:11:24 +02:00
WojciechLesicki 90a21d954a Change title 2021-06-01 16:55:49 +02:00
WojciechLesicki cc4c55ed10 Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations 2021-06-01 16:18:23 +02:00
frack113 a634452871 product is lowercase 2021-05-30 08:43:01 +02:00
Florian Roth 39900bb7c5 refactor: re-add exec selection 2021-05-27 19:24:20 +02:00
Florian Roth 9af8e81cb4 Merge branch 'master' into rule-devel 2021-05-27 19:23:21 +02:00
Florian Roth c3ab7d19f1 Merge pull request #1515 from jbeley/master
Modified win_susp_rclone_exec.yml to detect renamed rclone executable…
2021-05-27 18:22:16 +02:00
Florian Roth 431f34b985 fix: other locations
https://twitter.com/ber_m1ng/status/1397948048135778309
2021-05-27 18:12:20 +02:00
Florian Roth a4e6f58b16 rule: suspicious programs - no DLL in command line 2021-05-27 17:49:10 +02:00
Florian Roth fa45298474 Merge pull request #1516 from SigmaHQ/rule-devel
Update win_susp_regedit_trustedinstaller.yml
2021-05-27 17:48:48 +02:00
Jeff Beley f675ac36b1 Modified win_susp_rclone_exec.yml to detect renamed rclone executables and rclone executed from inside of other programs (BEACON) 2021-05-27 15:03:52 +00:00
Florian Roth 61f5e66569 Update win_susp_regedit_trustedinstaller.yml 2021-05-27 16:57:41 +02:00
Florian Roth 71625c54f0 Merge pull request #1514 from SigmaHQ/rule-devel
ProcessHacker rule, NCCGroup rclone rules
2021-05-27 16:30:30 +02:00
Florian Roth d1582944a7 fix: dates in new rules 2021-05-27 16:30:09 +02:00
Florian Roth ea430c8823 Merge pull request #1471 from d4rk-d4nph3/master
Updated rule for Advanced IP Scanner and new rule for PowerView
2021-05-27 12:55:03 +02:00
Florian Roth 059e669ac6 Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives not a valid value
2021-05-27 12:51:54 +02:00
Florian Roth c0b93a010c NCCGroup rules from rclone blog post
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
2021-05-27 12:49:40 +02:00
Florian Roth 7812a4217c rule: regedit as trustedinstaller 2021-05-27 11:36:05 +02:00
Florian Roth b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth adbdb5b22f Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
Florian Roth 8aabb58eca Merge pull request #1498 from w0rk3r/otrf
Update broken OTRF Threat Hunter Playbook References
2021-05-26 13:06:16 +02:00
frack113 afb3d63900 fix typo of fields 2021-05-24 10:37:14 +02:00
frack113 1fcd0bf951 fix typo of fields 2021-05-24 10:34:56 +02:00
Florian Roth 576e047e76 Delete win_susp_Register_cimprovider.yml 2021-05-22 15:43:41 +02:00