Commit Graph

170 Commits

Author SHA1 Message Date
Hasan 33fcfd71bb Merge fixes for Rules 2021-06-16 10:45:20 +05:00
Hasan fabcb6c3c6 Removed asterisks from filter 2021-06-16 10:42:29 +05:00
Hasan 415ced0023 Corrected MITRE reference tag 2021-06-15 19:07:50 +05:00
Hasan f079556067 Removed GUID phrase from description 2021-06-15 17:14:32 +05:00
Hasan 1764714e26 Rule to detect new TaskCache Entry 2021-06-15 17:08:14 +05:00
Tobias Michalski 1f52763878 Removed EventIDs 2021-06-10 16:41:00 +02:00
Tobias Michalski e8c38a9d6c Renamed file to all lowercase 2021-06-10 16:35:02 +02:00
Tobias Michalski 56d200bad0 Fixed meta information 2021-06-10 12:44:19 +02:00
Tobias Michalski bbc8633c67 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 11:32:08 +02:00
Tobias Michalski 4d6e7e1338 Rules persistence by exploiting Outlook or Exchange 2021-06-10 11:26:21 +02:00
frack113 c1f43cc4ca T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features 2021-06-08 09:32:01 +02:00
frack113 43ccc07ad0 T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection 2021-06-07 10:09:21 +02:00
Florian Roth d41825766a Merge pull request #1529 from SigmaHQ/rule-devel
fix: FPs with Volume Shadow Copy Service Keys
2021-06-03 20:49:31 +02:00
Florian Roth 7812ff51d3 fix: FPs with Volume Shadow Copy Service Keys 2021-06-02 13:04:05 +02:00
Florian Roth 736eeabf9f Merge pull request #1527 from SigmaHQ/rule-devel
fix: rule FPs with Stealthy VSTO Persistence
2021-06-01 18:18:22 +02:00
Florian Roth 34cf1333de fix: rule FPs with Stealthy VSTO Persistence 2021-06-01 13:58:35 +02:00
frack113 179bfa7d56 duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
- sysmon_susp_webdav_client_execution.yml
- sysmon_wdigest_enable_uselogoncredential.yml
2021-05-27 20:59:26 +02:00
Florian Roth 059e669ac6 Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives is not a valid value
2021-05-27 12:51:54 +02:00
Florian Roth b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth adbdb5b22f Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
Florian Roth 8aabb58eca Merge pull request #1498 from w0rk3r/otrf
Update broken OTRF Threat Hunter Playbook References
2021-05-26 13:06:16 +02:00
frack113 3717c68bb7 fix typo of level 2021-05-24 10:45:58 +02:00
Jonhnathan 687f2d67fc Update Threat Hunter Playbook Reference 2021-05-22 01:09:30 -03:00
frack113 cabaccceb8 Fix falsepositives list 2021-05-21 11:15:10 +02:00
frack113 dfe7e4e38c Fix falsepositives list 2021-05-21 11:12:04 +02:00
frack113 70a5c8bb5f registry_event is a category 2021-05-12 08:51:38 +02:00
frack113 026320f613 registry_event is a category 2021-05-12 08:36:42 +02:00
phantinuss da533c7425 fixed title capitalization 2021-05-05 15:22:09 +02:00
phantinuss 254a3bb122 new rules detecting the creation of a local hidden user 2021-05-05 15:12:07 +02:00
Florian Roth 0e9176776d refactor: moved rule 2021-05-05 12:11:59 +02:00
SomeOne 4aae26cabd Grouping filters 2021-05-01 21:05:34 +02:00
SomeOne 80dc6aaf59 Add FP and fix filters 2021-05-01 20:54:26 +02:00
Florian Roth d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Florian Roth c7ce9154d1 Merge pull request #1030 from stevengoossensB/master
Updated sysmon config and rewrite rules to use categories
2021-04-23 16:52:25 +02:00
Steven d263b937b4 Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 02:02:25 +02:00
Steven 7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
2021-04-15 01:40:31 +02:00
Roberto Rodriguez db0e969121 HybridConnectionMgr Service Activity 2021-04-12 16:26:15 -04:00
Thomas Patzke 3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
Thomas Patzke a10db2df89 Fixes & improvements 2021-04-08 01:06:40 +02:00
Thomas Patzke 90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
Anton Kutepov d7ef865bb9 Merge remote-tracking branch 'upstream/master' and fix conflicts 2021-03-07 23:36:13 +03:00
Florian Roth 2b5f9f994f Merge pull request #1376 from SigmaHQ/rule-devel
UNC2452 rules - GoldMax, GoldFinder, Sibot
2021-03-05 18:17:20 +01:00
Florian Roth b864768de8 fix: wrong conditions 2021-03-05 11:55:49 +01:00
Florian Roth c3b84f2d5b UNC2452 rules - GoldMax, Sibot, GoldFinder
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
2021-03-05 11:54:35 +01:00
Anton Kutepov 3f45269296 Merge branch 'oscd'
B
B
B
B
A
2021-03-02 22:58:41 +03:00
Florian Roth b65dbee01f Merge pull request #1366 from Neo23x0/rule-devel
rule: SilentProcessExit monitors
2021-02-26 18:09:44 +01:00
Florian Roth ba7c7409a3 fix: typo in modified 2021-02-26 17:48:50 +01:00
Florian Roth 79acbbef9f rule: SilentProcessExit monitors 2021-02-26 17:35:42 +01:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Bhabesh Rai 93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45