Commit Graph

63 Commits

Author SHA1 Message Date
Paul Hager 68659cf5fd new susp service installation rules 2022-03-18 16:08:40 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
frack113 7fb8272f94 Name Normalization 2022-02-27 10:58:14 +01:00
Florian Roth 05763aea3f docs: level adjusted 2022-02-17 13:02:18 +01:00
Florian Roth 57271c3c00 fix: bugs in rules 2022-02-16 17:26:57 +01:00
Florian Roth 51bbe21c70 fix: more Aurora FP fixes 2022-02-16 17:16:50 +01:00
Florian Roth 2500c16aea fix: FPs noticed with Aurora 2022-02-16 17:00:27 +01:00
Florian Roth d6af219bed Merge branch 'master' into pr/2573 2022-01-19 19:42:49 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
Tim Shelton 37243f5902 Updating formatting for more accurate mssql sqlps.exe detection 2022-01-19 14:49:00 +00:00
Tim Shelton dc1e150a46 adding support for mssql sqlps.exe 2022-01-18 23:55:04 +00:00
Tim Shelton ec51cf6698 Allow wmi service to also perform, since winrm is being allowed 2022-01-18 22:20:55 +00:00
Tim Shelton a0983a3659 Allow dsac to perform powershell execution over named pipes. DSAC - Active Directory Admin Client 2022-01-18 19:55:00 +00:00
Florian Roth e055ec1d52 refactor: change all " of them" expressions 2022-01-11 10:59:57 +01:00
Florian Roth c7c4130c04 Update sysmon_alternate_powershell_hosts_pipe.yml 2021-12-17 12:31:08 +01:00
Tim Shelton 0dea125a82 Adding filter for calls using \WINDOWS\System32\sdiagnhost.exe, used rule 867613fb-fa60-4497-a017-a82df74a172c as filter reference 2021-12-03 16:53:20 +00:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
Florian Roth 11fc576103 fix: FPs with rules 2021-11-25 19:04:27 +01:00
frack113 f47d0da3f7 add missing MITRE Techniques 2021-11-20 12:26:01 +01:00
David André 7ad901fce1 Corrected typo in HyperBro malware name 2021-11-12 08:36:13 +01:00
frack113 e51dab10c2 fix logsources 2021-11-07 09:55:02 +01:00
frack113 9f7d4a832e Update sysmon_mal_namedpipes.yml 2021-10-31 07:03:27 +01:00
David André 0de88e2f30 Added four other named pipes and corrected one missing slash 2021-10-29 16:33:07 +02:00
David André 8c57d29561 Added turla hyperstack named pipe 2021-10-29 15:49:04 +02:00
WojciechLesicki ad0bcebe9c Adding some additional details about sysmon config and also a way to test detection. 2021-10-25 21:30:33 +02:00
WojciechLesicki 6c86500414 Description changes according to https://github.com/SwiftOnSecurity/sysmon-config/pull/151 2021-10-18 21:34:05 +02:00
Roberto Rodriguez 7f17eaeb87 added rule to detect suspicious named pipe connections to an AD FS server 2021-10-08 01:57:22 -04:00
frack113 318f8b714e split global win_tool_psexec.yml 2021-09-21 10:10:48 +02:00
Thomas Patzke 143744bc12 Various fixes
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
2021-09-07 23:38:07 +02:00
Austin Songer fa5554660c Update sysmon_mal_cobaltstrike_re.yml 2021-09-04 17:33:05 -05:00
frack113 a048403089 Merge pull request #1973 from klingerko/cs_namedpipe_updates
Remove duplicate and regex improvements
2021-09-02 15:25:01 +02:00
klingerko 15e25f9635 update modified date 2021-09-02 14:50:14 +02:00
Florian Roth 0603581111 Merge pull request #1969 from SigmaHQ/rule-devel
More Named Pipe Rules and WMI rule refactoring
2021-09-02 10:15:00 +02:00
Konstantin Klinger 457da818a4 regex optimisations 2021-09-01 17:06:55 +02:00
Konstantin Klinger e83ee55573 remove duplicate 2021-09-01 17:05:36 +02:00
Florian Roth 2f7f050ad8 fix: removed tags 2021-09-01 16:32:27 +02:00
Florian Roth 8761927e8c rule: susp scrcons.exe creating named pipe 2021-09-01 13:57:17 +02:00
Florian Roth affc929c3b LiquidSnake named pipe 2021-09-01 13:54:47 +02:00
Florian Roth c8b3036949 Merge pull request #1968 from SigmaHQ/rule-devel
docs: note to improved sysmon config
2021-09-01 13:21:28 +02:00
Florian Roth f102b2d9a1 docs: note to improved sysmon config 2021-09-01 13:07:18 +02:00
phantinuss e59b8e1e3e add applicable pipe names from regex rule 2021-08-26 14:53:20 +02:00
phantinuss dc19268583 remove because of possible conflict
with a legitimate tool (https://labs.nettitude.com/blog/cve-2017-16245-cve-2017-16246-avecto-defendpoint-multiple-vulnerabilities/)
2021-08-26 14:25:12 +02:00
Florian Roth 6c7d355ef5 Try to add more pipe names to this non-regex rule 2021-08-26 14:00:57 +02:00
phantinuss 217dbc768a More malleable CobaltStrike C2 profiles from new source/reference 2021-08-26 12:53:43 +02:00
Florian Roth 91b42f9077 fix: indentation 2021-08-23 15:03:59 +02:00
Florian Roth dc3ed771b5 rule: EfsPotato Named Pipe 2021-08-23 08:32:50 +02:00
Florian Roth ab16490d33 fix: re CS rule 2021-07-30 08:24:41 +02:00
Florian Roth 096395a49a fix: one condition style error 2021-07-30 07:19:42 +02:00
Florian Roth 0cbb6f82ad CobaltStrike NamedPipe Patterns
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
2021-07-30 07:11:11 +02:00
Florian Roth c1cebe627a refactor: reworked CS pipe rule 2021-05-26 17:22:34 +02:00