Commit Graph

567 Commits

Author SHA1 Message Date
G Y d247766a2e Update powershell_data_compressed.yml
Corrected old link and formatting.
2021-07-03 20:48:03 +08:00
Florian Roth e7144b34ee fix: bug in syntax 2021-07-03 13:19:56 +02:00
Florian Roth 2d0cdc16fc added modified date 2021-07-03 13:19:14 +02:00
G Y 7f067f7273 Update powershell_powerview_malicious_commandlets.yml
Added new commandlet names based on aliases seen in https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1, fixed a typo, and improved formatting.
2021-07-03 11:07:11 +08:00
Bhabesh Rai 206adbb2b6 Merging upstream updates 2021-07-01 12:18:30 +05:45
CriimBow 188b847670 Typo on Find-DomainObjectPropertyOutlier 2021-06-25 10:35:33 +02:00
Florian Roth 5e35e387dd Merge pull request #1549 from SigmaHQ/rule-devel
Rule devel
2021-06-10 10:19:47 +02:00
Florian Roth 9c0700bc56 Powershell artefacts to critical 2021-06-10 09:42:07 +02:00
Florian Roth 04faf985d2 more PowerShell suspicious keywords 2021-06-10 09:41:55 +02:00
Florian Roth cfdf3b7c08 Merge pull request #1538 from frack113/powershell_delete_volume_shadow_copies
Add t1490 powershell delete volume shadow copies
2021-06-08 11:02:34 +02:00
frack113 0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00
frack113 537272c944 Add t1490 powershell delete volume shadow copies 2021-06-03 22:39:06 +02:00
frack113 bf98f43850 Make powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID 2021-06-01 10:47:17 +02:00
Florian Roth ea430c8823 Merge pull request #1471 from d4rk-d4nph3/master
Updated rule for Advanced IP Scanner and new rule for PowerView
2021-05-27 12:55:03 +02:00
Florian Roth 059e669ac6 Merge pull request #1496 from frack113/falsepositives_NOT_a_list
Fix rule where Falsepositives not a valid value
2021-05-27 12:51:54 +02:00
Florian Roth b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth adbdb5b22f Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
Bhabesh Rai cc9ac2ddcf Added rule for PowerView's malicious cmdlets 2021-05-25 21:04:32 +05:45
Jonhnathan 26ecbea0ba Update Threat Hunter Playbook Reference 2021-05-22 01:03:49 -03:00
Jonhnathan 4ebdcf2f1d Update Threat Hunter Playbook Reference 2021-05-22 01:03:23 -03:00
frack113 1d1170e8ba Fix falsepositives list 2021-05-21 12:31:01 +02:00
frack113 a6cadc6de5 Fix falsepositives list 2021-05-21 12:29:28 +02:00
frack113 ad376a8328 Fix falsepositives list 2021-05-21 12:28:12 +02:00
frack113 2197514fc5 Fix falsepositives list 2021-05-21 12:26:37 +02:00
frack113 48a7e80192 Fix falsepositives list 2021-05-21 12:24:25 +02:00
partyh4rd 5a98e36905 Update powershell_suspicious_getprocess_lsass.yml
fix mitre_code 1552.004 -> 1003.001
2021-05-04 14:04:52 +03:00
Florian Roth 1ff5e226ad Merge pull request #1436 from SigmaHQ/rule-devel
Rule devel
2021-04-23 17:33:07 +02:00
Florian Roth c7ce9154d1 Merge pull request #1030 from stevengoossensB/master
Updated sysmon config and rewrite rules to use categories
2021-04-23 16:52:25 +02:00
Florian Roth 1333a95c51 rule: get-process lsass 2021-04-23 16:44:53 +02:00
Florian Roth 5aed7c80db Merge pull request #1435 from SigmaHQ/rule-devel
fix: FPs with certutil command and McAfee Chromium Container
2021-04-23 14:55:31 +02:00
Florian Roth 85582c540e docs: changed modification date 2021-04-23 14:55:04 +02:00
Florian Roth ce03ca9485 fix: Jitter keyword prone to FPs 2021-04-23 14:54:32 +02:00
Florian Roth 64f5af4c45 Merge pull request #1432 from SigmaHQ/rule-devel
fix: splunk windows config, additional rule
2021-04-23 10:30:44 +02:00
Florian Roth d5e88d369c fix: fixed rule title 2021-04-23 09:51:31 +02:00
Florian Roth b447e6338f rule: Export-PfxCertificate 2021-04-23 09:01:14 +02:00
Steven d263b937b4 Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 02:02:25 +02:00
Steven 850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
Florian Roth 4abebd98d9 Merge pull request #1418 from SigmaHQ/rule-devel
Fixing false positives with newest OSCD rules
2021-04-09 17:26:02 +02:00
Florian Roth 897da252f1 fix: missing new line placeholder escape 2021-04-09 16:45:07 +02:00
Florian Roth 65a11dde52 fix: rules causing too many false positives 2021-04-09 15:55:14 +02:00
Thomas Patzke 3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
Thomas Patzke a10db2df89 Fixes & improvements 2021-04-08 01:06:40 +02:00
Thomas Patzke b1b0240692 Fixes 2021-04-03 23:21:13 +02:00
Thomas Patzke 90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
Anton Kutepov 3f45269296 Merge branch 'oscd'
B
B
B
B
A
2021-03-02 22:58:41 +03:00
Florian Roth 274b7b0f2e fix: search for keywords within message 2021-02-26 09:42:12 +01:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Florian Roth aaeb72a2b6 fix: FPs 2021-02-01 11:47:23 +01:00
yugoslavskiy d25ca9b280 Merge pull request #1229 from zinint/1009-19-1
[OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)
2021-01-06 00:24:08 +03:00
yugoslavskiy f4578b0698 Merge pull request #1223 from zinint/1009-23-1
[OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)
2021-01-06 00:23:33 +03:00