Commit Graph

2788 Commits

Author SHA1 Message Date
Florian Roth a5281c0eaf Merge branch 'master' into log-source-cleanup 2022-03-22 15:16:14 +01:00
phantinuss f1dcaa02f4 fix: single list element 2022-03-21 12:33:55 +01:00
Florian Roth 816b11ab80 Merge branch 'master' into rule-devel 2022-03-21 11:19:22 +01:00
Florian Roth 056206627a minor changes to description and hash values 2022-03-21 11:19:05 +01:00
Florian Roth dd46054e17 Merge pull request #2834 from redsand/fp_missing_sys32_dir_rundll32
Fp missing system32 dir rundll32 with invalid extension
2022-03-20 22:31:58 +01:00
Tim Shelton 5086cde0dd updating to ensure match against all system32 execution path 2022-03-20 19:48:51 +00:00
Tim Shelton 3da10f30d8 Adding additional filter for system32 2022-03-20 19:45:33 +00:00
Paul Hager 68659cf5fd new susp service installation rules 2022-03-18 16:08:40 +01:00
Florian Roth fbf1b8456c Merge pull request #2825 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with EdgeTransport sub processes
2022-03-18 11:04:10 +01:00
Florian Roth 2f51f8e1d2 fix: FPs noticed with EdgeTransport sub processes 2022-03-18 10:18:40 +01:00
Florian Roth d0eef19e95 Merge pull request #2822 from SigmaHQ/rule-devel
Webshell detection rule refactoring
2022-03-18 08:49:04 +01:00
Florian Roth e754849425 fix: missing space 2022-03-18 08:37:09 +01:00
frack113 41fce11b76 Merge pull request #2820 from frack113/day_off
Windows Redcannary
2022-03-18 08:18:18 +01:00
Florian Roth 59a8a6f952 Merge branch 'master' into rule-devel 2022-03-17 20:16:28 +01:00
Florian Roth 22133aaa07 Merge pull request #2821 from redsand/fp_tasktop_path_traversal
Adding filter for java tasktop
2022-03-17 18:44:16 +01:00
Florian Roth 33617fd8b4 rule: new webshell detection rule 2022-03-17 18:31:11 +01:00
Tim Shelton 026677cf8a fixing spelling error 2022-03-17 17:27:11 +00:00
Florian Roth 8250dd73a2 refactor: webshell detection rules 2022-03-17 18:24:15 +01:00
Tim Shelton a1cb805913 Adding filter for java tasktop 2022-03-17 17:23:06 +00:00
frack113 829409d29a Redcannary 2022-03-17 16:48:41 +01:00
frack113 becf3baeb4 Merge pull request #2813 from phantinuss/master
Changes to falsepositives metadata
2022-03-17 14:31:27 +01:00
Florian Roth 1ab03bd9f8 Merge pull request #2815 from SigmaHQ/rule-devel
rule: remote thread creation, rule: get-addbaccount
2022-03-16 18:47:03 +01:00
Florian Roth 39811e1405 refactor: uppercase values, DropLoader imphash 2022-03-16 17:56:55 +01:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss 8d3f8acb60 fix: none --> Unknown 2022-03-16 14:19:21 +01:00
phantinuss 9b82e099a3 fix: unlikely --> Unlikely 2022-03-16 14:16:10 +01:00
phantinuss 4585133325 fix: remove penetration testing as a valid false positive 2022-03-16 13:51:26 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Florian Roth 8acf6431f5 Merge pull request #2809 from SigmaHQ/rule-devel
CrackMapExec patterns, minor addition to ncat rule, rar rule adjusted
2022-03-16 11:25:10 +01:00
Florian Roth 0e1945beaa refactor: rar usage w password & compression level 2022-03-16 09:57:45 +01:00
Thomas Patzke 125359cfbc Merge pull request #2810 from SigmaHQ/fix
Fixes
2022-03-16 07:29:24 +01:00
Thomas Patzke f022b087e0 Fixed date format in rule 2022-03-15 23:31:14 +01:00
Florian Roth a10561e084 ncat pattern 2022-03-15 18:05:13 +01:00
Florian Roth 306bb438e3 CrackMapExec patterns 2022-03-15 18:05:04 +01:00
Paul Hager 87600161bf new rule from thedfirreport.com 2022-03-15 16:39:12 +01:00
Paul Hager 3b09f1c9da new rule from thedfirreport.com 2022-03-15 16:38:27 +01:00
Paul Hager 20125d87c2 new rule from thedfirreport.com 2022-03-15 16:36:57 +01:00
frack113 c5263039ae Merge pull request #2798 from frack113/moonbounce
Add proc_creation_win_wmic_remote_command
2022-03-13 22:22:10 +01:00
Florian Roth 70954c8153 Update proc_creation_win_wmic_remote_command.yml 2022-03-13 13:22:10 +01:00
frack113 06f51aecf5 Add proc_creation_win_wmic_remote_command 2022-03-13 12:21:00 +01:00
frack113 283246cdd0 Fix selection_tools 2022-03-12 11:15:10 +01:00
frack113 0bab1f19a9 Add proc_creation_win_network_scan_loop 2022-03-12 10:53:12 +01:00
Florian Roth 52f2b7f966 Merge pull request #2795 from SigmaHQ/rule-devel
refactor: lsass dump files names, new: NTDS.dit exfiltration activity
2022-03-11 20:56:06 +01:00
Florian Roth 1141f00480 fix: more lists with only one parameter 2022-03-11 20:11:06 +01:00
Florian Roth 1691f09099 fix: list with one item 2022-03-11 20:00:33 +01:00
Florian Roth c843293e47 rules: NTDS.DIT exfiltration 2022-03-11 18:14:09 +01:00
Florian Roth b96d30acc7 docs: adjustments 2022-03-11 18:13:54 +01:00
Florian Roth d033831e98 refactor: increased level of ntdsutil usage 2022-03-11 17:04:58 +01:00