Commit Graph

2788 Commits

Author SHA1 Message Date
Austin Songer f1d937cbd6 Update win_susp_disable_eventlog.yml 2021-06-26 12:22:54 -05:00
Austin Songer de6fac1d18 Update win_susp_disable_eventlog.yml 2021-06-26 03:15:05 -05:00
mlp1515 60d352a21a Merge branch 'SigmaHQ:master' into master 2021-06-25 13:17:24 +02:00
Florian Roth 537d89d185 Merge pull request #1575 from SigmaHQ/rule-devel
rules: PurpleSharp, WMIC ActiveScriptEventConsumer
2021-06-25 12:15:35 +02:00
Florian Roth 7b6208c05c rules: PurpleSharp, WMIC ActiveScriptEventConsumer 2021-06-25 09:56:42 +02:00
Andreas Hunkeler 3de0679d5a Add fp note to PortProxy rules 2021-06-24 11:22:41 +02:00
Florian Roth 1dd557e543 fix: global action unneeded 2021-06-23 09:23:08 +02:00
Sittikorn S c0724e533f Update and rename win_renamed_meg.yml to win_renamed_megasync.yml 2021-06-23 09:24:42 +07:00
Sittikorn S a310806dbf Update win_renamed_meg.yml 2021-06-23 08:35:12 +07:00
Sittikorn S 10488512ae Update win_renamed_meg.yml 2021-06-22 22:27:34 +07:00
Sittikorn S 177442d6df Update win_renamed_meg.yml 2021-06-22 22:20:49 +07:00
Sittikorn S 6328ce8ef6 Update win_renamed_meg.yml 2021-06-22 22:17:51 +07:00
Sittikorn S f55cd9ed1b Update win_renamed_meg.yml 2021-06-22 22:03:56 +07:00
Sittikorn S 268a4c31e3 Update win_renamed_meg.yml
Change MITRE tags T1218.001 to T1218
2021-06-22 22:00:35 +07:00
Sittikorn S e6d08d0ad6 Update win_renamed_meg.yml 2021-06-22 21:55:09 +07:00
Sittikorn S a08b6c4e0a Create win_renamed_meg.yml 2021-06-22 21:50:07 +07:00
Florian Roth 7e748fa91a Merge pull request #1567 from BlackB0lt/patch-2
Create win_script_event_consumer_spawn new rule
2021-06-22 12:43:34 +02:00
Sittikorn S d9a749eec0 Update and rename win_script_event_consumer_spawn to win_script_event_consumer_spawn.yml 2021-06-22 16:35:46 +07:00
Florian Roth cbe97206de fix: several indentation issues, casing in tags 2021-06-22 11:03:17 +02:00
Andreas Hunkeler cd0b46ab62 rule: add port proxy registry rule and add references 2021-06-22 08:16:56 +02:00
Sittikorn S 1bcac7b04a Create win_script_event_consumer_spawn 2021-06-21 21:20:39 +07:00
mlp1515 a5e77bac17 Merge branch 'SigmaHQ:master' into master 2021-06-16 15:32:48 +02:00
Florian Roth e5cd850640 Merge pull request #1556 from frack113/PR_617_V2
Fix all the rules to pass the test
2021-06-16 08:22:51 +02:00
Hasan 8196fbaada Parenthesis for condition statement 2021-06-16 10:41:52 +05:00
Hasan 1114a25a2c Removal of NODE from ALL filter for better coverage 2021-06-15 17:07:51 +05:00
Hasan 82bcfb29c3 Addition of Safemode flags 2021-06-15 17:07:02 +05:00
mlp1515 aa5dab332e Update win_multiple_suspicious_cli.yml
Modify modified field
2021-06-14 08:54:07 +02:00
frack113 558bcd5ceb Fix all the rules to pass the test 2021-06-14 07:33:26 +02:00
mlp1515 ecfb42fcb2 Update win_multiple_suspicious_cli.yml
Add contains in CommandLine condition
2021-06-13 13:43:43 +02:00
Tobias Michalski 54e98c8441 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 16:41:22 +02:00
Tobias Michalski e8c38a9d6c Renamed file to all lowercase 2021-06-10 16:35:02 +02:00
Florian Roth 83dddf99b4 Update win_exchange_TransportAgent.yml 2021-06-10 16:07:22 +02:00
Florian Roth cd0531b345 fix: removed process_creation log source 2021-06-10 15:37:00 +02:00
Tobias Michalski 3970934252 Switched EventID:1 to category: process_creation 2021-06-10 14:13:29 +02:00
Florian Roth 5e35e387dd Merge pull request #1549 from SigmaHQ/rule-devel
Rule devel
2021-06-10 10:19:47 +02:00
Florian Roth 78817d100b style: removed unneeded space chars 2021-06-10 09:42:19 +02:00
Andreas Hunkeler 2d44803bf5 Revert renaming of ngrok rule
Initially the rule had only a detection for RDP, but after my last commits we have more ports in the detections, so the previous generic name is better.
2021-06-08 13:09:35 +02:00
Florian Roth 07176ddb25 Merge pull request #1541 from frack113/win_tamper_with_windows_defender
Windows tamper with windows defender
2021-06-08 11:02:14 +02:00
frack113 0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00
Andreas Hunkeler cea2d5cd81 Add modified date to ngrok rule 2021-06-07 18:17:17 +02:00
Andreas Hunkeler e1ef13bb24 Update ngrok usage rule
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
2021-06-07 17:20:18 +02:00
Florian Roth d41825766a Merge pull request #1529 from SigmaHQ/rule-devel
fix: FPs with Volume Shadow Copy Service Keys
2021-06-03 20:49:31 +02:00
Florian Roth 4d7b3b7afe Merge pull request #1530 from Karneades/patch-1
Add further detections to shadow copies deletion
2021-06-03 13:51:00 +02:00
Florian Roth 11eca86be3 Update process_creation_c3_load_by_rundll32.yml 2021-06-03 12:44:47 +02:00
Florian Roth 151d120a24 Update process_creation_SDelete.yml 2021-06-03 12:40:55 +02:00
frack113 ba0f2e6b16 Add windows T1485 SDelete 2021-06-03 10:59:22 +02:00
Alfie Champion 9876643e3e added rule for rundll32 launch of fsecure C3 2021-06-02 19:57:39 +01:00
Andreas Hunkeler e8ee6aec2f Add further detections to shadow copies deletion
* Add diskshadow.exe to existing detection
* Add new detection for wbadmin.exe
* Fix typo in match on L31
* Add raccine refs
2021-06-02 15:47:41 +02:00
Florian Roth 7288ae93b9 Merge pull request #1526 from WojciechLesicki/master
Added a new rule about loading dll CS via rundll32 and also some chan…
2021-06-01 21:54:26 +02:00
Florian Roth 950b252d5c Update process_creation_cobaltstrike_load_by_rundll32.yml 2021-06-01 18:11:19 +02:00