Commit Graph

2788 Commits

Author SHA1 Message Date
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
Florian Roth 5802915f39 Update win_pc_reg_dump_sam.yml 2022-01-05 22:40:39 +01:00
frack113 727e5ee925 Windows redcannary 2022-01-05 19:52:52 +01:00
Florian Roth b2e70c3622 Merge pull request #2520 from SigmaHQ/rule-devel
fix: massive performance impact of keyword-based rule
2022-01-05 15:14:09 +01:00
Florian Roth aeeb483fb7 fix: missed to set modified date 2022-01-05 14:19:02 +01:00
Florian Roth d61b0c0120 fix: unnecessary performance impact 2022-01-05 14:18:42 +01:00
Florian Roth 42e6556475 Merge pull request #2516 from sreemanshanker/master
Add files via upload
2022-01-05 11:12:19 +01:00
Florian Roth 8d8112f13d Update process_creation_headless_browser_file_download.yml 2022-01-04 22:27:05 +01:00
Florian Roth acbce4f498 fix: filename not according to standard 2022-01-04 19:59:32 +01:00
Florian Roth 48c1b959bd Merge pull request #2518 from SigmaHQ/rule-devel
rule: format.com fs lolbin
2022-01-04 19:56:38 +01:00
Florian Roth f98990436e rule: format.com fs lolbin 2022-01-04 17:15:43 +01:00
Florian Roth a10b293076 Merge pull request #2517 from SigmaHQ/rule-devel
LOLBIN process dumps, Winrar dump file combination
2022-01-04 13:57:55 +01:00
Florian Roth 9b7c34c1d2 rule: Winrar compress .dmp file 2022-01-04 08:56:41 +01:00
Florian Roth e7138cc3d5 rule: process dumping lolbins 2022-01-04 08:51:06 +01:00
Florian Roth 5620442c5e Update Suspicious use of headless browser to download files.yml 2022-01-04 07:13:51 +01:00
sreemanshanker becca39eb4 Update Suspicious use of headless browser to download files.yml 2022-01-04 13:51:07 +08:00
sreemanshanker 024a3a52db Add files via upload 2022-01-04 13:47:23 +08:00
Florian Roth bd55bcbee0 Merge pull request #2509 from blueteamer8699/feature/sysmon_gathernetworkinfo
windows lolbin 'gathernetworkinfo.vbs' detection
2022-01-03 13:53:03 +01:00
Florian Roth 872e68d07c Update win_lolbin_cscript_gathernetworkinfo.yml 2022-01-03 13:07:32 +01:00
frack113 601aa50587 Merge pull request #2507 from frack113/redcannary_20220102
Windows Redcannary
2022-01-03 12:38:05 +01:00
blueteamer8699 27f2029d96 updated rule to include the relevant changes from running python3 tests 2022-01-03 17:58:30 +11:00
blueteamer8699 27eb156e8f added a rule to detect use of windows lolbin 'gathernetworkinfo.vbs' for information gathering 2022-01-03 11:49:17 +11:00
Florian Roth 5f37a1e25f Update win_pc_susp_powershell_encode.yml 2022-01-02 15:51:55 +01:00
Florian Roth 4adf1af606 Update win_pc_wmic_reconnaissance.yml 2022-01-02 13:32:04 +01:00
frack113 757bf95ecb fix detection 2022-01-02 11:45:33 +01:00
frack113 637ce004ae fix tag 2022-01-02 10:50:40 +01:00
frack113 8b67ad069e Windows Redcannary 2022-01-02 10:36:52 +01:00
frack113 e75e3dc1fb fix CommandLine 2022-01-02 09:17:10 +01:00
frack113 7eebc4d054 Windows redcannary 2022-01-01 08:42:40 +01:00
frack113 5d5b3e83b1 Windows persistence 2021-12-30 11:58:10 +01:00
frack113 1a877a5ccd Merge pull request #2495 from frack113/redcannary_20211227
Windows redcannary rules
2021-12-28 12:52:07 +01:00
frack113 1f1b0dc656 Merge pull request #2492 from frack113/redcannary_20211216
Windows Redcannary impact
2021-12-28 12:51:40 +01:00
Florian Roth ee0f216929 Update win_pc_hashcat.yml 2021-12-28 12:09:59 +01:00
Florian Roth 345aab18cb Update win_pc_susp_taskkill.yml 2021-12-28 12:05:20 +01:00
Florian Roth 6edd497bf6 Update win_pc_susp_taskkill.yml 2021-12-28 12:04:51 +01:00
Florian Roth 992237c9aa Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-12-28 10:01:14 +01:00
Florian Roth bfd8b62dfa rule: kernel dump using dtrace 2021-12-28 10:01:11 +01:00
frack113 744b7602c9 Windows redcannary rules 2021-12-27 20:25:01 +01:00
Florian Roth 1c4688cbb6 Merge branch 'master' into rule-devel 2021-12-27 17:38:21 +01:00
Florian Roth 6540d2e924 rule: download from Microsoft domain 2021-12-27 17:22:34 +01:00
Florian Roth 7a8f09a6b5 fix: FPs with 4688 events that can contain 'Registry' 2021-12-27 11:48:51 +01:00
frack113 b967deaabd Windows Redcannary impact 2021-12-26 12:09:42 +01:00
Florian Roth 4951e78c74 Merge pull request #2491 from SigmaHQ/rule-devel
docs: title reordered
2021-12-25 09:59:28 +01:00
Florian Roth 1609fbb2ac docs: title reordered 2021-12-24 09:13:25 +01:00
Florian Roth 41b29fb3b9 Merge pull request #2490 from SigmaHQ/rule-devel
refactor: added curl.exe to the list
2021-12-23 17:56:08 +01:00
Florian Roth db3ebaf97c refactor: added curl.exe to the list 2021-12-23 08:27:44 +01:00
eb8f9a 2ab0582fd1 (win_susp_rundll32_activity.yml) Rule syntax error
es-dsl does not work properly because the rule syntax is not valid

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_rundll32_activity.yml

Lines 59 to 61:
     - CommandLine|contains|all:
       - 'syssetup.dll'
       - SetupInfObjectInstallAction'

should be as below:
     - CommandLine|contains|all:
       - 'syssetup.dll'
       - 'SetupInfObjectInstallAction'
2021-12-23 10:09:51 +09:00
Florian Roth 6b233cc2ec Merge pull request #2487 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-22 15:37:42 +01:00
Florian Roth b276ccd121 fix: FPs noticed with THOR 2021-12-22 14:51:06 +01:00
Andreas Hunkeler 9c25a43089 rule: add new rule to detect shell spawn by Java keytool 2021-12-22 11:48:02 +01:00