Florian Roth
6c2dea3a8c
fix: FPs noticed with Aurora
2022-02-01 15:57:44 +01:00
Florian Roth
9fc06fb027
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2022-02-01 15:57:20 +01:00
Florian Roth
6efa5da3dc
fix: unescaped double back slashes
2022-02-01 15:57:15 +01:00
frack113
6b3b9e924f
Fix GPO FP
2022-02-01 14:21:48 +01:00
Sittikorn S
e16974522b
Update sysmon_process_hollowing.yml
Update filters
2022-02-01 15:19:36 +07:00
Florian Roth
0d27cf9681
Merge pull request #2624 from SigmaHQ/rule-devel
Some TeamViewer rules
2022-01-31 16:38:58 +01:00
Florian Roth
926f9b588c
Merge pull request #2605 from securepeacock/patch-9
Rundll32 From Abnormal Drive
2022-01-31 16:38:46 +01:00
frack113
7ceb3968d8
Update file_event_susp_teamviewer_remote_session.yml
2022-01-31 06:24:02 +01:00
Florian Roth
c35973d6e7
rule: TeamViewer remote session
2022-01-30 22:26:13 +01:00
Florian Roth
ba3065e943
refactor: added another TV domain
2022-01-30 22:26:01 +01:00
Florian Roth
1b57916890
rule: suspicious renamed teamviewer
2022-01-30 22:05:47 +01:00
Florian Roth
fb44e9ae56
Update process_creation_rundll32_not_from_c_drive.yml
2022-01-30 21:48:57 +01:00
frack113
0bcb842c70
Redcannary windows
2022-01-30 18:47:49 +01:00
Florian Roth
d27deada7d
Merge pull request #2622 from frack113/red_20220130
win_pc_susp_takeown
2022-01-30 18:06:36 +01:00
frack113
542a901f57
add win_pc_susp_takeown
2022-01-30 12:03:32 +01:00
Florian Roth
545e8c1c03
Merge pull request #2606 from securepeacock/patch-10
Create sysmon_process_hollowing.yml
2022-01-30 11:33:58 +01:00
Florian Roth
027fce7f13
Update sysmon_process_hollowing.yml
2022-01-29 23:55:21 +01:00
Florian Roth
74f65eb004
Merge branch 'master' into aurora-false-positive-fixing
2022-01-29 19:37:26 +01:00
Florian Roth
e0425f2167
Merge pull request #2620 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-01-29 19:34:02 +01:00
Florian Roth
8d5742e83e
fix: fixing FPs with LSASS access mask in old rule
2022-01-29 18:17:46 +01:00
Florian Roth
642b3748fe
Merge pull request #2615 from frack113/redcannary_20220128
Add windows redcannary rules
2022-01-29 15:25:40 +01:00
Florian Roth
dc19846101
fix: FPs in deprecated rule
2022-01-28 23:43:11 +01:00
Florian Roth
56fba15638
Update process_creation_tool_nircmd.yml
2022-01-28 23:14:17 +01:00
Florian Roth
34c8de908d
Update process_creation_tool_nircmd_as_system.yml
2022-01-28 23:08:41 +01:00
Nasreddine Bencherchali
6f96372ece
Update process_creation_tool_nircmd_as_system.yml
2022-01-28 21:10:52 +01:00
Nasreddine Bencherchali
b0b9d32dfa
Update process_creation_tool_nircmd.yml
2022-01-28 21:10:03 +01:00
Nasreddine Bencherchali
0b09dbdcd1
Update process_creation_tool_nircmd_as_system.yml
2022-01-28 21:01:43 +01:00
Florian Roth
883040ee96
Merge pull request #2617 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2022-01-28 18:06:39 +01:00
Florian Roth
0391cffab4
Merge pull request #2616 from SigmaHQ/rule-devel
rule: xordump
2022-01-28 18:06:21 +01:00
Florian Roth
7b05827326
fix: FPs noticed with Aurora
2022-01-28 17:26:51 +01:00
Florian Roth
bfee0f8067
rule: xordump
2022-01-28 17:26:12 +01:00
frack113
5b30db61b0
Add windows redcannary rules
2022-01-28 16:12:38 +01:00
Florian Roth
a5cb3ba37f
Merge pull request #2598 from SigmaHQ/rule-devel
rules: NirCmd, NSudo, RunX
2022-01-28 12:18:15 +01:00
frack113
9a517bae7c
Merge pull request #2614 from frack113/update_ref
sysmon_proxy_execution_wuauclt Update References
2022-01-28 11:51:45 +01:00
Florian Roth
982808c3db
refactor: whoami / authority, rule: whoami as trusted installer
2022-01-28 11:30:30 +01:00
frack113
a6e3b4691b
Update References
2022-01-28 10:30:39 +01:00
frack113
d4b4d4e382
Merge pull request #2612 from glennbarrett/patch-1
Typo fix in win_plugx_susp_exe_locations.yml
2022-01-28 10:00:07 +01:00
frack113
069d4ac8bd
Update modified
2022-01-28 09:09:26 +01:00
frack113
4ef359a96f
Merge pull request #2611 from redsand/fp_for_iexplorer
adding filter for fp of iexplorer calling cpl
2022-01-28 06:59:35 +01:00
Glenn Barrett
edb769b086
Typo fix in win_plugx_susp_exe_locations.yml
Change SysWowo64 to SysWow64
2022-01-27 15:08:54 -05:00
frack113
1431992e4e
Merge pull request #2604 from frack113/add_ps_version
add posh_ps_clear_powershell_history
2022-01-27 18:24:37 +01:00
Tim Shelton
f8ce6d87a8
adding filter for fp of iexplorer calling cpls: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:276824072 WinX:0 WinY:0 IEFrame:0000000000000000
2022-01-27 16:31:37 +00:00
Florian Roth
a8cbfa832d
Merge pull request #2609 from SigmaHQ/aurora-false-positive-fixing
fix: too many false positives with certain access masks
2022-01-27 16:53:34 +01:00
frack113
1aa7697ca8
Update posh_ps_clear_powershell_history.yml
2022-01-27 16:16:57 +01:00
frack113
79de1631de
Merge pull request #2601 from secDre4mer/master
fix: Add filter for empty image to rule
2022-01-27 16:16:06 +01:00
Florian Roth
82d5f4a511
fix: too many false positives with certain access masks
2022-01-27 09:08:40 +01:00
Florian Roth
d52602dd5e
Update posh_ps_clear_powershell_history.yml
2022-01-26 18:09:09 +01:00
Florian Roth
feedcee6bf
Update posh_ps_clear_powershell_history.yml
2022-01-26 17:57:26 +01:00
Florian Roth
e08e8dd3d4
Update sysmon_process_hollowing.yml
2022-01-26 17:53:46 +01:00
mhaag-spl
b3b37719e7
Update sysmon_lsass_memdump.yml
Updated Sysmon Lsass Memdump to detect other memory dumping techniques from mimikatz, nanodump, invoke-mimikatz, and so forth. This adds additional GrantedAccess permissions and adds ntdll.dll to CallTrace. Tested with Atomic Red Team T1003.001, MimiKatz, Invoke-Mimikatz and Cobalt Strike.
2022-01-26 08:12:49 -07:00