Commit Graph

6187 Commits

Author SHA1 Message Date
Florian Roth 55b4085afc Merge pull request #2473 from elhoim/add_mimikatz_keywords
Add mimikatz keywords to 3 rules
2021-12-21 13:28:15 +01:00
Florian Roth 694b133529 Merge pull request #2475 from elhoim/memssp_log_file
New rule to detect Mimikatz MemSSP default log file creation
2021-12-21 13:27:13 +01:00
Florian Roth 5c3c4830f7 Update win_pc_false_sysinternalsuite.yml 2021-12-21 13:26:50 +01:00
Florian Roth 6e19e75ece Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:24:36 +01:00
Florian Roth a1594e8c4a Merge pull request #2482 from Karneades/hideSrv
rule: abuse of permissions to hide services
2021-12-21 13:23:20 +01:00
David ANDRE d5bfce1e36 Removed duplicate filter entries. 2021-12-21 10:23:23 +01:00
David André 2ce0529792 Merge branch 'SigmaHQ:master' into add_mimikatz_keywords 2021-12-21 09:26:51 +01:00
Andreas Hunkeler 090e0304d4 rule: abuse of permissions to hide services 2021-12-20 23:36:23 +01:00
Andreas Hunkeler 5ac7c0a076 rule: add further reference in regsrv32 rule 2021-12-20 22:58:32 +01:00
frack113 b490086d37 Add thedfirreport Diavol Ransomware 2021-12-20 18:59:11 +01:00
Florian Roth 3c7b4b7225 Update win_alert_mimikatz_keywords.yml 2021-12-20 18:40:19 +01:00
Florian Roth 75765f2aef Update win_mimikatz_command_line.yml 2021-12-20 17:30:03 +01:00
Florian Roth 12387fc275 Update win_alert_mimikatz_keywords.yml 2021-12-20 17:28:42 +01:00
Florian Roth 31788f91d8 Merge pull request #2477 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-20 16:56:21 +01:00
phantinuss 145622afcf change level to medium as non-tunable in-the-wild FPs with powershell.exe are found 2021-12-20 15:12:21 +01:00
phantinuss ad65524fb7 fix: FP matching thor scanner 2021-12-20 13:59:38 +01:00
Florian Roth 5d3f39e317 fix: duplicate entry 2021-12-20 12:53:45 +01:00
Florian Roth cf65b61397 Update file_event_mimimaktz_memssp_log_file.yml 2021-12-20 12:51:27 +01:00
Florian Roth 37da48ba3f fix: FPs noticed with Aurora 2021-12-20 12:04:40 +01:00
frack113 e542c10e8e Fix error 2021-12-20 11:35:12 +01:00
David ANDRE 8c61e58152 New rule to detect Mimikatz MemSSP default log file creation 2021-12-20 10:49:18 +01:00
frack113 96a42f3bb5 Windows Red Canary 2021-12-20 10:43:32 +01:00
David ANDRE ed17c07aff Corrected alignment 2021-12-20 09:25:05 +01:00
David ANDRE b0dda59d09 Added mimikatz keywords from user published documentation to win_mimimkatz_command_line 2021-12-20 09:22:34 +01:00
David ANDRE 147c319bff Added mimikatz keywords from user published documentation to win_susp_system_user_anomaly 2021-12-20 09:01:34 +01:00
David ANDRE d2f9a9c63e Added mimikatz keywords from user published documentation 2021-12-20 08:56:13 +01:00
frack113 f4f3f860cb Merge pull request #2470 from frack113/redcanary_20211219
Windows Red Canary
2021-12-20 08:39:41 +01:00
frack113 ffc87968cf Merge pull request #2469 from frack113/aurora_fp
Aurora FP
2021-12-20 08:39:13 +01:00
Florian Roth 89e1f491b3 refactor: add accepteula to flags 2021-12-19 19:43:37 +01:00
frack113 b89580488a Windows Red Canary 2021-12-19 11:20:42 +01:00
frack113 f8962bec98 Aurora FP 2021-12-19 10:35:39 +01:00
Nasreddine Bencherchali 70f3f4fa88 Create win_susp_psloglist.yml
- The flags can be used with both "-" and "/" characters.
- This rule aims to detect any usage of psloglist, no matter if the binary is with the original name or not. This is achieved by looking for both the image name and the specific command line arguments.
2021-12-18 21:52:05 +01:00
Nasreddine Bencherchali 6f01874e07 Create win_susp_nt_resource_kit_auditpol_usage.yml 2021-12-18 21:06:46 +01:00
Florian Roth 91b51068ea fix condition
https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:57 +01:00
Florian Roth 78900a7b96 fix condition
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:35 +01:00
Florian Roth 61ae79bcff Condition changed
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:12 +01:00
Florian Roth 4362060da6 Update process_creation_advanced_ip_scanner.yml 2021-12-18 20:24:11 +01:00
Nasreddine Bencherchali da5cb2116c Update process_creation_advanced_ip_scanner.yml 2021-12-18 20:08:00 +01:00
Nasreddine Bencherchali 8401ece3d6 Create process_creation_cleanwipe.yml 2021-12-18 20:05:49 +01:00
Nasreddine Bencherchali 92e7ff882f Create process_creation_advanced_port_scanner.yml 2021-12-18 20:00:40 +01:00
Florian Roth dbf3455990 Merge pull request #2467 from SigmaHQ/aurora-false-positive-fixing
fix: exclude *.scr screensavers
2021-12-18 19:00:20 +01:00
Florian Roth 3f5859bac5 fix: exclude *.scr screensavers 2021-12-18 15:40:12 +01:00
Florian Roth 68be189402 Merge pull request #2463 from Karneades/java
rule: add new rule for java spawning suspicious binaries
2021-12-18 07:56:53 +01:00
Florian Roth 8a3c521a34 Merge pull request #2466 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-18 07:16:16 +01:00
Florian Roth 8f36cb8b7e Merge pull request #2454 from frack113/CVE_2021_42278
cve_2021_42278 or cve_2021_42287
2021-12-18 06:46:47 +01:00
Florian Roth e20d8be164 refactor: split rule up into two, more susp sub procs 2021-12-18 06:39:14 +01:00
Florian Roth 529b35cd8b fix: more FPs noticed 2021-12-18 06:22:16 +01:00
Florian Roth 4e49c28472 fix: FPs noticed with Aurora 2021-12-18 06:19:35 +01:00
Florian Roth f1918e512c Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-18 00:18:00 +01:00
Florian Roth 4b7b829d18 fix: FPs noticed with Aurora 2021-12-18 00:17:58 +01:00