Commit Graph

6187 Commits

Author SHA1 Message Date
frack113 eb5465e5a6 Fix detection from reference 2021-11-12 13:41:48 +01:00
Florian Roth 0ab163b6ba fix: FP which happens more frequently under normal circumstances 2021-11-12 13:31:25 +01:00
Florian Roth 04ad3d7622 Update win_hack_hydra.yml 2021-11-12 13:14:27 +01:00
Florian Roth 1661c61147 Merge pull request #2250 from securepeacock/patch-5
Create sysmon_excel_outbound_network_connection.yml
2021-11-12 13:05:02 +01:00
frack113 9f7a027913 Fix category and EventID 2021-11-12 12:18:44 +01:00
frack113 8e39eb7fde Remove useless EventID 2021-11-12 11:28:09 +01:00
David André 7ad901fce1 Corrected typo in HyperBro malware name 2021-11-12 08:36:13 +01:00
frack113 555eb9244d Merge pull request #2253 from redsand/filter_empty_details_in_registry_changes
Filter empty details in registry changes
2021-11-12 07:00:58 +01:00
securepeacock 27a72f10fe Update sysmon_excel_outbound_network_connection.yml
I got an error for the level field; I'm guessing it was due to a capital M and it's case sensitive.
2021-11-11 21:57:44 -05:00
securepeacock e514567a82 Update sysmon_excel_outbound_network_connection.yml 2021-11-11 21:50:10 -05:00
securepeacock e207596041 Update sysmon_excel_outbound_network_connection.yml 2021-11-11 21:46:24 -05:00
securepeacock 1d58c79386 Update sysmon_excel_outbound_network_connection.yml 2021-11-11 21:44:07 -05:00
securepeacock b4da880a9f Update sysmon_excel_outbound_network_connection.yml
Updated per Florian's recommendations, please let me know if there's anything else.
2021-11-11 19:49:16 -05:00
Tim Shelton a1c85108fa Updating author and date modified 2021-11-11 20:37:34 +00:00
Tim Shelton 4bc4732203 Merge branch 'master' of https://github.com/redsand/sigma into ignore_sql_server_tools_for_powershell 2021-11-11 20:36:22 +00:00
Tim Shelton 089a772a5a Merge branch 'filter_empty_details_in_registry_changes' of https://github.com/redsand/sigma into filter_empty_details_in_registry_changes 2021-11-11 20:34:16 +00:00
Tim Shelton 07f9e3912c updating modified date and author fields 2021-11-11 20:34:00 +00:00
redsand (Tim Shelton) 7edaa510e2 Merge branch 'SigmaHQ:master' into filter_empty_details_in_registry_changes 2021-11-11 14:32:26 -06:00
Tim Shelton 9fddfd4afb filter out where Details is (Empty) 2021-11-11 17:34:20 +00:00
Florian Roth 5d0c160e41 Merge branch 'master' into pr/2228 2021-11-11 18:10:05 +01:00
Florian Roth 81922af134 Merge pull request #2249 from redsand/add_allow_for_dns_exe_via_dc
Add allow for dns exe via dc
2021-11-11 17:22:32 +01:00
Florian Roth 791736cb3e Merge pull request #2243 from SigmaHQ/rule-devel
CobaltStrike DNS beaconing, some FP fixes
2021-11-11 17:21:33 +01:00
Florian Roth b61e92ae1d fix: FP with VSCode 2021-11-11 16:12:49 +01:00
securepeacock 361660e42c Update sysmon_excel_outbound_network_connection.yml 2021-11-10 15:28:19 -05:00
securepeacock 352b62241b Create sysmon_excel_outbound_network_connection.yml 2021-11-10 15:18:16 -05:00
redsand (Tim Shelton) 5ca5ab8cb3 Merge branch 'SigmaHQ:master' into add_allow_for_dns_exe_via_dc 2021-11-10 13:42:31 -06:00
frack113 82c9785f87 Fix detection 2021-11-10 19:57:46 +01:00
frack113 f01523d791 Integrity does not exist in file_event 2021-11-10 19:51:01 +01:00
frack113 da8fcabe0c Fix TargetFilename case 2021-11-10 19:49:25 +01:00
frack113 b6f6beda3c FileMagicBytes does not exist in file_event 2021-11-10 19:44:08 +01:00
frack113 95b9cd3d35 fix detection 2021-11-10 19:40:10 +01:00
frack113 3ea1eda717 ParentImage does not exist in network_connection 2021-11-10 19:38:05 +01:00
frack113 b7b1ebf772 Fix LogonId - SubjectLogonId 2021-11-10 19:12:51 +01:00
frack113 a4951a29bb Fix detection 2021-11-10 18:57:54 +01:00
Tim Shelton 9b469f21a2 adds microsoft sql server mgmt studio to allow list, along with note 2021-11-10 17:38:15 +00:00
Tim Shelton 52d0cb67eb adding additional allow for dns service (domain controllers) 2021-11-10 17:09:15 +00:00
Florian Roth 5abea871b0 docs: put link in references 2021-11-10 09:28:59 +01:00
frack113 ee4082b50d Merge pull request #2242 from frack113/fix_ProcessCommandLine
Fix process command line
2021-11-10 08:09:06 +01:00
frack113 a089a83794 Merge pull request #2238 from frack113/fix_logsource
Fix logsource
2021-11-10 08:08:40 +01:00
Florian Roth e30b09fcce fix: more FPs with Windows 11 services 2021-11-09 19:09:07 +01:00
Florian Roth 5613b6ca82 fix: FP with MicrosoftEdgeUpdate 2021-11-09 19:06:26 +01:00
Florian Roth c07a9adb9b fix: moved rule written for DNS/Sysmon to the correct folder 2021-11-09 17:30:15 +01:00
Florian Roth 39283c0ac2 CobaltStrike DNS rules 2021-11-09 17:29:43 +01:00
frack113 3c3bf75aa8 fix detection from test 2021-11-09 17:04:27 +01:00
Florian Roth 37b9abd827 fix: date field 2021-11-09 16:52:19 +01:00
Florian Roth 77e9decc64 Merge branch 'master' into rule-devel 2021-11-09 16:45:49 +01:00
frack113 24f3e9db5b fix detection from ref 2021-11-09 16:44:11 +01:00
Florian Roth c61ca81d9c refactor: raw disk access rule FPs 2021-11-09 16:15:31 +01:00
frack113 c5fa73c328 fix ProcessCommandLine to ParentCommandLine 2021-11-09 16:13:29 +01:00
frack113 6c19303aa4 normalize logsource 2021-11-09 10:48:13 +01:00