security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

6187 Commits

Author SHA1 Message Date
Florian Roth 9684c4e55f Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-17 12:03:54 +02:00
Florian Roth 80b3acfce9 fix: false positive with Xen / Oracle scripts 2021-08-17 12:03:49 +02:00
frack113 06840be3e7 fix author 2021-08-16 18:46:25 +02:00
frack113 dfd9e6d8f0 Merge pull request #1857 from frack113/fix_HostApplication 
Update definition for powershell-classic rule
 2021-08-16 17:18:24 +02:00
frack113 eb406ba36f Merge pull request #1844 from frack113/cleanup 
Add more compliance test
 2021-08-16 17:17:25 +02:00
Florian Roth d2790f2450 fix: missing "|all" modifier 2021-08-16 16:14:48 +02:00
frack113 e1b99db149 fix duplicate uuid 2021-08-16 15:50:14 +02:00
Florian Roth 669308a37a Merge pull request #1855 from frack113/coti_sqlcmd 
Rule to detect Coti sqlcmd
 2021-08-16 14:27:24 +02:00
Florian Roth 141ca03c9b Merge pull request #1853 from secDre4mer/contileak 
feat: Add some rules to detect Conti behaviour
 2021-08-16 14:18:43 +02:00
Florian Roth 3028eb68b6 refactoring: procdump rules 2021-08-16 13:55:00 +02:00
frack113 911579023c fix powershell_alternate_powershell_hosts.yml 2021-08-16 13:30:45 +02:00
frack113 2dbf9af27d add definition to powershell-classic 2021-08-16 12:56:24 +02:00
frack113 fda11e3608 fix very bad cut and paste 2021-08-16 11:22:50 +02:00
frack113 a861f55e5c fix title 2021-08-16 11:15:32 +02:00
frack113 a70607bce7 add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00
Florian Roth 79bc89b344 rule: av hacktool events 2021-08-16 10:57:03 +02:00
Florian Roth f8bedfa759 docs: added link to leak file on VT 2021-08-16 10:12:35 +02:00
frack113 dc9bb22a00 fix duplicate id 2021-08-16 09:29:22 +02:00
Max Altgelt 78e2c0da92 fix: Clean up duplicated ID 2021-08-16 09:26:45 +02:00
frack113 fb80b35141 fix condition 2021-08-16 09:21:38 +02:00
frack113 5b09dff1fb cleanup win_malware_conti_shadowcopy.yml 2021-08-16 09:21:04 +02:00
frack113 ed424c55c8 fix selection 2021-08-16 09:20:25 +02:00
frack113 26d632bf05 fix condition 2021-08-16 09:19:46 +02:00
frack113 e8723e892a clean-up powershell_invoke_nightmare.yml 2021-08-16 09:19:10 +02:00
frack113 f69868b5aa Merge pull request #1834 from secDre4mer/master 
Correct incorrect message / keyword usage
 2021-08-16 09:16:33 +02:00
Max Altgelt 5b60e0ea5a feat: Add some rules to detect Conti behaviour 
Add rules based on the leaks from the Conti group to detect
malicious behaviour.
 2021-08-16 09:13:51 +02:00
Max Altgelt d2a35edae9 fix: Remove powershell_alternate_hosts from PR 
Remove a rule using Host Application (which may or may not exist,
based on the log parser) from the PR. A future PR will clean up
rules using Host Application.
 2021-08-16 08:42:17 +02:00
frack113 c3457c9911 fix titles 2021-08-15 19:05:00 +02:00
frack113 245cb6d510 fix more errors 2021-08-15 18:55:44 +02:00
frack113 12396f615c remove duplicate rule and fix errors 2021-08-15 16:52:24 +02:00
frack113 a75859a976 First commit 2021-08-15 16:00:14 +02:00
frack113 db0de126a5 test author for Detection Rule License 1.1 2021-08-14 19:16:36 +02:00
frack113 e45557316e Fix selection with only 1 element 2021-08-14 09:54:27 +02:00
Max Altgelt ce326cb903 fix: Correct broken rules, add documentation 2021-08-13 15:46:30 +02:00
phantinuss 246ba0c17f generalise amsi bypass rule to CobaltStrike BOF injection pattern 
generalise to CobaltStrike BOF injection pattern
 2021-08-13 15:34:01 +02:00
frack113 1b480f2ee6 Merge pull request #1819 from frack113/split_1802_builtin 
Correct lists with only 1 value
 2021-08-13 12:43:26 +02:00
frack113 5e42187062 remove change for Message rule 2021-08-13 11:01:33 +02:00
Max Altgelt e1ef8f4055 fix: Rewrite another message rule 
Rewrites another message rule. This one is a bit more complex
since a bitmap is used and the string representation is not
available.
 2021-08-13 10:28:34 +02:00
frack113 62e541ec7f Merge pull request #1784 from frack113/winlogbeat-modules-enabled 
Update Mapping Winlogbeat modules enabled
 2021-08-12 19:14:17 +02:00
Max Altgelt 6f05e33feb fix: Correct incorrect message / keyword usage 
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
 2021-08-12 16:28:07 +02:00
Florian Roth 62c9468180 Merge pull request #1832 from SigmaHQ/rule-devel 
Whoami Refactoring
 2021-08-12 14:28:28 +02:00
Florian Roth d9d543e545 refactor: removed OriginalFileName from rule to improve compatibilty 2021-08-12 13:28:24 +02:00
Florian Roth 34d70de084 rule: whoami anomalies 2021-08-12 13:28:00 +02:00
Florian Roth bd0a2a1b9f rule: renamed whoami 2021-08-12 13:27:51 +02:00
Florian Roth 418a0bbf7e Merge pull request #1827 from phantinuss/master 
2 new rules (Little Corporal Maldoc and keyword generic version of "ProxyShell MSExchange MailBox Export Pattern")
 2021-08-12 11:41:50 +02:00
Florian Roth 6ed62b431e Merge pull request #1830 from SigmaHQ/rule-devel 
SystemNightmare and Typo
 2021-08-12 11:41:16 +02:00
Florian Roth 08883c8e32 refactor: removed old rule that uses Message field 
Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible.

We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details)
 2021-08-12 09:27:50 +02:00
phantinuss a880663d51 fix: add missing 'all of' for 'and' conjunction of the assignment keywords 2021-08-11 17:46:10 +02:00
phantinuss 1c919c07c7 exchange mailbox export with generic keyword search (Message is not a real field) 2021-08-11 16:57:15 +02:00
Florian Roth c8d481fd83 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-11 10:10:32 +02:00