security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

6187 Commits

Author SHA1 Message Date
phantinuss 882ea7ec22 fix: remove unnecessary single value list 2021-08-04 15:50:39 +02:00
frack113 f040725dd8 fix EventID: 4104 ScriptBlockText 2021-08-04 14:49:50 +02:00
phantinuss 994701bd8e CobaltStrike injected AMSI bypass 2021-08-04 11:28:58 +02:00
frack113 644fe80786 add powershell_timestomp.yml 2021-08-03 16:01:54 +02:00
Bhabesh Rai 85b88c7646 Added rule for pypykatz 2021-08-03 15:06:27 +05:45
frack113 b5e4b04cb5 fix eventid 400 powershell-classic 2021-08-03 10:04:15 +02:00
frack113 0efe69bd36 add poweshell_detect_vm_env.yml 2021-08-03 08:30:26 +02:00
Florian Roth 97d2dc89a8 fix: order of modifiers 2021-08-02 00:25:09 +02:00
Florian Roth bda207660d refactor: modified CobaltStrike service install rule 2021-07-31 12:51:42 +02:00
Florian Roth a04aa6ac49 rule: ADCSPwn 2021-07-31 10:18:21 +02:00
Florian Roth 6cd2e26fa0 rule: WinDivert driver load 2021-07-30 16:54:29 +02:00
frack113 f9aff7d403 fix product sysmon_apt_sourgrum.yml 2021-07-30 16:02:38 +02:00
Bhabesh Rai 1f0d4ca3dc Merge branch 'master' of https://github.com/d4rk-d4nph3/sigma into master 2021-07-30 12:36:21 +05:45
Bhabesh Rai 9131ed6db5 Added rule for Cabinet file expansion 2021-07-30 12:36:05 +05:45
frack113 ccaffc79f7 update ref win_susp_psr_capture_screenshots.yml 2021-07-30 08:40:21 +02:00
frack113 dfa28944d0 update ref in sysmon_creation_mavinject_dll.yml 2021-07-30 08:31:37 +02:00
frack113 e33ec91b9a add powershell_keylogging.yml 2021-07-30 08:28:19 +02:00
Florian Roth ab16490d33 fix: re CS rule 2021-07-30 08:24:41 +02:00
frack113 38ede57cb4 add powershell_suspicious_recon.yml 2021-07-30 08:20:51 +02:00
frack113 eff6b50a89 add process_creation_susp_recon.yml 2021-07-30 08:15:13 +02:00
Florian Roth 096395a49a fix: one condition style error 2021-07-30 07:19:42 +02:00
Florian Roth 0cbb6f82ad CobaltStrike NamedPipe Patterns 
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
 2021-07-30 07:11:11 +02:00
Florian Roth ec9c15226f SeriousSAM PowerShell rule 2021-07-29 18:12:10 +02:00
Florian Roth 5ce5465559 Merge pull request #1755 from SigmaHQ/rule-devel 
Different rule updates
 2021-07-28 18:56:28 +02:00
Florian Roth 77c8225db3 Merge pull request #1745 from frack113/redcanary_t1115 
[OSCD]  process_creation_clip.yml t1115
 2021-07-28 16:24:15 +02:00
Florian Roth f57f5931ed Merge pull request #1746 from frack113/tune_sysmon_office_vsto_persistence.yml 
Tune sysmon_office_vsto_persistence.yml
 2021-07-28 16:23:49 +02:00
Florian Roth 59a93ef964 Merge pull request #1747 from frack113/tune_sysmon_taskcache_entry.yml 
Tune sysmon_taskcache_entry.yml
 2021-07-28 16:23:38 +02:00
Florian Roth c3eced4ae7 Merge pull request #1748 from frack113/update_win_susp_rar_flags.yml 
update win_susp_rar_flags.yml
 2021-07-28 16:23:14 +02:00
Florian Roth dc4380d459 Merge pull request #1750 from frack113/redcanary_t1560.001_winzip 
[OSCD] Redcanary t1560.001 winzip
 2021-07-28 16:22:48 +02:00
Florian Roth 321a15d004 Merge pull request #1751 from frack113/redcanary_t1560.001_7zip 
[OSCD] Redcanary t1560.001 7z
 2021-07-28 16:22:31 +02:00
Florian Roth 6d5e695cd1 Merge pull request #1753 from frack113/redcanary_t1119 
Redcanary t1119
 2021-07-28 16:21:40 +02:00
Florian Roth 7f820c7b29 rule updates 2021-07-28 16:20:21 +02:00
phantinuss 9833cc34e5 direct syscall to NtOpenProcess 2021-07-28 15:14:30 +02:00
Florian Roth aefd50f049 fix: avoid FPs with HTool string 2021-07-28 14:23:54 +02:00
frack113 2758c1aa93 add powershell_automated_collection.yml 2021-07-28 14:14:02 +02:00
frack113 8a885dd098 add process_creation_automated_collection.yml 2021-07-28 13:17:40 +02:00
Florian Roth 87a911a15e Update process_creation_susp_7z.yml 2021-07-27 16:02:09 +02:00
Florian Roth 428995d00e Update process_creation_susp_7z.yml 2021-07-27 15:24:39 +02:00
Florian Roth c31bc05aae Update process_creation_susp_7z.yml 2021-07-27 15:22:44 +02:00
frack113 54e6e36ecc add process_creation_susp_7z.yml 2021-07-27 12:54:39 +02:00
Florian Roth ee85fdfa3f Merge pull request #1749 from SigmaHQ/rule-devel 
CobaltStrike Process Patterns and minor fixes
 2021-07-27 12:52:22 +02:00
Florian Roth 5d039dd138 rule: Cobalt Strike patterns 2021-07-27 11:24:40 +02:00
frack113 ea56db2bed forget date field 2021-07-27 11:09:35 +02:00
frack113 227e4bca13 add process_creation_susp_winzip.yml 2021-07-27 10:57:32 +02:00
frack113 8b82fbf36b update detection 2021-07-27 10:34:46 +02:00
Florian Roth 90ca1a8ad2 fix: bug in author field (cannot be a list) 2021-07-27 10:14:53 +02:00
Florian Roth 1a538371c9 fix: bug in author field (not list) 2021-07-27 10:14:03 +02:00
frack113 7287a46f2f Tune false positive 2021-07-27 10:05:57 +02:00
frack113 f3bcffeb0a Tune false positive 2021-07-27 09:58:00 +02:00
frack113 8aa79b9d86 add process_creation_clip.yml 2021-07-27 08:50:03 +02:00