Commit Graph

6187 Commits

Author SHA1 Message Date
Jonhnathan 6ecafac619 Update sysmon_susp_driver_load.yml 2020-11-19 22:56:34 -03:00
Jonhnathan f42ef96140 Fix Reference 2020-11-19 22:50:27 -03:00
Jonhnathan fdd28556cf Fix ref 2020-11-19 22:48:20 -03:00
Jonhnathan 4f4fcbc576 Update win_susp_wmi_login.yml 2020-11-19 22:47:20 -03:00
Jonhnathan ea385767b9 Update win_susp_ntlm_auth.yml 2020-11-19 22:40:43 -03:00
Jonhnathan 5d85bbba56 Improve detection logic 2020-11-19 22:37:13 -03:00
Jonhnathan c20bce4a77 Update win_susp_msmpeng_crash.yml 2020-11-19 22:30:48 -03:00
Jonhnathan 7fe2c00ac1 Update win_net_ntlm_downgrade.yml 2020-11-19 22:14:37 -03:00
Jonhnathan 371c112143 Fix the detection logic
ObjectName = admin was included in the query using AND, not OR.
2020-11-19 21:45:19 -03:00
v3t0 3d206b08d8 [OSCD] Added a rule to detect potential persistence using registry keys 2020-11-15 19:04:12 -05:00
stvetro 19eb8306d3 Removed unnecessary antifalse positive 2020-11-14 09:50:29 +04:00
Ryan Plas d4d694b4da Logic fix for sysmon_non_priv_program_files_move 2020-11-10 10:01:47 -05:00
Florian Roth af4d546408 Merge pull request #1282 from Neo23x0/rule-devel
fix: FPs with notepad++ GUP rule
2020-11-10 13:39:28 +01:00
Florian Roth 2e9d7951a6 Merge pull request #1272 from bczyz1/patch-2
Fix typo in win_apt_lazarus_session_hijack.yml
2020-11-10 13:35:08 +01:00
Florian Roth f6c0fb2d33 fix: FPs with notepad++ GUP rule 2020-11-09 16:34:12 +01:00
Florian Roth c3785d6dc7 rule: FPs with WmiPrvSE rule 2020-11-05 16:44:33 +01:00
bczyz1 c554aaea8f update win_apt_slingshot.yml
- optimized rule
- added detection of task modification (flag /change + /disable as described here https://stackoverflow.com/questions/26169582/does-anyone-know-of-a-way-to-turn-off-windows-defragmenters-default-schedule-us)
2020-11-05 15:51:22 +01:00
yugoslavskiy efc3f298b8 simplify syntax 2020-11-04 23:03:34 +01:00
yugoslavskiy 2f789c45dc change a syntax a bit to re-run the tests 2020-11-04 22:30:27 +01:00
bczyz1 4a5b2d642e Fix typo in win_apt_lazarus_session_hijack.yml 2020-11-03 14:46:29 +01:00
GlebSukhodolskiy 8068487340 test trigger 2020-11-03 12:04:03 +03:00
GlebSukhodolskiy 544876951f fixed duplication v2 2020-11-03 02:34:34 +03:00
GlebSukhodolskiy 48e46c279a fixed duplication 2020-11-03 02:25:22 +03:00
GlebSukhodolskiy cf8c721662 fixed optimization and references 2020-11-03 02:16:13 +03:00
GlebSukhodolskiy e2c4af012b Changed to Placeholders Usage
A query was too big to pass a test, so I changed logic to placeholders usage.
2020-11-03 00:56:42 +03:00
feedb e93dd7fe61 fix 2020-11-01 15:25:12 +03:00
Vasiliy Burov 903ce08277 Update win_susp_multiple_files_renamed_or_deleted.yml 2020-11-01 14:21:27 +03:00
yugoslavskiy ea71828d34 change syntax a bit to re-run the test 2020-10-31 23:57:13 +01:00
stvetro 8dc8fdc44b Added antifalsepositive condition
4688 always has non-empty cmd
2020-10-31 12:46:30 +04:00
omkargudhate22 f1bb9726ca updated mitre tag 2020-10-30 13:35:40 +05:30
omkar72 86a849728d ryuk changes 2020-10-30 13:15:11 +05:30
Roberto Rodriguez 972326f761 A few more - 7 Rules 2020-10-29 21:11:41 -04:00
Roberto Rodriguez 25b92d4a2e Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-10-29 21:04:45 -04:00
Vasiliy Burov ab60fdcef4 Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-29 23:38:22 +03:00
Vasiliy Burov 683824ee46 Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-29 11:44:45 +03:00
Vasiliy Burov d743cbbe4b Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-29 11:14:43 +03:00
Semanur Guneysu 46c52b4347 Update sysmon_abusing_debug_privilege.yml 2020-10-28 20:11:29 +03:00
nsaddler 07f777d1b5 Update powershell_CL_Mutexverifiers_LOLScript_v2.yml 2020-10-28 19:32:18 +03:00
nsaddler 7ee644eac0 Update powershell_CL_Invocation_LOLScript_v2.yml 2020-10-28 19:30:21 +03:00
nsaddler d0a796439b Update powershell_CL_Invocation_LOLScript.yml 2020-10-28 19:25:43 +03:00
Наталья Шорникова a4a3e01f25 Splitting into two rules 2020-10-28 19:13:29 +03:00
Наталья Шорникова 55a7fe6b9d Splitting into two rules 2020-10-28 19:08:23 +03:00
Vasiliy Burov d90ec67cce Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-28 11:44:21 +03:00
Vasiliy Burov 744c637125 Delete win_rdp_session_hijacking.yml 2020-10-28 11:38:39 +03:00
Vasiliy Burov 931ccde3e6 Merge branch 'patch-15' of https://github.com/vburov/sigma into patch-15 2020-10-28 11:27:48 +03:00
Vasiliy Burov eec398ea0e Merge branch 'master' into patch-15 2020-10-28 11:27:28 +03:00
Vasiliy Burov 2d2464ba22 Update win_susp_multiple_files_renamed_or_deleted.yml 2020-10-28 11:20:26 +03:00
Vasiliy Burov fdbd8de219 Revert "Update win_susp_multiple_files_renamed_or_deleted.yml"
This reverts commit eb166222bd.
2020-10-28 10:51:18 +03:00
Vasiliy Burov 00f1326ae6 Revert "Update win_susp_multiple_files_renamed_or_deleted.yml"
This reverts commit 64e48ed94d.
2020-10-28 10:50:53 +03:00
Jonhnathan 28febe5dd2 Update win_apt_chafer_mar18.yml 2020-10-27 23:28:04 -03:00