security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Arnim Rupp aab00905f1 Update win_av_relevant_match.yml 
Add Ransomware and Cobalt Strike strings.
 2022-02-03 21:43:42 +01:00
Pawel Mazur fede3b1183 Auditd rule - Systemd Service Creation 2022-02-03 20:31:07 +01:00
Florian Roth 6ce92b27be refactor: more regex avoidance 2022-02-03 20:05:10 +01:00
Florian Roth 8c07a51ab9 fix: non-ascii character in description 2022-02-03 19:52:07 +01:00
Florian Roth b715894497 refactor: avoid regex use 2022-02-03 19:48:19 +01:00
frack113 1ac80bebf8 add image_load_susp_advapi32_dll 2022-02-03 18:54:34 +01:00
frack113 d1268d040c Change status and related 2022-02-03 06:53:50 +01:00
frack113 8eeadb9beb Add other browser 2022-02-03 06:38:43 +01:00
Florian Roth f85e598dbe Merge pull request #2632 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-02-02 22:49:26 +01:00
JSHOX1 81292263ba Update win_susp_ntlm_brute_force.yml 2022-02-02 16:18:20 -05:00
Florian Roth 20a7bad5d8 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-02 20:40:21 +01:00
Florian Roth 885651efae fix: FPs noticed with Aurora 2022-02-02 20:39:47 +01:00
Florian Roth ed493accf5 Merge pull request #2627 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing; Double backslash escaping fix
 2022-02-02 18:39:51 +01:00
Florian Roth 013670445f Merge pull request #2625 from BlackB0lt/patch-23 
Update sysmon_process_hollowing.yml
 2022-02-02 18:39:28 +01:00
Florian Roth d2e741cf9a Merge pull request #2628 from frack113/redcannay_t1553_005 
Windows Redcannary T1553.005
 2022-02-02 18:38:55 +01:00
JSHOX1 1346d93e95 Update win_susp_ntlm_brute_force.yml 2022-02-02 12:25:07 -05:00
JSHOX1 50fb36c4cb Create win_susp_ntlm_brute_force.yml 2022-02-02 09:24:13 -05:00
Florian Roth ef955b92ae Merge branch 'master' into aurora-false-positive-fixing 2022-02-02 13:49:23 +01:00
Florian Roth cb8a0a6e73 Revert "fix: FPs with GoogleDrive update" 
This reverts commit 86f3302a33.
 2022-02-02 13:49:06 +01:00
Florian Roth 4b09e643c2 fix: condition in malware back connect rule 2022-02-02 13:48:56 +01:00
phantinuss b627c62fe8 fix: filter out googledrivesync.exe FP 2022-02-02 12:25:55 +01:00
Florian Roth 86f3302a33 fix: FPs with GoogleDrive update 2022-02-02 11:45:42 +01:00
phantinuss a22d57fc87 fix: rename filter 2022-02-02 11:12:39 +01:00
phantinuss 2d36c6222d fix: FPs found in prod environment 2022-02-02 11:03:19 +01:00
phantinuss 65c3a72715 fix: used in legitimate microsoft scripts 2022-02-02 11:00:43 +01:00
Florian Roth 52e4aeca69 Merge pull request #2629 from markus-nclose/master 
CobaltStrike typo
 2022-02-02 09:45:18 +01:00
frack113 4d28fb5320 Merge pull request #2626 from frack113/update_wdigest 
Fix FP sysmon_wdigest_enable_uselogoncredential
 2022-02-02 06:35:13 +01:00
frack113 120436bdb4 Update filter 2022-02-02 06:34:32 +01:00
markus-nclose 4c2a3c3036 CobaltStrike typo 
This typo keeps sneaking back in - critical for detection. 
Spelling correct according to https://www.nextron-systems.com/wp-content/uploads/2018/09/Antivirus_Event_Analysis_CheatSheet_1.5-2.pdf
 2022-02-02 07:31:48 +02:00
Florian Roth f357c73554 Merge branch 'master' into aurora-false-positive-fixing 2022-02-01 19:50:21 +01:00
frack113 3c0f4b79c9 Windows Redcannary T1553.005 2022-02-01 18:41:53 +01:00
Florian Roth 7f9fd3ea63 Update sysmon_process_hollowing.yml 2022-02-01 16:01:27 +01:00
Florian Roth ca8aa9bb62 fix: missing update in modified date 2022-02-01 15:59:20 +01:00
Florian Roth 6c2dea3a8c fix: FPs noticed with Aurora 2022-02-01 15:57:44 +01:00
Florian Roth 9fc06fb027 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-01 15:57:20 +01:00
Florian Roth 6efa5da3dc fix: unescaped double back slashes 2022-02-01 15:57:15 +01:00
frack113 6b3b9e924f Fix GPO FP 2022-02-01 14:21:48 +01:00
Sittikorn S e16974522b Update sysmon_process_hollowing.yml 
Update filters
 2022-02-01 15:19:36 +07:00
Florian Roth 0d27cf9681 Merge pull request #2624 from SigmaHQ/rule-devel 
Some TeamViewer rules
 2022-01-31 16:38:58 +01:00
Florian Roth 926f9b588c Merge pull request #2605 from securepeacock/patch-9 
Rundll32 From Abnormal Drive
 2022-01-31 16:38:46 +01:00
frack113 7ceb3968d8 Update file_event_susp_teamviewer_remote_session.yml 2022-01-31 06:24:02 +01:00
Florian Roth c35973d6e7 rule: TeamViewer remote session 2022-01-30 22:26:13 +01:00
Florian Roth ba3065e943 refactor: added another TV domain 2022-01-30 22:26:01 +01:00
Florian Roth 1b57916890 rule: suspicious renamed teamviewer 2022-01-30 22:05:47 +01:00
Florian Roth fb44e9ae56 Update process_creation_rundll32_not_from_c_drive.yml 2022-01-30 21:48:57 +01:00
frack113 0bcb842c70 Redcannary windows 2022-01-30 18:47:49 +01:00
Florian Roth d27deada7d Merge pull request #2622 from frack113/red_20220130 
win_pc_susp_takeown
 2022-01-30 18:06:36 +01:00
frack113 542a901f57 add win_pc_susp_takeown 2022-01-30 12:03:32 +01:00
Florian Roth 545e8c1c03 Merge pull request #2606 from securepeacock/patch-10 
Create sysmon_process_hollowing.yml
 2022-01-30 11:33:58 +01:00
Florian Roth 027fce7f13 Update sysmon_process_hollowing.yml 2022-01-29 23:55:21 +01:00