Iveco
68c20dca20
Fixed title length
2020-03-26 16:56:46 +01:00
Iveco
39a3af04ce
Fixed title length
2020-03-26 16:56:06 +01:00
Justin Ellison
dabc759136
Eliminate title collision
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
2020-03-26 09:13:52 -05:00
iveco
ddacde9e6b
add LDAPFragger detections
2020-03-26 15:13:36 +01:00
Florian Roth
28953a2942
fix: MITRE tags in rule
2020-03-25 18:11:04 +01:00
Florian Roth
6584729a0d
rule: powershell downloadfile
2020-03-25 14:58:14 +01:00
Florian Roth
35e43db7a7
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
Florian Roth
17297193c7
Merge branch 'master' into devel
2020-03-25 14:18:11 +01:00
Florian Roth
50b0d04ee8
rule: Exploited CVE-2020-10189 Zoho ManageEngine
2020-03-25 14:02:53 +01:00
Florian Roth
28d8b87a0f
rule: extended web shell spawn rule
2020-03-25 14:02:39 +01:00
j91321
1d86e0b4a5
Change falsepositives to array
2020-03-24 19:59:54 +01:00
j91321
c784adb10b
Wrong indentation falsepositives
2020-03-24 19:55:41 +01:00
j91321
98a633e54c
Add missing status and falsepositives
2020-03-24 19:53:41 +01:00
j91321
3c74d8b87d
Add correct Source to detection to avoid FP
2020-03-24 19:49:24 +01:00
j91321
bc442d3021
Add path with lowercase system32
2020-03-24 19:48:24 +01:00
j91321
78bfa950d7
Add WinPrvSE.exe to detection
2020-03-24 19:47:10 +01:00
Thomas Patzke
c10332b06c
Merge pull request #663 from neu5ron/updates_sigmac_and_rules
Updates sigmac and rules
2020-03-22 00:22:31 +01:00
Harish SEGAR
ba3994f319
Fix of '1 of x' condition
2020-03-21 12:19:01 +01:00
Harish SEGAR
81b277ba1a
suspicious powershell parent process...
2020-03-21 00:26:30 +01:00
Harish SEGAR
a88b22a1bd
Fix namefield.
2020-03-20 23:34:15 +01:00
Harish SEGAR
67694e4ba7
Restructure new improvement to process_creation folder.
2020-03-20 23:29:32 +01:00
Harish SEGAR
b9a916ceb4
Removed useless condition.
2020-03-20 22:50:26 +01:00
Harish SEGAR
30fac9545a
Fixed author field.
2020-03-20 22:49:07 +01:00
Harish SEGAR
1f251cec07
Added missing action field
2020-03-20 22:46:19 +01:00
Harish SEGAR
293018a9e7
Added conditions...
2020-03-20 22:33:14 +01:00
Harish SEGAR
74b81120e4
Usage of value modifiers...
2020-03-20 22:03:48 +01:00
Harish SEGAR
b129f09fee
Improvement detection on downgrade of powershell
2020-03-20 21:48:19 +01:00
Maxime Thiebaut
dce18b23b7
Add "Suspicious desktop.ini Action" rule
2020-03-19 21:43:03 +01:00
Florian Roth
6040b1f1f8
Merge pull request #668 from Neo23x0/devel
Devel
2020-03-19 18:36:31 +01:00
Florian Roth
8454f60a8e
fix: reduced level due to false positives
2020-03-17 20:40:28 +01:00
neu5ron
b575df8cd7
use the taxonomy for http response which is sc-status
2020-03-14 15:02:33 -04:00
neu5ron
4cd99e71bf
use the taxonomy which states to use c-uri instead of c-uri-path
2020-03-14 15:02:06 -04:00
neu5ron
4c94906d53
rule should be wildcard AND had a prepended ^ in one of the CommandLine conditions that would have caused it not to trigger
2020-03-14 15:00:42 -04:00
neu5ron
4b572f3ccb
newline in description - typo
2020-03-14 14:58:58 -04:00
neu5ron
d212d43acf
spelling
2020-03-14 14:58:25 -04:00
Florian Roth
cbf0f43934
Merge pull request #655 from msec1203/msec1203-patch-1
add rule for suspicious use of csharp console by scripting utility
2020-03-09 18:01:12 +01:00
Florian Roth
6845fa21b3
fix: fixed several issues
2020-03-09 17:43:16 +01:00
David Szili
0947538228
MDATP schema changes
WDATP was renamed to MDATP (Microsoft Defender ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
2020-03-09 17:12:41 +01:00
ecco
2489b8534c
sysmon registry events fix
2020-03-09 12:02:04 -04:00
Florian Roth
ddefb3bc58
Merge branch 'master' into devel
2020-03-07 11:06:25 +01:00
Florian Roth
07914c2783
Merge pull request #652 from 2XXE-SRA/patch-1
MMC Lateral Movement Rule 1
2020-03-07 11:02:16 +01:00
Florian Roth
2e184382f5
fix: eventid in process_creation rules
2020-03-07 10:43:47 +01:00
Florian Roth
60279c7501
Merge pull request #610 from axi0m/patch-1
Update proxy_raw_paste_service_access.yml
2020-03-07 10:39:56 +01:00
Florian Roth
7e8b59abe6
Merge pull request #643 from grumo35/patch-2
Update sysmon_cred_dump_tools_dropped_files.yml
2020-03-07 10:39:35 +01:00
Florian Roth
c609de4f27
Merge pull request #648 from NVISO-BE/patch-azure-ad-replication
Exclude Azure AD sync accounts from AD Replication rule
2020-03-07 10:39:04 +01:00
Florian Roth
b040c129be
fix: author field starting with an '@' symbol
2020-03-07 10:38:02 +01:00
2XXE (SRA)
ae56db97ff
mmc lateral movement detection 1
see https://github.com/Neo23x0/sigma/issues/576
2020-03-04 14:57:41 -05:00
ecco
b9e4734087
fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon
2020-03-04 12:47:42 -05:00
Florian Roth
6bbb166f3d
rule: extended webshell rule with tomcat.exe
2020-03-04 14:25:57 +01:00
Florian Roth
53278c2a46
Merge pull request #649 from Neo23x0/devel
fix: avoiding FPs with Citrix software
2020-03-03 11:35:02 +01:00