Commit Graph

7964 Commits

Author SHA1 Message Date
phantinuss b6d4e39538 feat: check for the existence of a description field
it is not mandatory in the sigma standard but
mandatory for this repository
2022-01-12 12:55:49 +01:00
Florian Roth f77da595c4 fix: FPs noticed with Aurora 2022-01-12 11:32:34 +01:00
Florian Roth 09aaec8ed2 rules: ntds.dit write, minimized msedge 2022-01-12 11:32:12 +01:00
Bhabesh 6554556c14 Added two filters to reduce FP 2022-01-12 12:55:07 +05:45
frack113 d2dc2e3f27 Merge pull request #2545 from frack113/quote
Simple Quote in detection
2022-01-12 06:40:28 +01:00
frack113 b89fe3d0a6 Merge pull request #2548 from frack113/fix_selection
Fix condition
2022-01-11 21:46:16 +01:00
frack113 69297b5a28 Merge pull request #2547 from asalih/patch-2
Update powershell_suspicious_invocation_specific_in_contextinfo.yml
2022-01-11 21:42:54 +01:00
frack113 7b77be3453 Fix condition 2022-01-11 20:51:57 +01:00
Florian Roth 430f561321 Merge pull request #2542 from redsand/new_cscript_wscript_dropper_using_file_event
New signature to detect cscript/wscript dropper using the sysmon file event
2022-01-11 17:59:48 +01:00
Ahmet Salih 9b261a5cb7 Update powershell_suspicious_invocation_specific_in_contextinfo.yml
close #2546
2022-01-11 18:23:30 +03:00
Tim Shelton 0d553a832b updating condition per @frack113 preference 2022-01-11 14:59:47 +00:00
frack113 f7e670d55e Simple Quote 2022-01-11 13:40:53 +01:00
Florian Roth 11164849b3 Merge pull request #2543 from SigmaHQ/rule-devel
Several new rules and some fixes
2022-01-11 12:44:03 +01:00
Florian Roth e055ec1d52 refactor: change all " of them" expressions 2022-01-11 10:59:57 +01:00
Florian Roth fe754d1937 rule: regsvr32 pattern 2022-01-11 10:46:48 +01:00
Florian Roth 2d50f8d28a rule: several lolbins 2022-01-11 10:46:39 +01:00
Florian Roth de6a153e81 refactor: improved rule 2022-01-11 09:27:22 +01:00
Florian Roth 7eaa3f8d3f refactor: rewrite re rule to contains 2022-01-11 09:19:55 +01:00
Florian Roth 1fad4edfcb refactor: minor changes to procdump rule 2022-01-11 09:10:05 +01:00
Florian Roth 64deb38131 rule: procdump evasion 2022-01-11 09:07:56 +01:00
Florian Roth a6932962eb fix: bug in procdump file event rule 2022-01-11 08:22:02 +01:00
Florian Roth 55d49b7e9b Merge branch 'master' into rule-devel 2022-01-11 08:20:29 +01:00
frack113 c990deb416 Merge pull request #2539 from redsand/fp_when_join_path_is_used
Fp attempting to detect suspicious xor encoded powershell
2022-01-11 06:41:09 +01:00
frack113 2dce43507a Merge pull request #2541 from redsand/fp_win_creation_scr_binary_file
fp where symantec apparently performs this behavior with .scr files
2022-01-11 06:34:12 +01:00
frack113 2c60ed9acb Merge pull request #2540 from frack113/quote_lnx
fix quote
2022-01-11 06:34:00 +01:00
frack113 d2a21f62cb Merge pull request #2538 from frack113/fix_detection
fix detection posh_ps_suspicious_iofilestream
2022-01-11 06:33:16 +01:00
Tim Shelton 50d76f2c89 fixing related field, didn't properly format 2022-01-11 00:09:49 +00:00
Tim Shelton cca339a81e Updating id 2022-01-10 23:17:51 +00:00
Tim Shelton 194519eadb oops, duh... 2022-01-10 23:00:24 +00:00
Tim Shelton ff41473423 filtering fp where symantec apparently performs this behavior 2022-01-10 22:57:14 +00:00
frack113 9092958019 fix quote 2022-01-10 22:25:47 +01:00
Tim Shelton 4d0f62aff7 adding back tick per https://docs.microsoft.com/en-us/powershell/scripting/lang-spec/chapter-02?view=powershell-7.2 2022-01-10 20:51:28 +00:00
Tim Shelton 4a110e369c fixing yaml 2022-01-10 20:45:55 +00:00
Tim Shelton eaf49e3697 adding double quote 2022-01-10 20:44:59 +00:00
Tim Shelton fa19eeb0f8 checks for join with space or quote or double quote in order to reduce fps 2022-01-10 20:44:35 +00:00
frack113 16f3fdb922 fix detection 2022-01-10 17:48:46 +01:00
sagiezero 24dfdbd715 feat(rules): adding rpc_firewall rules 2022-01-10 18:04:43 +02:00
Bhabesh 798c447317 Added new reference for Office Security Settings Changed 2022-01-10 12:02:01 +05:45
Florian Roth 962051e4d7 Merge pull request #2534 from frack113/fix_win_susp_firewall_disable
Fix win susp firewall disable
2022-01-09 22:17:55 +01:00
frack113 7a164e61dd fix 'off' error 2022-01-09 19:58:54 +01:00
frack113 ae0dc80226 Microsoft Defender Firewall 2022-01-09 19:48:22 +01:00
frack113 f96a5ce9ff Fix detection 2022-01-09 19:24:38 +01:00
Florian Roth ab761ce996 refactor: adjusted rule level 2022-01-09 16:13:25 +01:00
Florian Roth ebb3f54d67 Update win_pc_iis_http_logging.yml 2022-01-09 16:13:00 +01:00
Florian Roth 68fea95772 Update posh_ps_suspicious_iofilestream.yml 2022-01-09 16:12:31 +01:00
Florian Roth da5c01507c Update win_fe_csharp_compile_artefact.yml 2022-01-09 16:11:54 +01:00
frack113 01c6e5f6e3 Windows Redcannary 2022-01-09 12:37:23 +01:00
frack113 ac240b1487 Merge pull request #2527 from frack113/promote_366d
Change status to test
2022-01-09 08:02:36 +01:00
frack113 86e7fdafa2 Merge pull request #2531 from frack113/redcannary_20220107
Windows Redcannary
2022-01-09 08:02:00 +01:00
Florian Roth 6f7d28b52a Merge pull request #2532 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2022-01-08 15:57:31 +01:00