Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth de318c122a fix: FPs noticed with Aurora 2021-12-22 13:54:39 +01:00
Andreas Hunkeler 9c25a43089 rule: add new rule to detect shell spawn by Java keytool 2021-12-22 11:48:02 +01:00
Florian Roth e9702af82b rule: sAMAccountName Spoofing CVE-2021-42287 2021-12-22 08:50:05 +01:00
frack113 0e31c23620 Merge pull request #2476 from frack113/redcannary_20211220
Windows Red Canary
2021-12-21 20:41:58 +01:00
Florian Roth b3c7ef50f5 Merge branch 'master' into aurora-false-positive-fixing 2021-12-21 14:44:55 +01:00
Florian Roth a471b4ea45 Merge pull request #2483 from Karneades/patch-1
rule: Add Java class proxy download rule
2021-12-21 14:10:43 +01:00
Florian Roth 4c76e917df Merge pull request #2480 from frack113/diavol
Add thedfirreport Diavol Ransomware rules
2021-12-21 14:10:35 +01:00
Florian Roth 21cd791075 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-21 13:47:41 +01:00
Florian Roth c006b9df31 fix: FPs noticed with Aurora after Nvidia driver upgrade 2021-12-21 13:47:39 +01:00
Florian Roth 59bfca6aba Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:28:47 +01:00
Florian Roth 55b4085afc Merge pull request #2473 from elhoim/add_mimikatz_keywords
Add mimikatz keywords to 3 rules
2021-12-21 13:28:15 +01:00
Florian Roth 694b133529 Merge pull request #2475 from elhoim/memssp_log_file
New rule to detect Mimikatz MemSSP default log file creation
2021-12-21 13:27:13 +01:00
Florian Roth 5c3c4830f7 Update win_pc_false_sysinternalsuite.yml 2021-12-21 13:26:50 +01:00
Florian Roth 6e19e75ece Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:24:36 +01:00
Florian Roth a1594e8c4a Merge pull request #2482 from Karneades/hideSrv
rule: abuse of permissions to hide services
2021-12-21 13:23:20 +01:00
Florian Roth c842b12970 Update proxy_java_class_download.yml 2021-12-21 13:22:47 +01:00
Andreas Hunkeler c0a6de06c4 rule: Add Java class proxy download rule 2021-12-21 11:25:08 +01:00
David ANDRE d5bfce1e36 Removed duplicate filter entries. 2021-12-21 10:23:23 +01:00
David André 2ce0529792 Merge branch 'SigmaHQ:master' into add_mimikatz_keywords 2021-12-21 09:26:51 +01:00
Andreas Hunkeler 090e0304d4 rule: abuse of permissions to hide services 2021-12-20 23:36:23 +01:00
Andreas Hunkeler 5ac7c0a076 rule: add further reference in regsvr32 rule 2021-12-20 22:58:32 +01:00
frack113 b490086d37 Add thedfirreport Diavol Ransomware 2021-12-20 18:59:11 +01:00
Florian Roth 3c7b4b7225 Update win_alert_mimikatz_keywords.yml 2021-12-20 18:40:19 +01:00
Florian Roth 75765f2aef Update win_mimikatz_command_line.yml 2021-12-20 17:30:03 +01:00
Florian Roth 12387fc275 Update win_alert_mimikatz_keywords.yml 2021-12-20 17:28:42 +01:00
Florian Roth 31788f91d8 Merge pull request #2477 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-20 16:56:21 +01:00
phantinuss 145622afcf change level to medium as non-tunable in-the-wild FPs with powershell.exe are found 2021-12-20 15:12:21 +01:00
phantinuss ad65524fb7 fix: FP matching thor scanner 2021-12-20 13:59:38 +01:00
Florian Roth 5d3f39e317 fix: duplicate entry 2021-12-20 12:53:45 +01:00
Florian Roth cf65b61397 Update file_event_mimimaktz_memssp_log_file.yml 2021-12-20 12:51:27 +01:00
Florian Roth 37da48ba3f fix: FPs noticed with Aurora 2021-12-20 12:04:40 +01:00
frack113 e542c10e8e Fix error 2021-12-20 11:35:12 +01:00
David ANDRE 8c61e58152 New rule to detect Mimikatz MemSSP default log file creation 2021-12-20 10:49:18 +01:00
frack113 96a42f3bb5 Windows Red Canary 2021-12-20 10:43:32 +01:00
David ANDRE ed17c07aff Corrected alignment 2021-12-20 09:25:05 +01:00
David ANDRE b0dda59d09 Added mimikatz keywords from user published documentation to win_mimimkatz_command_line 2021-12-20 09:22:34 +01:00
David ANDRE 147c319bff Added mimikatz keywords from user published documentation to win_susp_system_user_anomaly 2021-12-20 09:01:34 +01:00
David ANDRE d2f9a9c63e Added mimikatz keywords from user published documentation 2021-12-20 08:56:13 +01:00
frack113 f4f3f860cb Merge pull request #2470 from frack113/redcanary_20211219
Windows Red Canary
2021-12-20 08:39:41 +01:00
frack113 ffc87968cf Merge pull request #2469 from frack113/aurora_fp
Aurora FP
2021-12-20 08:39:13 +01:00
Florian Roth 89e1f491b3 refactor: add accepteula to flags 2021-12-19 19:43:37 +01:00
frack113 b89580488a Windows Red Canary 2021-12-19 11:20:42 +01:00
frack113 f8962bec98 Aurora FP 2021-12-19 10:35:39 +01:00
Nasreddine Bencherchali 70f3f4fa88 Create win_susp_psloglist.yml
- The flags can be used with both "-" and "/" characters.
- This rule aims to detect any usage of psloglist, no matter if the binary is with the original name or not. This is achieved by looking for both the image name and the specific command line arguments
2021-12-18 21:52:05 +01:00
Nasreddine Bencherchali 6f01874e07 Create win_susp_nt_resource_kit_auditpol_usage.yml 2021-12-18 21:06:46 +01:00
Florian Roth 91b51068ea fix condition
https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:57 +01:00
Florian Roth 78900a7b96 fix condition
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:35 +01:00
Florian Roth 61ae79bcff Condition changed
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:12 +01:00
Florian Roth 4362060da6 Update process_creation_advanced_ip_scanner.yml 2021-12-18 20:24:11 +01:00
Nasreddine Bencherchali da5cb2116c Update process_creation_advanced_ip_scanner.yml 2021-12-18 20:08:00 +01:00