Florian Roth
1ab03bd9f8
Merge pull request #2815 from SigmaHQ/rule-devel
rule: remote thread creation, rule: get-addbaccount
2022-03-16 18:47:03 +01:00
Florian Roth
bd8306cd28
Merge pull request #2814 from SigmaHQ/aurora-false-positive-fixing
fix: sadly still too many fps with this rule
2022-03-16 18:15:23 +01:00
Florian Roth
39811e1405
refactor: uppercase values, DropLoader imphash
2022-03-16 17:56:55 +01:00
Florian Roth
16cac67751
fix: indentation
2022-03-16 15:35:54 +01:00
Florian Roth
426b3a0906
Merge pull request #2796 from d4rk-d4nph3/master
Added rule for shellcode injection by Metasploit and Empire
2022-03-16 15:34:03 +01:00
Florian Roth
4445ea6baf
fix: sadly still too many fps with this rule
2022-03-16 15:21:27 +01:00
Florian Roth
1099c5630e
rule: remote thread creation, get-addbaccount
2022-03-16 15:21:01 +01:00
phantinuss
043747822f
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
phantinuss
6ae28b7a1c
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
phantinuss
84d0c472ba
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
phantinuss
8d3f8acb60
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
phantinuss
9b82e099a3
fix: unlikely --> Unlikely
2022-03-16 14:16:10 +01:00
phantinuss
4585133325
fix: remove penetration testing as a valid false positive
2022-03-16 13:51:26 +01:00
phantinuss
b23eee6ebf
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
Florian Roth
8acf6431f5
Merge pull request #2809 from SigmaHQ/rule-devel
CrackMapExec patterns, minor addition to ncat rule, rar rule adjusted
2022-03-16 11:25:10 +01:00
Florian Roth
4d2a4b74cd
Merge pull request #2808 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-03-16 09:58:21 +01:00
Florian Roth
0e1945beaa
refactor: rar usage w password & compression level
2022-03-16 09:57:45 +01:00
Thomas Patzke
125359cfbc
Merge pull request #2810 from SigmaHQ/fix
Fixes
2022-03-16 07:29:24 +01:00
Thomas Patzke
f022b087e0
Fixed date format in rule
2022-03-15 23:31:14 +01:00
Florian Roth
c818e00fc2
Merge branch 'master' into aurora-false-positive-fixing
2022-03-15 18:07:13 +01:00
Florian Roth
b2cdb92b11
fix: FPs with THOR
2022-03-15 18:05:42 +01:00
Florian Roth
a10561e084
ncat pattern
2022-03-15 18:05:13 +01:00
Florian Roth
306bb438e3
CrackMapExec patterns
2022-03-15 18:05:04 +01:00
Paul Hager
87600161bf
new rule from thedfirreport.com
2022-03-15 16:39:12 +01:00
Paul Hager
3b09f1c9da
new rule from thedfirreport.com
2022-03-15 16:38:27 +01:00
Paul Hager
20125d87c2
new rule from thedfirreport.com
2022-03-15 16:36:57 +01:00
Florian Roth
df0d93baa0
Merge pull request #2805 from ionsor/patch-4
Update win_dcsync.yml
2022-03-15 16:02:17 +01:00
Florian Roth
dd5e10c2f5
Merge pull request #2803 from redsand/fp_remote_powershell_valid_call_ms_archive
FP on valid remote call of Powershell Archive.psm1, maybe beneficial …
2022-03-15 12:53:40 +01:00
Feathers
8014c477cd
Update win_dcsync.yml
Added a more detailed source on this detection.
Also included the AccessMask corresponding to "control access" that is specifically registered when access is allowed following extended rights verification (typically associated with the use of high level and explicit permissions that are required to initiate the DCSync attack), as is described in the Black Lantern Security blog post.
Added 3 other GUIDs that correspond to:
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes
9923a32a-3607-11d2-b9be-0000f87a36b2 - DS-Install-Replica
89e95b76-444d-4c62-991a-0facbeda640c - DS-Replication-Get-Changes-In-Filtered-Set
2022-03-15 12:37:07 +01:00
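The detection idea described in the commit above (a "control access" check, AccessMask bit 0x100, granted on one of the directory-replication extended rights in a Security event 4662), written out as an added example. This is not the SigmaHQ win_dcsync.yml rule and not the contributor's code: the four GUIDs are the ones named in the commit plus the well-known DS-Replication-Get-Changes-All right (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2); the machine-account filter and the sample events are constructed for this illustration and would need tuning in a real environment.

```python
"""Added example (not the SigmaHQ win_dcsync.yml rule): flag Windows Security
event 4662 records that look like DCSync, i.e. a control-access check
(AccessMask bit 0x100) on one of the directory-replication extended rights.
The machine-account filter and SAMPLE_EVENTS below are constructed, not real.
"""

# Extended-right GUIDs as they appear in the 4662 "Properties" field.
DS_REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS


def matched_rights(event):
    """Return the replication rights the event exercises, or [] when it is not
    a 4662 control-access check on one of them (or comes from a machine account)."""
    if event.get("EventID") != 4662 or event.get("ObjectServer") != "DS":
        return []
    try:
        # AccessMask is logged as a hex string such as "0x100".
        mask = int(str(event.get("AccessMask", "0")), 16)
    except ValueError:
        return []
    if not mask & CONTROL_ACCESS:
        return []
    # Assumption for this example: replication between domain controllers is
    # performed by machine accounts, so a trailing '$' is treated as benign.
    if event.get("SubjectUserName", "").endswith("$"):
        return []
    # GUIDs are compared case-insensitively; the field may be multi-line.
    props = event.get("Properties", "").lower()
    return [name for guid, name in DS_REPLICATION_RIGHTS.items() if guid in props]


def scan(events):
    """Return (SubjectUserName, matched rights) for every suspicious event."""
    results = []
    for event in events:
        rights = matched_rights(event)
        if rights:
            results.append((event.get("SubjectUserName"), rights))
    return results


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {   # an ordinary user asking for replication rights: DCSync-like
        "EventID": 4662, "ObjectServer": "DS", "SubjectUserName": "jdoe",
        "AccessMask": "0x100",
        "Properties": "Control Access\n\t{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}\n"
                      "\t{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}",
    },
    {   # another domain controller replicating: same right, machine account
        "EventID": 4662, "ObjectServer": "DS", "SubjectUserName": "DC02$",
        "AccessMask": "0x100",
        "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a property read, not a control-access check: mask lacks 0x100
        "EventID": 4662, "ObjectServer": "DS", "SubjectUserName": "jdoe",
        "AccessMask": "0x10",
        "Properties": "Read Property\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
]

if __name__ == "__main__":
    for user, rights in scan(SAMPLE_EVENTS):
        print(f"{user}: {', '.join(rights)}")
```

Only the first sample is reported. Testing the mask as a bit rather than a string equality matters because a single 4662 can carry several access flags, and lowercasing the Properties field avoids missing GUIDs that some log pipelines emit in upper case.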
Tim Shelton
bda0f3cfe0
FP on valid remote call of Powershell Archive.psm1, maybe beneficial to filter all powershell modules in future
2022-03-14 22:23:06 +00:00
Florian Roth
e3398dbbec
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2022-03-14 12:01:55 +01:00
Florian Roth
9beafefe52
rules: suspicious linux patterns
2022-03-14 12:01:52 +01:00
Florian Roth
7ee62d7f69
Merge branch 'master' into rule-devel
2022-03-14 11:38:44 +01:00
Florian Roth
a9b7c365cd
docs: adjusted description
2022-03-13 23:30:44 +01:00
Florian Roth
7e0928233b
refactor: split up lsass access rule in two
- one with level medium that contains all access attempts using 0x410, 0x1410 and 0x1040
- all other access masks remain in the original rule
2022-03-13 23:29:54 +01:00
Florian Roth
ed8d7b36eb
Merge pull request #2799 from frack113/fp_update
WindowsUpdate FP
2022-03-13 23:17:54 +01:00
frack113
c5263039ae
Merge pull request #2798 from frack113/moonbounce
Add proc_creation_win_wmic_remote_command
2022-03-13 22:22:10 +01:00
frack113
c5c72124b1
WindowsUpdate FP
2022-03-13 19:22:08 +01:00
Florian Roth
70954c8153
Update proc_creation_win_wmic_remote_command.yml
2022-03-13 13:22:10 +01:00
frack113
06f51aecf5
Add proc_creation_win_wmic_remote_command
2022-03-13 12:21:00 +01:00
frack113
283246cdd0
Fix selection_tools
2022-03-12 11:15:10 +01:00
frack113
0bab1f19a9
Add proc_creation_win_network_scan_loop
2022-03-12 10:53:12 +01:00
Florian Roth
52f2b7f966
Merge pull request #2795 from SigmaHQ/rule-devel
refactor: lsass dump files names, new: NTDS.dit exfiltration activity
2022-03-11 20:56:06 +01:00
Florian Roth
1141f00480
fix: more lists with only one parameter
2022-03-11 20:11:06 +01:00
Florian Roth
7c1c5d2789
fix: FP noticed with Aurora
2022-03-11 20:07:18 +01:00
Florian Roth
1691f09099
fix: list with one item
2022-03-11 20:00:33 +01:00
Florian Roth
c843293e47
rules: NTDS.DIT exfiltration
2022-03-11 18:14:09 +01:00
Florian Roth
b96d30acc7
docs: adjustments
2022-03-11 18:13:54 +01:00
Florian Roth
d033831e98
refactor: increased level of ntdsutil usage
2022-03-11 17:04:58 +01:00
Florian Roth
eb2f620089
fix: FP with Suspicious Schtasks rule
2022-03-11 17:04:33 +01:00