Commit Graph

7964 Commits

| Author | SHA1 | Message | Date |
| --- | --- | --- | --- |
| Florian Roth | 791736cb3e | Merge pull request #2243 from SigmaHQ/rule-devel: CobaltStrike DNS beaconing, some FP fixes | 2021-11-11 17:21:33 +01:00 |
| Florian Roth | b61e92ae1d | fix: FP with VSCode | 2021-11-11 16:12:49 +01:00 |
| frack113 | c2ef681e86 | fix modified | 2021-11-11 10:26:08 +01:00 |
| frack113 | c682c12ecf | Add sudo service | 2021-11-11 10:21:21 +01:00 |
| frack113 | 1d38a7dfa5 | Fix linux process_creation field case | 2021-11-11 10:16:36 +01:00 |
| frack113 | bd3358d33c | Fix auditd field name | 2021-11-11 10:13:48 +01:00 |
| frack113 | 735e5eade9 | Fix macos category | 2021-11-11 09:52:31 +01:00 |
| securepeacock | 361660e42c | Update sysmon_excel_outbound_network_connection.yml | 2021-11-10 15:28:19 -05:00 |
| securepeacock | 352b62241b | Create sysmon_excel_outbound_network_connection.yml | 2021-11-10 15:18:16 -05:00 |
| redsand (Tim Shelton) | 5ca5ab8cb3 | Merge branch 'SigmaHQ:master' into add_allow_for_dns_exe_via_dc | 2021-11-10 13:42:31 -06:00 |
| frack113 | 82c9785f87 | Fix detection | 2021-11-10 19:57:46 +01:00 |
| frack113 | f01523d791 | Integrity does not exist in file_event | 2021-11-10 19:51:01 +01:00 |
| frack113 | da8fcabe0c | Fix TargetFilename case | 2021-11-10 19:49:25 +01:00 |
| frack113 | b6f6beda3c | FileMagicBytes does not exist in file_event | 2021-11-10 19:44:08 +01:00 |
| frack113 | 95b9cd3d35 | fix detection | 2021-11-10 19:40:10 +01:00 |
| frack113 | 3ea1eda717 | ParentImage does not exist in network_connection | 2021-11-10 19:38:05 +01:00 |
| frack113 | b7b1ebf772 | Fix LogonId - SubjectLogonId | 2021-11-10 19:12:51 +01:00 |
| frack113 | a4951a29bb | Fix detection | 2021-11-10 18:57:54 +01:00 |
| Tim Shelton | 9b469f21a2 | adds microsoft sql server mgmt studio to allow list, along with note | 2021-11-10 17:38:15 +00:00 |
| Tim Shelton | 52d0cb67eb | adding additional allow for dns service (domain controllers) | 2021-11-10 17:09:15 +00:00 |
| Florian Roth | 5abea871b0 | docs: put link in references | 2021-11-10 09:28:59 +01:00 |
| frack113 | ee4082b50d | Merge pull request #2242 from frack113/fix_ProcessCommandLine: Fix process command line | 2021-11-10 08:09:06 +01:00 |
| frack113 | a089a83794 | Merge pull request #2238 from frack113/fix_logsource: Fix logsource | 2021-11-10 08:08:40 +01:00 |
| frack113 | ca17949d85 | Merge pull request #2237 from frack113/m365: standardization m365 | 2021-11-10 08:08:10 +01:00 |
| Florian Roth | e30b09fcce | fix: more FPs with Windows 11 services | 2021-11-09 19:09:07 +01:00 |
| Florian Roth | 5613b6ca82 | fix: FP with MicrosoftEdgeUpdate | 2021-11-09 19:06:26 +01:00 |
| frack113 | c14322dfc3 | Merge pull request #2241 from frack113/linux: Order Linux directory | 2021-11-09 17:48:57 +01:00 |
| Florian Roth | c07a9adb9b | fix: moved rule written for DNS/Sysmon to the correct folder | 2021-11-09 17:30:15 +01:00 |
| Florian Roth | 39283c0ac2 | CobaltStrike DNS rules | 2021-11-09 17:29:43 +01:00 |
| frack113 | 3c3bf75aa8 | fix detection from test | 2021-11-09 17:04:27 +01:00 |
| Florian Roth | 37b9abd827 | fix: date field | 2021-11-09 16:52:19 +01:00 |
| Florian Roth | 77e9decc64 | Merge branch 'master' into rule-devel | 2021-11-09 16:45:49 +01:00 |
| frack113 | 24f3e9db5b | fix detection from ref | 2021-11-09 16:44:11 +01:00 |
| Florian Roth | c61ca81d9c | refactor: raw disk access rule FPs | 2021-11-09 16:15:31 +01:00 |
| frack113 | c5fa73c328 | fix ProcessCommandLine to ParentCommandLine | 2021-11-09 16:13:29 +01:00 |
| frack113 | 18fea95b86 | move to macos | 2021-11-09 13:33:58 +01:00 |
| frack113 | e8a36ace96 | move to other | 2021-11-09 13:32:22 +01:00 |
| frack113 | c8f488eabf | move to builtin | 2021-11-09 13:27:20 +01:00 |
| frack113 | 6c19303aa4 | normalize logsource | 2021-11-09 10:48:13 +01:00 |
| frack113 | 8f39ef9ed1 | normalize logsource | 2021-11-09 10:41:09 +01:00 |
| frack113 | 3430943746 | standardization | 2021-11-09 07:27:25 +01:00 |
| frack113 | 73e2b5fae6 | Merge pull request #2233 from frack113/zipexec: Add win_pc_susp_zipexec | 2021-11-08 22:46:17 +01:00 |
| frack113 | 3e670a876f | Merge pull request #2232 from frack113/fix_sysmon_rule: fix logsources | 2021-11-08 21:28:44 +01:00 |
| frack113 | d3c3cd9930 | Merge pull request #2230 from frack113/process_creation_clean: Process creation directory clean | 2021-11-08 21:27:25 +01:00 |
| Florian Roth | 3f57251768 | Merge branch 'master' into rule-devel | 2021-11-08 11:46:35 +01:00 |
| Florian Roth | d43f845157 | Update proxy_cobalt_malformed_uas.yml | 2021-11-08 11:21:49 +01:00 |
| Florian Roth | 20f4099cec | rule: Kirbi file creation | 2021-11-08 11:21:40 +01:00 |
| frack113 | 4672762010 | add win_pc_susp_zipexec | 2021-11-07 21:57:40 +01:00 |
| frack113 | e51dab10c2 | fix logsources | 2021-11-07 09:55:02 +01:00 |
| Nate Guagenti | 8291aba4d3 | remove duplicate exclusion: exclude_tlds was listed twice | 2021-11-06 15:45:34 -04:00 |