security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Tobias Michalski 4d6e7e1338 Rules persitence by exploiting Outlook or Exchange 2021-06-10 11:26:21 +02:00
Florian Roth 5e35e387dd Merge pull request #1549 from SigmaHQ/rule-devel 
Rule devel
 2021-06-10 10:19:47 +02:00
Florian Roth 45c3d4702b Merge pull request #1520 from SyeedHasan/master 
Detection rule for 'ISO mounts'
 2021-06-10 09:51:29 +02:00
Florian Roth 78817d100b style: removed unneeded space chars 2021-06-10 09:42:19 +02:00
Florian Roth 9c0700bc56 Powershell artefacts to critical 2021-06-10 09:42:07 +02:00
Florian Roth 04faf985d2 more PowerShell suspicious keywords 2021-06-10 09:41:55 +02:00
Florian Roth f52ed7604c BabyShark Pattern 2021-06-10 09:41:36 +02:00
Florian Roth 28abdf3a81 Update win_iso_mount.yml 2021-06-10 09:31:40 +02:00
luffynextgen c75d92410d Create sysmon_svchost_cred_dump.yml 2021-06-10 09:30:08 +02:00
Florian Roth b2d0fbba2c Adjustments 2021-06-10 09:12:37 +02:00
Florian Roth 8a04bea6aa Merge pull request #1535 from mvelazc0/master 
Password Spraying Sigma Rules
 2021-06-08 16:14:52 +02:00
Andreas Hunkeler 2d44803bf5 Revert renaming of ngrok rule 
Initially the rule had only a detection for RDP but after my last commits we have more ports in detections, so previous generic name is better.
 2021-06-08 13:09:35 +02:00
Florian Roth cfdf3b7c08 Merge pull request #1538 from frack113/powershell_delete_volume_shadow_copies 
Add t1490 powershell delete volume shadow copie
 2021-06-08 11:02:34 +02:00
Florian Roth 07176ddb25 Merge pull request #1541 from frack113/win_tamper_with_windows_defender 
Windows tamper with windows defender
 2021-06-08 11:02:14 +02:00
Florian Roth 242b56031f Merge pull request #1542 from Karneades/patch-1 
Update ngrok usage rule
 2021-06-08 11:01:45 +02:00
frack113 c1f43cc4ca T1562.001 Atomic Test #18 - Disable Microsoft Office Security Features 2021-06-08 09:32:01 +02:00
frack113 0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00
Andreas Hunkeler cea2d5cd81 Add modified date to ngrok rule 2021-06-07 18:17:17 +02:00
Andreas Hunkeler e1ef13bb24 Update ngrok usage rule 
* Add further reference
* Add new selection
* Add WinRM and SMB ports to selection
* Add authtoken string for authentication of a ngrok client
* Add fp link for https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0
 2021-06-07 17:20:18 +02:00
frack113 5914e46d4a fix typo errors 2021-06-07 15:15:36 +02:00
frack113 e66a3f9513 T1562.001 Attempting to disable scheduled scanning and other parts of windows defender atp. 2021-06-07 15:03:19 +02:00
frack113 43ccc07ad0 T1562.001 Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection 2021-06-07 10:09:21 +02:00
mvelazco 178df3f056 fixing title lengths 2021-06-04 10:57:52 -04:00
frack113 169f948ac2 Get a new error after another Atomic Test 2021-06-04 13:20:10 +02:00
frack113 3d9fe490ab Detect modification of sysmon configuration by sysmon 2021-06-04 11:27:15 +02:00
mvelazco d8aa0ae124 adding references 2021-06-03 23:38:10 -04:00
mvelazco d4f66f2af6 rolling back unwanted changes 2021-06-03 18:29:06 -04:00
mvelazco 7ebab6f872 Merge branch 'master' of github.com:mvelazc0/sigma 2021-06-03 18:26:09 -04:00
mvelazco 103fe2b344 minor fixes and 3 extra sigma rules 2021-06-03 18:26:07 -04:00
mvelazco f53675f41a Merge branch 'SigmaHQ:master' into master 2021-06-03 14:54:41 -07:00
mvelazco 50d734a17a Adding 4 initial sigma rules 2021-06-03 17:51:47 -04:00
frack113 537272c944 Add t1490 powershell delete volume shadow copie 2021-06-03 22:39:06 +02:00
Remco Hofman 12c822511e Consistency: Service File Name to ServiceFileName 2021-06-03 21:33:11 +02:00
Florian Roth 42036049ec Merge pull request #1523 from frack113/fix_win_global_catalog_enumeration 
Filtering Platform Connection are in security channel not system
 2021-06-03 20:50:23 +02:00
Florian Roth b45561c4c9 Merge pull request #1524 from frack113/fix_powershell_alternate_powershell_hosts 
make powershell_alternate_powershell_hosts more accurate
 2021-06-03 20:50:06 +02:00
Florian Roth d41825766a Merge pull request #1529 from SigmaHQ/rule-devel 
fix: FPs with Volume Shadow Copy Service Keys
 2021-06-03 20:49:31 +02:00
Florian Roth 4d7b3b7afe Merge pull request #1530 from Karneades/patch-1 
Add further detections to shadow copies deletion
 2021-06-03 13:51:00 +02:00
Florian Roth 11eca86be3 Update process_creation_c3_load_by_rundll32.yml 2021-06-03 12:44:47 +02:00
Florian Roth 151d120a24 Update process_creation_SDelete.yml 2021-06-03 12:40:55 +02:00
frack113 ba0f2e6b16 Add windows T1485 SDelete 2021-06-03 10:59:22 +02:00
Alfie Champion 9876643e3e added rule for rundll32 launch of fsecure C3 2021-06-02 19:57:39 +01:00
Andreas Hunkeler e8ee6aec2f Add further detections to shadow copies deletion 
* Add diskshadow.exe to existing detection
* Add new detection for wbadmin.exe
* Fix typo in match on L31
* Add raccine refs
 2021-06-02 15:47:41 +02:00
Florian Roth 7812ff51d3 fix: FPs with Volume Shadow Copy Service Keys 2021-06-02 13:04:05 +02:00
Florian Roth 7288ae93b9 Merge pull request #1526 from WojciechLesicki/master 
Added a new rule about loading dll CS via rundll32 and also some chan…
 2021-06-01 21:54:26 +02:00
Florian Roth eb4300756e Update win_cobaltstrike_service_installs.yml 2021-06-01 21:53:25 +02:00
Florian Roth 736eeabf9f Merge pull request #1527 from SigmaHQ/rule-devel 
fix: rule FPs with Stealthy VSTO Persistence
 2021-06-01 18:18:22 +02:00
Florian Roth 950b252d5c Update process_creation_cobaltstrike_load_by_rundll32.yml 2021-06-01 18:11:19 +02:00
WojciechLesicki d6f6b88b4c I corrected the tag 2021-06-01 17:11:24 +02:00
WojciechLesicki 90a21d954a Change title 2021-06-01 16:55:49 +02:00
WojciechLesicki cc4c55ed10 Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations 2021-06-01 16:18:23 +02:00