Commit Graph

7964 Commits

Author SHA1 Message Date
frack113 6630ec7c41 Fix falsepositives list 2021-05-21 12:23:09 +02:00
frack113 a9e85ca58e Fix falsepositives list 2021-05-21 12:22:36 +02:00
frack113 f4be70aa9e Fix falsepositives list 2021-05-21 12:19:17 +02:00
frack113 f312663820 Fix falsepositives list 2021-05-21 11:29:17 +02:00
frack113 6878bfade9 Fix falsepositives list 2021-05-21 11:17:36 +02:00
frack113 cabaccceb8 Fix falsepositives list 2021-05-21 11:15:10 +02:00
frack113 45190c3874 Fix falsepositives list 2021-05-21 11:13:27 +02:00
frack113 dfe7e4e38c Fix falsepositives list 2021-05-21 11:12:04 +02:00
Florian Roth a0efd7a4dc Merge pull request #1494 from Karneades/patch-1
Add keyword WinRM to remote powershell rules
2021-05-21 10:35:18 +02:00
Andreas Hunkeler e58c59dcfd Update modified field in WinRM rule 2021-05-21 09:29:11 +02:00
Andreas Hunkeler d8ec5fa6af Add modified field in WinRM rule 2021-05-21 09:28:45 +02:00
Florian Roth a30391f3b4 Merge pull request #1495 from SigmaHQ/rule-devel
rule refactoring: Cobalt Strike service start
2021-05-20 17:43:29 +02:00
Andreas Hunkeler 93241e7fc6 Add keyword WinRM to remote powershell process rule 2021-05-20 17:03:32 +02:00
Andreas Hunkeler b46f65965d Add keyword WinRM to remote powershell network rule 2021-05-20 17:02:17 +02:00
Andreas Hunkeler 3763e54b99 Add keyword WinRM to remote powershell process rule 2021-05-20 17:00:25 +02:00
Andreas Hunkeler 226a666827 rule: add rule to detect shell spawn from WinRM host process 2021-05-20 16:05:13 +02:00
Florian Roth ebac8a098f rule refactoring: Cobalt Strike service start 2021-05-20 10:05:12 +02:00
Jonhnathan 1cf7bb5735 Add Hex equivalent of WriteData 2021-05-19 10:27:20 -03:00
Darin Smith e921181f4b Add AWS snapshot exfiltration rule 2021-05-17 13:00:01 -07:00
SomeOne e46ae5a28c Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution rule 2021-05-16 16:03:33 +02:00
Vasiliy Burov d5c2f80cea Update win_hack_hydra.yml
Modified the rule to avoid false positives
2021-05-16 17:02:54 +03:00
SomeOne a93acbbe03 Exclude dism.exe 2021-05-16 15:23:31 +02:00
SomeOne 53b21d1afe Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule 2021-05-16 15:03:58 +02:00
SomeOne a788cd43ee Add Windows Defender on WL 2021-05-16 14:10:33 +02:00
Florian Roth 5a3af872d8 Merge pull request #1479 from SigmaHQ/rule-devel
Rule devel, Trademark test
2021-05-15 13:42:34 +02:00
Florian Roth 9b32e72d0b fix: syntax issue 2021-05-15 13:19:12 +02:00
Florian Roth 02bf32ce6c fixed more legal issues 2021-05-15 13:09:08 +02:00
Florian Roth 48757423ef rule darkside patterns 2021-05-14 18:06:53 +02:00
Florian Roth a655c5c1a0 update ngrok rule 2021-05-14 17:44:53 +02:00
Florian Roth e4a1ce4498 rule: ngrok rdp port exposure 2021-05-14 17:34:52 +02:00
Florian Roth 3cf1be9e8d rule: exchange vulnerability CVE-2021-28480 2021-05-14 10:08:41 +02:00
Florian Roth 30bee7204c Merge pull request #1475 from wagga40/master
Modified some field values for case sensitive backends (SQL)
2021-05-14 08:59:39 +02:00
Florian Roth 83068416fa Merge pull request #1458 from P4rtyH4RD/P4rtyH4RD-patch-1-mitre-code
Update powershell_suspicious_getprocess_lsass.yml
2021-05-14 08:59:14 +02:00
wagga40 8944ccea04 Modified some field values for case sensitive backends (SQL) 2021-05-13 06:19:04 +02:00
frack113 cccfb3e59e file_event is a category 2021-05-12 09:05:52 +02:00
frack113 0fd8606e00 image_load is a category 2021-05-12 09:02:04 +02:00
frack113 fa72242ff0 image_load is a category 2021-05-12 08:59:51 +02:00
frack113 ecc0fcb082 process_creation is a category 2021-05-12 08:57:57 +02:00
frack113 cf0a710b4d process_creation is a category 2021-05-12 08:55:35 +02:00
frack113 70a5c8bb5f registry_event is a category 2021-05-12 08:51:38 +02:00
frack113 026320f613 registry_event is a category 2021-05-12 08:36:42 +02:00
Bhabesh Rai 48487385ef Preserved creation date 2021-05-11 19:17:32 +05:45
Florian Roth 7d7f8c90ec Merge pull request #1443 from icthieves/patch-3
Update win_scm_database_privileged_operation.yml
2021-05-11 15:00:20 +02:00
Florian Roth 980ea97217 Merge pull request #1444 from icthieves/patch-2
Update win_scm_database_handle_failure.yml
2021-05-11 15:00:09 +02:00
Florian Roth 3564cf81f9 Merge pull request #1460 from neu5ron/patch-1
[Add Rule] Zeek Suspicious DNS Z Flag Set
2021-05-11 14:59:48 +02:00
Florian Roth 7bc733a3cf Merge pull request #1473 from frack113/master
Correct the sysmon case-sensitive Key
2021-05-11 14:59:20 +02:00
Florian Roth 0fcbce9932 Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml
Got Rid of References that are no longer valid.
2021-05-11 14:32:47 +02:00
Florian Roth 85736ad859 Merge pull request #1467 from 2d4d/master
Update av_webshell.yml
2021-05-11 14:32:11 +02:00
frack113 f07c368ae0 Correct case-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113 c4c720cc30 Correct case-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00