security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke 24b08bbf30 Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-05-24 17:06:32 +02:00
Florian Roth 40f0beb58d Merge pull request #794 from SanWieb/update_susp_run_key 
Remove AppData folder as suspicious folder
 2020-05-24 16:30:10 +02:00
Sander Wiebing b8ee736f44 Remove AppData folder as suspicious folder 
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord ( (\AppData\Local\Discord\)
- Spotify ( (\AppData\Roaming\Spotify\)

Too many to whitelist them all
 2020-05-24 15:16:07 +02:00
Florian Roth 6fbfa9dfdd Merge pull request #793 from Neo23x0/rule-devel 
Esentutl rule and StrongPity Loader UA
 2020-05-23 23:47:12 +02:00
ecco f970d28f10 add more false positives 2020-05-23 15:06:15 -04:00
Florian Roth 3028a27055 fix: buggy rule 2020-05-23 18:32:02 +02:00
Florian Roth df715386b6 rule: suspicious esentutl use 2020-05-23 18:27:36 +02:00
Florian Roth d0da2810c1 Merge pull request #792 from EccoTheFlintstone/fff 
fix FP + remove powershell rule redundant with sysmon_in_memory_power…
 2020-05-23 18:13:16 +02:00
Florian Roth 8321cc7ee1 Merge pull request #772 from gamma37/suspicious_activities 
Create a rule for "suspicious activities"
 2020-05-23 18:11:32 +02:00
Florian Roth d1a5471d21 rule: Strong Pity loader UA 2020-05-23 17:38:10 +02:00
ecco 67faf4bd41 fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml 2020-05-23 10:56:23 -04:00
Florian Roth 9cd9a301c2 Merge pull request #791 from SanWieb/master 
added rule for Netsh RDP port opening
 2020-05-23 16:50:31 +02:00
Florian Roth e1a05dfc1c Update lnx_auditd_susp_C2_commands.yml 2020-05-23 16:49:03 +02:00
Florian Roth ee1ca77fad Merge pull request #771 from gamma37/new_rules 
Create a new rule to detect "Create Account"
 2020-05-23 16:47:46 +02:00
Florian Roth 895c84703f Merge pull request #790 from EccoTheFlintstone/fp_fix 
fix false positive matching on every powershell process not run by SY…
 2020-05-23 16:47:01 +02:00
ecco 327a53c120 add new test for sysmon rules without eventid 2020-05-23 10:25:37 -04:00
ecco 10ca3006f5 move rule where needed 2020-05-23 10:07:55 -04:00
ecco 2b89e56054 fix test 2020-05-23 10:03:13 -04:00
ecco d9bc09c38c fix test 2020-05-23 10:02:58 -04:00
ecco 78a7852a43 renamed dbghelp rule with new ID and comment and removed a false positive 2020-05-23 09:16:40 -04:00
Sander Wiebing d310805ed9 rule: Netsh RDP port opening 2020-05-23 14:19:52 +02:00
ecco 75ba5f989c add 1 more FP to wmi load 2020-05-23 07:44:45 -04:00
ecco 9a7f462d79 move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule) 2020-05-23 07:17:56 -04:00
ecco cfde0625f5 fix false positive matching on every powershell process not run by SYSTEM account 2020-05-23 07:05:09 -04:00
Florian Roth 12e1aeaf9f Merge pull request #788 from Neo23x0/rule-devel 
refactor: split up rule for CVE-2020-1048 into 2 rules
 2020-05-23 09:54:43 +02:00
Florian Roth 46f3a70a7d Merge pull request #786 from EccoTheFlintstone/perf_fix 
various rules cleaning (slight perf improvements)
 2020-05-23 09:54:28 +02:00
Florian Roth 34006d0794 refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 09:16:19 +02:00
Florian Roth 57c8e63acd refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 09:09:58 +02:00
ecco ec17c2ab56 filter on createkey only when needed 2020-05-22 10:37:00 -04:00
4A616D6573 879ad6f206 Update win_susp_ntlm_rdp.yml 2020-05-22 13:32:02 +10:00
4A616D6573 daa3c5e053 Update win_susp_ntlm_rdp.yml 2020-05-22 13:28:56 +10:00
4A616D6573 0f8f5fb29c Create win_susp_ntlm_rdp.yml 2020-05-22 13:24:27 +10:00
Thomas Patzke 96fae4be68 Added CrachMapExec rules 2020-05-22 00:50:37 +02:00
Florian Roth 64e0e7ca72 Merge pull request #784 from Neo23x0/rule-devel 
refactor: slightly improved Greenbug rule
 2020-05-21 14:19:09 +02:00
Florian Roth 91c4c4ecc5 refactor: slightly improved Greenbug rule 2020-05-21 13:38:11 +02:00
Florian Roth bbf78374b6 Merge pull request #783 from Neo23x0/rule-devel 
Greenbug Rule
 2020-05-21 09:55:46 +02:00
Florian Roth 9a3b6c1c77 docs: added MITRE ATT&CK group tag 2020-05-21 09:44:11 +02:00
Florian Roth 344eb713c5 rule: Greenbug campaign 2020-05-21 09:39:57 +02:00
Thomas Patzke 8d9b706d6a Merge pull request #727 from 3CORESec/master 
Override Features
 2020-05-20 19:11:56 +02:00
Florian Roth e7980bb434 Merge pull request #782 from ZikyHD/patch-1 
Remove duplicate 'CommandLine' in fields
 2020-05-20 12:55:41 +02:00
Florian Roth af92a5bd2c Merge pull request #780 from tatsu-i/master 
Null field check to eliminate false positives
 2020-05-20 12:55:29 +02:00
ZikyHD 8963c0a65e Remove duplicate 'CommandLine' in fields 2020-05-20 11:54:47 +02:00
vh e8b956f575 Updated config 2020-05-20 12:35:00 +03:00
Florian Roth 9ab65cd1c7 Update win_alert_ad_user_backdoors.yml 2020-05-19 14:50:22 +02:00
Thomas Patzke 04dfe6c5fc Merge pull request #778 from neu5ron/sigmacs 
SIGMACs: Winlogbeat & Zeek
 2020-05-19 13:18:40 +02:00
Florian Roth df75bdd3b6 Merge pull request #779 from neu5ron/rules 
Rules: Zeek
 2020-05-19 13:10:56 +02:00
neu5ron 7c3dea22b8 small T, big T 2020-05-19 05:13:48 -04:00
neu5ron dd382848b4 Merge remote-tracking branch 'neu5ron-sigma/rules' into rules 2020-05-19 05:09:05 -04:00
neu5ron 602c8917ef domain user enumeration via zeek rpc (dce_rpc) log. 2020-05-19 05:08:26 -04:00
Tatsuya Ito c815773b1a enhancement rule 2020-05-19 18:05:51 +09:00