Commit Graph

10511 Commits

Author SHA1 Message Date
Florian Roth ab1dda7685 fix: non-ascii rule 2020-02-21 16:21:39 +01:00
Thomas Patzke 61d31c3f3a Fixed tagging 2020-02-20 23:51:12 +01:00
Thomas Patzke 48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Thomas Patzke 373424f145 Rule fixes
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
Manabu Niseki c6eb3bfbf2 Update sigma2misp
Enable use with modern PyMISP
2020-02-20 18:55:10 +09:00
Antonlovesdnb 9625a94d0b Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-19 14:52:31 -05:00
Antonlovesdnb 6234f72a6c Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-19 14:52:09 -05:00
Antonlovesdnb 328858279f Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-19 14:51:50 -05:00
Antonlovesdnb 1f01fe446f Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-19 14:51:22 -05:00
Antonlovesdnb 6d0805ac13 Update sysmon_susp_winword_vbadll_load.yml 2020-02-19 14:51:00 -05:00
Antonlovesdnb 1e461cb2d1 Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-19 14:50:31 -05:00
Antonlovesdnb 56ffa9ec0e Update sysmon_registry_trust_record_modification.yml 2020-02-19 14:50:09 -05:00
Antonlovesdnb 397cdecb94 5 Rules covering various macro techniques
- Rule to look for GAC DLL loaded by an Office Product
- Rule to look for any DLL in C:\Windows\assembly loaded by an Office Product
- Rule to look for clr.dll loaded by an Office Product
- Rule to look for directory services parsing DLL loaded by an Office Product
- Rule to look for Kerberos DLL loaded by an Office Product
2020-02-19 14:43:13 -05:00
Antonlovesdnb f8be92dae0 Add files via upload 2020-02-19 10:13:44 -05:00
Florian Roth a9403b70d5 Merge pull request #623 from Neo23x0/devel
fix: fixing too restrictive rule
2020-02-18 11:14:51 +01:00
Florian Roth 6413730810 fix: fixing too restrictive rule
https://twitter.com/Hexacorn/status/1229702521679118336
2020-02-18 10:43:22 +01:00
Florian Roth f7a6ffa121 Merge pull request #622 from Neo23x0/devel
Minor changes, process dump via rundll32 comsvcs.dll
2020-02-18 10:26:28 +01:00
Florian Roth 04b97bd84c fix: character in filename 2020-02-18 10:19:48 +01:00
Florian Roth 5a4095f13f fix: restored GPL 2020-02-18 10:06:00 +01:00
Florian Roth cd607d4fed rule: process dump via rundll32 and comsvcs.dll's MiniDumpW 2020-02-18 10:04:55 +01:00
Florian Roth 73dfc847fc rule: changed lsass process dump to level high 2020-02-18 10:03:25 +01:00
yugoslavskiy 7f3f1944d9 fix redundancy 2020-02-18 01:10:56 +03:00
Florian Roth 2363213fc9 add TimeSketch to list of products that use Sigma 2020-02-17 08:41:23 +01:00
Thomas Patzke 01d6c3b58d Fixes 2020-02-16 23:24:00 +01:00
Wagga b9c745a1b2 New Koadic detection rule 2020-02-16 16:48:49 +01:00
yugoslavskiy d0e284ae18 fix typo (duplicates) 2020-02-16 18:19:25 +03:00
yugoslavskiy 168ab7c620 Merge branch 'oscd' of https://github.com/Neo23x0/sigma into oscd 2020-02-16 17:57:48 +03:00
Thomas Patzke f118839664 Further fixes and deduplications
From suggestions of @yugoslavskiy in issue #554.
2020-02-16 14:03:07 +01:00
Thomas Patzke 77c927bc14 Revert "Moved rules with enrichments into unsupported"
This reverts commit ba83b8862a.
2020-02-15 22:52:06 +01:00
Florian Roth eb36150e6b rule: UserAgent used by PowerTon malware 2020-02-15 19:06:49 +01:00
Florian Roth d909fefa82 Merge pull request #620 from james0d0a/master
rule: Zeek suspicious Kerberos network traffic RC4
2020-02-13 09:34:06 +01:00
Florian Roth 94bb7dd77f fix: issues 2020-02-13 09:17:21 +01:00
Florian Roth 983f7fcd39 Merge pull request #618 from faloker/master
More rules for AWS events
2020-02-13 09:15:04 +01:00
james dickenson 21e4aa33dc rule modification: fixed filter condition on zeek suspicious rc4 traffic 2020-02-12 21:27:36 -08:00
james dickenson 1347e5060f logsource config for zeek events in splunk 2020-02-12 21:24:03 -08:00
james dickenson 93367d725d rule: Zeek suspicious Kerberos RC4 traffic 2020-02-12 21:21:46 -08:00
faloker 6d9c8e44d7 Update rules titles 2020-02-12 23:09:16 +02:00
faloker 1b15dba712 Correct the indentation 2020-02-12 22:48:46 +02:00
faloker f387cf0c37 Add the rule to detect changes to startup scripts 2020-02-12 22:23:18 +02:00
faloker 01d2f9f99d Add the rule to detect backdooring of users' keys 2020-02-12 22:22:38 +02:00
faloker b26c5d8c51 Add rules to detect AWS RDS exfiltration 2020-02-12 22:21:52 +02:00
faloker ddf5f8ec23 Update conditions 2020-02-12 22:20:15 +02:00
faloker aacab37f84 Add a rule for guardduty trusted IPs manipulation 2020-02-11 23:28:23 +02:00
faloker b6c834195e Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00
Florian Roth 7a5587f14d Merge pull request #616 from Neo23x0/devel
rule: remove keywords in powershell rule prone to FPs
2020-02-11 16:43:01 +01:00
Florian Roth a4c210ed16 rule: remove keywords in powershell rule prone to FPs 2020-02-11 16:26:17 +01:00
Florian Roth bf98d286f9 Merge pull request #615 from Neo23x0/devel
fix: dumpert rule with wrong sysmon event id
2020-02-08 20:03:28 +01:00
Florian Roth d9645af840 rule: added Emotet UA
https://twitter.com/webbthewombat/status/1225827092132179968
2020-02-08 10:37:56 +01:00
Florian Roth 880a0b5593 Merge pull request #614 from timbMSFT/gallium_vpn
additional gallium ttp
2020-02-07 17:56:09 +01:00
Florian Roth 080532d20c logsource change
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the Windows platform.
2020-02-07 15:47:27 +01:00