Commit Graph

10511 Commits

Author SHA1 Message Date
frack113 744b7602c9 Windows redcannary rules 2021-12-27 20:25:01 +01:00
Florian Roth f37603ab60 fix: filter FPs with Microsoft cloud 2021-12-27 19:47:32 +01:00
Florian Roth aa0094483a fix: FPs with MS Edge installers 2021-12-27 19:45:08 +01:00
Florian Roth 2ed5d7306d Merge pull request #2493 from SigmaHQ/rule-devel
Suspicious Download from Office Domain
2021-12-27 18:41:52 +01:00
Florian Roth 1c4688cbb6 Merge branch 'master' into rule-devel 2021-12-27 17:38:21 +01:00
Florian Roth 6540d2e924 rule: download from Microsoft domain 2021-12-27 17:22:34 +01:00
frack113 7d200d95f3 Aurora FP 2021-12-27 17:13:17 +01:00
Florian Roth 73c7c5790c docs: removed tracking info from reference link 2021-12-27 11:52:16 +01:00
Florian Roth 7a8f09a6b5 fix: FPs with 4688 events that can contain 'Registry' 2021-12-27 11:48:51 +01:00
frack113 b967deaabd Windows Redcannary impact 2021-12-26 12:09:42 +01:00
Florian Roth 4951e78c74 Merge pull request #2491 from SigmaHQ/rule-devel
docs: title reordered
2021-12-25 09:59:28 +01:00
Florian Roth 1609fbb2ac docs: title reordered 2021-12-24 09:13:25 +01:00
Florian Roth 7dead58102 Merge pull request #2465 from hazedav/lacework-value-exists
fix(lacework): value exists
2021-12-23 17:56:27 +01:00
Florian Roth 41b29fb3b9 Merge pull request #2490 from SigmaHQ/rule-devel
refactor: added curl.exe to the list
2021-12-23 17:56:08 +01:00
frack113 f5c62c2a1b Merge pull request #2489 from EB8F9A/master
(win_susp_rundll32_activity.yml) Rule syntax error
2021-12-23 17:30:21 +01:00
Florian Roth db3ebaf97c refactor: added curl.exe to the list 2021-12-23 08:27:44 +01:00
eb8f9a 2d27e68c17 Merge pull request #1 from EB8F9A/EB8F9A-patch-1
(win_susp_rundll32_activity.yml) Rule syntax error
2021-12-23 10:11:11 +09:00
eb8f9a 2ab0582fd1 (win_susp_rundll32_activity.yml) Rule syntax error
es-dsl does not work properly because the rule syntax is not valid

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_rundll32_activity.yml

Lines 59 to 61
     - CommandLine|contains|all:
       - 'syssetup.dll'
       - SetupInfObjectInstallAction'

should be like below
     - CommandLine|contains|all:
       - 'syssetup.dll'
       - 'SetupInfObjectInstallAction'
2021-12-23 10:09:51 +09:00
Florian Roth c888e47471 Merge pull request #2488 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-22 22:02:45 +01:00
Florian Roth 1653f30953 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-22 19:00:35 +01:00
Florian Roth c4fa0c22ad fix: FPs noticed with Aurora 2021-12-22 19:00:32 +01:00
Florian Roth 6b233cc2ec Merge pull request #2487 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-22 15:37:42 +01:00
Florian Roth b276ccd121 fix: FPs noticed with THOR 2021-12-22 14:51:06 +01:00
Florian Roth e320a76039 Merge pull request #2486 from Karneades/keytool
rule: add new rule to detect shell spawn by Java keytool
2021-12-22 13:56:23 +01:00
Florian Roth 1e4ec32c1a Merge pull request #2485 from SigmaHQ/rule-devel
rule: sAMAccountName Spoofing CVE-2021-42287
2021-12-22 13:54:54 +01:00
Florian Roth de318c122a fix: FPs noticed with Aurora 2021-12-22 13:54:39 +01:00
Andreas Hunkeler 9c25a43089 rule: add new rule to detect shell spawn by Java keytool 2021-12-22 11:48:02 +01:00
Florian Roth e9702af82b rule: sAMAccountName Spoofing CVE-2021-42287 2021-12-22 08:50:05 +01:00
frack113 0e31c23620 Merge pull request #2476 from frack113/redcannary_20211220
Windows Redcannary
2021-12-21 20:41:58 +01:00
Florian Roth f4787d73cc Merge pull request #2484 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-21 15:31:50 +01:00
Florian Roth b3c7ef50f5 Merge branch 'master' into aurora-false-positive-fixing 2021-12-21 14:44:55 +01:00
Florian Roth a471b4ea45 Merge pull request #2483 from Karneades/patch-1
rule: Add Java class proxy download rule
2021-12-21 14:10:43 +01:00
Florian Roth 4c76e917df Merge pull request #2480 from frack113/diavol
Add thedfirreport Diavol Ransomware rules
2021-12-21 14:10:35 +01:00
Florian Roth 21cd791075 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-21 13:47:41 +01:00
Florian Roth c006b9df31 fix: FPs noticed with Aurora after Nvidia driver upgrade 2021-12-21 13:47:39 +01:00
Florian Roth 59bfca6aba Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:28:47 +01:00
Florian Roth 55b4085afc Merge pull request #2473 from elhoim/add_mimikatz_keywords
Add mimikatz keywords to 3 rules
2021-12-21 13:28:15 +01:00
Florian Roth 694b133529 Merge pull request #2475 from elhoim/memssp_log_file
New rule to detect Mimikatz MemSSP default log file creation
2021-12-21 13:27:13 +01:00
Florian Roth 5c3c4830f7 Update win_pc_false_sysinternalsuite.yml 2021-12-21 13:26:50 +01:00
Florian Roth 6e19e75ece Update win_pc_sqlcmd_veeam_dump.yml 2021-12-21 13:24:36 +01:00
Florian Roth a1594e8c4a Merge pull request #2482 from Karneades/hideSrv
rule: abuse of permissions to hide services
2021-12-21 13:23:20 +01:00
Florian Roth c842b12970 Update proxy_java_class_download.yml 2021-12-21 13:22:47 +01:00
Julien Doutre 63705cdccb Comments 2021-12-21 12:17:13 +01:00
Julien Doutre 860744594e No mutable default argument 2021-12-21 12:02:31 +01:00
Andreas Hunkeler c0a6de06c4 rule: Add Java class proxy download rule 2021-12-21 11:25:08 +01:00
David ANDRE d5bfce1e36 Removed duplicate filter entries. 2021-12-21 10:23:23 +01:00
David André 2ce0529792 Merge branch 'SigmaHQ:master' into add_mimikatz_keywords 2021-12-21 09:26:51 +01:00
frack113 17493bab7c Merge pull request #2481 from Karneades/patch-1
rule: add further reference in regsrv32 rule
2021-12-21 08:59:15 +01:00
Andreas Hunkeler 090e0304d4 rule: abuse of permissions to hide services 2021-12-20 23:36:23 +01:00
Andreas Hunkeler 5ac7c0a076 rule: add further reference in regsrv32 rule 2021-12-20 22:58:32 +01:00