security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
frack113 ec7319be21 Name Normalization 
Name Normalization
 2022-02-27 07:39:46 +01:00
frack113 5a48f68cc2 Merge pull request #2751 from wagga40/master 
Add a check to avoid outputting empty JSON or YAML rules.
 2022-02-26 20:01:45 +01:00
Wagga da6b5969a0 Add a check to avoid outputting empty JSON or YAML rules. 
Add a check to avoid outputting empty JSON or YAML rules.
 2022-02-26 18:24:15 +01:00
Florian Roth 3226504fbd Merge branch 'master' into aurora-false-positive-fixing 2022-02-26 13:18:26 +01:00
Florian Roth 52d30f4132 fix: FPs noticed with Aurora 2022-02-26 13:18:18 +01:00
Florian Roth de197e7897 Merge pull request #2747 from frack113/fix_detection 
Fix detection
 2022-02-25 19:04:16 +01:00
Florian Roth 5f8b16d147 Merge pull request #2748 from SigmaHQ/rule-devel 
rules: Hermetic Wiper, BlackByte reports
 2022-02-25 19:03:59 +01:00
Florian Roth f647e45e69 Merge pull request #2749 from redsand/fp_msiexec 
Filters false positive from msiexec.exe
 2022-02-25 19:03:45 +01:00
Tim Shelton 6d29b4c4a5 oof, misspelled detection type 2 2022-02-25 16:34:32 +00:00
Tim Shelton f6caaf795a oof, misspelled detection type 2022-02-25 16:32:33 +00:00
Florian Roth 744813ff87 rule: Hermetic Wiper group activity 2022-02-25 17:29:32 +01:00
Florian Roth eec5b1458c docs: wording change 2022-02-25 17:29:16 +01:00
Tim Shelton 9d06c3cfe7 Filters false positive from msiexec.exe 2022-02-25 16:17:01 +00:00
Florian Roth 653c39fe6a Merge pull request #2746 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed with Aurora
 2022-02-25 16:29:24 +01:00
Florian Roth d6d206d6d6 rules: BlackByte rule update, and some generic rules 2022-02-25 16:02:42 +01:00
frack113 775279423d Fix detection 2022-02-25 15:39:26 +01:00
Florian Roth 7baf014421 rule: BlackByte ransomware 2022-02-25 15:24:36 +01:00
Florian Roth 5901b41f95 fix: FPs noticed with Aurora 2022-02-25 13:55:37 +01:00
Florian Roth 701cb53f97 Merge pull request #2745 from SigmaHQ/rule-devel 
rule: ScreenConnect Backstag, CrackMapExec Flags
 2022-02-25 13:33:58 +01:00
Florian Roth b0b675b004 rule: CrackMapExec flags rule 2022-02-25 11:39:19 +01:00
Florian Roth 98c1c60758 Merge branch 'master' into rule-devel 2022-02-25 10:38:58 +01:00
Florian Roth 881d1f707e Merge pull request #2738 from humpalum/master 
feat: CrashDump Disable Sigmarule
 2022-02-25 10:38:15 +01:00
Florian Roth 3d609cfdf3 rule: ScreenConnect anomaly 
https://www.mandiant.com/resources/telegram-malware-iranian-espionage
 2022-02-25 10:31:58 +01:00
Florian Roth 89071f09e7 docs: changed technique to T1564 (Hide Artefacts) 
https://attack.mitre.org/techniques/T1564/
 2022-02-25 09:50:46 +01:00
Florian Roth a786ed36db add MITRE ATT&CK techniques 2022-02-25 09:25:22 +01:00
Florian Roth 6f79d70532 Merge branch 'master' into rule-devel 2022-02-25 09:19:16 +01:00
frack113 f4d5fc1f77 Merge pull request #2742 from neu5ron/patch-2 
Update zeek_dns_suspicious_zbit_flag.yml
 2022-02-25 06:39:19 +01:00
Nate Guagenti 7dc0facf05 Update zeek_dns_suspicious_zbit_flag.yml 2022-02-24 20:03:56 -05:00
frack113 73bffcacbf Merge pull request #2741 from Pooch11/win-dpapi-key 
Fix detection criteria modifier to contains 'bckupkey'
 2022-02-24 21:27:29 +01:00
frack113 beafcc7b4c Merge pull request #2740 from AndrewRathbun/master 
Update proc_creation_win_susp_esentutl_params.yml - minor spelling error
 2022-02-24 21:27:00 +01:00
Nate Guagenti 878df636e2 Update zeek_dns_suspicious_zbit_flag.yml 
add MX, common mail server query type to exclusion list.
 2022-02-24 14:57:24 -05:00
unknown 528cdd199b Update modified date 2022-02-24 14:38:35 -05:00
unknown 03048a1fdb Fix criteria to contains bckupkey 2022-02-24 13:55:34 -05:00
Florian Roth e068695733 Merge pull request #2739 from devinbfergy/master 
Add values that are referenced in the spec
 2022-02-24 18:20:10 +01:00
Florian Roth 220344f477 Merge pull request #2735 from SigmaHQ/rule-devel 
rules: suspicious schtasks creation
 2022-02-24 18:19:45 +01:00
Florian Roth f05e2c86fc Merge pull request #2737 from humpalum/patch-4 
fix: False Positives
 2022-02-24 18:19:31 +01:00
Andrew Rathbun b17f2b3840 Update proc_creation_win_susp_esentutl_params.yml 2022-02-24 11:52:21 -05:00
Devin Ferguson cdaf1b5b8c Add values that are referenced in the spec 
Adding the values that can be the status based on the wiki file to the actual specification yaml.
 2022-02-24 10:30:54 -06:00
Tobias Michalski d210e56e34 fix: Removed Spacing 2022-02-24 16:02:58 +01:00
Tobias Michalski 1b6483002b fix: Added newline 2022-02-24 15:57:13 +01:00
Tobias Michalski 573902c38d feat: CrashDump Disable Sigmarule 2022-02-24 15:55:36 +01:00
Tobias Michalski e89867848d Update sysmon_mimikatz_trough_winrm.yml 2022-02-24 11:27:57 +01:00
Tobias Michalski 4a6ab42c6b Update sysmon_mimikatz_trough_winrm.yml 2022-02-24 11:09:47 +01:00
Tobias Michalski 662e5ed66d fix: False Positives 2022-02-24 10:35:31 +01:00
frack113 2dc2b99714 Merge pull request #2736 from frack113/issues_2724 
fix Provider_Name
 2022-02-24 09:27:29 +01:00
Florian Roth 536910f7d7 fix: FPs with new task scheduler rule 2022-02-24 08:41:53 +01:00
frack113 ffe2dd2a00 fix Provider_Name 2022-02-24 06:54:22 +01:00
Florian Roth 1682bdb8a8 fix: condition section 2022-02-23 23:28:53 +01:00
Florian Roth 22fbf5bb0a fix: indentation of conditions 2022-02-23 23:28:22 +01:00
Florian Roth d455dec42c fix: wrong condition 2022-02-23 23:26:33 +01:00