Commit Graph

4384 Commits

Author SHA1 Message Date
Darin Smith e921181f4b Add AWS snapshot exfiltration rule 2021-05-17 13:00:01 -07:00
Florian Roth 5a3af872d8 Merge pull request #1479 from SigmaHQ/rule-devel
Rule devel, Trademark test
2021-05-15 13:42:34 +02:00
Florian Roth 9b32e72d0b fix: syntax issue 2021-05-15 13:19:12 +02:00
Florian Roth 02bf32ce6c fixed more legal issues 2021-05-15 13:09:08 +02:00
Florian Roth 48757423ef rule darkside patterns 2021-05-14 18:06:53 +02:00
Florian Roth a655c5c1a0 update ngrok rule 2021-05-14 17:44:53 +02:00
Florian Roth e4a1ce4498 rule: ngrok rdp port exposure 2021-05-14 17:34:52 +02:00
Florian Roth 3cf1be9e8d rule: exchange vulnerability CVE-2021-28480 2021-05-14 10:08:41 +02:00
Florian Roth 30bee7204c Merge pull request #1475 from wagga40/master
Modified some field values for case-sensitive backends (SQL)
2021-05-14 08:59:39 +02:00
Florian Roth 83068416fa Merge pull request #1458 from P4rtyH4RD/P4rtyH4RD-patch-1-mitre-code
Update powershell_suspicious_getprocess_lsass.yml
2021-05-14 08:59:14 +02:00
wagga40 8944ccea04 Modified some field values for case-sensitive backends (SQL) 2021-05-13 06:19:04 +02:00
frack113 cccfb3e59e file_event is a category 2021-05-12 09:05:52 +02:00
frack113 0fd8606e00 image_load is a category 2021-05-12 09:02:04 +02:00
frack113 fa72242ff0 image_load is a category 2021-05-12 08:59:51 +02:00
frack113 ecc0fcb082 process_creation is a category 2021-05-12 08:57:57 +02:00
frack113 cf0a710b4d process_creation is a category 2021-05-12 08:55:35 +02:00
frack113 70a5c8bb5f registry_event is a category 2021-05-12 08:51:38 +02:00
frack113 026320f613 registry_event is a category 2021-05-12 08:36:42 +02:00
Florian Roth 7d7f8c90ec Merge pull request #1443 from icthieves/patch-3
Update win_scm_database_privileged_operation.yml
2021-05-11 15:00:20 +02:00
Florian Roth 980ea97217 Merge pull request #1444 from icthieves/patch-2
Update win_scm_database_handle_failure.yml
2021-05-11 15:00:09 +02:00
Florian Roth 3564cf81f9 Merge pull request #1460 from neu5ron/patch-1
[Add Rule] Zeek Suspicious DNS Z Flag Set
2021-05-11 14:59:48 +02:00
Florian Roth 7bc733a3cf Merge pull request #1473 from frack113/master
Correct the sysmon case-sensitive Key
2021-05-11 14:59:20 +02:00
Florian Roth 0fcbce9932 Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml
Got Rid of References that are no longer valid.
2021-05-11 14:32:47 +02:00
Florian Roth 85736ad859 Merge pull request #1467 from 2d4d/master
Update av_webshell.yml
2021-05-11 14:32:11 +02:00
frack113 f07c368ae0 Correct case-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113 c4c720cc30 Correct case-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00
frack113 720dd24814 Correct case-sensitive Key "OriginalFilename" 2021-05-11 11:13:33 +02:00
frack113 a1b0dfc0cd Correct case-sensitive Key "DestinationIp" 2021-05-11 10:49:10 +02:00
Florian Roth 67e807983c Merge pull request #1470 from SigmaHQ/rule-devel
New CS rule for malformed UAs, FP fixes
2021-05-10 13:40:27 +02:00
Florian Roth 416030a85f rule: cobaltstrike malformed UAs 2021-05-10 12:43:14 +02:00
Florian Roth fcb7aa3bcf fix: FPs with rules 2021-05-10 12:42:59 +02:00
Florian Roth 270aedfd62 Merge pull request #1469 from d4rk-d4nph3/master
Added rule for RClone usage for exfiltration
2021-05-10 10:50:35 +02:00
Bhabesh Rai 9c8b9756e5 Added rule for RClone usage for exfiltration 2021-05-10 14:06:53 +05:45
Nate Guagenti 0bee1b006f fix - add date 2021-05-08 21:37:25 -04:00
Arnim Rupp b9fc257124 Update av_relevant_files.yml
added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?)
2021-05-09 00:03:47 +02:00
Arnim Rupp ad3b829f2d Update av_webshell.yml
Added new strings and moved some from startswith to contains.
2021-05-08 08:49:17 +02:00
Austin Songer 39a21a9e89 Got Rid of References that are no longer valid. 2021-05-06 14:14:08 -05:00
Florian Roth 384f40aa5b Merge pull request #1464 from d4rk-d4nph3/master
Added rule for Moriya rootkit
2021-05-06 18:15:53 +02:00
Florian Roth 453fa0f299 Update win_moriya_rootkit.yml 2021-05-06 15:24:21 +02:00
Florian Roth 79c11a5cba Update win_moriya_rootkit.yml 2021-05-06 14:59:28 +02:00
Bhabesh Rai e5f95cac0c Added rule for Moriya rootkit 2021-05-06 17:29:20 +05:45
phantinuss da533c7425 fixed title capitalization 2021-05-05 15:22:09 +02:00
phantinuss 254a3bb122 new rules detecting the creation of a local hidden user 2021-05-05 15:12:07 +02:00
phantinuss 4b520de373 new rule detecting ld.so preload persistence by keyword 2021-05-05 15:12:07 +02:00
Florian Roth 9e662b9159 Update sysmon_vuln_dell_driver_load.yml 2021-05-05 14:31:01 +02:00
Florian Roth 80c7899c56 rule: whoami priv 2021-05-05 14:27:36 +02:00
Florian Roth c4ad770830 Merge pull request #1462 from SigmaHQ/rule-devel
Rule devel
2021-05-05 13:21:30 +02:00
Florian Roth 8497c8a9e6 fix: linux keywords rule 2021-05-05 12:56:24 +02:00
Florian Roth 615a284de3 Merge pull request #1461 from d4rk-d4nph3/master
Added rule for Pingback backdoor
2021-05-05 12:42:27 +02:00
Florian Roth 44097243bf rule: dell driver load 2021-05-05 12:12:08 +02:00