security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,775 Commits 1 Branch 57 Tags
f7ba2b39764bda72adbbde2d3fbe2c2d75d0bb1c
Commit Graph

365 Commits

Author SHA1 Message Date
Thomas Patzke dbbc1751ef Converted rule to generic log source 2019-06-19 23:25:25 +02:00
Thomas Patzke d14f5c3436 Merge pull request #371 from savvyspoon/issue285 
CAR tagging
 2019-06-19 23:21:43 +02:00
Thomas Patzke d82df83ef1 Merge pull request #369 from TareqAlKhatib/refactors 
Refactors
 2019-06-19 23:16:19 +02:00
Michael Wade f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Sherif Eldeeb 2d22a3fe02 Add detection for recent Mimikatz versions 
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
 2019-06-12 12:13:31 +03:00
Thomas Patzke 5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
Tareq AlKhatib fce2a45dac Corrected Typo 2019-06-10 09:51:34 +03:00
Florian Roth 7b63c92fc0 Rule: applying recommendation 
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
 2019-05-23 09:44:25 +02:00
Olaf Hartong b60cfbe244 Added password flag 2019-05-22 13:20:26 +02:00
Florian Roth 346022cfe8 Transformed to process creation rule 2019-05-22 12:50:49 +02:00
Olaf Hartong 4a775650a2 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:36:03 +02:00
Olaf Hartong e675cdf9c4 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:32:07 +02:00
Olaf Hartong 544dfe3704 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:28:42 +02:00
Florian Roth c937fe3c1b Rule: Terminal Service Process Spawn 2019-05-22 10:38:27 +02:00
Florian Roth 74ca0eeb88 Rule: Renamed PsExec 2019-05-21 09:49:40 +02:00
Florian Roth 694fa567b6 Reformatted 2019-05-15 20:22:53 +02:00
Florian Roth 1c36bfde79 Bugfix - Swisscom in Newline 2019-05-15 15:03:55 +02:00
Florian Roth d5f49c5777 Fixed syntax 2019-05-15 14:50:57 +02:00
Florian Roth 508d1cdae0 Removed double back slashes 2019-05-15 14:46:45 +02:00
Unknown 13522b97a7 Adjusting Newline 2019-05-15 12:15:41 +02:00
Unknown 275896dbe6 Suspicious Outbound RDP Rule likely identifying CVE-2019-0708 2019-05-15 11:47:12 +02:00
Florian Roth f78413deab Merge pull request #309 from jmlynch/master 
added rules for renamed wscript, cscript and paexec. Added two direct…
 2019-04-17 23:59:27 +02:00
Florian Roth daaee558a1 Rule: added date to Tom's WMI rule 2019-04-15 09:06:53 +02:00
Florian Roth 65b81dad32 Rule: Suspicious scripting in a WMI consumer 2019-04-15 08:13:35 +02:00
Jason Lynch f0c8c428bb added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
Florian Roth 81693d81b6 Merge pull request #295 from sbousseaden/master 
Create win_atsvc_task.yml
 2019-04-04 18:32:13 +02:00
Karneades 865d971704 Remove backslashes in CommandLine for sticky key rule 
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
 2019-04-03 16:16:18 +02:00
sbousseaden 3d69727332 Create sysmon_rdp_settings_hijack.yml 2019-04-03 14:16:25 +02:00
sbousseaden 016261cacf Update sysmon_lsass_memdump.yml 2019-04-03 14:06:49 +02:00
sbousseaden a85c668f6f Update sysmon_lsass_memdump.yml 2019-04-03 14:00:51 +02:00
sbousseaden 32c6b34746 Create sysmon_lsass_memdump.yml 2019-04-03 13:51:59 +02:00
sbousseaden ddb2d92a98 Create sysmon_tsclient_filewrite_startup.yml 2019-04-03 13:19:59 +02:00
Tareq AlKhatib 783d8c4268 Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00
Tareq AlKhatib 075df83118 Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
Yugoslavskiy Daniil 05cc7e455d atc review 2019-03-06 05:25:12 +01:00
yugoslavskiy 725ab99e90 Merge pull request #1 from AverageS/master 
Fix rules
 2019-03-06 04:31:01 +01:00
Wydra Mateusz 534f250c35 Merge branch 'master' of https://github.com/krakow2600/sigma 2019-03-06 00:45:16 +01:00
Wydra Mateusz bb95347745 rules update 2019-03-06 00:43:42 +01:00
mrblacyk 07807837ee Missing tags 2019-03-06 00:02:37 +01:00
mikhail be108d95cc Merge branch 'master' of https://github.com/AverageS/sigma 2019-03-06 01:57:38 +03:00
mikhail 40241c1fdf Fix 4 rules 2019-03-06 01:56:05 +03:00
mrblacyk 99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
Thomas Patzke 6bdb4ab78a Merge cleanup 2019-02-27 22:05:27 +01:00
Thomas Patzke c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Thomas Patzke 58a32f35d9 Merge pull request #246 from james0d0a/master 
Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml
 2019-02-24 16:53:49 +01:00
Tareq AlKhatib 7d3d819ea5 Added a detection path through process spawn 2019-02-24 10:29:58 +03:00
Tareq AlKhatib a022333382 Added private IP filter to reduce FPs 2019-02-23 21:15:03 +03:00
Florian Roth d3b623e92a Rule: suspicious pipes extended 
https://github.com/Neo23x0/sigma/issues/253
 2019-02-21 13:26:48 +01:00
Florian Roth 343a40ced7 Rule: extended exec location rule to support 4688 events 2019-02-21 13:26:48 +01:00
Florian Roth f0a4aede24 Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00