security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6,974 Commits 1 Branch 57 Tags
f7d116a4722bc3da25edce88a61cb9b3fd58a2b2
Commit Graph

4095 Commits

Author SHA1 Message Date
frack113 cf8d8d3ed4 fix TargetFilename case error 2021-08-06 08:43:05 +02:00
Florian Roth eb247704fe Merge pull request #1761 from d4rk-d4nph3/master 
Added rule for Cabinet file expansion and Pypykatz
 2021-08-05 15:50:12 +02:00
Florian Roth c44b22b52f Merge pull request #1762 from frack113/redcanary_collection 
[OSCD] Redcanary TA0009 collection
 2021-08-05 15:49:10 +02:00
Florian Roth 83505351bc Merge pull request #1764 from frack113/fix_product 
fix product sysmon_apt_sourgrum.yml
 2021-08-05 15:48:35 +02:00
Florian Roth 448868302d Merge pull request #1767 from frack113/redcanary_t1497_001 
[OSCD] Detect Virtualization Environment (Windows) T1497.001
 2021-08-05 15:47:37 +02:00
Florian Roth 3634901bf1 Update poweshell_detect_vm_env.yml 2021-08-05 15:47:29 +02:00
Florian Roth 6a11190e79 Merge pull request #1769 from frack113/fix_powershell_400 
Cleanup eventid 400 powershell-classic
 2021-08-05 15:47:04 +02:00
Florian Roth da6b5f8ec5 Merge pull request #1770 from frack113/redcanary_powershell_T1070.006 
[OSCD] powershell_timestomp.yml T1070.006
 2021-08-05 15:46:48 +02:00
Florian Roth b1fb462c39 Update powershell_timestomp.yml 2021-08-05 15:46:01 +02:00
Florian Roth 9b7be5985e Merge pull request #1773 from phantinuss/master 
Two CobaltStrike BOF rules and a little fix on the local rule test script usage text
 2021-08-05 15:42:47 +02:00
Florian Roth 6507e8c060 Merge pull request #1774 from frack113/fix_4104_ScriptBlockText 
Clean-up Powershell EventID 4104
 2021-08-05 15:42:35 +02:00
Florian Roth 52b41da731 Merge pull request #1775 from austinsonger/sysmon_disabled_pua_protection_on_microsoft_defender.yml 
Create sysmon_disabled_pua_protection_on_microsoft_defender.yml
 2021-08-05 15:42:17 +02:00
Florian Roth c05dacb1f0 Merge pull request #1776 from austinsonger/sysmon_disabled_tamper_protection_on_microsoft_defender.yml 
sysmon_disabled_tamper_protection_on_microsoft_defender.yml
 2021-08-05 15:41:54 +02:00
Austin Songer 483dacb209 Create sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml 2021-08-04 19:11:00 -05:00
Austin Songer ff7fb4e4d2 Create sysmon_disabled_tamper_protection_on_microsoft_defender.yml 2021-08-04 19:08:10 -05:00
Austin Songer 6a2663a3ae Update sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 17:00:34 -05:00
Austin Songer 8d195bf5d5 Update sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 13:11:31 -05:00
Austin Songer bae075713c Update sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 13:10:37 -05:00
Austin Songer f89ba18c5d Create sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 11:27:41 -05:00
phantinuss 882ea7ec22 fix: remove unnecessary single value list 2021-08-04 15:50:39 +02:00
frack113 f040725dd8 fix EventID: 4104 ScriptBlockText 2021-08-04 14:49:50 +02:00
phantinuss 994701bd8e CobaltStrike injected AMSI bypass 2021-08-04 11:28:58 +02:00
frack113 644fe80786 add powershell_timestomp.yml 2021-08-03 16:01:54 +02:00
Bhabesh Rai 85b88c7646 Added rule for pypykatz 2021-08-03 15:06:27 +05:45
frack113 b5e4b04cb5 fix eventid 400 powershell-classic 2021-08-03 10:04:15 +02:00
frack113 0efe69bd36 add poweshell_detect_vm_env.yml 2021-08-03 08:30:26 +02:00
frack113 f9aff7d403 fix product sysmon_apt_sourgrum.yml 2021-07-30 16:02:38 +02:00
Bhabesh Rai 1f0d4ca3dc Merge branch 'master' of https://github.com/d4rk-d4nph3/sigma into master 2021-07-30 12:36:21 +05:45
Bhabesh Rai 9131ed6db5 Added rule for Cabinet file expansion 2021-07-30 12:36:05 +05:45
frack113 ccaffc79f7 update ref win_susp_psr_capture_screenshots.yml 2021-07-30 08:40:21 +02:00
frack113 dfa28944d0 update ref in sysmon_creation_mavinject_dll.yml 2021-07-30 08:31:37 +02:00
frack113 e33ec91b9a add powershell_keylogging.yml 2021-07-30 08:28:19 +02:00
Florian Roth ab16490d33 fix: re CS rule 2021-07-30 08:24:41 +02:00
frack113 38ede57cb4 add powershell_suspicious_recon.yml 2021-07-30 08:20:51 +02:00
frack113 eff6b50a89 add process_creation_susp_recon.yml 2021-07-30 08:15:13 +02:00
Florian Roth 096395a49a fix: one condition style error 2021-07-30 07:19:42 +02:00
Florian Roth 0cbb6f82ad CobaltStrike NamedPipe Patterns 
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
 2021-07-30 07:11:11 +02:00
Florian Roth ec9c15226f SeriousSAM PowerShell rule 2021-07-29 18:12:10 +02:00
Florian Roth 5ce5465559 Merge pull request #1755 from SigmaHQ/rule-devel 
Different rule updates
 2021-07-28 18:56:28 +02:00
Florian Roth 77c8225db3 Merge pull request #1745 from frack113/redcanary_t1115 
[OSCD]  process_creation_clip.yml t1115
 2021-07-28 16:24:15 +02:00
Florian Roth f57f5931ed Merge pull request #1746 from frack113/tune_sysmon_office_vsto_persistence.yml 
Tune sysmon_office_vsto_persistence.yml
 2021-07-28 16:23:49 +02:00
Florian Roth 59a93ef964 Merge pull request #1747 from frack113/tune_sysmon_taskcache_entry.yml 
Tune sysmon_taskcache_entry.yml
 2021-07-28 16:23:38 +02:00
Florian Roth c3eced4ae7 Merge pull request #1748 from frack113/update_win_susp_rar_flags.yml 
update win_susp_rar_flags.yml
 2021-07-28 16:23:14 +02:00
Florian Roth dc4380d459 Merge pull request #1750 from frack113/redcanary_t1560.001_winzip 
[OSCD] Redcanary t1560.001 winzip
 2021-07-28 16:22:48 +02:00
Florian Roth 321a15d004 Merge pull request #1751 from frack113/redcanary_t1560.001_7zip 
[OSCD] Redcanary t1560.001 7z
 2021-07-28 16:22:31 +02:00
Florian Roth 6d5e695cd1 Merge pull request #1753 from frack113/redcanary_t1119 
Redcanary t1119
 2021-07-28 16:21:40 +02:00
Florian Roth 7f820c7b29 rule updates 2021-07-28 16:20:21 +02:00
phantinuss 9833cc34e5 direct syscall to NtOpenProcess 2021-07-28 15:14:30 +02:00
Florian Roth aefd50f049 fix: avoid FPs with HTool string 2021-07-28 14:23:54 +02:00
frack113 2758c1aa93 add powershell_automated_collection.yml 2021-07-28 14:14:02 +02:00