Commit Graph

2334 Commits

Author SHA1 Message Date
Florian Roth 3a30d19cfd Merge pull request #2447 from SigmaHQ/rule-devel
fix: FP with proc creation Image non .exe suffix
2021-12-13 14:03:41 +01:00
Florian Roth cd63ce23ff fix: FP with proc creation Image non .exe suffix 2021-12-13 11:44:29 +01:00
frack113 221f479825 Windows RedCannary T1069.001 2021-12-12 12:15:27 +01:00
frack113 d45dc2eaf3 Merge pull request #2434 from frack113/T1049
Windows T1049 RedCannary
2021-12-12 11:28:23 +01:00
Florian Roth 074c6b1714 Merge pull request #2423 from redsand/detect_net_use_password_plaintext
Detect net use password plaintext
2021-12-11 15:25:06 +01:00
frack113 c91a4a1a75 Merge pull request #2430 from frack113/windows_t1046
Add windows t1046 rules
2021-12-11 12:28:47 +01:00
frack113 c53740296c Fix title 2021-12-11 10:26:47 +01:00
frack113 dc1af19336 Add win_pc_susp_tasklist_command 2021-12-11 10:20:21 +01:00
frack113 ee67779811 Windows T1049 RedCannary 2021-12-11 09:38:20 +01:00
Tim Shelton b41471ed6b adds space to detect between : (drive argument) and \\ (network share path) 2021-12-10 18:10:37 +00:00
frack113 904fb9181e Add windows t1046 rules 2021-12-10 16:31:16 +01:00
Florian Roth a9c9c9ae3a Merge pull request #2425 from SigmaHQ/aurora-false-positive-fixing
fix: FP with new SYSTEM rule
2021-12-10 13:50:04 +01:00
Florian Roth 8c85f4ffa4 fix: FP with new SYSTEM rule 2021-12-10 12:17:25 +01:00
Tim Shelton b503a11366 oof, wrong field, sorry! 2021-12-10 06:49:55 +00:00
redsand (Tim Shelton) 879a1325f9 Merge branch 'SigmaHQ:master' into fp_for_matching_msiexec_behavior 2021-12-10 00:47:49 -06:00
redsand (Tim Shelton) 6151094fdd Merge branch 'SigmaHQ:master' into detect_net_use_password_plaintext 2021-12-10 00:46:38 -06:00
Florian Roth 834681c3b4 Update win_susp_net_use_password_plaintext.yml 2021-12-09 23:51:32 +01:00
Tim Shelton f59c8c3360 changing case of title 2021-12-09 20:53:07 +00:00
Tim Shelton 791f419b9e fixing column 2021-12-09 20:41:50 +00:00
Tim Shelton 19eff6952b Fixing format errors 2021-12-09 20:39:43 +00:00
Tim Shelton ae34e020c2 Adding new sig to detect password on commandline 2021-12-09 20:33:37 +00:00
Tim Shelton 88eaeca844 Adding filter for msiexec repair option 2021-12-09 15:16:52 +00:00
Florian Roth 0689e253b4 set level to "high" 2021-12-09 16:03:20 +01:00
Florian Roth a5c53789d9 set level to high 2021-12-09 16:03:06 +01:00
Max Altgelt 3c699a2272 fix: inline list with one argument 2021-12-09 15:49:18 +01:00
Max Altgelt ca2ead74b1 feat: Add rules to detect uncommon process creation events 2021-12-09 14:21:34 +01:00
Max Altgelt 538fb06f05 fix: mark string as regex 2021-12-09 14:09:19 +01:00
frack113 f59124e0ad Merge pull request #2404 from frack113/t1016
Add some T1016 windows
2021-12-08 17:22:37 +01:00
Florian Roth b315ff9786 Merge pull request #2408 from SigmaHQ/aurora-false-positive-fixing
fix: multiple FPs with different rules
2021-12-08 14:50:01 +01:00
Florian Roth b5493a6136 Merge pull request #2407 from SigmaHQ/rule-devel
fix: dysfunctional imphash rules, rule: grafana rule
2021-12-08 13:04:20 +01:00
Florian Roth 42e077d382 fix: Suspicious SYSTEM User Process Creation > schtasks 2021-12-08 11:44:30 +01:00
Florian Roth a502f316ef Merge pull request #2406 from SigmaHQ/rule-devel
Rule refactoring, DInject rule
2021-12-08 11:26:24 +01:00
Florian Roth b7f982734a fix: dysfunctional imphash rules 2021-12-08 11:26:17 +01:00
Florian Roth 33bdfd124d refactor: comsvcs.dll adjustments - run by ordinal variants 2021-12-08 10:02:21 +01:00
Florian Roth bfd6b48ee4 refactor: adjusted run by ordinal pattern for Sysmon 2021-12-08 10:01:54 +01:00
Florian Roth c6f1398cfb rule: DInject usage 2021-12-08 09:38:23 +01:00
frack113 592259af80 Add T1016 2021-12-07 20:41:49 +01:00
Florian Roth c447cb4212 Merge pull request #2398 from SigmaHQ/rule-devel
rule: improved comsvcs.dll Minidump rule
2021-12-07 15:59:33 +01:00
Florian Roth 1cae016459 rule: fix and extend comsvcs minidump rule 2021-12-07 15:05:20 +01:00
Florian Roth 63fd1189e7 rule: improved comsvcs.dll Minidump rule 2021-12-07 12:59:20 +01:00
Florian Roth 5fcf0d9e06 Merge pull request #2397 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-07 11:28:14 +01:00
Florian Roth 506631485e fix: FPs noticed with Aurora 2021-12-07 10:38:10 +01:00
Florian Roth fc6ad3667c Merge pull request #2396 from SigmaHQ/rule-devel
New rules - Suspicious SYSTEM context
2021-12-07 08:24:12 +01:00
Florian Roth 507a0649f3 rule: suspicious process creation as SYSTEM user 2021-12-07 07:34:18 +01:00
frack113 777d218adc Merge pull request #2390 from frack113/t1007
Add redcannary T1007
2021-12-07 06:45:38 +01:00
Florian Roth dc3b6df0ee Merge pull request #2394 from redsand/fp_powershell_cmdline_special_chars
Adding fp filter for ssm-document-worker
2021-12-07 06:14:44 +01:00
Tim Shelton 905d6bf8fd Adding fp filter for ssm-document-worker 2021-12-06 22:02:54 +00:00
Florian Roth 426d212dd7 Merge pull request #2389 from SigmaHQ/rule-devel
New rules
2021-12-06 20:14:01 +01:00
frack113 07560e61a0 Add redcannary T1007 2021-12-06 18:56:25 +01:00
Florian Roth 0665cc6223 rule: add user to remote desktop users 2021-12-06 18:29:50 +01:00