Commit Graph

35 Commits

Author SHA1 Message Date
Thomas Patzke 143744bc12 Various fixes
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
2021-09-07 23:38:07 +02:00
Austin Songer fa5554660c Update sysmon_mal_cobaltstrike_re.yml 2021-09-04 17:33:05 -05:00
frack113 a048403089 Merge pull request #1973 from klingerko/cs_namedpipe_updates
Remove duplicate and regex improvements
2021-09-02 15:25:01 +02:00
klingerko 15e25f9635 update modified date 2021-09-02 14:50:14 +02:00
Florian Roth 0603581111 Merge pull request #1969 from SigmaHQ/rule-devel
More Named Pipe Rules and WMI rule refactoring
2021-09-02 10:15:00 +02:00
Konstantin Klinger 457da818a4 regex optimisations 2021-09-01 17:06:55 +02:00
Konstantin Klinger e83ee55573 remove duplicate 2021-09-01 17:05:36 +02:00
Florian Roth 2f7f050ad8 fix: removed tags 2021-09-01 16:32:27 +02:00
Florian Roth 8761927e8c rule: susp scrcons.exe creating named pipe 2021-09-01 13:57:17 +02:00
Florian Roth affc929c3b LiquidSnake named pipe 2021-09-01 13:54:47 +02:00
Florian Roth c8b3036949 Merge pull request #1968 from SigmaHQ/rule-devel
docs: note to improved sysmon config
2021-09-01 13:21:28 +02:00
Florian Roth f102b2d9a1 docs: note to improved sysmon config 2021-09-01 13:07:18 +02:00
phantinuss e59b8e1e3e add applicable pipe names from regex rule 2021-08-26 14:53:20 +02:00
phantinuss dc19268583 remove because of possible conflict
with a legitimate tool (https://labs.nettitude.com/blog/cve-2017-16245-cve-2017-16246-avecto-defendpoint-multiple-vulnerabilities/)
2021-08-26 14:25:12 +02:00
Florian Roth 6c7d355ef5 Try to add more pipe names to this non-regex rule 2021-08-26 14:00:57 +02:00
phantinuss 217dbc768a More malleable CobaltStrike C2 profiles from new source/reference 2021-08-26 12:53:43 +02:00
Florian Roth 91b42f9077 fix: indentation 2021-08-23 15:03:59 +02:00
Florian Roth dc3ed771b5 rule: EfsPotato Named Pipe 2021-08-23 08:32:50 +02:00
Florian Roth ab16490d33 fix: re CS rule 2021-07-30 08:24:41 +02:00
Florian Roth 096395a49a fix: one condition style error 2021-07-30 07:19:42 +02:00
Florian Roth 0cbb6f82ad CobaltStrike NamedPipe Patterns
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
2021-07-30 07:11:11 +02:00
Florian Roth c1cebe627a refactor: reworked CS pipe rule 2021-05-26 17:22:34 +02:00
Florian Roth ba12057919 Merge pull request #1505 from WojciechLesicki/master
Update rule regarding other named pipe
2021-05-26 14:35:22 +02:00
WojciechLesicki 8b707bc948 Added also \status_ pipe. 2021-05-25 21:58:22 +02:00
WojciechLesicki f1a0308e73 Add one more pipe, references etc. 2021-05-25 21:07:23 +02:00
WojciechLesicki 38552e98cf Adding some pipes 2021-05-25 15:47:34 +02:00
Jonhnathan c7f7eb6698 Update Threat Hunter Playbook Reference 2021-05-22 01:02:43 -03:00
Florian Roth ecb133f97d docs: extended authors of malicious pipe rule 2021-05-04 09:28:17 +02:00
Florian Roth c6aeee958e rule: more named pipes by @blueteam0ps 2021-05-04 09:27:11 +02:00
Florian Roth f2fa8dd956 rules: CobaltStrike named pipes 2021-04-23 17:16:09 +02:00
Steven d263b937b4 Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 02:02:25 +02:00
Steven 7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
2021-04-15 01:40:31 +02:00
Steven 850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
Steven 0c9a82af89 - Remove 'service: sysmon' since defining the categories made the rules generic 2020-10-02 09:37:52 +02:00
Steven 8b74abe0bc - Created new categories for sysmon events
- Replaced the explicit EventIDs with the reference to the category
- Moved the rules to the corresponding directories
2020-09-30 20:44:14 +02:00