security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

7892 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Austin Songer 4ddcea0714 Update sysmon_dns_over_https_enabled.yml 2021-07-22 11:09:41 -05:00
Austin Songer d093fea6a5 Update sysmon_dns_over_https_enabled.yml 2021-07-22 11:07:02 -05:00
Austin Songer 6e8df1e9d2 Update sysmon_dns_over_https_enabled.yml 2021-07-22 11:05:54 -05:00
Austin Songer edf1740ec4 Update sysmon_dns_over_https_enabled.yml 2021-07-22 11:05:31 -05:00
Austin Songer c7685e1c18 Create sysmon_dns_over_https_enabled.yml 2021-07-22 11:04:15 -05:00
Florian Roth edfd082754 Merge pull request #1716 from frack113/elk_keyword_rule 
powershell_nishang_malicious_commandlets Elk keywords trouble
 2021-07-22 15:01:13 +02:00
Florian Roth cbc7a746d4 feat: some often used ncat command line strings 2021-07-22 15:00:50 +02:00
Florian Roth 7a8fcf4237 Merge pull request #1718 from frack113/powercat 
[OSCD] powershell_powercat.yml T1095
 2021-07-22 14:53:34 +02:00
Florian Roth 132bd8fdd8 Merge pull request #1720 from frack113/redcanary_t1411_001 
[OSCD] powershell_suspicious_mail_acces.yml T1114.001
 2021-07-22 14:53:21 +02:00
Florian Roth 583cae058e Merge pull request #1723 from phantinuss/master 
Add sysmon_status and sysmon_error category to thor logsource; logical rule fix
 2021-07-22 14:53:01 +02:00
Florian Roth 9f2f6db598 Merge pull request #1721 from frack113/update_test 
Update date and modified test
 2021-07-22 11:10:25 +02:00
Florian Roth 7add93e05d Merge pull request #1722 from frack113/clean_duplicate 
Find a duplicate rules
 2021-07-22 11:10:15 +02:00
Florian Roth 1cfb0e4689 Update win_mal_flowcloud.yml 2021-07-22 11:09:45 +02:00
phantinuss 3b5f3d8bef fix: indentation 2021-07-22 10:18:03 +02:00
phantinuss e4880169d3 add sysmon_status and sysmon_error category to thor logsources 2021-07-22 09:59:16 +02:00
phantinuss 3c85bba998 fix: according to the reference the condition should be or; it would never match otherwise anyways 2021-07-22 09:59:04 +02:00
frack113 985a80de96 Find duplicate rules 2021-07-22 08:33:52 +02:00
frack113 fe20158f5e Update date and modified test 2021-07-21 18:28:47 +02:00
frack113 4cc4df35d8 add powershell_suspicious_mail_acces.yml 2021-07-21 15:27:12 +02:00
frack113 72da7a3053 fix tags attack.t1095 2021-07-21 13:08:35 +02:00
frack113 41c4f1d157 add powershell_powercat.yml 2021-07-21 13:04:27 +02:00
frack113 1b537cac5d add sysmon_netcat_execution.yml 2021-07-21 10:55:54 +02:00
Florian Roth 461aac3ac5 Merge pull request #1709 from frack113/add_test 
test_rules.py check duplicate id
 2021-07-21 10:44:08 +02:00
Florian Roth 0930a933c3 Merge pull request #1713 from frack113/redcanary_t1552_004 
[OSCD] process_creation_discover_private_keys.yml T1552.004
 2021-07-21 10:43:45 +02:00
Florian Roth 78f903a2cc Merge pull request #1714 from frack113/redcanary_t1074_001 
[OSCD] win_susp_zip_compress.yml T1074.001
 2021-07-21 10:43:32 +02:00
Florian Roth 8f0e58b6ed Merge pull request #1715 from frack113/redcanary_t1095 
Update powershell_suspicious_download.yml
 2021-07-21 10:43:05 +02:00
frack113 44254038d3 fix human error : test-sigmac Error 4 2021-07-21 10:01:46 +02:00
frack113 b9b0ef2066 convert keywords to correct field name Payload 2021-07-21 09:44:26 +02:00
Florian Roth ddb4744613 regsvr32 anomaly rule update 
https://twitter.com/BlackMatter23/status/1417545425297580045
 2021-07-20 21:14:48 +02:00
frack113 ba50a2309c fix case EventID 2021-07-20 16:26:13 +02:00
frack113 42005a07b7 update powershell_suspicious_download.yml 2021-07-20 16:12:24 +02:00
frack113 b031a1b4b7 add win_susp_zip_compress.yml 2021-07-20 13:13:53 +02:00
frack113 cf8904b560 fix files_with_incorrect_mitre_tags 2021-07-20 12:22:31 +02:00
Florian Roth 66aaa2210c refactor: widened PS1 Empire cmdlines rule 2021-07-20 11:26:22 +02:00
frack113 da6135ccb3 add process_creation_discover_private_keys.yml 2021-07-20 11:20:30 +02:00
Florian Roth 6fbce11094 Merge pull request #1712 from SigmaHQ/rule-devel 
fix: bug in regsvr anomaly rule
 2021-07-18 13:00:19 +02:00
Florian Roth b7b4c4555f fix: bug in regsvr anomaly rule 2021-07-18 12:59:31 +02:00
Florian Roth 345f55bc53 Merge pull request #1711 from thegoatreich/patch-1 
Add LogRhythm to supported targets
 2021-07-17 13:47:24 +02:00
Florian Roth c905e61f7a Merge pull request #1705 from thegoatreich/logrhythm-support 
Logrhythm support
 2021-07-17 13:47:04 +02:00
Florian Roth 7eb873e48b Merge pull request #1710 from SigmaHQ/rule-devel 
added more legitimate extensions to regsvr32 rule
 2021-07-17 13:46:21 +02:00
thegoatreich dff7ad653a Add LogRhythm to supported targets 2021-07-17 11:02:32 +01:00
Florian Roth 53c25969ab added more legitimate extensions to regsvr32 rule 2021-07-17 11:20:05 +02:00
frack113 50c47a4ed0 check duplicate id 2021-07-17 10:32:29 +02:00
Florian Roth 8a75890b51 Merge pull request #1702 from d4rk-d4nph3/master 
Added rule for ADRecon execution
 2021-07-17 09:50:29 +02:00
Florian Roth e838a1acc4 increased level 2021-07-17 09:50:11 +02:00
Florian Roth 715bca0fd2 Merge pull request #1704 from frack113/redcanary_t1216 
Redcanary t1216
 2021-07-17 09:48:43 +02:00
Florian Roth 56ae1938af Merge pull request #1706 from BlackB0lt/patch-12 
Create sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
 2021-07-17 09:46:35 +02:00
Florian Roth 3967240818 Merge pull request #1708 from heyibrahimkhan/patch-7 
Update ecs-suricata.yml
 2021-07-17 09:44:40 +02:00
Florian Roth b1a00152bc Merge pull request #1698 from SigmaHQ/rule-devel 
several new rules and fixes
 2021-07-17 09:39:47 +02:00
Florian Roth b911175f28 Suspicious mshta patterns 2021-07-17 09:04:41 +02:00