security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,994 Commits 1 Branch 57 Tags
01dc930c173e329c191245b76f05de5fa4b5da21
Commit Graph

2238 Commits

Author SHA1 Message Date
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
Florian Roth 6664d6e522 Merge pull request #2329 from SigmaHQ/rule-devel 
fix: regex in lolbas rules
 2021-11-27 11:05:34 +01:00
Florian Roth 5a9f82206f Merge pull request #1045 from vburov/patch-9 
Create win_hack_hydra.yml
 2021-11-27 10:21:56 +01:00
Florian Roth 8e2be01845 Merge branch 'master' into rule-devel 2021-11-27 10:17:07 +01:00
Florian Roth 0593446f96 fix: regex in diantz rule 2021-11-27 10:16:27 +01:00
Florian Roth 62cd452c95 Merge branch 'master' into rule-devel 2021-11-27 10:16:10 +01:00
Florian Roth 0f6c2e007e fix: regex in Extract32 rule 2021-11-27 10:15:24 +01:00
Florian Roth ef13bea075 fix: regular expression in " 2021-11-27 10:05:51 +01:00
Florian Roth 97207bdf81 Merge branch 'master' into aurora-false-positive-fixing 2021-11-27 09:22:15 +01:00
Florian Roth 0ad9f9a859 fix: FPs noticed with Aurora 2021-11-27 09:13:53 +01:00
Florian Roth 9d3ba0f432 refactor: reduce to medium 
since we cannot easily detect a real threat without a filter for every possible updater, we have to reduce level to medium here
 2021-11-27 08:52:33 +01:00
frack113 138b066283 Merge pull request #2326 from austinsonger/win_lolbas_dump64.yml 
process_creation_win_lolbas_dump64.yml
 2021-11-27 07:50:11 +01:00
Florian Roth 46f0e32118 Update process_creation_win_lolbas_dump64.yml 2021-11-27 01:18:56 +01:00
Austin Songer 248dcbe735 Update process_creation_win_lolbas_dump64.yml 2021-11-26 14:34:32 -06:00
Florian Roth 1b8a6b901b docs: change title and description 2021-11-26 21:24:54 +01:00
Florian Roth 83e4236edf fix: tag, changed rule to avoid FP with VS binary 
there is a legitimate binary used in Visual Studio named dump64.exe, we can exclude the original location and only report when we see it in a different location or used with procdump command line flags
https://www.advanceduninstaller.com/Visual-Studio-Professional-2019-dc240beb51a0e41e029278d4ad2a2e87-application.htm
 2021-11-26 21:23:21 +01:00
Austin Songer 18bab18dd9 Update process_creation_win_lolbas_dump64.yml 2021-11-26 14:19:10 -06:00
Austin Songer d485fa9b93 Create process_creation_win_lolbas_dump64.yml 2021-11-26 14:03:10 -06:00
frack113 5e57e476c2 fix remote 2021-11-26 19:01:45 +01:00
frack113 0f33cbc85b add lolbas rule 2021-11-26 18:50:19 +01:00
Florian Roth 9c8a649e6c fix: FP with suspicious svchost.exe rule 2021-11-26 17:12:33 +01:00
Florian Roth d91b925873 fix: FPs 2021-11-26 14:42:21 +01:00
phantinuss 271e8291a5 fix: remove unneeded escape 2021-11-25 09:24:04 +01:00
frack113 960a03eaf4 add lobas Binary 2021-11-24 19:17:00 +01:00
Florian Roth 3e8b43e324 Merge pull request #2307 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2021-11-24 17:31:44 +01:00
Florian Roth f60e8e5d17 fix: more false positive filters 2021-11-24 16:58:53 +01:00
phantinuss eb8c9c046b rule: download using certreq 2021-11-24 16:39:44 +01:00
Florian Roth 88cc418b98 Merge branch 'rule-devel' into aurora-false-positive-fixing 2021-11-24 13:42:00 +01:00
phantinuss b807aba67a fix: key/value 2021-11-24 11:41:02 +01:00
phantinuss 30b57f33ed rule: rundll calling shell32 with dll in suspicious location 2021-11-24 10:56:58 +01:00
Florian Roth 2c07bd562f Merge pull request #2301 from SigmaHQ/rule-devel 
refactor: reworked psexec / paexec rules
 2021-11-24 09:27:35 +01:00
Florian Roth 33c5e027d3 refactor: psexec flags 2021-11-23 18:00:48 +01:00
Florian Roth 99fc5fc3cc refactor: reworked psexec / paexec rules 2021-11-23 16:34:31 +01:00
Florian Roth 42571791b3 Merge branch 'rule-devel' into aurora-false-positive-fixing 2021-11-22 15:24:46 +01:00
Florian Roth 2c5631f1bf Merge branch 'master' into aurora-false-positive-fixing 2021-11-22 15:23:43 +01:00
Florian Roth 68e4864069 fix: exclusions in new WinRAR rule 2021-11-22 15:23:28 +01:00
Florian Roth 75663ceb46 rule: file creation LPE CVE-2021-41379 2021-11-22 14:15:51 +01:00
Florian Roth 9a2e7a23fa docs: tags for CVE-2021-41379 2021-11-22 14:06:50 +01:00
Florian Roth 023a0f0685 Revert "refactor: rule could possible generate to many FPs" 
This reverts commit 24c4d51796.
 2021-11-22 14:03:59 +01:00
Florian Roth 24c4d51796 refactor: rule could possible generate to many FPs 2021-11-22 11:28:32 +01:00
Florian Roth 7432aa37a0 refactor: lsass query info access 2021-11-22 11:02:01 +01:00
frack113 ab663f9bcf Add MITTRE Technique 2021-11-20 10:56:41 +01:00
frack113 8f0cee86ac Add Technique tags 2021-11-20 09:53:35 +01:00
frack113 1cfca93354 Missing status in rules (#2284) 
* add missing status
 2021-11-19 22:32:26 +01:00
frack113 264db60c5e Merge pull request #2276 from phantinuss/master 
Rule Fix: Paths with Quotes
 2021-11-19 19:05:36 +01:00
Florian Roth 4acbb15713 Merge branch 'master' into rule-devel 2021-11-19 15:52:21 +01:00
Florian Roth ecc7181d6e fix: FP with Windows Update Client LOLBIN rule 2021-11-18 13:34:55 +01:00
phantinuss 84476e1dd4 fix: prevent possible FPs from non-windows native calls using paths surrounded by quotes 2021-11-18 10:06:03 +01:00
Florian Roth 7dce83033b rule: Winrar suspicious folder 2021-11-17 19:01:48 +01:00
phantinuss 0109694e26 enhance emotet rundll32 execution pattern for current campaign 2021-11-17 15:59:05 +01:00