security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9,973 Commits 1 Branch 57 Tags
0889a1fc3b1a950fab00a5334f1fef3cd8ba0cb2
Commit Graph

9973 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 0889a1fc3b Merge pull request #2656 from redsand/hawk 
Hawk backend - adjust risk score rules and remove translation
 2022-02-08 09:01:29 +01:00
Florian Roth 121b28c419 Merge pull request #2660 from redsand/fp_sysmon_creation_system_file_allow_wbengine 
FP from wbengine when writing a system filename
 2022-02-08 09:01:10 +01:00
Florian Roth 07e0d0412e Merge pull request #2662 from nasbench/master 
Update sysmon_raw_disk_access_using_illegitimate_tools.yml
 2022-02-08 09:00:46 +01:00
Florian Roth 7606ab96c8 Merge pull request #2657 from phantinuss/master 
fix: FPs
 2022-02-08 09:00:31 +01:00
Florian Roth 7e17c2bbd2 Merge pull request #2658 from Karneades/patch-1 
rule: ACTINIUM Scheduled Task Persistence
 2022-02-07 21:20:22 +01:00
Florian Roth 3ca0382671 Merge pull request #2661 from redsand/fp_mimikatz_command_line 
FP mimikatz when loading powershell function Convert-GuidToCompressedGuid
 2022-02-07 21:20:04 +01:00
Nasreddine Bencherchali 7d1e149844 Update sysmon_raw_disk_access_using_illegitimate_tools.yml 2022-02-07 20:51:19 +01:00
Tim Shelton f3ce179f76 fixing false positive when loading the powershell function Convert-GuidToCompressedGuid 2022-02-07 17:10:57 +00:00
Tim Shelton 913aac6695 allow fp from wbengine 2022-02-07 16:58:58 +00:00
Florian Roth aef0bd2a2d Update process_creation_apt_actinium_persistence.yml 2022-02-07 16:15:48 +01:00
Andreas Hunkeler 40411f0596 Fix list issue in new wscript persistence rule 2022-02-07 15:54:42 +01:00
Andreas Hunkeler 0a78c3966b rule: ACTINIUM Scheduled Task Persistence 2022-02-07 15:43:30 +01:00
Florian Roth a60426e4a2 Update win_alert_lsass_access.yml 2022-02-07 15:43:04 +01:00
phantinuss ed2025e626 fix: FPs 2022-02-07 15:32:15 +01:00
Tim Shelton fe95c8abaf setting minimum value of record score to zero 2022-02-07 14:15:16 +00:00
Florian Roth 4d56024c10 Merge pull request #2655 from jaegeral/codespell_2022_022 
some smaller typo fixes
 2022-02-07 15:13:34 +01:00
Florian Roth dda32a5f03 Merge pull request #2654 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-02-07 15:13:13 +01:00
Tim Shelton 64c32fa566 Merge branch 'master' of https://github.com/redsand/sigma into hawk 2022-02-07 14:12:45 +00:00
jaegeral 8bd9ead40b some smaller typo fixes 2022-02-07 13:17:03 +00:00
Florian Roth e69a816f7d fix: extended filters for raw disk access rule 2022-02-07 13:58:16 +01:00
Florian Roth 5c73f913f2 Merge branch 'master' into aurora-false-positive-fixing 2022-02-07 13:17:00 +01:00
Florian Roth c50f4dbd23 Merge pull request #2653 from SigmaHQ/rule-devel 
fix: FP noticed with Aurora
 2022-02-07 13:15:47 +01:00
Florian Roth 9842118c53 Merge branch 'master' into aurora-false-positive-fixing 2022-02-07 13:15:05 +01:00
Florian Roth 5862cdc192 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-07 13:14:53 +01:00
Florian Roth b0e73af9ff fix: FPs noticed with Aurora 2022-02-07 13:14:51 +01:00
Florian Roth 90f551a194 Merge branch 'master' into rule-devel 2022-02-06 23:34:54 +01:00
Florian Roth d083efa095 fix: FPs noticed with Aurora 2022-02-06 23:33:52 +01:00
frack113 6dbbccc84e Merge pull request #2648 from frack113/x86matthew_lnk 
add win_pc_embed_exe_lnk
 2022-02-06 21:15:51 +01:00
frack113 968dbeeaca Merge pull request #2647 from frack113/red_20220206 
add posh_ps_get_adreplaccount
 2022-02-06 21:15:31 +01:00
frack113 60a0e26974 Merge pull request #2651 from frack113/fix_detecttion 
lnx_auditd_systemd_service_creation fix detection
 2022-02-06 21:13:12 +01:00
Florian Roth c5bdbb1b71 Merge pull request #2649 from SigmaHQ/rule-devel 
refactor: lsass dump filename IOC pattern
 2022-02-06 20:39:23 +01:00
frack113 ff9ecf395f Fix detection 2022-02-06 19:16:27 +01:00
Florian Roth 80a552d28d refactor: lsass dump filename IOC pattern 2022-02-06 14:26:55 +01:00
Florian Roth 094215a7e0 Update win_pc_embed_exe_lnk.yml 2022-02-06 14:20:30 +01:00
Florian Roth 97dacc4ffc refactor: increased level to medium 2022-02-06 14:17:38 +01:00
frack113 f1f38a2df4 add win_pc_embed_exe_lnk 2022-02-06 14:01:48 +01:00
frack113 62611e0e39 add posh_ps_get_adreplaccount 2022-02-06 11:15:00 +01:00
Florian Roth e28d5ce97f Merge pull request #2646 from SigmaHQ/rule-devel 
fix: avoid Microsoft Defender detections
 2022-02-06 09:44:40 +01:00
Florian Roth 27c63d2735 Merge branch 'master' into rule-devel 2022-02-06 08:57:37 +01:00
Florian Roth e2aa3665af fix: avoid Microsoft Defender detections 
We keep the strings as specific as necessary while avoiding Microsoft Defender detections on the rule files
 2022-02-06 08:56:54 +01:00
Florian Roth 49d35717ad Merge pull request #2645 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-02-05 22:26:52 +01:00
Florian Roth fada8df7d4 fix: FP notices with Aurora 2022-02-05 21:40:03 +01:00
Florian Roth 44221ed95e fix: Aurora Sigma rule matches in application log 2022-02-05 21:38:10 +01:00
frack113 ebd09793d7 Merge pull request #2643 from elhoim/patch-1 
Avoiding being too narrow for paths
 2022-02-05 12:03:46 +01:00
frack113 ef629c1502 Merge pull request #2641 from frack113/red_20220204 
Windows redcanaryco
 2022-02-05 12:03:28 +01:00
frack113 59141ce789 Merge pull request #2636 from zakibro/master 
Auditd rule - Systemd Service Creation
 2022-02-05 10:35:01 +01:00
Florian Roth c23a82d2e7 Update win_re_set_servicedll.yml 2022-02-04 23:19:36 +01:00
Florian Roth 8dc0835b2a Update win_pc_redirect_to_stream.yml 2022-02-04 23:18:08 +01:00
Florian Roth affd73506d Update win_pc_susp_instalutil.yml 2022-02-04 23:16:05 +01:00
David André 391d73a2c2 Avoiding being too narrow for paths 
InstallUtil.exe is also available under 32 bits path for .net framework
 2022-02-04 21:08:47 +01:00