security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,299 Commits 1 Branch 57 Tags
1fc408bfaa458268d89a24d32c5a2ece1c19dc8f
Commit Graph

872 Commits

Author SHA1 Message Date
Florian Roth 92510e2507 extended Exchange post-exploitation rule 2021-03-17 18:01:45 +01:00
Florian Roth bfc99996b5 fix: Bug in rule condition 2021-03-16 16:35:21 +01:00
Florian Roth 32adf0c3ce fix: prone to FPs 2021-03-16 15:52:35 +01:00
Florian Roth 70f9480ec5 fix: wrong field name 2021-03-15 08:14:43 +01:00
Florian Roth a0b034aa2b fix: better exclusion 2021-03-13 09:09:43 +01:00
Florian Roth 145c3bc2ca refactor: more hafnium indicators 2021-03-13 09:07:58 +01:00
Florian Roth 69ee1cece2 fix: FPs 2021-03-13 09:07:44 +01:00
Florian Roth 48da4e1314 Update win_apt_hafnium.yml 2021-03-11 13:55:31 +01:00
Florian Roth 9084fc4fa7 Update on HAFNIUM rule 
https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
 2021-03-11 13:38:07 +01:00
Florian Roth ec490b40ec fix: 1 of them condition 2021-03-09 09:15:12 +01:00
Florian Roth 563335ec5a rule: suspicious service binary location 2021-03-09 09:01:36 +01:00
Florian Roth 2ded9543f3 rule: HAFNIUM post-exploitation activity 2021-03-09 09:01:24 +01:00
Florian Roth 2b5f9f994f Merge pull request #1376 from SigmaHQ/rule-devel 
UNC2452 rules - GoldMax, GoldFinder, Sibot
 2021-03-05 18:17:20 +01:00
Florian Roth a61fbe6bd8 fix: duplicate UUID 2021-03-05 12:09:43 +01:00
Florian Roth b864768de8 fix: wrong conditions 2021-03-05 11:55:49 +01:00
Florian Roth c3b84f2d5b UNC2452 rules - GoldMax, Sibot, GoldFinder 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 2021-03-05 11:54:35 +01:00
Florian Roth bdc35aa3ec Update win_webshell_spawn.yml 2021-03-05 11:34:17 +01:00
Florian Roth 9e921115bc Merge pull request #1373 from SigmaHQ/rule-devel 
HAFNIUM rule
 2021-03-03 10:34:08 +01:00
Florian Roth 73a3a1e5cd Merge pull request #1360 from d4rk-d4nph3/master 
Added sigma rule for vSphere RCE CVE-2021-21972
 2021-03-03 09:32:05 +01:00
Bhabesh Rai 56eed19fba Added rules for successful exploitation fo CVE-2021-26857/8 in Exchannge 2021-03-03 12:46:50 +05:45
Florian Roth 6d30f87c0c refactor: procdump use 2021-03-02 23:36:25 +01:00
Florian Roth 5c1dc30a13 Merge pull request #1369 from SigmaHQ/rule-devel 
fix: FPs with rule and avast sandbox
 2021-03-02 15:30:30 +01:00
Florian Roth c873d878b9 fix: FPs with rule and avast sandbox 2021-03-02 10:08:30 +01:00
Florian Roth 40710fe89a Merge pull request #1357 from Neo23x0/rule-devel 
Rule FP fixes
 2021-02-26 11:05:00 +01:00
Florian Roth 9d937705c0 fix: null values in separate filter expression 
> null value in lists cause problems in some backends
 2021-02-25 15:19:26 +01:00
Florian Roth a8912da1a0 rule: finger.exe execution 2021-02-24 17:47:56 +01:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Florian Roth f8b6b9d68e fix: FPs with Suspect Svchost Activity 2021-02-24 13:55:40 +01:00
Florian Roth 9eb55016bf fix: FPs with WMI Spawning Windows PowerShell 2021-02-24 13:32:30 +01:00
Florian Roth b032bc3328 fix: FPs with Wmiprvse Spawning Process 2021-02-24 13:27:18 +01:00
Florian Roth 96803a5a27 Merge pull request #1355 from Neo23x0/rule-devel 
Rule devel
 2021-02-22 17:46:21 +01:00
Florian Roth 94035e1e11 fix: error in condition 2021-02-22 17:30:11 +01:00
Florian Roth 749789c17d fix: condition in eventlog rule 2021-02-22 17:24:19 +01:00
Florian Roth 786a799c3f Merge pull request #1345 from blueteam0ps/patch-2 
Created win_sus_auditpol_usage.yml
 2021-02-18 11:17:04 +01:00
Florian Roth 089a931007 rule: ScreenConnect remote access 2021-02-11 13:04:16 +01:00
Florian Roth 4c2691d3c3 rule: disable windows eventlog 2021-02-11 12:28:52 +01:00
bartlomiej-czyz e79168ee56 Create win_rundll32_without_parameters.yml 2021-02-03 22:18:23 +01:00
BlueTeamOps c3c706503e Update win_sus_auditpol_usage.yml 2021-02-02 22:24:54 +11:00
BlueTeamOps b0d0bb95b0 Created win_sus_auditpol_usage.yml 
This adds detection for suspicious behaviour of the auditpol binary
 2021-02-02 19:12:13 +11:00
Florian Roth 309e15dc5c rule: add call by ordinal 2021-02-01 20:16:31 +01:00
Florian Roth 597633c938 rule: ShimCache Flush 2021-02-01 20:05:28 +01:00
Florian Roth 179db920ec Merge pull request #1343 from Neo23x0/rule-devel 
Rule devel
 2021-02-01 12:28:22 +01:00
Florian Roth aaeb72a2b6 fix: FPs 2021-02-01 11:47:23 +01:00
Florian Roth 33fee6af8b rule: security product uninstallation 2021-01-30 11:24:08 +01:00
Florian Roth e533b4effb fix: tags 2021-01-28 13:51:51 +01:00
Florian Roth cd4491cba2 rule: disable volume snaptshots 2021-01-28 13:48:30 +01:00
Florian Roth 6b9eef58da Merge pull request #1338 from Neo23x0/rule-devel 
Improved UNC2452 activity rules
 2021-01-25 14:36:44 +01:00
Florian Roth 7d99a48bb2 rule: new Quakbot pattern 2021-01-25 12:03:30 +01:00
Florian Roth b62c705bf0 Improved UNC2452 activity rules 2021-01-22 09:18:11 +01:00
Florian Roth efa39eb18d Merge pull request #1336 from Neo23x0/rule-devel 
rule: Raccine uninstall
 2021-01-21 18:17:31 +01:00