security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,362 Commits 1 Branch 57 Tags
2560f40e0601b67d8a9652bc02f22b65717ef892
Commit Graph

2798 Commits

Author SHA1 Message Date
Florian Roth 428db0c74a Merge pull request #1382 from d4rk-d4nph3/master 
Added rule for CVE-2021-21978 in VMware View Planner
 2021-03-29 11:22:56 +02:00
Florian Roth b296c643de Merge pull request #1346 from blueteam0ps/patch-3 
Added win_ad_find_discovery.yml
 2021-03-29 11:20:49 +02:00
BlueTeamOps 6ef5f0a0a2 Added detection for Dumpert 
-Dumpert based LSASS dump using DLL
-Dumpert.exe detection
 2021-03-27 07:34:05 +11:00
BlueTeamOps 8916459bab Added additional CS signatures 2021-03-25 22:44:24 +11:00
Florian Roth 48265ad71a Merge pull request #1398 from SigmaHQ/rule-devel 
MSExchange Management log mapping, some fixes
 2021-03-20 17:21:31 +01:00
Florian Roth 525f4b6a6b Merge pull request #1388 from Cyb3rPandaH/master 
CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property
 2021-03-20 08:53:04 +01:00
Florian Roth e47ee24889 Merge branch 'master' into rule-devel 2021-03-20 08:52:55 +01:00
Florian Roth 334dd9a058 Update win_set_oabvirtualdirectory_externalurl.yml 2021-03-20 08:34:02 +01:00
Florian Roth 33af006479 Merge pull request #1389 from ZikyHD/patch_win_susp_wuauclt 
Fix ProcessCommandLine field
 2021-03-20 08:29:23 +01:00
Florian Roth 01fcfd4f76 Merge pull request #1390 from ZikyHD/patch_win_proc_wrong_parent 
Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)
 2021-03-20 08:29:09 +01:00
Florian Roth 2472926c48 Merge pull request #1391 from ZikyHD/patch_win_etw_trace_evasion 
Fix win_etw_trace_evasion rule
 2021-03-20 08:28:51 +01:00
Florian Roth dd4a1ac393 fix: prone to FPs - use is unclear 
https://regex101.com/r/tss5TZ/1
 2021-03-18 16:44:49 +01:00
Florian Roth 6b2bcd3d87 Merge pull request #1395 from SigmaHQ/rule-devel 
Rule devel
 2021-03-18 10:52:02 +01:00
Florian Roth d30e87d543 fix: lsass access - FPs with AV / EDR software 2021-03-18 09:04:03 +01:00
Florian Roth 92510e2507 extended Exchange post-exploitation rule 2021-03-17 18:01:45 +01:00
Florian Roth 943f8513e2 Merge pull request #1393 from SigmaHQ/rule-devel 
Rule devel
 2021-03-16 16:35:55 +01:00
Florian Roth bfc99996b5 fix: Bug in rule condition 2021-03-16 16:35:21 +01:00
Florian Roth 32adf0c3ce fix: prone to FPs 2021-03-16 15:52:35 +01:00
zikyhd e91822e070 Fix win_etw_trace_evasion rule 2021-03-15 15:02:18 +01:00
Cedric HIEN 864973888e Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8) 2021-03-15 12:07:05 +01:00
Cedric HIEN e4f24f4e1f Fix ProcessCommandLine field 2021-03-15 11:56:19 +01:00
Florian Roth 310888bae7 Merge pull request #1386 from SigmaHQ/rule-devel 
Rule devel
 2021-03-15 10:52:57 +01:00
Florian Roth 70f9480ec5 fix: wrong field name 2021-03-15 08:14:43 +01:00
Cyb3rPandaH f138a27426 CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property 
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
 2021-03-15 00:33:47 -04:00
Florian Roth a0b034aa2b fix: better exclusion 2021-03-13 09:09:43 +01:00
Florian Roth 145c3bc2ca refactor: more hafnium indicators 2021-03-13 09:07:58 +01:00
Florian Roth 69ee1cece2 fix: FPs 2021-03-13 09:07:44 +01:00
Florian Roth 48da4e1314 Update win_apt_hafnium.yml 2021-03-11 13:55:31 +01:00
Florian Roth 9084fc4fa7 Update on HAFNIUM rule 
https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
 2021-03-11 13:38:07 +01:00
Florian Roth 27fef60ace Merge pull request #1383 from SigmaHQ/rule-devel 
fix: FPs with LSASS Access from Non System Account
 2021-03-10 18:59:29 +01:00
Florian Roth 78004cc29c fix: condition contains - values without 0x 2021-03-10 18:56:05 +01:00
Florian Roth 29dec7dd8b fix: FPs with LSASS Access from Non System Account 2021-03-10 18:51:27 +01:00
Bhabesh Rai a58c5ed7cc Added rule for CVE-2021-21978 in VMware View Planner 2021-03-10 18:05:15 +05:45
Florian Roth f0051ffcf6 Merge pull request #1378 from SigmaHQ/rule-devel 
HAFNIUM activity
 2021-03-09 15:42:32 +01:00
Florian Roth dca5c870d7 Merge pull request #1374 from hieuttmmo/master 
Detect HAFNIUM operations
 2021-03-09 09:16:52 +01:00
Florian Roth ec490b40ec fix: 1 of them condition 2021-03-09 09:15:12 +01:00
Florian Roth 563335ec5a rule: suspicious service binary location 2021-03-09 09:01:36 +01:00
Florian Roth 2ded9543f3 rule: HAFNIUM post-exploitation activity 2021-03-09 09:01:24 +01:00
BlueTeamOps 26a5300208 added spaces for oudmp and dclist 2021-03-09 08:22:36 +11:00
Florian Roth 2b5f9f994f Merge pull request #1376 from SigmaHQ/rule-devel 
UNC2452 rules - GoldMax, GoldFinder, Sibot
 2021-03-05 18:17:20 +01:00
Florian Roth a61fbe6bd8 fix: duplicate UUID 2021-03-05 12:09:43 +01:00
Florian Roth 3a0fc4835a Merge pull request #1363 from markus-nclose/master 
Fix CobaltStrike typo
 2021-03-05 12:06:31 +01:00
Florian Roth b864768de8 fix: wrong conditions 2021-03-05 11:55:49 +01:00
Florian Roth c3b84f2d5b UNC2452 rules - GoldMax, Sibot, GoldFinder 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 2021-03-05 11:54:35 +01:00
Florian Roth bdc35aa3ec Update win_webshell_spawn.yml 2021-03-05 11:34:17 +01:00
Florian Roth 62b65a3578 Merge pull request #1375 from SigmaHQ/rule-devel 
fix: description
 2021-03-04 17:35:53 +01:00
Florian Roth bea2f226c6 fix: description 2021-03-04 17:35:25 +01:00
Tran Trung Hieu 5f74a58081 Detect HAFNIUM operations 2021-03-04 00:01:54 +07:00
Florian Roth 9e921115bc Merge pull request #1373 from SigmaHQ/rule-devel 
HAFNIUM rule
 2021-03-03 10:34:08 +01:00
Florian Roth d8ded5ebdc refactor: changed symbols after feedback from Volexity 2021-03-03 10:15:45 +01:00