security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,882 Commits 1 Branch 57 Tags
2c07bd562fda3ae4bf182d2da164001a3bf0669c
Commit Graph

8882 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 2c07bd562f Merge pull request #2301 from SigmaHQ/rule-devel 
refactor: reworked psexec / paexec rules
 2021-11-24 09:27:35 +01:00
frack113 a28154dba0 Merge pull request #2302 from frack113/fix_field 
fix field name
 2021-11-24 06:20:59 +01:00
frack113 a1db916851 Merge pull request #2299 from frack113/update_FP 
Update detection win_system_defender_disabled.yml
 2021-11-24 06:20:32 +01:00
frack113 bf9b3844a6 Merge pull request #2298 from austinsonger/kubernetes-cronjob 
Kubernetes cronjob
 2021-11-24 06:20:16 +01:00
Florian Roth 424bed1915 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-24 00:27:45 +01:00
Florian Roth 37b445d3bb fix: FPs that only show up in Aurora 
Sysmon configs are often too restricted
 2021-11-24 00:27:43 +01:00
frack113 b81b5666ce fix field name 2021-11-23 18:47:42 +01:00
Florian Roth 33c5e027d3 refactor: psexec flags 2021-11-23 18:00:48 +01:00
Florian Roth 99fc5fc3cc refactor: reworked psexec / paexec rules 2021-11-23 16:34:31 +01:00
Florian Roth 653950e456 Merge pull request #2300 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2021-11-23 10:52:54 +01:00
Florian Roth 0a682f6fe0 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-11-23 09:37:23 +01:00
Florian Roth 614046c241 fix: missing filter in condition 2021-11-23 09:37:20 +01:00
frack113 b764153d4f Update detection 2021-11-23 08:16:10 +01:00
Austin Songer 70d1e6d0f3 Update azure_kubernetes_cronjob.yml 2021-11-22 22:45:35 -06:00
Austin Songer 253ec56d1c Create azure_kubernetes_cronjob.yml 2021-11-22 22:40:06 -06:00
Austin Songer 5c118eef46 Create gcp_kubernetes_cronjob.yml 2021-11-22 22:39:39 -06:00
Florian Roth 17c04919af Merge pull request #2297 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2021-11-22 22:06:26 +01:00
Florian Roth f2585f44da fix: bug in filter 2021-11-22 21:30:19 +01:00
Florian Roth 7468d495ff fix: FP with LSASS access rule 2021-11-22 21:29:21 +01:00
Florian Roth 497a9d9e2a Merge pull request #2296 from SigmaHQ/rule-devel 
rules: InstallerFileTakeOver LPE CVE-2021-41379
 2021-11-22 17:12:03 +01:00
Florian Roth 42571791b3 Merge branch 'rule-devel' into aurora-false-positive-fixing 2021-11-22 15:24:46 +01:00
Florian Roth 2c5631f1bf Merge branch 'master' into aurora-false-positive-fixing 2021-11-22 15:23:43 +01:00
Florian Roth 68e4864069 fix: exclusions in new WinRAR rule 2021-11-22 15:23:28 +01:00
Florian Roth e778372d1f Merge pull request #2295 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2021-11-22 15:19:05 +01:00
Florian Roth 8fc93d3340 refactor: generic lsass access filter 2021-11-22 15:05:56 +01:00
Florian Roth 75663ceb46 rule: file creation LPE CVE-2021-41379 2021-11-22 14:15:51 +01:00
Florian Roth 9a2e7a23fa docs: tags for CVE-2021-41379 2021-11-22 14:06:50 +01:00
Florian Roth 023a0f0685 Revert "refactor: rule could possible generate to many FPs" 
This reverts commit 24c4d51796.
 2021-11-22 14:03:59 +01:00
Florian Roth ff6bb3acea extended filters and descriptions 2021-11-22 14:01:30 +01:00
Florian Roth d5eff9ef6d fix: FP with In-memory PowerShell rule and Visual Studio 2021-11-22 13:45:31 +01:00
Florian Roth 37ff832fda fix: FPs with LSASS access rule 2021-11-22 13:43:20 +01:00
Florian Roth 145d05e756 Merge pull request #2294 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs with Aurora
 2021-11-22 13:30:07 +01:00
Florian Roth db03d08b11 Merge pull request #2293 from SigmaHQ/rule-devel 
fix: 0x1000 access on LSASS, rule: new LSASS access, rule: CVE-2021-41379
 2021-11-22 13:29:31 +01:00
Florian Roth cda13acc83 Revert "refactor: add another flag set" 
This reverts commit ca62fe586f.
 2021-11-22 12:51:16 +01:00
Florian Roth ca62fe586f refactor: add another flag set 2021-11-22 12:21:19 +01:00
Florian Roth a5b7a92d91 fix: FPs with Aurora 2021-11-22 12:20:21 +01:00
Florian Roth 01189dcef2 fix: rule condition 2021-11-22 11:47:39 +01:00
Florian Roth d2e45afc3c fix: typo in filename - missing period 2021-11-22 11:40:17 +01:00
Florian Roth d3ec743906 fix: changed modified date 2021-11-22 11:38:37 +01:00
Florian Roth fbd8df5768 rule: lsass access suspicious flags 2021-11-22 11:37:09 +01:00
Florian Roth 24c4d51796 refactor: rule could possible generate to many FPs 2021-11-22 11:28:32 +01:00
Florian Roth 7432aa37a0 refactor: lsass query info access 2021-11-22 11:02:01 +01:00
frack113 e5404785d3 Merge pull request #2290 from frack113/fix_fieldname 
Fix field name in windows rules
 2021-11-21 09:09:40 +01:00
frack113 2bdfcc9ac2 Merge pull request #2291 from remotephone/remotephone-t1036_006 
Add Rule: MacOS - macos_space_after_filename.yml
 2021-11-21 09:09:26 +01:00
remotephone be59ca0f01 Update macos_space_after_filename.yml 
Fixing new line and updating change date
 2021-11-20 15:54:24 -06:00
remotephone 9530d67834 Create macos_space_after_filename.yml 
Adding coverage for macOS space after filename
 2021-11-20 15:43:51 -06:00
frack113 bac2e9f35e Merge pull request #2285 from frack113/sigma2attack 
Update Sigma2attack
 2021-11-20 20:45:43 +01:00
frack113 bc61fbeee2 Merge pull request #2281 from orlinum/patch-2 
Create win_ADCS_certificate_template_configuration_vulnerability.yml
 2021-11-20 20:45:04 +01:00
frack113 3162b7ccfe Merge pull request #2280 from orlinum/patch-1 
Create win_ADCS_certificate_template_configuration_vulnerability_EKU.yml
 2021-11-20 20:44:42 +01:00
frack113 4425f9cbcd Update sigma2attack.py 2021-11-20 19:59:57 +01:00