Florian Roth
864ac49e15
rule: suspicious characters in command line
2022-04-28 20:30:12 +02:00
Florian Roth
9d0de84816
fix: typo
2022-04-28 17:26:49 +02:00
Florian Roth
aee70235f6
Update proc_creation_win_susp_rundll32_spawn_explorer.yml
2022-04-28 14:09:53 +02:00
David André
ab59018d26
Added newline at end of file
2022-04-28 11:37:38 +02:00
David André
fd63f4800d
Merge branch 'SigmaHQ:master' into rundll_spawn_explorer
2022-04-28 09:10:54 +02:00
David ANDRE
8f059c2545
Added condition and corrected spaces
2022-04-27 21:47:58 +02:00
Florian Roth
7e3064e032
fix: selection identifier
2022-04-27 17:39:01 +02:00
Florian Roth
e237560c07
rule: KrbRelay
2022-04-27 17:37:10 +02:00
Florian Roth
f98279bf1f
rule: Cube0x0 tools
2022-04-27 17:36:57 +02:00
David ANDRE
53fc5581a2
Changed title
2022-04-27 17:21:36 +02:00
David ANDRE
1ac42b1a23
Added rule windows suspicious rundll32 spawning explorer
2022-04-27 17:18:04 +02:00
Florian Roth
382dacf5d7
Merge branch 'master' into aurora-false-positive-fixing
2022-04-27 15:05:48 +02:00
Florian Roth
b7e064dc23
fix: FP with SYSTEM user rule
2022-04-27 12:01:58 +02:00
Florian Roth
787bb9b32c
refactor: adding OriginalFilename for better coverage
2022-04-27 11:30:09 +02:00
Florian Roth
5b2374475d
fix: FP with whoami child
2022-04-26 17:28:17 +02:00
Florian Roth
55133898ee
Revert "rule: suspicious PowerShell sub processes"
This reverts commit e9adb6a8ca.
2022-04-26 17:05:41 +02:00
Florian Roth
e9adb6a8ca
rule: suspicious PowerShell sub processes
2022-04-26 17:04:39 +02:00
Florian Roth
f743062963
rule: KrbRelayUp usage
2022-04-26 16:43:50 +02:00
Florian Roth
0a55406444
fix: wording on two rules
2022-04-26 16:43:44 +02:00
frack113
914a2c71c8
Merge pull request #2940 from frack113/redcannary_20220424
Redcannary T1218.007
2022-04-26 06:23:09 +02:00
Aegide
06954761ab
Update proc_creation_win_susp_whoami.yml
minor typo
2022-04-25 21:11:06 +02:00
frack113
fe4916e718
add proc_creation_win_msiexec_dll
2022-04-24 15:03:27 +02:00
Florian Roth
e36c646933
Merge pull request #2932 from SigmaHQ/rule-devel
Password Recon Rules
2022-04-21 13:38:04 +02:00
phantinuss
13e31e8383
fix: FPs found in win2022 domain controller baseline
2022-04-21 10:48:59 +02:00
Florian Roth
9b2c35daa1
docs: false positive condition added
2022-04-21 09:13:06 +02:00
Florian Roth
c7dada5e21
rule: invocation of key manager
2022-04-21 09:12:41 +02:00
Florian Roth
6e594875f3
refactor: cmdkey extended coverage
2022-04-21 09:12:13 +02:00
Florian Roth
c85ad7b138
fix: event collectors that include spaces in cmd
2022-04-21 07:54:08 +02:00
Florian Roth
fbba1e9c94
Merge branch 'master' into rule-devel
2022-04-21 07:52:54 +02:00
Paul Hager
fc3c637bde
fix: author remove
2022-04-20 19:35:59 +02:00
Florian Roth
50ca09c6a4
Merge branch 'master' into rule-devel
2022-04-20 17:54:11 +02:00
Paul Hager
a71833767c
new rule
2022-04-20 10:48:30 +02:00
Florian Roth
f85ccba575
Merge pull request #2927 from humpalum/patch-5
fix: Comma in title seems to break splunk search
2022-04-19 18:51:31 +02:00
Florian Roth
b30540f644
Merge pull request #2926 from pH-T/master
new rule: Suspicious Powershell Execution
2022-04-19 18:51:18 +02:00
Florian Roth
7f84e094c7
Merge pull request #2923 from frack113/7zip
add proc_creation_win_7zip_cve_2022_29072
2022-04-19 18:51:06 +02:00
frack113
7802601b7c
Update proc_creation_win_7zip_cve_2022_29072.yml
2022-04-19 17:53:34 +02:00
Florian Roth
76bc06358e
Update proc_creation_win_7zip_cve_2022_29072.yml
2022-04-19 17:35:40 +02:00
Florian Roth
938bd15d95
Update proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml
2022-04-19 17:32:39 +02:00
Florian Roth
c9bae754a6
Update proc_creation_win_schtasks_powershell_windowsapps_execution.yml
2022-04-19 17:31:01 +02:00
Florian Roth
fee402c183
Update proc_creation_win_7zip_cve_2022_29072.yml
2022-04-19 17:26:39 +02:00
Florian Roth
c05bfce733
Update proc_creation_win_7zip_cve_2022_29072.yml
2022-04-19 17:25:25 +02:00
Florian Roth
a1ded56b1f
Update proc_creation_win_msiexec_embedding.yml
2022-04-19 17:23:45 +02:00
Tobias Michalski
992e70032e
fix: Comma in title seems to break splunk search
Most likely it comes from a bad parsing by Sigma2Splunkalert but since it is unmaintained and this is the only rule with a comma in title, this is the easy fix.
Error in 'inputlookup' command: Invalid argument:
'_Privileged_Console_Access_whitelist.csv'
[| inputlookup "Using_Sticky-keys_To_Obtain_Unauthenticated,_Privileged_Console_Access_whitelist.csv]
2022-04-19 17:22:01 +02:00
Paul Hager
93689d6029
new rule
2022-04-19 16:16:11 +02:00
frack113
174a34a9eb
add proc_creation_win_7zip_cve_2022_29072
2022-04-17 12:36:04 +02:00
frack113
4df63f2c81
Add proc_creation_win_msiexec_embedding
2022-04-16 16:22:39 +02:00
Florian Roth
57a4bab682
rule: suspicious schtasks rule
2022-04-15 18:22:28 +02:00
Florian Roth
56f80cb0fc
Merge pull request #2918 from SigmaHQ/rule-devel
refactor: proposed changes from issue #2917
2022-04-15 08:05:44 +02:00
Florian Roth
d3ddefe096
refactor: proposed changes from issue #2917
https://github.com/SigmaHQ/sigma/issues/2917
2022-04-14 16:57:30 +02:00
frack113
6857301e6c
Update proc_creation_win_apt_actinium_persistence.yml
2022-04-14 09:59:45 +02:00