security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9,114 Commits 1 Branch 57 Tags
33bdfd124dd0c5e1fc03315da9a48aaa97a29d71
Commit Graph

9114 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 33bdfd124d refactor: comsvcs.dll adjustments - run by ordinal variants 2021-12-08 10:02:21 +01:00
Florian Roth bfd6b48ee4 refactor: adjusted run by ordinal pattern for Sysmon 2021-12-08 10:01:54 +01:00
Florian Roth c6f1398cfb rule: DInject usage 2021-12-08 09:38:23 +01:00
Florian Roth 1cae016459 rule: fix and extend comsvcs minidump rule 2021-12-07 15:05:20 +01:00
Florian Roth 63fd1189e7 rule: improved comsvcs.dll Minidump rule 2021-12-07 12:59:20 +01:00
Florian Roth 507a0649f3 rule: suspicious process creation as SYSTEM user 2021-12-07 07:34:18 +01:00
Florian Roth 48b1ef02df rule: PowerShell as SYSTEM 2021-12-07 07:03:48 +01:00
Florian Roth 6c72657902 rule: Communication To Mega.nz 2021-12-06 18:35:04 +01:00
Florian Roth 0665cc6223 rule: add user to remote desktop users 2021-12-06 18:29:50 +01:00
Florian Roth 11d23a358d Merge pull request #2373 from SigmaHQ/master 
Created Rule for CVE-2021-42237 Sitecore Experience Platform Pre-Auth RCE
 2021-12-03 08:48:25 +01:00
Florian Roth 34c697cead Merge pull request #2370 from redsand/fix_fp_in_cmdline 
Fixing false positive when cmd.exe is called with full path
 2021-12-02 16:56:55 +01:00
Florian Roth 242d6cef84 Merge pull request #2368 from redsand/add_tomcat8_to_kerberos 
adding tomcat8 to allowed kerberos outbound.
 2021-12-02 16:55:25 +01:00
Florian Roth aad85f6477 Merge pull request #2362 from redsand/fix_fp_when_sys32_called_for_cmd 
fixing false positive due to direct calls to xcopy and cmd.exe
 2021-12-02 16:55:06 +01:00
Tim Shelton 384862b906 When command begins with C:\Windows\System32\cmd.exe it will always match susp_del_exe # ex - C:\Windows\System32\cmd.exe" /c del /f /q "C:\Program Files (x86)\Software Package\Client\tmpDir\" 2021-12-02 15:13:23 +00:00
Tim Shelton b1f7cf21dd adding tomcat8 to allowed kerberos outbound. 2021-12-02 14:55:12 +00:00
Florian Roth dc43403359 Merge pull request #2366 from SigmaHQ/aurora-false-positive-fixing 
fix: filter condition in SystemDrawing Load rule
 2021-12-02 15:35:01 +01:00
Florian Roth 6aed1a0d2a fix: FPs noticed with Aurora 2021-12-02 14:57:06 +01:00
Florian Roth 9597cc8063 fix: filter condition in SystemDrawing Load rule 2021-12-02 12:55:42 +01:00
frack113 0d57825c32 Merge pull request #2360 from redsand/adding_access_list_fp 
Adding filter for read only accesslist, attack cannot be triggered
 2021-12-02 09:20:35 +01:00
frack113 97d83b8290 Merge pull request #2336 from zakibro/master 
Linux Auditd - Discovery of Capabilities files
 2021-12-02 06:48:05 +01:00
frack113 686035d66e Order selection filter 2021-12-02 06:41:49 +01:00
frack113 712bb6467f Merge pull request #2361 from redsand/fix_filter_conflict 
Fixing conflict where both selection and filter have the same value.
 2021-12-02 06:36:47 +01:00
frack113 33b7ee58f6 Merge pull request #2363 from redsand/duplicate_matching_in_signature_needs_simplify 
Duplicate matching causes confusion. Converting to simplified selecti…
 2021-12-02 06:29:40 +01:00
frack113 da844da2a4 Merge pull request #2364 from redsand/fix_omgosh_syntax_err 
Fixes a syntax error in submitted change where : was intended to be |
 2021-12-02 06:27:54 +01:00
Tim Shelton 0e55a06e6e adding missing : 2021-12-01 23:14:57 +00:00
Tim Shelton bd13c7b77b fixing yaml formatting 2021-12-01 21:27:31 +00:00
Tim Shelton 1ebd75754f omgosh fix err in syntax on this.... sooo sorry! 2021-12-01 21:15:41 +00:00
Tim Shelton d90ddc097e adding additional filter for lsass: ShareName=\\*\IPC$ | ShareLocalPath= | RelativeTargetName=lsass | AccessMask=0x2019f 2021-12-01 18:36:38 +00:00
Tim Shelton 7626b73b8e Duplicate matching causes confusion. Converting to simplified selection (matching) and false positive (filtering) phases 2021-12-01 18:33:48 +00:00
Tim Shelton 86250b4acb fixing lint err 2021-12-01 18:15:39 +00:00
Tim Shelton 3aca9ad2ef fixing false positive due to direct calls to xcopy and cmd.exe 2021-12-01 18:01:36 +00:00
Tim Shelton 1e97156684 Fixing conflict where both selection and filter have the same value. 2021-12-01 17:29:00 +00:00
frack113 30a5838514 Merge pull request #2359 from phantinuss/master 
Add dll+exe files to rule because of CVE-2020-1599
 2021-12-01 16:46:04 +01:00
Tim Shelton 677bdd9768 oof, adding to selection and not filter 2021-12-01 15:37:11 +00:00
Tim Shelton 96295a717c Adding filter for read only accesslist, attack cannot be triggered 2021-12-01 15:35:51 +00:00
frack113 04d90ee007 Merge pull request #2350 from redsand/fp_format_list 
Filtering false positives of static arguments to wmic /format
 2021-12-01 16:29:47 +01:00
phantinuss 204c627991 add PE files because of CVE-2020-1599 2021-12-01 15:14:43 +01:00
phantinuss 1150e07121 fix: typo 2021-12-01 15:14:43 +01:00
Florian Roth e43d7f7e0e Merge pull request #2357 from redsand/hawk_backend_fix_added_double_backslash_from_sigmac 
Fixing added backslashes that are generated by sigma backend
 2021-12-01 15:11:32 +01:00
Florian Roth 0903b667c1 Merge pull request #2356 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2021-12-01 15:10:50 +01:00
Florian Roth f75ffb6141 Merge pull request #2358 from SigmaHQ/rule-devel 
rules: addition to APT UserAgents, new: NPPSpy Hacktool Usage
 2021-12-01 15:10:17 +01:00
Tim Shelton 6927b0e69f Fixing added backslashes that are generated by sigma backend 2021-12-01 13:29:15 +00:00
Florian Roth 7fad4768e4 rule: APT UA - new user agent 2021-12-01 14:20:05 +01:00
Florian Roth 6b7206ca2a fix: print driver FP 2021-12-01 14:14:53 +01:00
Florian Roth 5a01a88af1 fix: FPs with FileStream events 2021-12-01 14:10:56 +01:00
Florian Roth 4a136fdce6 simplified condition 2021-12-01 14:06:09 +01:00
Florian Roth f2199eacad fix: FPs noticed with Aurora 2021-12-01 13:39:53 +01:00
frack113 b71c2d7a07 Merge pull request #2355 from mgreen27/master 
Update win_renamed_binary.yml
 2021-12-01 08:12:08 +01:00
frack113 80a1b02fe5 Update win_renamed_binary.yml 2021-12-01 06:54:30 +01:00
frack113 25e9a6d13c Merge pull request #2352 from frack113/provider_name 
Add Provider Name to system and security channel
 2021-12-01 06:53:30 +01:00