Florian Roth
e0425f2167
Merge pull request #2620 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-01-29 19:34:02 +01:00
Florian Roth
8d5742e83e
fix: fixing FPs with LSASS access mask in old rule
2022-01-29 18:17:46 +01:00
Florian Roth
642b3748fe
Merge pull request #2615 from frack113/redcannary_20220128
Add windows redcannary rules
2022-01-29 15:25:40 +01:00
frack113
c3c13d6089
add lnx_pwnkit_local_privilege_escalation
2022-01-29 10:07:54 +01:00
Florian Roth
dc19846101
fix: FPs in deprecated rule
2022-01-28 23:43:11 +01:00
Florian Roth
56fba15638
Update process_creation_tool_nircmd.yml
2022-01-28 23:14:17 +01:00
Florian Roth
34c8de908d
Update process_creation_tool_nircmd_as_system.yml
2022-01-28 23:08:41 +01:00
Nasreddine Bencherchali
6f96372ece
Update process_creation_tool_nircmd_as_system.yml
2022-01-28 21:10:52 +01:00
Nasreddine Bencherchali
b0b9d32dfa
Update process_creation_tool_nircmd.yml
2022-01-28 21:10:03 +01:00
Nasreddine Bencherchali
0b09dbdcd1
Update process_creation_tool_nircmd_as_system.yml
2022-01-28 21:01:43 +01:00
Florian Roth
883040ee96
Merge pull request #2617 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2022-01-28 18:06:39 +01:00
Florian Roth
0391cffab4
Merge pull request #2616 from SigmaHQ/rule-devel
rule: xordump
2022-01-28 18:06:21 +01:00
Florian Roth
7b05827326
fix: FPs noticed with Aurora
2022-01-28 17:26:51 +01:00
Florian Roth
bfee0f8067
rule: xordump
2022-01-28 17:26:12 +01:00
frack113
5b30db61b0
Add windows redcannary rules
2022-01-28 16:12:38 +01:00
Florian Roth
a5cb3ba37f
Merge pull request #2598 from SigmaHQ/rule-devel
rules: NirCmd, NSudo, RunX
2022-01-28 12:18:15 +01:00
frack113
9a517bae7c
Merge pull request #2614 from frack113/update_ref
sysmon_proxy_execution_wuauclt Update References
2022-01-28 11:51:45 +01:00
Florian Roth
982808c3db
refactor: whoami / authority, rule: whoami as trusted installer
2022-01-28 11:30:30 +01:00
frack113
a6e3b4691b
Update References
2022-01-28 10:30:39 +01:00
frack113
d4b4d4e382
Merge pull request #2612 from glennbarrett/patch-1
Typo fix in win_plugx_susp_exe_locations.yml
2022-01-28 10:00:07 +01:00
frack113
069d4ac8bd
Update modified
2022-01-28 09:09:26 +01:00
frack113
4ef359a96f
Merge pull request #2611 from redsand/fp_for_iexplorer
adding filter for fp of iexplorer calling cpl
2022-01-28 06:59:35 +01:00
Glenn Barrett
edb769b086
Typo fix in win_plugx_susp_exe_locations.yml
Change SysWowo64 to SysWow64
2022-01-27 15:08:54 -05:00
frack113
1431992e4e
Merge pull request #2604 from frack113/add_ps_version
add posh_ps_clear_powershell_history
2022-01-27 18:24:37 +01:00
Tim Shelton
f8ce6d87a8
adding filter for fp of iexplorer calling cpls: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:276824072 WinX:0 WinY:0 IEFrame:0000000000000000
2022-01-27 16:31:37 +00:00
Florian Roth
a8cbfa832d
Merge pull request #2609 from SigmaHQ/aurora-false-positive-fixing
fix: too many false positives with certain access masks
2022-01-27 16:53:34 +01:00
Florian Roth
03b0bd8bd0
Merge pull request #2610 from zakibro/master
Adding auditd rule for CVE-2021-4034
2022-01-27 16:47:15 +01:00
frack113
1aa7697ca8
Update posh_ps_clear_powershell_history.yml
2022-01-27 16:16:57 +01:00
frack113
79de1631de
Merge pull request #2601 from secDre4mer/master
fix: Add filter for empty image to rule
2022-01-27 16:16:06 +01:00
zakibro
c1c5ed0db7
Update lnx_auditd_cve_2021_4034.yml
2022-01-27 12:55:22 +01:00
zakibro
bd9b5172cd
Update lnx_auditd_cve_2021_4034.yml
2022-01-27 12:44:53 +01:00
Pawel Mazur
c924977576
Adding auditd rule for CVE-2021-4034
2022-01-27 12:36:19 +01:00
Florian Roth
82d5f4a511
fix: too many false positives with certain access masks
2022-01-27 09:08:40 +01:00
Florian Roth
d52602dd5e
Update posh_ps_clear_powershell_history.yml
2022-01-26 18:09:09 +01:00
Florian Roth
feedcee6bf
Update posh_ps_clear_powershell_history.yml
2022-01-26 17:57:26 +01:00
mhaag-spl
b3b37719e7
Update sysmon_lsass_memdump.yml
Updated Sysmon Lsass Memdump to detect other memory dumping techniques from mimikatz, nanodump, invoke-mimikatz, and so forth. This adds additional GrantedAccess permissions and adds ntdll.dll to CallTrace. Tested with Atomic Red Team T1003.001, MimiKatz, Invoke-Mimikatz and Cobalt Strike.
2022-01-26 08:12:49 -07:00
frack113
a68cf58264
Merge pull request #2596 from frack113/blackbyte
Add win_re_blackbyte_ransomware
2022-01-25 20:39:05 +01:00
frack113
818b20b949
add posh_ps_clear_powershell_history
2022-01-25 19:58:18 +01:00
Max Altgelt
51d9aca239
chore: update modified date
2022-01-25 11:46:16 +01:00
Max Altgelt
0cad38be34
fix: Add filter for empty image to rule
2022-01-25 11:43:35 +01:00
frack113
8a47c56397
Merge pull request #2595 from frack113/red_20220123b
Windows Redcannary
2022-01-25 06:21:17 +01:00
frack113
f634962420
Merge pull request #2594 from frack113/red_20220123
Windows Redcannary tests
2022-01-25 06:20:53 +01:00
frack113
0d5618f8ef
Merge pull request #2593 from frack113/moonbounce
add win_pc_susp_instalutil
2022-01-25 06:20:38 +01:00
frack113
43690233fb
Merge pull request #2572 from zeronetworks/master
feat(rules): Adding rules for the rpc_firewall
2022-01-24 18:18:22 +01:00
Florian Roth
f80f0d3696
rules: nircmd, nsudo, runx
2022-01-24 13:37:28 +01:00
Florian Roth
d9193efda3
Merge pull request #2597 from SigmaHQ/rule-devel
AdvancedRun and Bugfix
2022-01-24 12:39:51 +01:00
Florian Roth
9505a761e1
fix: bug in rule - missing backspace
2022-01-24 11:54:58 +01:00
frack113
4be9a6c3ad
Add win_re_blackbyte_ransomware
2022-01-24 10:03:52 +01:00
frack113
2dc0c2a8a9
fix field name case
2022-01-23 19:12:12 +01:00
frack113
f1959f25d7
Windows Redcannary
2022-01-23 16:37:59 +01:00