Max Altgelt
3cddcc906d
feat: Add new rule for Creative Cloud node abuse
2022-04-07 10:50:50 +02:00
Max Altgelt
026490921c
fix: Add FP exclusion for vss_ps.dll load
...
The scheduled task that creates restore points apparently runs
rundll32.exe and loads this DLL.
2022-04-07 10:49:10 +02:00
Florian Roth
ac5346c2a5
Merge pull request #2881 from SigmaHQ/rule-devel
...
DumpMinitool Usage
2022-04-07 09:44:44 +02:00
Florian Roth
80d8010fbd
Merge pull request #2883 from phantinuss/checkbaseline
...
workflow: add checks against Windows 7 32-bit baseline
2022-04-06 19:00:15 +02:00
megan201296
b0eaf3fb5a
Rename proc_creation_win_coti_sqlcmd.yml to proc_creation_win_conti_sqlcmd.yml
...
Fix typo in rule name
2022-04-06 10:46:08 -05:00
phantinuss
9376859b06
fix: remove duplicate list entry
2022-04-06 17:14:34 +02:00
Florian Roth
5a4a2544dd
refactor: extended rule
2022-04-06 17:07:51 +02:00
phantinuss
4780447102
fix: FPs from fresh Win7 install
2022-04-06 17:07:00 +02:00
phantinuss
7cbfc7f16a
fix: remove . from title
2022-04-06 17:04:10 +02:00
phantinuss
c2c3fff071
fix: typo in description
2022-04-06 16:09:53 +02:00
phantinuss
7edf04d9ff
fix: FPs from fresh Windows install
2022-04-06 16:09:53 +02:00
Florian Roth
4a4d990151
fix: less strict directory filter
2022-04-06 14:02:01 +02:00
Florian Roth
3b25fba51a
rule: DumpMinitool usage
2022-04-06 14:01:14 +02:00
Florian Roth
7ef4187875
Merge pull request #2879 from SigmaHQ/rule-devel
...
Base64 Encoded CommandLine Params
2022-04-05 20:17:59 +02:00
Florian Roth
774183f1eb
refactor: lowered level to informational
2022-04-05 18:54:47 +02:00
Florian Roth
a731446733
Revert "removed rule due to many FPs"
...
This reverts commit 5bdb97ba17.
2022-04-05 18:54:14 +02:00
Florian Roth
5bdb97ba17
removed rule due to many FPs
2022-04-05 18:53:45 +02:00
Florian Roth
7ee145fbce
rule: base64 encoded value in command line
2022-04-05 13:09:57 +02:00
Florian Roth
bcc9f96beb
fix: add tags
2022-04-05 13:09:43 +02:00
Florian Roth
b4cb047ae7
Merge pull request #2877 from frack113/conhost
...
Conhost ForceV1
2022-04-05 10:07:08 +02:00
frack113
6e67a6d520
Set to low for FP
2022-04-04 19:33:23 +02:00
frack113
b7675b8163
Add proc_creation_win_susp_conhost_option
2022-04-04 19:20:27 +02:00
frack113
fb72fb48a2
Order registry
2022-04-04 15:45:32 +02:00
frack113
0f4d61d04e
Merge pull request #2872 from frack113/redcannay_20220404
...
Windows Red Canary
2022-04-04 13:23:47 +02:00
Florian Roth
43b7f544e0
Merge pull request #2871 from frack113/redcanary_20220402
...
Windows Red Canary
2022-04-04 13:09:18 +02:00
Florian Roth
7518970415
Update registry_set_install_root_or_ca_certificat.yml
2022-04-04 13:08:40 +02:00
Florian Roth
4ded5e498f
Update registry_set_disable_system_restore.yml
2022-04-04 12:22:09 +02:00
Florian Roth
f54e129c78
Update registry_set_add_load_service_in_safe_mode.yml
2022-04-04 12:21:18 +02:00
Florian Roth
eaaabf2468
Update posh_ps_suspicious_get_current_user.yml
2022-04-04 12:19:47 +02:00
Florian Roth
4ca5f58081
Merge branch 'master' into rule-devel
2022-04-04 12:02:47 +02:00
Florian Roth
96499b52de
fix: date in rule
2022-04-04 11:37:55 +02:00
Florian Roth
7423ad6ffa
fix: missing timestamp
2022-04-04 11:34:26 +02:00
frack113
aaafef29b4
Red Canary
2022-04-04 10:57:23 +02:00
Florian Roth
ad3c51be6a
fix: registry target value details
2022-04-04 10:39:18 +02:00
Florian Roth
176a3c4c07
Update registry_set_hide_file.yml
2022-04-04 09:33:11 +02:00
Florian Roth
62096ec4d9
Update registry_set_powershell_logging_disabled.yml
2022-04-04 09:32:54 +02:00
Florian Roth
dcce28a551
Update registry_set_hide_file.yml
2022-04-04 09:30:44 +02:00
Florian Roth
b394702748
Update posh_ps_suspicious_gettypefromclsid.yml
2022-04-04 09:28:56 +02:00
frack113
d2b2362ce7
Red Canary
2022-04-02 11:55:02 +02:00
phantinuss
67ad16f411
edit because of ambiguous trailing space
2022-03-31 12:04:37 +02:00
phantinuss
51d45bae8b
chore: promote status of rules
2022-03-31 12:04:37 +02:00
phantinuss
5ebb919472
fix: FP with intel graphics
2022-03-31 12:04:37 +02:00
phantinuss
8afe875ad6
update rule to also match on original sample
2022-03-31 12:04:36 +02:00
Florian Roth
08d3bd48ce
Merge pull request #2868 from securepeacock/patch-11
...
Create proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 21:05:56 +02:00
securepeacock
35661df7e4
Update proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 10:45:01 -04:00
securepeacock
34182908c9
Update proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 10:38:28 -04:00
securepeacock
5e3a5642e8
Create proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 10:00:03 -04:00
Fred Frey
78aeee3054
added resource and improved MITRE Subtechnique
...
Mavinject now has its own subtechnique
https://attack.mitre.org/techniques/T1218/013/
2022-03-30 08:57:15 -04:00
phantinuss
7f030b250e
fix: wrong mapping of Windows Audit Log EventID 4688
...
reverts some changes introduced by commit c5fa73c328
- removes the unnecessary/wrong field mapping
- fixes the rules to apply to CommandLine instead of ParentCommandLine as the author probably intended
2022-03-30 11:24:24 +02:00
phantinuss
3034d626ea
chore: promote status of rules
2022-03-30 11:24:24 +02:00