Commit Graph

9374 Commits

Author SHA1 Message Date
Florian Roth 45253c6253 Merge pull request #2460 from phantinuss/master
fix: FP in Aviar installer
2021-12-17 19:55:02 +01:00
Florian Roth 4cdb23598f Merge branch 'master' into master 2021-12-17 17:46:05 +01:00
Florian Roth 859816695a Merge pull request #2464 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-17 17:44:10 +01:00
Florian Roth 865bf5f8a7 Merge branch 'master' into aurora-false-positive-fixing 2021-12-17 16:31:05 +01:00
Florian Roth a7b1ab0073 fix: bug in rule 2021-12-17 16:30:37 +01:00
Florian Roth 80f3ff9f65 Merge pull request #2461 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-17 14:05:11 +01:00
Florian Roth d0d9e74313 fix: FP noticed with Aurora 2021-12-17 12:32:48 +01:00
Florian Roth a3220ab72b Merge branch 'master' into aurora-false-positive-fixing 2021-12-17 12:32:14 +01:00
Florian Roth c7c4130c04 Update sysmon_alternate_powershell_hosts_pipe.yml 2021-12-17 12:31:08 +01:00
phantinuss 1c789bd080 fix: FP in Aviar installer 2021-12-17 09:20:21 +01:00
frack113 ab450e5782 Merge pull request #2458 from frack113/redcanary_20211216
Windows Redcanary T1518.001 discovery
2021-12-16 22:47:23 +01:00
frack113 4db3b63527 Merge pull request #2457 from frack113/aurora_fp_update
Aurora fp update
2021-12-16 22:45:47 +01:00
frack113 cdb4e70f2f Merge pull request #2456 from fryguy04/patch-1
Log4j OR each section vs implicit AND
2021-12-16 22:43:58 +01:00
Florian Roth d88f6b2208 Merge pull request #2459 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-16 20:34:30 +01:00
Florian Roth 84e5d60bbc fix: FPs noticed with Aurora 2021-12-16 19:54:22 +01:00
Fred Frey 44fecf8ebd typo 2021-12-16 12:12:37 -05:00
Fred Frey 05245b5ac7 implemented @frack113 1 of selection* suggestion 2021-12-16 12:09:39 -05:00
frack113 605ec35109 fix space 2021-12-16 10:41:07 +01:00
frack113 d7e9dccdbe Windows redcanary 2021-12-16 10:32:45 +01:00
frack113 73ee94d46b Fix aurora FP 2021-12-16 09:50:28 +01:00
frack113 372023d3c0 Fix aurora FP 2021-12-16 09:45:50 +01:00
frack113 1e42c8e69c Merge pull request #2455 from frack113/redcanary_20211215
Windows redcanary discovery
2021-12-16 08:38:05 +01:00
Fred Frey 972dfbc4d2 Log4j OR each section vs implicit AND
When the original is compiled it requires one TRUE from each Field (implicit AND) ... believe the intent is to search all fields of any trace, hence the explicit OR in "condition"
2021-12-16 01:53:33 -05:00
frack113 426d8193ad Windows redcanary 2021-12-15 19:36:16 +01:00
frack113 177c80993b Merge pull request #2452 from secDre4mer/master
fix: correct FP filter
2021-12-15 10:07:44 +01:00
frack113 c88272c910 Merge pull request #2453 from redsand/hawk_web_translate
adding additional translation fields for web based requests.
2021-12-15 08:11:56 +01:00
Tim Shelton db97b29e35 adding missing entry 2021-12-14 21:52:57 +00:00
Tim Shelton 2a96f239a5 adding additional translation fields for web based requests. 2021-12-14 20:54:32 +00:00
Max Altgelt 7fea25085f fix: correct FP filter 2021-12-14 16:03:50 +01:00
Florian Roth 9a96b77f1f Merge pull request #2449 from SigmaHQ/rule-devel
fix: referrer > referer adjustments
2021-12-14 11:18:29 +01:00
frack113 c4f4397174 Merge pull request #2451 from frack113/aurora_fp
Fix FP
2021-12-14 09:32:51 +01:00
frack113 e100668ecf Merge pull request #2450 from frack113/redcannary
Windows redcanary
2021-12-14 09:31:51 +01:00
frack113 ac28a89258 Merge pull request #2448 from frack113/T1217
Windows redcanary T1217
2021-12-14 09:31:32 +01:00
frack113 0dc0fe5903 Fix FP 2021-12-13 20:19:15 +01:00
frack113 f8d4d23be5 Windows redcanary 2021-12-13 18:52:17 +01:00
Florian Roth baa5d3758d Merge branch 'master' into rule-devel 2021-12-13 18:05:17 +01:00
Florian Roth 51a4315ab9 fix: referrer > referer adjustments 2021-12-13 15:47:43 +01:00
Florian Roth fb167c5698 Merge pull request #2446 from izysec/patch-4
Added current known bypass patterns
2021-12-13 14:04:54 +01:00
Florian Roth 7b93291439 Merge pull request #2445 from izysec/patch-3
Added current known bypass patterns
2021-12-13 14:03:59 +01:00
Florian Roth 3a30d19cfd Merge pull request #2447 from SigmaHQ/rule-devel
fix: FP with proc creation Image non .exe suffix
2021-12-13 14:03:41 +01:00
frack113 37f1938a4a Rename powershell_ps_get_childitem_bookmarks 2021-12-13 12:04:00 +01:00
Florian Roth 04ff26c786 Update web_cve_2021_44228_log4j_fields.yml 2021-12-13 11:47:55 +01:00
Florian Roth ea3f1c6228 changed expression
the last part is already covered by the expression in line 38 but we can add the one that obfuscates the `jndi`
2021-12-13 11:47:12 +01:00
Florian Roth 55eb6b6a3c Merge pull request #2444 from SigmaHQ/rule-devel
Another log4shell pattern
2021-12-13 11:44:45 +01:00
Florian Roth cd63ce23ff fix: FP with proc creation Image non .exe suffix 2021-12-13 11:44:29 +01:00
izysec 5819aa9888 Added current known bypass patterns
Source: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
2021-12-13 15:51:25 +05:30
izysec 6c8b0c8fd8 Added current known bypass patterns
Source: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
2021-12-13 15:49:08 +05:30
frack113 6115eeda62 windows redcanary t1217 2021-12-13 11:02:33 +01:00
frack113 27f1edbc8f Merge pull request #2443 from secDre4mer/master
feat: Add finer powershell log source distinction
2021-12-13 10:34:00 +01:00
Max Altgelt b4553dcd9d feat: Add finer powershell log source distinction
Credits for this go to @frack113
2021-12-13 09:49:28 +01:00