Commit Graph

2897 Commits

Author SHA1 Message Date
neu5ron 4cd99e71bf use the taxonomy which states to use c-uri instead of c-uri-path 2020-03-14 15:02:06 -04:00
neu5ron 4c94906d53 rule should be wildcard AND had a prepended ^ in one of the CommandLine conditions that would have caused it to not trigger 2020-03-14 15:00:42 -04:00
neu5ron 4b572f3ccb newline in description - typo 2020-03-14 14:58:58 -04:00
neu5ron d212d43acf spelling 2020-03-14 14:58:25 -04:00
neu5ron 58ac26e531 more ECS to sigmac taxonomy for web/proxy 2020-03-14 14:57:38 -04:00
Florian Roth cbf0f43934 Merge pull request #655 from msec1203/msec1203-patch-1
add rule for suspicious use of csharp console by scripting utility
2020-03-09 18:01:12 +01:00
Florian Roth 6845fa21b3 fix: fixed several issues 2020-03-09 17:43:16 +01:00
Florian Roth 8a2033aaf9 Merge pull request #657 from EccoTheFlintstone/fix_registry
sysmon registry events fix
2020-03-09 17:38:58 +01:00
ecco 2489b8534c sysmon registry events fix 2020-03-09 12:02:04 -04:00
msec1203 f833407265 Initial upload 2020-03-08 19:06:10 +09:00
Florian Roth 3c3917c1d5 Merge pull request #654 from Neo23x0/devel
Minor changes
2020-03-07 11:20:45 +01:00
Florian Roth ddefb3bc58 Merge branch 'master' into devel 2020-03-07 11:06:25 +01:00
Florian Roth 54d3706a7f docs: removed outdated section from info graphic 2020-03-07 11:05:53 +01:00
Florian Roth 07914c2783 Merge pull request #652 from 2XXE-SRA/patch-1
MMC Lateral Movement Rule 1
2020-03-07 11:02:16 +01:00
Florian Roth 2e184382f5 fix: eventid in process_creation rules 2020-03-07 10:43:47 +01:00
Florian Roth 60279c7501 Merge pull request #610 from axi0m/patch-1
Update proxy_raw_paste_service_access.yml
2020-03-07 10:39:56 +01:00
Florian Roth 7e8b59abe6 Merge pull request #643 from grumo35/patch-2
Update sysmon_cred_dump_tools_dropped_files.yml
2020-03-07 10:39:35 +01:00
Florian Roth c609de4f27 Merge pull request #648 from NVISO-BE/patch-azure-ad-replication
Exclude Azure AD sync accounts from AD Replication rule
2020-03-07 10:39:04 +01:00
Florian Roth b040c129be fix: author field starting with an '@' symbol 2020-03-07 10:38:02 +01:00
2XXE (SRA) ae56db97ff mmc lateral movement detection 1
see https://github.com/Neo23x0/sigma/issues/576
2020-03-04 14:57:41 -05:00
Florian Roth 02d256b3b6 Merge pull request #651 from EccoTheFlintstone/fix_sysmon_registry
fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon
2020-03-04 20:25:11 +01:00
ecco b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth 6bbb166f3d rule: extended webshell rule with tomcat.exe 2020-03-04 14:25:57 +01:00
Florian Roth 53278c2a46 Merge pull request #649 from Neo23x0/devel
fix: avoiding FPs with Citrix software
2020-03-03 11:35:02 +01:00
Florian Roth f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth be4242aca8 fix avoiding FPs with MpCmdRun
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
2020-03-03 11:16:59 +01:00
Florian Roth 7139bfb0cb fix: avoiding FPs with Citrix software
writing C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_r23phtye.jsp.ps1
2020-03-03 11:01:42 +01:00
Remco Hofman d4b5dd5749 Exclude Azure AD sync accounts from AD Replication rule 2020-03-02 16:43:20 +01:00
Thomas Patzke b63889af75 Fixed rules that likely will cause false negatives by fix 2020-03-01 23:14:53 +01:00
Thomas Patzke 01bd5cf0e0 Merge branch 'issue-645' 2020-03-01 22:41:13 +01:00
Thomas Patzke 0a62b8747e Merge pull request #634 from EccoTheFlintstone/fp_fix3
Rule: restore initial behaviour matching single word with spaces on each side
2020-03-01 22:40:24 +01:00
Thomas Patzke a0f7da8c03 Splunk XML backend rule title
Fixes #645
2020-03-01 22:23:35 +01:00
Florian Roth a557c727dd Merge pull request #644 from Neo23x0/devel
Devel
2020-02-29 16:17:12 +01:00
Florian Roth 19d383989c fix: keyword expression in rule 2020-02-29 16:03:31 +01:00
Florian Roth 15a400ac51 fix: fixing bug in rule 2020-02-29 15:51:00 +01:00
Florian Roth fa6458b70f rule: two rules to detect CVE-2020-0688 exploitation 2020-02-29 15:45:45 +01:00
Florian Roth fdcba84fc8 fix: escaped backslash 2020-02-29 10:12:59 +01:00
grumo35 0d932810b5 Update sysmon_cred_dump_tools_dropped_files.yml
Adding Sysinternals' procdump utility; more about this on: https://en.hackndo.com/remote-lsass-dump-passwords/
2020-02-28 15:16:18 +01:00
Florian Roth 9e86170d79 Merge pull request #641 from NVISO-BE/web_exchange_cve_2020_0688_exploit
CVE 2020-0688 Exploit attempt rule
2020-02-27 13:34:05 +01:00
Remco Hofman 4f45e14a56 Match on c-uri instead of c-uri-path 2020-02-27 13:23:25 +01:00
Remco Hofman ff35eb0052 Title capitalization 2020-02-27 12:56:56 +01:00
Remco Hofman 72e34d2aa5 CVE 2020-0688 Exploit attempt rule 2020-02-27 12:51:10 +01:00
Florian Roth f88225dd2a Merge pull request #640 from Neo23x0/devel
fix: broader exclusion for rule - OneDrive false positives
2020-02-26 18:41:52 +01:00
Florian Roth 6bbd80a8ee fix: broader exclusion for rule - OneDrive false positives 2020-02-26 18:31:58 +01:00
Florian Roth ada0edb822 Merge pull request #621 from wagga40/new_koadic_rule
New Koadic detection rule
2020-02-26 13:25:03 +01:00
Florian Roth 0ba6874645 Merge pull request #638 from Neo23x0/devel
Several false positives with new rules
2020-02-26 09:46:02 +01:00
Florian Roth ca2cc87f0c fixed regex syntax to wildcard syntax 2020-02-26 09:43:29 +01:00
Florian Roth 1c90d6badd level increased 2020-02-26 09:42:31 +01:00
Florian Roth c8afd4a16b Merge pull request #637 from tjgeorgen/patch-1
fix missing status & description in status field
2020-02-26 09:40:55 +01:00
Florian Roth 031e6d3ee6 Merge pull request #635 from EccoTheFlintstone/fix_fp4
wmiprvse subprocess: add fallback check on username instead of only l…
2020-02-26 09:40:34 +01:00