blue-team-tools

Author	SHA1	Message	Date
$frack113$ frack113	c202d39acd	Merge pull request #2138 from frack113/conti_ransomware Conti ransomware commandline	2021-10-14 06:31:36 +01:00
$frack113$ frack113	1e0fde6975	Merge pull request #2135 from austinsonger/onelogin Onelogin Rules	2021-10-13 16:35:27 +01:00
Austin Songer	756d5b5aa6	Update onelogin_user_account_locked.yml	2021-10-13 07:02:01 -05:00
Austin Songer	4e43fce629	Update powershell_windows_firewall_profile_disabled.yml	2021-10-13 07:01:04 -05:00
$frack113$ frack113	5aa62bd342	fix yml	2021-10-12 21:02:15 +02:00
$frack113$ frack113	37c637066b	add process_creation_conti_cmd_ransomware.yml	2021-10-12 20:57:12 +02:00
Austin Songer	40eed2ec59	Rename powershell_windows_firewall_disabled.yml to powershell_windows_firewall_profile_disabled.yml	2021-10-12 11:57:37 -05:00
Austin Songer	d273bc25ea	Create powershell_windows_firewall_disabled.yml	2021-10-12 11:56:37 -05:00
Austin Songer	9faca2f3dc	Update onelogin_assumed_another_user.yml	2021-10-11 22:54:05 -05:00
Austin Songer	0978ca92d8	Update onelogin_assumed_another_user.yml	2021-10-11 21:18:31 -05:00
austinsonger	0bf9f1cfd6	Onelogin Rules	2021-10-11 21:03:48 -05:00
$frack113$ frack113	b9fc29bc05	Merge pull request #2131 from frack113/Powershell Powershell order	2021-10-11 15:43:32 +01:00
$frack113$ frack113	d081d20a13	Merge pull request #2119 from austinsonger/privilege_escalation_pass_role_to_lambda_function.yml passed_role_to_glue_development_endpoint.yml and passed_role_to_lambda_function.yml	2021-10-10 11:01:36 +02:00
$frack113$ frack113	7497fdb484	Merge pull request #2129 from d4rk-d4nph3/master Added rule for possible persistence via VMTools	2021-10-10 10:55:06 +02:00
$frack113$ frack113	1337116d84	Cleanup selection name	2021-10-10 10:17:24 +02:00
Bhabesh Rai	a241f526ef	Added more strict path	2021-10-10 07:54:40 +05:45
Austin Songer	1987897a76	Update aws_pass_role_to_lambda_function.yml	2021-10-09 15:26:38 -05:00
Austin Songer	de52890a62	Update passed_role_to_glue_development_endpoint.yml	2021-10-09 15:24:49 -05:00
Florian Roth	30213dba87	Merge pull request #2132 from SigmaHQ/rule-devel New Rules	2021-10-09 19:19:45 +02:00
Florian Roth	195db4cffc	refactor: made Apache RCE rule more robust	2021-10-09 18:48:02 +02:00
Florian Roth	4ab3ebf6b2	Merge pull request #2128 from OTRF/feature/Susp-ADFS-NamedPipe Detect suspicious named pipe connections to an AD FS WID	2021-10-09 16:47:25 +02:00
Florian Roth	2379907f26	docs: extended the description by a word	2021-10-09 16:42:42 +02:00
Florian Roth	f475b90ee3	fix: typo in description	2021-10-09 16:41:48 +02:00
$frack113$ frack113	5c68c42058	order powershell_script	2021-10-09 10:30:36 +02:00
Florian Roth	6c4e24d0de	rule: coin miner param --cpu-priority	2021-10-09 10:28:16 +02:00
$frack113$ frack113	77749510b7	fix yml	2021-10-09 10:01:40 +02:00
$frack113$ frack113	41d098b253	fix yml error	2021-10-09 09:59:21 +02:00
$frack113$ frack113	9b0f744f75	order powershell_script	2021-10-09 09:57:45 +02:00
$frack113$ frack113	fe7fbfd5fc	order powershell_module	2021-10-09 09:50:49 +02:00
Florian Roth	5b49b5ee17	Merge pull request #2130 from phantinuss/master fix: prevent FP triggering of other sources utilising ID 1102	2021-10-08 20:14:08 +02:00
phantinuss	04c37d977b	fix: prevent FP triggering of other sources utilising ID 1102	2021-10-08 16:43:14 +02:00
$frack113$ frack113	98b24d30ae	Merge pull request #2125 from frack113/nuclei_iis_fuzzing Nuclei iis fuzzing	2021-10-08 16:40:01 +02:00
Bhabesh Rai	a45e516f99	Added rule for possible persistence via VMTools	2021-10-08 13:28:35 +05:45
Roberto Rodriguez	7f17eaeb87	added rule to detect suspicious named pipe connections to an AD FS server	2021-10-08 01:57:22 -04:00
Mika Luhta	e70d17745e	Update modified field	2021-10-07 18:42:22 +02:00
Mika Luhta	0ee777e3b4	Fix rule detection logic Changed ParentImage to Image	2021-10-07 14:25:18 +03:00
$frack113$ frack113	0d04b469f7	order powershell_classic	2021-10-07 07:40:53 +02:00
$frack113$ frack113	930d2d4223	fix id	2021-10-06 17:53:16 +02:00
$frack113$ frack113	dfd316c0ce	Add web_iis_tilt_shortname_scan.yml	2021-10-06 17:46:15 +02:00
$frack113$ frack113	6d56e400d2	Merge pull request #2121 from frack113/update_test Update test adding logsource to duplicate logic test	2021-10-06 14:46:48 +02:00
Florian Roth	7cf01c2f0c	extended CVE-2021-41773 rule	2021-10-06 12:43:10 +02:00
Florian Roth	539756c884	Merge pull request #2124 from SigmaHQ/rule-devel rule: Apache Path Traversal - CVE-2021-41773	2021-10-06 10:55:26 +02:00
$frack113$ frack113	d0561d361b	Merge pull request #2123 from rachelrice/update_aws_rules Update AWS SAML and Lambda rules	2021-10-05 19:49:54 +02:00
Rachel Rice	d9e5da6c86	Use startswith for eventName selection Signed-off-by: Rachel Rice <rachel.rice@lacework.net>	2021-10-05 17:52:52 +01:00
Florian Roth	5576f50470	fix: title, add my name	2021-10-05 17:35:09 +02:00
Florian Roth	0fde46b602	Merge branch 'master' into rule-devel	2021-10-05 17:33:48 +02:00
Florian Roth	482df0a0ad	rule: Apache Vuln CVE-2021-41773	2021-10-05 17:33:37 +02:00
$frack113$ frack113	651d453aeb	Merge pull request #2122 from frack113/move_file Move file to correct directory	2021-10-05 16:58:26 +02:00
$frack113$ frack113	ba3356cdb0	Merge pull request #2120 from MetallicHack/master azure_ad_user_added_to_admin_role.yml	2021-10-05 16:57:58 +02:00
Rachel Rice	4ae3ece314	Update AWS SAML and Lambda rules Use correct case for `AssumeRoleWithSAML` event name. `UpdateFunctionConfiguration`, `UpdateFunctionConfiguration20150331` and `UpdateFunctionConfiguration20150331v2` are all valid event names for updating Lambda function configuration, added selection condition for any of these.	2021-10-05 14:08:40 +01:00

1 2 3 4 5 ...

6225 Commits