Austin Songer
62f2affd03
Spelling fix
2021-08-24 14:15:50 +00:00
Florian Roth
9f69cead8a
Merge pull request #1916 from SigmaHQ/rule-devel
refactor: changed level of rule, refactored RazerInstaller rule
2021-08-24 15:42:26 +02:00
Florian Roth
46e312ff0d
fix: error in modifier
2021-08-24 15:03:23 +02:00
Florian Roth
cc519552aa
refactor: RazerInstaller integrity level system
2021-08-24 14:54:07 +02:00
Florian Roth
6ca30619ac
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-08-24 12:30:42 +02:00
Florian Roth
3cdb88ad55
refactor: level of suspicious parent for powershell rule
2021-08-24 12:30:40 +02:00
Florian Roth
0c69fd9c41
Merge pull request #1898 from SigmaHQ/rule-devel
rule: EfsPotato Named Pipe, splwow64, RazerInstaller
2021-08-24 09:20:54 +02:00
frack113
679651bdf9
Merge pull request #1913 from neu5ron/add_zeek_dce_rpc_printnightmare_print_driver_install
Zeek DCE_RPC PrintNightmare
2021-08-24 08:37:02 +02:00
frack113
e76c11da7f
Merge pull request #1908 from neu5ron/patch-7
improve rule logic zeek_default_cobalt_strike_certificate.yml
2021-08-24 08:36:33 +02:00
frack113
293f422243
Merge pull request #1906 from neu5ron/patch-5
improve zeek_dce_rpc_smb_spoolss_named_pipe
2021-08-24 08:36:18 +02:00
frack113
81ec546e42
Merge pull request #1905 from neu5ron/patch-4
improve rule
2021-08-24 08:36:04 +02:00
Florian Roth
272625a005
Update win_susp_splwow64.yml
2021-08-24 08:34:08 +02:00
frack113
15aa0cb70e
add modified
2021-08-24 08:02:24 +02:00
frack113
ade7295cab
Merge pull request #1911 from austinsonger/gworkspace_granted_domain_api_access.yml
gworkspace_granted_domain_api_access.yml
2021-08-24 08:01:34 +02:00
frack113
4ee4f12f30
add modified
2021-08-24 08:01:01 +02:00
frack113
8ab90d8012
add modified
2021-08-24 07:59:36 +02:00
frack113
be43ecd70d
Remove empty element in list
Otherwise you get a `null` when converting to some backends (es-rule, ...)
2021-08-24 07:57:16 +02:00
frack113
d8befe3a13
Update References
2021-08-24 07:34:33 +02:00
frack113
07dc04b1db
Merge pull request #1910 from austinsonger/gworkspace_user_assigned_admin_role.yml
gworkspace_user_assigned_admin_role.yml
2021-08-24 07:22:25 +02:00
frack113
831a473c0d
Merge pull request #1904 from austinsonger/365
Microsoft 365 Rules
2021-08-24 07:17:24 +02:00
neu5ron
9e588fdcf6
Zeek dce_rpc.log detection of print driver installs over RPC (i.e. possible PrintNightmare) using the three existing known RPC functions, as well as a few others "discussed" but not directly related to the PrintNightmare PoC or public post-compromise write-ups.
2021-08-24 00:58:36 -04:00
Austin Songer
facd58bd0a
Delete gworkspace_user_granted_admin_privileges.yml
2021-08-23 21:19:51 -05:00
Austin Songer
3cd43bfd9b
Create gworkspace_granted_domain_api_access.yml
2021-08-23 21:19:44 -05:00
Austin Songer
aa7a8a3e71
Update gworkspace_user_granted_admin_privileges.yml
2021-08-23 19:58:20 -05:00
Austin Songer
0fe2b3f569
Update and rename gworkspace_user_assigned_admin_role.yml to gworkspace_user_granted_admin_privileges.yml
2021-08-23 19:52:32 -05:00
Austin Songer
ede0332f22
Delete microsoft365_suspicious_inbox_manipulation_rules.yml
2021-08-23 19:40:20 -05:00
Austin Songer
3dd201d36f
Rename workspace_user_assigned_admin_role.yml to gworkspace_user_assigned_admin_role.yml
2021-08-23 19:38:58 -05:00
Austin Songer
6b1f0b83f4
Create workspace_user_assigned_admin_role.yml
2021-08-23 19:38:47 -05:00
Austin Songer
c767da91d1
Delete gworkspace_user_assigned_admin_role.yml
2021-08-23 19:38:01 -05:00
Austin Songer
8382bbfe09
Create gworkspace_user_assigned_admin_role.yml
2021-08-23 19:37:46 -05:00
Austin Songer
edcb956f2a
Merge branch 'SigmaHQ:master' into gworkspace_user_assigned_admin_role.yml
2021-08-23 19:37:06 -05:00
Austin Songer
c0e58d3c27
Update
2021-08-23 23:00:58 +00:00
Austin Songer
29e1ce7e8f
Update
2021-08-23 22:50:39 +00:00
Austin Songer
ad892eb239
Update
2021-08-23 22:46:37 +00:00
Austin Songer
84944cf849
Update
2021-08-23 22:30:11 +00:00
Austin Songer
53482b7e9c
Update
2021-08-23 22:19:41 +00:00
Austin Songer
754158bfd2
Update
2021-08-23 22:18:12 +00:00
Austin Songer
da69b2f531
Update
2021-08-23 22:09:27 +00:00
Austin Songer
595bd3b80f
Updated
2021-08-23 22:07:09 +00:00
Austin Songer
1fa32fcd1a
Update
2021-08-23 22:02:47 +00:00
Austin Songer
4ab9519546
Update
2021-08-23 18:59:07 +00:00
Nate Guagenti
b255586117
condition fix and add fields
Should be `operation`, not `endpoint`, for the detection logic.
added various fields useful for investigation
2021-08-23 14:59:06 -04:00
Austin Songer
8e4b8f45dd
Update
2021-08-23 18:57:17 +00:00
Austin Songer
a5c551ad61
Merge branch '365' of https://github.com/austinsonger/sigma into 365
2021-08-23 18:55:40 +00:00
Austin Songer
41786a1b63
In-Progress
2021-08-23 18:55:29 +00:00
Nate Guagenti
064d7b7b9f
improve rule logic zeek_default_cobalt_strike_certificate.yml
Zeek logging for `certificate.serial` has all letters capitalized
2021-08-23 14:23:41 -04:00
Nate Guagenti
cfc32e5950
correct fields for zeek_rdp_public_listener.yml
correct zeek fields for `fields` section.
improve false positives information
2021-08-23 14:16:55 -04:00
Nate Guagenti
1819e4b02b
improve rule
- improve rule logic
- match zeek fields for fields section
- add false positive information
- change rule name to match the logic of the original rule. Rule said "first" seen; however, there is no logic that matches that (i.e. rare, stacking, etc.)
2021-08-23 14:12:50 -04:00
Nate Guagenti
feb7d0e187
Update zeek_dns_mining_pools.yml
2021-08-23 14:11:04 -04:00
Nate Guagenti
b00e1772b3
added logic and usage
rule logic should be endswith.
match zeek fields for `fields` section
add false positive information
2021-08-23 14:03:38 -04:00