Commit Graph

2841 Commits

Author SHA1 Message Date
Amrik 6bc5b8e29c Fix: Typo in title 2022-04-07 19:30:00 -07:00
frack113 77e05ab762 Merge pull request #2887 from frack113/fix_tag 2022-04-07 22:34:23 +02:00
    Update tags
Florian Roth e4503df4b1 Update proc_creation_win_powershell_public_folder.yml 2022-04-07 18:52:45 +02:00
frack113 7819a3b96e Update tags 2022-04-07 14:46:58 +02:00
Max Altgelt df41827266 feat: detect PS execution in public folder 2022-04-07 10:50:50 +02:00
Max Altgelt 3cddcc906d feat: Add new rule for Creative Cloud node abuse 2022-04-07 10:50:50 +02:00
Florian Roth ac5346c2a5 Merge pull request #2881 from SigmaHQ/rule-devel 2022-04-07 09:44:44 +02:00
    DumpMinitool Usage
megan201296 b0eaf3fb5a Rename proc_creation_win_coti_sqlcmd.yml to proc_creation_win_conti_sqlcmd.yml 2022-04-06 10:46:08 -05:00
    Fix typo in rule name
Florian Roth 5a4a2544dd refactor: extended rule 2022-04-06 17:07:51 +02:00
Florian Roth 4a4d990151 fix: less strict directory filter 2022-04-06 14:02:01 +02:00
Florian Roth 3b25fba51a rule: DumpMinitool usage 2022-04-06 14:01:14 +02:00
Florian Roth 7ef4187875 Merge pull request #2879 from SigmaHQ/rule-devel 2022-04-05 20:17:59 +02:00
    Base64 Encoded CommandLine Params
Florian Roth 774183f1eb refactor: lowered level to informational 2022-04-05 18:54:47 +02:00
Florian Roth a731446733 Revert "removed rule due to many FPs" 2022-04-05 18:54:14 +02:00
    This reverts commit 5bdb97ba17.
Florian Roth 5bdb97ba17 removed rule due to many FPs 2022-04-05 18:53:45 +02:00
Florian Roth 7ee145fbce rule: base64 encoded value in command line 2022-04-05 13:09:57 +02:00
Florian Roth bcc9f96beb fix: add tags 2022-04-05 13:09:43 +02:00
frack113 6e67a6d520 Set to low for FP 2022-04-04 19:33:23 +02:00
frack113 b7675b8163 Add proc_creation_win_susp_conhost_option 2022-04-04 19:20:27 +02:00
Florian Roth 4ca5f58081 Merge branch 'master' into rule-devel 2022-04-04 12:02:47 +02:00
Florian Roth 96499b52de fix: date in rule 2022-04-04 11:37:55 +02:00
Florian Roth 7423ad6ffa fix: missing timestamp 2022-04-04 11:34:26 +02:00
phantinuss 67ad16f411 edit because of ambiguous trailing space 2022-03-31 12:04:37 +02:00
phantinuss 51d45bae8b chore: promote status of rules 2022-03-31 12:04:37 +02:00
phantinuss 5ebb919472 fix: FP with intel graphics 2022-03-31 12:04:37 +02:00
phantinuss 8afe875ad6 update rule to also match on original sample 2022-03-31 12:04:36 +02:00
Florian Roth 08d3bd48ce Merge pull request #2868 from securepeacock/patch-11 2022-03-30 21:05:56 +02:00
    Create proc_creation_win_fsutil_drive_enumeration.yml
securepeacock 35661df7e4 Update proc_creation_win_fsutil_drive_enumeration.yml 2022-03-30 10:45:01 -04:00
securepeacock 34182908c9 Update proc_creation_win_fsutil_drive_enumeration.yml 2022-03-30 10:38:28 -04:00
securepeacock 5e3a5642e8 Create proc_creation_win_fsutil_drive_enumeration.yml 2022-03-30 10:00:03 -04:00
Fred Frey 78aeee3054 added resource and improved MITRE Subtechnique 2022-03-30 08:57:15 -04:00
    Mavinject now has its own subtechnique
    https://attack.mitre.org/techniques/T1218/013/
phantinuss 7f030b250e fix: wrong mapping of Windows Audit Log EventID 4688 2022-03-30 11:24:24 +02:00
    reverts some changes introduced by commit c5fa73c328
      - removes the unnecessary/wrong field mapping
      - fixes the rules to apply to CommandLine instead of
        ParentCommandLine as the author probably intended
phantinuss 3034d626ea chore: promote status of rules 2022-03-30 11:24:24 +02:00
Florian Roth 4b5a9db68a Merge pull request #2864 from SigmaHQ/rule-devel 2022-03-29 19:47:24 +02:00
    refactor: more robust reg add ImagePath rule
Florian Roth 7cd65a737d Merge pull request #2861 from redsand/fp_msiexec_sccm 2022-03-29 16:00:12 +02:00
    FP filter to include without quotes
Florian Roth cc45743669 refactor: more robust reg add ImagePath rule 2022-03-29 15:21:47 +02:00
Max Altgelt 36ba148616 fix: filter null image in process creation rule 2022-03-29 08:56:47 +02:00
Tim Shelton f4776fb081 FP filter to include without quotes 2022-03-28 18:50:00 +00:00
frack113 14ec2e7d7c Merge pull request #2859 from redsand/fp_msiexec_sccm 2022-03-27 08:44:50 +02:00
    Adding FP filter for ccm
Tim Shelton 35bbd3727e Adding FP filter for ccm 2022-03-26 18:35:31 +00:00
Florian Roth 507551c631 fix: typo in modifier 2022-03-24 19:08:53 +01:00
Florian Roth 6970223872 fix: bug in modifier 2022-03-24 19:05:04 +01:00
Florian Roth f1b91ba8ac refactor: more powershell loader rules 2022-03-24 16:44:35 +01:00
Florian Roth a06b599bec rule: IEX patterns 2022-03-24 16:31:50 +01:00
Florian Roth f7cd8e3424 fix: duplicate id 2022-03-24 11:41:26 +01:00
Florian Roth f3abef8b5f fix: indentation 2022-03-24 11:34:00 +01:00
Florian Roth 53b450d377 rule: PowerShell Downloads 2022-03-24 09:16:12 +01:00
Florian Roth 7c4d198498 fix: FPs with win32calc.exe 2022-03-23 16:31:45 +01:00
Florian Roth 535e6ce0cc refactor: scheduled task patterns 2022-03-23 09:09:43 +01:00
Florian Roth d8046b5989 rules: registry, tamper with Defender & LSA 2022-03-22 16:10:11 +01:00