security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

1988 Commits

Author SHA1 Message Date
Florian Roth 17297193c7 Merge branch 'master' into devel 2020-03-25 14:18:11 +01:00
Florian Roth 50b0d04ee8 rule: Exploited CVE-2020-10189 Zoho ManageEngine 2020-03-25 14:02:53 +01:00
Florian Roth 28d8b87a0f rule: extended web shell spawn rule 2020-03-25 14:02:39 +01:00
j91321 1d86e0b4a5 Change falsepositives to array 2020-03-24 19:59:54 +01:00
j91321 c784adb10b Wrong indentation falsepositives 2020-03-24 19:55:41 +01:00
j91321 98a633e54c Add missing status and falsepositives 2020-03-24 19:53:41 +01:00
j91321 3c74d8b87d Add correct Source to detection to avoid FP 2020-03-24 19:49:24 +01:00
j91321 bc442d3021 Add path with lowercase system32 2020-03-24 19:48:24 +01:00
j91321 78bfa950d7 Add WinPrvSE.exe to detection 2020-03-24 19:47:10 +01:00
Thomas Patzke c10332b06c Merge pull request #663 from neu5ron/updates_sigmac_and_rules 
Updates sigmac and rules
 2020-03-22 00:22:31 +01:00
Harish SEGAR ba3994f319 Fix of '1 of x' condition 2020-03-21 12:19:01 +01:00
Harish SEGAR 81b277ba1a suspicious powershell parent process... 2020-03-21 00:26:30 +01:00
Harish SEGAR a88b22a1bd Fix namefield. 2020-03-20 23:34:15 +01:00
Harish SEGAR 67694e4ba7 Restructure new improvement to process_creation folder. 2020-03-20 23:29:32 +01:00
Harish SEGAR b9a916ceb4 Removed useless condition. 2020-03-20 22:50:26 +01:00
Harish SEGAR 30fac9545a Fixed author field. 2020-03-20 22:49:07 +01:00
Harish SEGAR 1f251cec07 Added missing action field 2020-03-20 22:46:19 +01:00
Harish SEGAR 293018a9e7 Added conditions... 2020-03-20 22:33:14 +01:00
Harish SEGAR 74b81120e4 Usage of value modifiers... 2020-03-20 22:03:48 +01:00
Harish SEGAR b129f09fee Improvement detection on downgrade of powershell 2020-03-20 21:48:19 +01:00
Maxime Thiebaut dce18b23b7 Add "Suspicious desktop.ini Action" rule 2020-03-19 21:43:03 +01:00
Florian Roth 6040b1f1f8 Merge pull request #668 from Neo23x0/devel 
Devel
 2020-03-19 18:36:31 +01:00
Florian Roth 8454f60a8e fix: reduced level due to false positives 2020-03-17 20:40:28 +01:00
neu5ron 4c94906d53 rule should be wildcard AND had a prepended ^ in one of the CommandLine conditions that would have caused to not trigger 2020-03-14 15:00:42 -04:00
neu5ron 4b572f3ccb newline in description - typo 2020-03-14 14:58:58 -04:00
Florian Roth cbf0f43934 Merge pull request #655 from msec1203/msec1203-patch-1 
add rule for suspicious use of csharp console by scripting utility
 2020-03-09 18:01:12 +01:00
Florian Roth 6845fa21b3 fix: fixed several issues 2020-03-09 17:43:16 +01:00
David Szili 0947538228 MDATP schema changes 
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
 2020-03-09 17:12:41 +01:00
ecco 2489b8534c sysmon registry events fix 2020-03-09 12:02:04 -04:00
Florian Roth ddefb3bc58 Merge branch 'master' into devel 2020-03-07 11:06:25 +01:00
Florian Roth 07914c2783 Merge pull request #652 from 2XXE-SRA/patch-1 
MMC Lateral Movement Rule 1
 2020-03-07 11:02:16 +01:00
Florian Roth 2e184382f5 fix: eventid in process_creation rules 2020-03-07 10:43:47 +01:00
Florian Roth 7e8b59abe6 Merge pull request #643 from grumo35/patch-2 
Update sysmon_cred_dump_tools_dropped_files.yml
 2020-03-07 10:39:35 +01:00
Florian Roth c609de4f27 Merge pull request #648 from NVISO-BE/patch-azure-ad-replication 
Exclude Azure AD sync accounts from AD Replication rule
 2020-03-07 10:39:04 +01:00
Florian Roth b040c129be fix: author field starting with an '@' symbol 2020-03-07 10:38:02 +01:00
2XXE (SRA) ae56db97ff mmc lateral movement detection 1 
see https://github.com/Neo23x0/sigma/issues/576
 2020-03-04 14:57:41 -05:00
ecco b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth 6bbb166f3d rule: extended webshell rule with tomcat.exe 2020-03-04 14:25:57 +01:00
Florian Roth 53278c2a46 Merge pull request #649 from Neo23x0/devel 
fix: avoiding FPs with Citrix software
 2020-03-03 11:35:02 +01:00
Florian Roth f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth be4242aca8 fix avoiding FPs with MpCmdRun 
ParentImage: C:\Windows\System32\services.exe
CommandLine: C:\Program Files\Microsoft Security Client\\MpCmdRun.exe
 2020-03-03 11:16:59 +01:00
Florian Roth 7139bfb0cb fix: avoiding FPs with Citrix software 
writing C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_r23phtye.jsp.ps1
 2020-03-03 11:01:42 +01:00
Remco Hofman d4b5dd5749 Exclude Azure AD sync accounts from AD Replication rule 2020-03-02 16:43:20 +01:00
Thomas Patzke b63889af75 Fixed rules that likely will cause false negatives by fix 2020-03-01 23:14:53 +01:00
Thomas Patzke 0a62b8747e Merge pull request #634 from EccoTheFlintstone/fp_fix3 
Rule: restore initial behaviour matching single word with spaces on each side
 2020-03-01 22:40:24 +01:00
Florian Roth 19d383989c fix: keyword expression in rule 2020-02-29 16:03:31 +01:00
Florian Roth fa6458b70f rule: two rules to detect CVE-2020-0688 exploitation 2020-02-29 15:45:45 +01:00
Florian Roth fdcba84fc8 fix: escaped backslash 2020-02-29 10:12:59 +01:00
grumo35 0d932810b5 Update sysmon_cred_dump_tools_dropped_files.yml 
Adding sysinternal's procdump utility more about this on : https://en.hackndo.com/remote-lsass-dump-passwords/
 2020-02-28 15:16:18 +01:00
Florian Roth f88225dd2a Merge pull request #640 from Neo23x0/devel 
fix: broader exclusion for rule - OneDrive false positives
 2020-02-26 18:41:52 +01:00