Commit Graph

6573 Commits

Author SHA1 Message Date
Florian Roth 99fc5fc3cc refactor: reworked psexec / paexec rules 2021-11-23 16:34:31 +01:00
Florian Roth 75663ceb46 rule: file creation LPE CVE-2021-41379 2021-11-22 14:15:51 +01:00
Florian Roth 9a2e7a23fa docs: tags for CVE-2021-41379 2021-11-22 14:06:50 +01:00
Florian Roth 023a0f0685 Revert "refactor: rule could possibly generate too many FPs"
This reverts commit 24c4d51796.
2021-11-22 14:03:59 +01:00
Florian Roth cda13acc83 Revert "refactor: add another flag set"
This reverts commit ca62fe586f.
2021-11-22 12:51:16 +01:00
Florian Roth ca62fe586f refactor: add another flag set 2021-11-22 12:21:19 +01:00
Florian Roth 01189dcef2 fix: rule condition 2021-11-22 11:47:39 +01:00
Florian Roth d2e45afc3c fix: typo in filename - missing period 2021-11-22 11:40:17 +01:00
Florian Roth d3ec743906 fix: changed modified date 2021-11-22 11:38:37 +01:00
Florian Roth fbd8df5768 rule: lsass access suspicious flags 2021-11-22 11:37:09 +01:00
Florian Roth 24c4d51796 refactor: rule could possibly generate too many FPs 2021-11-22 11:28:32 +01:00
Florian Roth 7432aa37a0 refactor: lsass query info access 2021-11-22 11:02:01 +01:00
Florian Roth 0da02fbc46 fix: image_load in sysmon doesn't contain a command line 2021-11-20 19:58:21 +01:00
Florian Roth 1ce65c6730 rule: shell file write to suspicious folder 2021-11-20 15:37:10 +01:00
Florian Roth e73816bb22 fix: too many false positives with in-memory detection rule 2021-11-20 15:07:20 +01:00
Florian Roth 15a4938294 fix: wrong condition 2021-11-20 15:05:06 +01:00
Florian Roth c7462832fe fix: FPs with Wincred in log files 2021-11-20 15:03:11 +01:00
Florian Roth dfbaadf932 fix: FPs - extended filter 2021-11-20 13:01:24 +01:00
Florian Roth 8271b04f80 fix: FPs with ISO mount rule 2021-11-20 12:46:50 +01:00
Florian Roth f1d2903ec2 fix: FPs with rules 2021-11-20 12:32:15 +01:00
Florian Roth 6c040f0844 fix: more false positives 2021-11-20 12:00:18 +01:00
Florian Roth 5b8b622658 fix: too many false positives with WMI Modules Loaded 2021-11-20 11:54:19 +01:00
Florian Roth 1fffb57df0 fix: FPs with different rules 2021-11-20 11:33:43 +01:00
frack113 1cfca93354 Missing status in rules (#2284)
* add missing status
2021-11-19 22:32:26 +01:00
frack113 0c61c444eb Merge pull request #2278 from zakibro/master
Adding New Linux Auditd rule - Data Exfil with Wget
2021-11-19 22:30:10 +01:00
frack113 13099ea9bf Merge pull request #2279 from frack113/malware
Add sysmon_win_reg_persistence_recycle_bin.yml
2021-11-19 19:11:06 +01:00
frack113 264db60c5e Merge pull request #2276 from phantinuss/master
Rule Fix: Paths with Quotes
2021-11-19 19:05:36 +01:00
Florian Roth 19a303bcfb Merge pull request #2282 from Karneades/exefile
Update shell open key rule
2021-11-19 17:40:35 +01:00
Andreas Hunkeler a1dc685ea4 Add note regarding persistence in shell open rule 2021-11-19 16:18:25 +01:00
Andreas Hunkeler 74eac016c8 Update date after shell open rule change 2021-11-19 16:17:21 +01:00
Florian Roth 4acbb15713 Merge branch 'master' into rule-devel 2021-11-19 15:52:21 +01:00
Andreas Hunkeler 79cf80fa6b Update shell open key rule
* Make rule more generic regarding exefile detection instead of only naming it "uac bypass"
* Add further references and attack tags
2021-11-19 14:03:56 +01:00
Florian Roth 3834048363 docs: extended false positive comment 2021-11-19 12:15:11 +01:00
Florian Roth 86f7c2b9f9 fix: FPs with WMI module rule 2021-11-19 12:15:01 +01:00
frack113 5e96a5c151 Merge pull request #2275 from WojciechLesicki/master
Adding two more processes, additional references, information about Cob…
2021-11-19 06:46:10 +01:00
frack113 8176d9b47e Add sysmon_win_reg_persistence_recycle_bin.yml 2021-11-18 18:39:20 +01:00
Pawel Mazur 87f64e28fd Adding New Linux Auditd rule - Data Exfil with Wget 2021-11-18 18:03:17 +01:00
Florian Roth b91b43ad84 rule: Exchange CVE-2021-42321 2021-11-18 17:27:09 +01:00
Florian Roth ecc7181d6e fix: FP with Windows Update Client LOLBIN rule 2021-11-18 13:34:55 +01:00
phantinuss 84476e1dd4 fix: prevent possible FPs from non-windows native calls using paths surrounded by quotes 2021-11-18 10:06:03 +01:00
frack113 7a2ce744f1 Merge pull request #2272 from frack113/wmi_FP
sysmon_wmi_module_load.yml add WMIC.exe
2021-11-18 06:36:39 +01:00
frack113 4b13ece931 Merge pull request #2270 from phantinuss/master
enhance emotet rundll32 execution pattern for current campaign
2021-11-18 06:35:11 +01:00
frack113 a6771d684b Merge pull request #2269 from frack113/ntfs
Add correct provider_name
2021-11-18 06:32:01 +01:00
WojciechLesicki ba053ea19b Adding two more processes, additional references, information about Cobalt Strike etc. 2021-11-17 22:37:23 +01:00
Florian Roth 7dce83033b rule: Winrar suspicious folder 2021-11-17 19:01:48 +01:00
Florian Roth c6564908ef rule: Sitecore Pre-Auth RCE CVE-2021-42237 2021-11-17 19:01:35 +01:00
Florian Roth 23220e7d78 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-17 19:00:06 +01:00
Florian Roth a921bd5ec8 style: reordered rule layout 2021-11-17 18:59:40 +01:00
Florian Roth c71d9dba89 fix: false positive with WMI rule 2021-11-17 18:59:22 +01:00
frack113 0605a1c64e add WMIC.exe 2021-11-17 16:37:27 +01:00