2819 Commits

Author SHA1 Message Date
phantinuss 67ad16f411 edit because of ambiguous trailing space 2022-03-31 12:04:37 +02:00
phantinuss 51d45bae8b chore: promote status of rules 2022-03-31 12:04:37 +02:00
phantinuss 5ebb919472 fix: FP with intel graphics 2022-03-31 12:04:37 +02:00
phantinuss 8afe875ad6 update rule to also match on original sample 2022-03-31 12:04:36 +02:00
Florian Roth 08d3bd48ce Merge pull request #2868 from securepeacock/patch-11
Create proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 21:05:56 +02:00
securepeacock 35661df7e4 Update proc_creation_win_fsutil_drive_enumeration.yml 2022-03-30 10:45:01 -04:00
securepeacock 34182908c9 Update proc_creation_win_fsutil_drive_enumeration.yml 2022-03-30 10:38:28 -04:00
securepeacock 5e3a5642e8 Create proc_creation_win_fsutil_drive_enumeration.yml 2022-03-30 10:00:03 -04:00
Fred Frey 78aeee3054 added resource and improved MITRE Subtechnique
Mavinject now has its own subtechnique
https://attack.mitre.org/techniques/T1218/013/
2022-03-30 08:57:15 -04:00
phantinuss 7f030b250e fix: wrong mapping of Windows Audit Log EventID 4688
reverts some changes introduced by commit c5fa73c328
    - removes the unnecessary/wrong field mapping
    - fixes the rules to apply to CommandLine instead of
      ParentCommandLine as the author probably intended
2022-03-30 11:24:24 +02:00
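Two of the entries above turn on the same mechanics: a rule keyed on the right process_creation field (CommandLine, not ParentCommandLine, for Windows Security event 4688) and a rule for fsutil drive enumeration. The following matcher is an added illustration of how such a rule is evaluated; it is not SigmaHQ code, and the rule, the 4688 field map and the events in it are constructed for this example rather than taken from proc_creation_win_fsutil_drive_enumeration.yml or the repository's field mappings.

```python
"""Minimal Sigma-style rule matcher (added example, not SigmaHQ code).

Supports only the subset of the Sigma selection syntax needed here: plain
equality, the |contains, |startswith and |endswith modifiers, list values
(OR, or AND with |all), and the conditions "selection" and
"selection and not filter". Rule, field map and events are constructed
for illustration; the rule is NOT the repository's
proc_creation_win_fsutil_drive_enumeration.yml.
"""

# Constructed rule in the spirit of the fsutil drive-enumeration commits.
RULE = {
    "title": "Example: fsutil drive enumeration",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\fsutil.exe",
            "CommandLine|contains|all": ["fsinfo", "drives"],
        },
        "filter": {
            # hypothetical allow-listed inventory tool, to show an FP filter
            "ParentImage|endswith": "\\inventory_agent.exe",
        },
        "condition": "selection and not filter",
    },
}

# Same logic keyed on ParentCommandLine: the kind of mistake the
# "wrong mapping of ... EventID 4688" commit describes. Security event 4688
# carries the new process's command line, not the parent's, so this rule
# can never fire on a 4688 record.
RULE_WRONG_FIELD = {
    "title": "Example: wrongly keyed on ParentCommandLine",
    "detection": {
        "selection": {
            "Image|endswith": "\\fsutil.exe",
            "ParentCommandLine|contains|all": ["fsinfo", "drives"],
        },
        "condition": "selection",
    },
}

# Assumed mapping from Security 4688 EventData names to Sigma field names.
FIELD_MAP_4688 = {
    "NewProcessName": "Image",
    "CommandLine": "CommandLine",
    "ParentProcessName": "ParentImage",
}

def normalize_4688(raw):
    """Rename 4688 EventData keys to Sigma process_creation field names."""
    return {FIELD_MAP_4688.get(k, k): v for k, v in raw.items()}

def _match_value(value, pattern, mods):
    v, p = str(value).lower(), str(pattern).lower()  # Sigma matching is case-insensitive
    if "contains" in mods:
        return p in v
    if "endswith" in mods:
        return v.endswith(p)
    if "startswith" in mods:
        return v.startswith(p)
    return v == p

def _match_field(event, key, patterns):
    field, *mods = key.split("|")
    if field not in event:          # an absent field never matches
        return False
    pats = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(event[field], p, mods) for p in pats]
    return all(hits) if "all" in mods else any(hits)

def match_selection(event, selection):
    """All field/value pairs in a selection map must match (AND)."""
    return all(_match_field(event, k, v) for k, v in selection.items())

def evaluate(rule, event):
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return match_selection(event, det["selection"])
    if cond == "selection and not filter":
        return match_selection(event, det["selection"]) and not match_selection(event, det["filter"])
    raise ValueError(f"unsupported condition: {cond!r}")

# Constructed 4688-style records (EventData names as logged by Windows).
SUSPICIOUS = {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\fsutil.exe",
              "CommandLine": "fsutil fsinfo drives",
              "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"}
BENIGN_USE = {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\fsutil.exe",
              "CommandLine": "fsutil file createnew C:\\temp\\pad.bin 1024",
              "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"}
FILTERED = {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\fsutil.exe",
            "CommandLine": "fsutil fsinfo drives",
            "ParentProcessName": "C:\\Program Files\\Inventory\\inventory_agent.exe"}

def run_demo():
    """Return the rule verdict for each constructed event, keyed by label."""
    return {
        "suspicious": evaluate(RULE, normalize_4688(SUSPICIOUS)),              # True
        "benign_use": evaluate(RULE, normalize_4688(BENIGN_USE)),              # False
        "filtered_parent": evaluate(RULE, normalize_4688(FILTERED)),           # False
        "wrong_field": evaluate(RULE_WRONG_FIELD, normalize_4688(SUSPICIOUS)), # False
    }

if __name__ == "__main__":
    for label, hit in run_demo().items():
        print(f"{label:16s} -> {'ALERT' if hit else 'no match'}")
```

The "wrong_field" case is the one worth remembering when writing field mappings: a rule that references a field the log source does not carry does not error, it silently never matches, which is why a mapping that pointed CommandLine at ParentCommandLine would have turned a working rule into a dead one.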
phantinuss 3034d626ea chore: promote status of rules 2022-03-30 11:24:24 +02:00
Florian Roth 4b5a9db68a Merge pull request #2864 from SigmaHQ/rule-devel
refactor: more robust reg add ImagePath rule
2022-03-29 19:47:24 +02:00
Florian Roth 7cd65a737d Merge pull request #2861 from redsand/fp_msiexec_sccm
FP filter to include without quotes
2022-03-29 16:00:12 +02:00
Florian Roth cc45743669 refactor: more robust reg add ImagePath rule 2022-03-29 15:21:47 +02:00
Max Altgelt 36ba148616 fix: filter null image in process creation rule 2022-03-29 08:56:47 +02:00
Tim Shelton f4776fb081 FP filter to include without quotes 2022-03-28 18:50:00 +00:00
frack113 14ec2e7d7c Merge pull request #2859 from redsand/fp_msiexec_sccm
Adding FP filter for ccm
2022-03-27 08:44:50 +02:00
Tim Shelton 35bbd3727e Adding FP filter for ccm 2022-03-26 18:35:31 +00:00
Florian Roth 507551c631 fix: typo in modifier 2022-03-24 19:08:53 +01:00
Florian Roth 6970223872 fix: bug in modifier 2022-03-24 19:05:04 +01:00
Florian Roth f1b91ba8ac refactor: more powershell loader rules 2022-03-24 16:44:35 +01:00
Florian Roth a06b599bec rule: IEX patterns 2022-03-24 16:31:50 +01:00
Florian Roth f7cd8e3424 fix: duplicate id 2022-03-24 11:41:26 +01:00
Florian Roth f3abef8b5f fix: indentation 2022-03-24 11:34:00 +01:00
Florian Roth 53b450d377 rule: PowerShell Downloads 2022-03-24 09:16:12 +01:00
Florian Roth 7c4d198498 fix: FPs with win32calc.exe 2022-03-23 16:31:45 +01:00
Florian Roth 535e6ce0cc refactor: scheduled task patterns 2022-03-23 09:09:43 +01:00
Florian Roth d8046b5989 rules: registry, tamper with Defender & LSA 2022-03-22 16:10:11 +01:00
Florian Roth 63066ab5e1 Merge branch 'master' into rule-devel 2022-03-22 13:16:13 +01:00
Florian Roth 68542e20e9 fix: condition 2022-03-22 13:16:08 +01:00
Florian Roth 35828985e0 refactor: rule extended 2022-03-21 12:59:14 +01:00
Florian Roth 007e52ccb9 rule: suspicious parents, susp powershell parent rule 2022-03-21 12:57:59 +01:00
phantinuss f1dcaa02f4 fix: single list element 2022-03-21 12:33:55 +01:00
Florian Roth 816b11ab80 Merge branch 'master' into rule-devel 2022-03-21 11:19:22 +01:00
Florian Roth 056206627a minor changes to description and hash values 2022-03-21 11:19:05 +01:00
Florian Roth dd46054e17 Merge pull request #2834 from redsand/fp_missing_sys32_dir_rundll32
FP missing system32 dir rundll32 with invalid extension
2022-03-20 22:31:58 +01:00
Tim Shelton 5086cde0dd updating to ensure match against all system32 execution paths 2022-03-20 19:48:51 +00:00
Tim Shelton 3da10f30d8 Adding additional filter for system32 2022-03-20 19:45:33 +00:00
Paul Hager 68659cf5fd new susp service installation rules 2022-03-18 16:08:40 +01:00
Florian Roth fbf1b8456c Merge pull request #2825 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with EdgeTransport sub processes
2022-03-18 11:04:10 +01:00
Florian Roth 2f51f8e1d2 fix: FPs noticed with EdgeTransport sub processes 2022-03-18 10:18:40 +01:00
Florian Roth d0eef19e95 Merge pull request #2822 from SigmaHQ/rule-devel
Webshell detection rule refactoring
2022-03-18 08:49:04 +01:00
Florian Roth e754849425 fix: missing space 2022-03-18 08:37:09 +01:00
frack113 41fce11b76 Merge pull request #2820 from frack113/day_off
Windows Redcannary
2022-03-18 08:18:18 +01:00
Florian Roth 59a8a6f952 Merge branch 'master' into rule-devel 2022-03-17 20:16:28 +01:00
Florian Roth 22133aaa07 Merge pull request #2821 from redsand/fp_tasktop_path_traversal
Adding filter for java tasktop
2022-03-17 18:44:16 +01:00
Florian Roth 33617fd8b4 rule: new webshell detection rule 2022-03-17 18:31:11 +01:00
Tim Shelton 026677cf8a fixing spelling error 2022-03-17 17:27:11 +00:00
Florian Roth 8250dd73a2 refactor: webshell detection rules 2022-03-17 18:24:15 +01:00
Tim Shelton a1cb805913 Adding filter for java tasktop 2022-03-17 17:23:06 +00:00