Commit Graph

9015 Commits

Author SHA1 Message Date
Florian Roth ab814cbc40 Merge pull request #2332 from frack113/promote_status
Promote status old rules experimental to test
2021-11-27 18:02:33 +01:00
Florian Roth 330fcf485c Merge branch 'master' into promote_status 2021-11-27 17:15:56 +01:00
Florian Roth 1fd729c619 Merge pull request #2334 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-11-27 17:15:12 +01:00
frack113 9b27955dd7 Restore status 2021-11-27 16:09:33 +01:00
Florian Roth 91c83bbe09 docs: changed wording in rule descriptions 2021-11-27 15:20:37 +01:00
Florian Roth b1ee26c6aa fix: more FPs noticed with Aurora 2021-11-27 14:54:03 +01:00
Florian Roth 91c13584cf Merge pull request #2331 from frack113/small_fix
Fix optional section name
2021-11-27 14:42:42 +01:00
Florian Roth 227d99ff58 Merge pull request #2333 from SigmaHQ/rule-devel
Suspicious LSASS Process Clone
2021-11-27 14:42:14 +01:00
Florian Roth bd772975f7 rule: LSASS access from program in suspicious folder 2021-11-27 14:09:11 +01:00
Florian Roth 1f6fa6dd58 rule: ATPMiniDump extensions 2021-11-27 14:02:42 +01:00
Florian Roth 7489676404 refactor: removed unnecessary filter 2021-11-27 13:34:56 +01:00
Florian Roth f4e48f0e2a refactor: extended paths 2021-11-27 13:33:32 +01:00
Florian Roth c4cb309da5 rule: LSASS process clone 2021-11-27 13:32:41 +01:00
Florian Roth aca1a5d959 fix: microsoft edge filter 2021-11-27 13:10:53 +01:00
Florian Roth b05ac58503 Merge pull request #2330 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-11-27 12:57:21 +01:00
Florian Roth 2eb1f62477 Merge pull request #2328 from frack113/forget_status
Forgot the status
2021-11-27 12:01:30 +01:00
Florian Roth 55284839e1 fix: condition in PS AppData rule 2021-11-27 11:59:50 +01:00
Florian Roth 2844e58369 fix: FPs noticed with Aurora 2021-11-27 11:52:48 +01:00
frack113 f04a6bb1c6 Change status for old rules 2021-11-27 11:47:03 +01:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
frack113 c6caab9e1e Fix optional section name 2021-11-27 11:27:40 +01:00
Florian Roth 6664d6e522 Merge pull request #2329 from SigmaHQ/rule-devel
fix: regex in lolbas rules
2021-11-27 11:05:34 +01:00
Florian Roth 5a9f82206f Merge pull request #1045 from vburov/patch-9
Create win_hack_hydra.yml
2021-11-27 10:21:56 +01:00
Florian Roth 8e2be01845 Merge branch 'master' into rule-devel 2021-11-27 10:17:07 +01:00
Florian Roth 0593446f96 fix: regex in diantz rule 2021-11-27 10:16:27 +01:00
Florian Roth 62cd452c95 Merge branch 'master' into rule-devel 2021-11-27 10:16:10 +01:00
Florian Roth 0f6c2e007e fix: regex in Extract32 rule 2021-11-27 10:15:24 +01:00
Florian Roth ef13bea075 fix: regular expression in " 2021-11-27 10:05:51 +01:00
Florian Roth b899710021 Merge pull request #2327 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-11-27 10:03:29 +01:00
Florian Roth 97207bdf81 Merge branch 'master' into aurora-false-positive-fixing 2021-11-27 09:22:15 +01:00
Florian Roth 0ad9f9a859 fix: FPs noticed with Aurora 2021-11-27 09:13:53 +01:00
frack113 c1a5076185 Forget the status 2021-11-27 09:07:54 +01:00
Florian Roth a832b8ffb9 refactor: changed filter to be more explicit 2021-11-27 08:53:05 +01:00
Florian Roth 9d3ba0f432 refactor: reduce to medium
since we cannot easily detect a real threat without a filter for every possible updater, we have to reduce level to medium here
2021-11-27 08:52:33 +01:00
frack113 138b066283 Merge pull request #2326 from austinsonger/win_lolbas_dump64.yml
process_creation_win_lolbas_dump64.yml
2021-11-27 07:50:11 +01:00
frack113 ccc5c2220b Merge pull request #2323 from frack113/lolbas
Lolbas rules
2021-11-27 07:48:31 +01:00
frack113 efa099aec7 Merge pull request #2321 from austinsonger/Azure-Subscription-Permission-Elevation
Azure subscription permission elevation
2021-11-27 07:47:54 +01:00
frack113 7a5bf359a1 Merge pull request #2320 from austinsonger/azure_unusual_authentication_interruption.yml
azure_unusual_authentication_interruption.yml
2021-11-27 07:47:40 +01:00
frack113 5922483f2e Merge pull request #2322 from austinsonger/admission_controllers
Updated Descriptions and Tags
2021-11-27 07:44:48 +01:00
frack113 010a988fe5 Merge pull request #2318 from austinsonger/clearing_windows_console_history.yml
clearing_windows_console_history.yml
2021-11-27 07:43:52 +01:00
Florian Roth 46f0e32118 Update process_creation_win_lolbas_dump64.yml 2021-11-27 01:18:56 +01:00
Austin Songer 248dcbe735 Update process_creation_win_lolbas_dump64.yml 2021-11-26 14:34:32 -06:00
Florian Roth 0c5f4d854d Merge pull request #2325 from SigmaHQ/rule-devel
fix: FPs noticed with Aurora
2021-11-26 21:25:25 +01:00
Florian Roth 1b8a6b901b docs: change title and description 2021-11-26 21:24:54 +01:00
Florian Roth 83e4236edf fix: tag, changed rule to avoid FP with VS binary
there is a legitimate binary used in Visual Studio named dump64.exe, we can exclude the original location and only report when we see it in a different location or used with procdump command line flags
https://www.advanceduninstaller.com/Visual-Studio-Professional-2019-dc240beb51a0e41e029278d4ad2a2e87-application.htm
2021-11-26 21:23:21 +01:00
Austin Songer 18bab18dd9 Update process_creation_win_lolbas_dump64.yml 2021-11-26 14:19:10 -06:00
Austin Songer d485fa9b93 Create process_creation_win_lolbas_dump64.yml 2021-11-26 14:03:10 -06:00
Florian Roth 11b8ccfe8f Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-26 20:47:22 +01:00
Florian Roth eae38d08f0 fix: FPs 2021-11-26 20:46:52 +01:00
Austin Songer 98084e857c Update azure_subscription_permissions_elevation_via_auditlogs.yml 2021-11-26 13:42:48 -06:00