Commit Graph

8870 Commits

Author SHA1 Message Date
Tim Shelton ad75a9a5bf updating hawk backend to provide additional tag enrichment. helps manage the state of each sigma rule, if experimental or not 2021-11-23 16:57:43 +00:00
Florian Roth 653950e456 Merge pull request #2300 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-11-23 10:52:54 +01:00
Florian Roth 0a682f6fe0 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-11-23 09:37:23 +01:00
Florian Roth 614046c241 fix: missing filter in condition 2021-11-23 09:37:20 +01:00
Florian Roth 17c04919af Merge pull request #2297 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-11-22 22:06:26 +01:00
Florian Roth f2585f44da fix: bug in filter 2021-11-22 21:30:19 +01:00
Florian Roth 7468d495ff fix: FP with LSASS access rule 2021-11-22 21:29:21 +01:00
Florian Roth 497a9d9e2a Merge pull request #2296 from SigmaHQ/rule-devel
rules: InstallerFileTakeOver LPE CVE-2021-41379
2021-11-22 17:12:03 +01:00
Florian Roth 42571791b3 Merge branch 'rule-devel' into aurora-false-positive-fixing 2021-11-22 15:24:46 +01:00
Florian Roth 2c5631f1bf Merge branch 'master' into aurora-false-positive-fixing 2021-11-22 15:23:43 +01:00
Florian Roth 68e4864069 fix: exclusions in new WinRAR rule 2021-11-22 15:23:28 +01:00
Florian Roth e778372d1f Merge pull request #2295 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-11-22 15:19:05 +01:00
Florian Roth 8fc93d3340 refactor: generic lsass access filter 2021-11-22 15:05:56 +01:00
Florian Roth 75663ceb46 rule: file creation LPE CVE-2021-41379 2021-11-22 14:15:51 +01:00
Florian Roth 9a2e7a23fa docs: tags for CVE-2021-41379 2021-11-22 14:06:50 +01:00
Florian Roth 023a0f0685 Revert "refactor: rule could possibly generate too many FPs"
This reverts commit 24c4d51796.
2021-11-22 14:03:59 +01:00
Florian Roth ff6bb3acea extended filters and descriptions 2021-11-22 14:01:30 +01:00
Florian Roth d5eff9ef6d fix: FP with In-memory PowerShell rule and Visual Studio 2021-11-22 13:45:31 +01:00
Florian Roth 37ff832fda fix: FPs with LSASS access rule 2021-11-22 13:43:20 +01:00
Florian Roth 145d05e756 Merge pull request #2294 from SigmaHQ/aurora-false-positive-fixing
fix: FPs with Aurora
2021-11-22 13:30:07 +01:00
Florian Roth db03d08b11 Merge pull request #2293 from SigmaHQ/rule-devel
fix: 0x1000 access on LSASS, rule: new LSASS access, rule: CVE-2021-41379
2021-11-22 13:29:31 +01:00
Florian Roth cda13acc83 Revert "refactor: add another flag set"
This reverts commit ca62fe586f.
2021-11-22 12:51:16 +01:00
Florian Roth ca62fe586f refactor: add another flag set 2021-11-22 12:21:19 +01:00
Florian Roth a5b7a92d91 fix: FPs with Aurora 2021-11-22 12:20:21 +01:00
Florian Roth 01189dcef2 fix: rule condition 2021-11-22 11:47:39 +01:00
Florian Roth d2e45afc3c fix: typo in filename - missing period 2021-11-22 11:40:17 +01:00
Florian Roth d3ec743906 fix: changed modified date 2021-11-22 11:38:37 +01:00
Florian Roth fbd8df5768 rule: lsass access suspicious flags 2021-11-22 11:37:09 +01:00
Florian Roth 24c4d51796 refactor: rule could possibly generate too many FPs 2021-11-22 11:28:32 +01:00
Florian Roth 7432aa37a0 refactor: lsass query info access 2021-11-22 11:02:01 +01:00
frack113 e5404785d3 Merge pull request #2290 from frack113/fix_fieldname
Fix field name in windows rules
2021-11-21 09:09:40 +01:00
frack113 2bdfcc9ac2 Merge pull request #2291 from remotephone/remotephone-t1036_006
Add Rule: MacOS - macos_space_after_filename.yml
2021-11-21 09:09:26 +01:00
remotephone be59ca0f01 Update macos_space_after_filename.yml
Fixing new line and updating change date
2021-11-20 15:54:24 -06:00
remotephone 9530d67834 Create macos_space_after_filename.yml
Adding coverage for macOS space after filename
2021-11-20 15:43:51 -06:00
frack113 bac2e9f35e Merge pull request #2285 from frack113/sigma2attack
Update Sigma2attack
2021-11-20 20:45:43 +01:00
frack113 bc61fbeee2 Merge pull request #2281 from orlinum/patch-2
Create win_ADCS_certificate_template_configuration_vulnerability.yml
2021-11-20 20:45:04 +01:00
frack113 3162b7ccfe Merge pull request #2280 from orlinum/patch-1
Create win_ADCS_certificate_template_configuration_vulnerability_EKU.yml
2021-11-20 20:44:42 +01:00
frack113 4425f9cbcd Update sigma2attack.py 2021-11-20 19:59:57 +01:00
Florian Roth 0da02fbc46 fix: image_load in sysmon doesn't contain a command line 2021-11-20 19:58:21 +01:00
frack113 76da6e3fcc Merge pull request #2289 from V1D1AN/master
add tag mitre t1041
2021-11-20 19:57:35 +01:00
Orlinum c37f7aede9 path modified to rules/windows/builtin/ 2021-11-20 19:38:00 +01:00
Orlinum 89c20b2b28 path modified to rules/windows/builtin/ 2021-11-20 19:37:55 +01:00
frack113 83dee26262 Update net_pua_cryptocoin_mining_xmr.yml 2021-11-20 19:20:07 +01:00
frack113 ebcfcfebf4 Fix field name 2021-11-20 19:14:59 +01:00
Florian Roth 3eeeb81d00 Merge pull request #2288 from SigmaHQ/rule-devel
fix: FPs; rule: Windows Shell File Write to Suspicious Folder
2021-11-20 18:27:26 +01:00
V1D1AN d4976b015c add tag mitre attack.t1496 and attack.t1567 2021-11-20 16:34:41 +01:00
V1D1AN c190668166 add tag mitre t1041 for equation group c2 2021-11-20 16:23:27 +01:00
V1D1AN 97645add5b Merge branch 'SigmaHQ:master' into master 2021-11-20 16:16:00 +01:00
Florian Roth ed4e771700 Merge pull request #2287 from frack113/tags
Add missing Mitre Techniques Tags for windows rules
2021-11-20 15:38:25 +01:00
Florian Roth 9cbc026f43 Merge pull request #2283 from Karneades/new-filehandler
rule: add new rule to detect the abuse of the exefile file handler
2021-11-20 15:37:42 +01:00