sreehari3
b2ca6754ea
MITRE tags: Persistence (T1053), (T1053.005)
...
added those MITRE tags
2022-04-14 09:09:03 +05:30
Florian Roth
e4c8e62ba6
Merge pull request #2912 from SigmaHQ/rule-devel
...
CVE-2022-24527 Microsoft Connected Cache LPE
2022-04-13 20:07:25 +02:00
Florian Roth
0758b76488
Merge pull request #2911 from redsand/hawk_cfg_update
...
Backend: updating hawk backend config, still pending file_rename and …
2022-04-13 20:07:12 +02:00
Florian Roth
6e3078fbf5
Merge pull request #2913 from pH-T/master
...
fix: fixed typo in rule
2022-04-13 20:06:47 +02:00
Paul Hager
aac1d47bef
fix: fixed typo in rule
2022-04-13 19:27:11 +02:00
Florian Roth
a10b8ae45b
fix: MITRE tags
2022-04-13 19:25:11 +02:00
Florian Roth
d8205de338
fix: typo in CVE number
2022-04-13 19:19:20 +02:00
Florian Roth
35770c7035
rule: CVE-2022-23527 LPE
...
https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
2022-04-13 19:18:15 +02:00
Florian Roth
3eafd9dfdb
Merge pull request #2910 from SigmaHQ/rule-devel
...
rule: RPCSS service process anomalies
2022-04-13 19:04:44 +02:00
Tim Shelton
83ece8c9ca
adding missing file_ entries
2022-04-13 15:57:54 +00:00
Tim Shelton
bca687a1ad
adding a couple more missing entries
2022-04-13 15:15:15 +00:00
Tim Shelton
500c97020f
Backend: updating hawk backend config, still pending file_rename and other file_ categories
2022-04-13 14:38:18 +00:00
Florian Roth
ed465ea36a
rule: RPCSS service process anomalies
2022-04-13 15:44:10 +02:00
Florian Roth
ecffc2e11e
Merge pull request #2908 from secDre4mer/master
...
fix: copy / paste issues
2022-04-13 09:33:48 +02:00
Max Altgelt
98f313526d
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
frack113
aa96f8003d
Merge pull request #2906 from megan201296/patch-24
...
Typo fix
2022-04-12 21:30:24 +02:00
megan201296
d6245133e3
Typo fix
...
Fix unfinished word "legitimate" in false positives
2022-04-12 11:05:09 -05:00
Florian Roth
76c730a831
Merge pull request #2903 from securepeacock/master
...
Update Netsh Firewall Enumeration
2022-04-12 17:24:51 +02:00
Florian Roth
482a2fdcf9
Update proc_creation_win_susp_netsh_command.yml
2022-04-12 07:55:58 +02:00
frack113
afa3fc9a41
Merge pull request #2901 from megan201296/patch-23
...
Change ATT&CK technique
2022-04-12 07:46:41 +02:00
frack113
dc3be676c9
Merge pull request #2900 from megan201296/patch-22
...
Change MITRE ATT&CK tactic ID
2022-04-12 07:43:44 +02:00
securepeacock
3f7c77256a
Update proc_creation_win_susp_network_command.yml
2022-04-11 13:45:37 -04:00
securepeacock
162d577523
Update proc_creation_win_susp_network_command.yml
...
Added route print
2022-04-11 13:36:52 -04:00
securepeacock
869535be95
Merge pull request #1 from securepeacock/securepeacock-patch-2
...
Update proc_creation_win_susp_netsh_command.yml
2022-04-11 13:06:41 -04:00
securepeacock
38276d96b8
Update proc_creation_win_susp_netsh_command.yml
...
Update to catch other procedures for firewall enumeration, like running cmd.exe /c netsh firewall show state & netsh firewall show config.
2022-04-11 13:06:15 -04:00
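To make the matching behaviour behind a change like this concrete, here is an added example (not the SigmaHQ rule proc_creation_win_susp_netsh_command.yml and not the contributor's code) that emulates a Sigma-style `CommandLine|contains|all` selection and runs it over constructed process-creation events. The selection, field names and sample events are all assumptions made for illustration.

```python
"""Emulate a Sigma-style `CommandLine|contains|all` selection for netsh
firewall enumeration and run it over constructed process-creation events.

Added example; this is NOT the SigmaHQ rule
proc_creation_win_susp_netsh_command.yml. The selection, field names and
sample events are constructed here for illustration.
"""
from typing import Dict, Iterable, List

# Hypothetical selection in Sigma's key|modifier syntax. `contains|all`
# requires every listed substring to appear (case-insensitively) in the
# field, so `cmd.exe /c netsh firewall show state` matches just as a bare
# `netsh firewall show config` does.
SELECTION: Dict[str, List[str]] = {
    "CommandLine|contains|all": ["netsh", "firewall", "show"],
}

# Constructed Sysmon-like process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"RecordNumber": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c netsh firewall show state"},
    {"RecordNumber": "2", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh firewall show config"},
    {"RecordNumber": "3", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "NETSH advfirewall firewall show rule name=all"},
    {"RecordNumber": "4", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface"},
    {"RecordNumber": "5", "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all"},
]


def _split_key(key: str):
    """Split `Field|mod1|mod2` into the field name and its modifier list."""
    field, *modifiers = key.split("|")
    return field, modifiers


def match_selection(event: Dict[str, str], selection: Dict[str, List[str]]) -> bool:
    """Return True when every key of the selection matches the event.

    Supports the Sigma modifiers `contains`, `startswith`, `endswith` and
    `all`; without `all`, any one listed value is enough (Sigma OR semantics).
    Matching is case-insensitive, as Sigma string matching is.
    """
    for key, values in selection.items():
        field, modifiers = _split_key(key)
        haystack = str(event.get(field, "")).lower()
        needles = [str(v).lower() for v in values]
        if "contains" in modifiers:
            hits = [n in haystack for n in needles]
        elif "startswith" in modifiers:
            hits = [haystack.startswith(n) for n in needles]
        elif "endswith" in modifiers:
            hits = [haystack.endswith(n) for n in needles]
        else:
            hits = [haystack == n for n in needles]
        matched = all(hits) if "all" in modifiers else any(hits)
        if not matched:
            return False
    return True


def detect(events: Iterable[Dict[str, str]],
           selection: Dict[str, List[str]] = SELECTION) -> List[str]:
    """Return the RecordNumbers of the events the selection fires on."""
    return [e["RecordNumber"] for e in events if match_selection(e, selection)]


if __name__ == "__main__":
    for rec in detect(SAMPLE_EVENTS):
        print("firewall enumeration, RecordNumber", rec)
```

Note that `contains|all` on `netsh`, `firewall`, `show` is broader than an exact list of `netsh firewall show state` / `netsh firewall show config`: it also fires on the `netsh advfirewall firewall show ...` form (record 3 above) while leaving `netsh interface show interface` alone. Whether that breadth is wanted, and which administrative tooling to carve out with a filter, is an environment-specific tuning decision.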
megan201296
c7a3834070
Change ATT&CK technique
...
Per source reference, the ADS rule is T1564.004 BUT copying/downloading files is T1105 (which in turn is C&C, not defense evasion).
2022-04-11 10:56:03 -05:00
megan201296
e01083a625
Change MITRE ATT&CK tactic ID
...
The sub-technique `.011` is specific to RunDLL32 proxy execution. There is no existing sub-technique specific to wuauclt.exe, so only the top-level technique should be referenced.
2022-04-11 10:41:46 -05:00
Florian Roth
54d141eb58
Merge pull request #2899 from SigmaHQ/rule-devel
...
fix: errors in file access rule
2022-04-11 12:05:31 +02:00
Florian Roth
955dffc4bc
Merge branch 'master' into rule-devel
2022-04-11 11:58:31 +02:00
Florian Roth
46ad590ab1
fix: errors in file access rule
2022-04-11 11:48:46 +02:00
Florian Roth
6c765caf42
Merge pull request #2898 from SigmaHQ/structure-refactoring
...
Structure refactoring
2022-04-11 11:44:25 +02:00
Florian Roth
dff504c3b7
refactor: folder refactoring
...
- new folder for deprecated rules
- removed "etw" sub folder under windows
2022-04-11 11:35:19 +02:00
Florian Roth
2dee1faceb
fix: bug in browser cred store access rule
2022-04-11 11:34:24 +02:00
frack113
525df9775a
Merge pull request #2896 from hitenkoku/hitenkoku-patch-1
...
changed windows-bits-client Channel
2022-04-10 14:59:01 +02:00
DustInDark
1a7e03c96b
changed windows-bits-client Channel
...
The windows-bits-client tag converted to `WinEventlog:Microsoft-Windows-Bits-Client/Operational`, but other channels do not add `WinEventLog:`.
Removed "WinEventlog" to unify with other channel conversions.
e.g.: https://answers.microsoft.com/en-us/windows/forum/all/unknown-events-in-windowsbits-clientoperational/c0856f82-44a2-4998-9a3b-9d6eda328136
2022-04-10 21:18:53 +09:00
Florian Roth
a3457babca
Merge pull request #2893 from frack113/redcannary_20220409
...
New Redcannary Windows Tests
2022-04-09 21:03:26 +02:00
Florian Roth
cbec7b274e
Update proc_creation_win_susp_vaultcmd.yml
2022-04-09 20:02:34 +02:00
Florian Roth
2f0bce02ea
Update proc_creation_win_sqlite_firefox_cookies.yml
2022-04-09 20:01:54 +02:00
Florian Roth
217f7d3c3c
Update proc_creation_win_sqlite_firefox_cookies.yml
2022-04-09 19:43:03 +02:00
Florian Roth
a46b6d751c
Merge pull request #2895 from SigmaHQ/aurora-false-positive-fixing
...
fix: removed base64 encoded param rule - too many FPs
2022-04-09 19:40:04 +02:00
Florian Roth
87d06a4f6d
fix: remove rule causing many FPs
2022-04-09 19:33:55 +02:00
Florian Roth
ddfb7613fa
Merge branch 'master' into aurora-false-positive-fixing
2022-04-09 19:33:10 +02:00
Florian Roth
e8378779ea
Merge pull request #2894 from SigmaHQ/rule-devel
...
Reworked some rules and meta data
2022-04-09 19:30:56 +02:00
Florian Roth
0857670a0c
fix: removed base64 encoded param
2022-04-09 19:25:46 +02:00
Florian Roth
ed90f8eefc
docs: reworked rule
2022-04-09 19:22:28 +02:00
Florian Roth
1a5fc46d8d
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2022-04-09 19:19:12 +02:00
Florian Roth
8030af2ea8
Merge pull request #2892 from frack113/file_access
...
Browser Credential Stealing
2022-04-09 19:18:28 +02:00
frack113
e59c55b85f
Update proc_creation_win_susp_vaultcmd.yml
2022-04-09 18:08:55 +02:00
frack113
89985b08c8
New Redcannary Windows Tests
2022-04-09 18:00:15 +02:00
frack113
efba7040f0
Add services FP
2022-04-09 17:51:01 +02:00