sreehari3
b2ca6754ea
mitre tags: Persistence (T1053), (T1053.005)
...
added those MITRE tags
2022-04-14 09:09:03 +05:30
Florian Roth
e4c8e62ba6
Merge pull request #2912 from SigmaHQ/rule-devel
...
CVE-2022-24527 Microsoft Connected Cache LPE
2022-04-13 20:07:25 +02:00
Paul Hager
aac1d47bef
fix: fixed typo in rule
2022-04-13 19:27:11 +02:00
Florian Roth
a10b8ae45b
fix: MITRE tags
2022-04-13 19:25:11 +02:00
Florian Roth
d8205de338
fix: typo in CVE number
2022-04-13 19:19:20 +02:00
Florian Roth
35770c7035
rule: CVE-2022-23527 LPE
...
https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
2022-04-13 19:18:15 +02:00
Florian Roth
3eafd9dfdb
Merge pull request #2910 from SigmaHQ/rule-devel
...
rule: RPCSS service process anomalies
2022-04-13 19:04:44 +02:00
Florian Roth
ed465ea36a
rule: RPCSS service process anomalies
2022-04-13 15:44:10 +02:00
Max Altgelt
98f313526d
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
megan201296
d6245133e3
Typo fix
...
Fix unfinished word "legitimate" in false positives
2022-04-12 11:05:09 -05:00
Florian Roth
76c730a831
Merge pull request #2903 from securepeacock/master
...
Update Netsh Firewall Enumeration
2022-04-12 17:24:51 +02:00
Florian Roth
482a2fdcf9
Update proc_creation_win_susp_netsh_command.yml
2022-04-12 07:55:58 +02:00
frack113
afa3fc9a41
Merge pull request #2901 from megan201296/patch-23
...
Change ATT&CK technique
2022-04-12 07:46:41 +02:00
securepeacock
3f7c77256a
Update proc_creation_win_susp_network_command.yml
2022-04-11 13:45:37 -04:00
securepeacock
162d577523
Update proc_creation_win_susp_network_command.yml
...
Added route print
2022-04-11 13:36:52 -04:00
securepeacock
38276d96b8
Update proc_creation_win_susp_netsh_command.yml
...
Update to catch other procedures for Firewall Enumerations like run cmd.exe /c netsh firewall show state & netsh firewall show config.
2022-04-11 13:06:15 -04:00
megan201296
c7a3834070
Change ATT&CK technique
...
Per source reference, the ADS rule is T1564.004 BUT copying/downloading files is T1105 (which in turn is C&C, not defense evasion)
2022-04-11 10:56:03 -05:00
megan201296
e01083a625
Change MITRE ATT&CK tactic ID
...
The subtechnique `.011` is specific to RunDLL32 proxy execution. There is no existing sub-technique specific to wuauclt.exe so only the top level technique should be referenced.
2022-04-11 10:41:46 -05:00
Florian Roth
955dffc4bc
Merge branch 'master' into rule-devel
2022-04-11 11:58:31 +02:00
Florian Roth
46ad590ab1
fix: errors in file access rule
2022-04-11 11:48:46 +02:00
Florian Roth
dff504c3b7
refactor: folder refactoring
...
- new folder for deprecated rules
- removed "etw" sub folder under windows
2022-04-11 11:35:19 +02:00
Florian Roth
2dee1faceb
fix: bug in browser cred store access rule
2022-04-11 11:34:24 +02:00
Florian Roth
a3457babca
Merge pull request #2893 from frack113/redcannary_20220409
...
New Redcannary Windows Tests
2022-04-09 21:03:26 +02:00
Florian Roth
cbec7b274e
Update proc_creation_win_susp_vaultcmd.yml
2022-04-09 20:02:34 +02:00
Florian Roth
2f0bce02ea
Update proc_creation_win_sqlite_firefox_cookies.yml
2022-04-09 20:01:54 +02:00
Florian Roth
217f7d3c3c
Update proc_creation_win_sqlite_firefox_cookies.yml
2022-04-09 19:43:03 +02:00
Florian Roth
87d06a4f6d
fix: remove rule causing many FPs
2022-04-09 19:33:55 +02:00
Florian Roth
ed90f8eefc
docs: reworked rule
2022-04-09 19:22:28 +02:00
Florian Roth
1a5fc46d8d
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2022-04-09 19:19:12 +02:00
Florian Roth
8030af2ea8
Merge pull request #2892 from frack113/file_access
...
Browser Credential Stealing
2022-04-09 19:18:28 +02:00
frack113
e59c55b85f
Update proc_creation_win_susp_vaultcmd.yml
2022-04-09 18:08:55 +02:00
frack113
89985b08c8
New Redcannary Windows Tests
2022-04-09 18:00:15 +02:00
frack113
efba7040f0
Add services FP
2022-04-09 17:51:01 +02:00
frack113
d8ae11b98c
Add file_access_win_browser_credential_stealing
2022-04-09 17:44:12 +02:00
Florian Roth
c18f246c23
docs: modified date
2022-04-08 16:33:19 +02:00
Florian Roth
8b2f23ffbb
fix: possible FP with Veeam software
2022-04-08 16:32:46 +02:00
Amrik
6bc5b8e29c
Fix: Typo in title
2022-04-07 19:30:00 -07:00
frack113
77e05ab762
Merge pull request #2887 from frack113/fix_tag
...
Update tags
2022-04-07 22:34:23 +02:00
Florian Roth
eab098e9f8
Merge pull request #2885 from secDre4mer/master
...
Add a couple of new rules
2022-04-07 19:00:52 +02:00
Florian Roth
e4503df4b1
Update proc_creation_win_powershell_public_folder.yml
2022-04-07 18:52:45 +02:00
frack113
7819a3b96e
Update tags
2022-04-07 14:46:58 +02:00
phantinuss
f5ca5c0579
fix: FPs from fresh Windows 2022 install
2022-04-07 14:15:44 +02:00
Max Altgelt
47c685553d
feat: Generate low sigma match for new credential logon
2022-04-07 10:50:50 +02:00
Max Altgelt
df41827266
feat: detect PS execution in public folder
2022-04-07 10:50:50 +02:00
Max Altgelt
3cddcc906d
feat: Add new rule for Creative Cloud node abuse
2022-04-07 10:50:50 +02:00
Max Altgelt
026490921c
fix: Add FP exclusion for vss_ps.dll load
...
The scheduled task that creates restore points apparently runs
rundll32.exe and loads this DLL.
2022-04-07 10:49:10 +02:00
Florian Roth
ac5346c2a5
Merge pull request #2881 from SigmaHQ/rule-devel
...
DumpMinitool Usage
2022-04-07 09:44:44 +02:00
Florian Roth
80d8010fbd
Merge pull request #2883 from phantinuss/checkbaseline
...
workflow: add checks against Windows 7 32-bit baseline
2022-04-06 19:00:15 +02:00
megan201296
b0eaf3fb5a
Rename proc_creation_win_coti_sqlcmd.yml to proc_creation_win_conti_sqlcmd.yml
...
Fix typo in rule name
2022-04-06 10:46:08 -05:00
phantinuss
9376859b06
fix: remove duplicate list entry
2022-04-06 17:14:34 +02:00