security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,160 Commits 1 Branch 57 Tags
c2e5ca2f128b570a7cc57524fb350f38c19fd85e
Commit Graph

6631 Commits

Author SHA1 Message Date
frack113 6e41ecdaaf Merge pull request #3059 from c3rb3ru5d3d53c/patch-1 
Follina — a Microsoft Office code execution vulnerability
 2022-05-30 06:50:53 +02:00
frack113 18dc60858a Fix selection1 2022-05-30 06:44:45 +02:00
c3rb3ru5 7cd648a1ed Update proc_creation_win_lolbins_by_office_applications.yml 
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
 2022-05-29 21:28:35 -03:00
Nasreddine Bencherchali e9d18b5075 Create proc_creation_win_msdt.yml 2022-05-29 12:53:45 +01:00
frack113 ff6c54ded6 Merge pull request #3044 from redsand/fp_file_event_win_webshell_creation 
FP: System image (driver) restoring files. Valid behavior
 2022-05-27 15:11:58 +02:00
frack113 61ee06897a Merge pull request #3054 from redsand/fp_proc_creation_ibm_desktop 
FP: IBM ClientSolutions is valid directory
 2022-05-27 07:00:01 +02:00
frack113 dc6640678a Merge pull request #3053 from redsand/fp_net_connection_from_desktop_ibm 
Fp net connection from desktop ibm
 2022-05-27 06:58:45 +02:00
Tim Shelton b1cbac0ae3 Adjusting condition 2022-05-26 18:39:22 +00:00
Tim Shelton 5e2e776bce Adjusting condition 2022-05-26 18:38:12 +00:00
Tim Shelton b35cb0d315 Merge branch 'master' of https://github.com/redsand/sigma into fp_file_event_win_webshell_creation 2022-05-26 18:31:37 +00:00
Tim Shelton 48e37241dd FP: IBM ClientSolutions is valid directory 2022-05-26 18:25:43 +00:00
Tim Shelton 8ac66efd73 updating modified 2022-05-26 18:17:40 +00:00
Tim Shelton 13d68d9671 False positive on IBM Client Solutions 2022-05-26 18:16:55 +00:00
Tim Shelton c1ef20761a Fixing condition 2022-05-26 16:14:37 +00:00
Tim Shelton 9086efa5cd Updating meta 2022-05-26 16:13:22 +00:00
Tim Shelton 295a984d89 Fixing order of items in yaml 2022-05-26 16:12:31 +00:00
Tim Shelton 879fccd266 merging locally 2022-05-26 15:27:13 +00:00
Tim Shelton b78386d372 FP: ignore Amazon aws powershell 2022-05-26 14:45:00 +00:00
Tim Shelton 8ef2a37fda clean up condition 2022-05-25 20:24:47 +00:00
phantinuss b80eb411ab Merge pull request #3032 from frack113/lolbin_20220522 
Add lolbas cl script
 2022-05-25 12:02:44 +02:00
phantinuss e475deaf4d Update proc_creation_win_lolbas_cl_mutexverifiers.yml 2022-05-25 11:56:52 +02:00
phantinuss 3bdf29033a Update proc_creation_win_lolbas_cl_loadassembly.yml 2022-05-25 11:55:37 +02:00
frack113 f737ba6e95 Fix duplicate cast 2022-05-25 11:19:09 +02:00
Tim Shelton 7369908284 fixing yaml syntax check 2022-05-24 22:52:04 +00:00
Tim Shelton 9a3fc4f543 FP: System image (driver) restoring files. Valid behavior 2022-05-24 22:31:05 +00:00
Nasreddine Bencherchali c3d807f53a Add More Malicious PowerShell Script/Cmdlet Names 2022-05-24 22:02:08 +01:00
Florian Roth c7b90f108f Merge pull request #3039 from jstnk9/master 
New sigma rule to detect the use of Jlaive antivirus defense evasion
 2022-05-24 20:25:42 +02:00
Florian Roth a6202f7961 Merge pull request #3041 from SigmaHQ/rule-devel 
refactor: old rule additions, rule: new powershell rules
 2022-05-24 20:24:42 +02:00
Florian Roth 4b100116d4 Merge pull request #3031 from CD-R0M/master 
Create proc_creation_win_rundll32_parent_explorer.yml
 2022-05-24 20:19:11 +02:00
Florian Roth 0e62d5b204 fix: bugs in rules 2022-05-24 20:18:41 +02:00
Florian Roth 37cef9b153 rule: PowerShell obfuscate Net.WebClient 2022-05-24 15:20:21 +02:00
Florian Roth 642a334d9e rule: suspicious PowerShell encoded command patterns 2022-05-24 15:20:01 +02:00
Florian Roth a296bfe667 rule: suspicious anydesk start location 2022-05-24 15:19:45 +02:00
Florian Roth 9d11505aa8 refactor: rule additions 2022-05-24 15:19:25 +02:00
jstnk9 6f1602d243 New sigma rule to detect the use of Jlaive antivirus defense evasion 2022-05-24 02:40:08 +02:00
Tim Shelton 0fb943dc2c FP: fixing modifier 2022-05-23 21:43:43 +00:00
Tim Shelton c807191ab7 FP: filtering out Amaazon AWS header 2022-05-23 21:41:13 +00:00
CD-R0M 87de0d39db Update proc_creation_win_rundll32_parent_explorer.yml 2022-05-23 16:49:40 -04:00
phantinuss 61c10d73e0 fix: FP found in testing environment 2022-05-23 16:45:27 +02:00
CD-R0M 9c26e12358 Update proc_creation_win_rundll32_parent_explorer.yml 2022-05-22 15:23:25 -04:00
CD-R0M e9976bc3db Update proc_creation_win_rundll32_parent_explorer.yml 2022-05-22 15:21:41 -04:00
frack113 03b304e6c4 Add lolbas cl script 2022-05-22 12:33:09 +02:00
CD-R0M 1e728d9598 Create proc_creation_win_rundll32_parent_explorer.yml 2022-05-21 17:07:31 -04:00
Florian Roth bea6f18d35 Merge pull request #3024 from redsand/win_system_susp_eventlog_cleared 
Making a derived detection for system/application/security event logs…
 2022-05-20 20:56:00 +02:00
Florian Roth 946e4582a3 Merge pull request #3030 from SigmaHQ/aurora-false-positive-fixing 
fix: detection with Windows Defender
 2022-05-20 20:05:43 +02:00
Florian Roth e86d007d35 Merge pull request #3027 from elhoim/rename_suspicious 
Renamed suspicious in filenames to susp
 2022-05-20 19:28:24 +02:00
Florian Roth e8f59c8d0f fix: detection with Windows Defender 2022-05-20 19:27:48 +02:00
MatilJ 10f0a82b94 Fix detection 2022-05-19 21:09:47 +03:00
Tim Shelton 600a7cd0e8 Re-adding accidently removed entry 2022-05-19 17:16:39 +00:00
Tim Shelton 60e6a147b4 merging remote change 2022-05-19 16:11:58 +00:00