Commit Graph

10524 Commits

Author SHA1 Message Date
Florian Roth c331195637 fix: empty query in rule > bug 2022-03-24 15:17:29 +01:00
Florian Roth f7cd8e3424 fix: duplicate id 2022-03-24 11:41:26 +01:00
Florian Roth f3abef8b5f fix: indentation 2022-03-24 11:34:00 +01:00
Florian Roth a10011cd03 Merge branch 'master' into rule-devel 2022-03-24 10:08:43 +01:00
Florian Roth 53b450d377 rule: PowerShell Downloads 2022-03-24 09:16:12 +01:00
Florian Roth a90148c414 Merge pull request #2844 from redsand/fp_av_printernightmare_symantec_more_generic
FP another variation of symantec submitting file for analysis, reduce…
2022-03-23 17:40:09 +01:00
Florian Roth c57c9b5649 Merge pull request #2847 from SigmaHQ/rule-devel
fix: FP, refactor: scheduled task rule
2022-03-23 17:22:15 +01:00
Florian Roth 7c4d198498 fix: FPs with win32calc.exe 2022-03-23 16:31:45 +01:00
Florian Roth 535e6ce0cc refactor: scheduled task patterns 2022-03-23 09:09:43 +01:00
Tim Shelton 6ab396fd66 FP another variation of symantec submitting file for analysis, reduced words to catch both 2022-03-22 21:43:33 +00:00
Florian Roth 811560a37d Merge pull request #2843 from SigmaHQ/rule-devel
rule: new reg add tampering rules; some fixes
2022-03-22 16:42:54 +01:00
Florian Roth d8046b5989 rules: registry, tamper with Defender & LSA 2022-03-22 16:10:11 +01:00
Florian Roth 8b7eaae6ec fix: ServiceFileName in 7045 events 2022-03-22 14:41:25 +01:00
Florian Roth 63066ab5e1 Merge branch 'master' into rule-devel 2022-03-22 13:16:13 +01:00
Florian Roth 68542e20e9 fix: condition 2022-03-22 13:16:08 +01:00
Florian Roth 8b9fc64170 Merge pull request #2832 from frack113/redcannay
Redcannary
2022-03-21 15:03:03 +01:00
Florian Roth 3ddb83fc74 Merge pull request #2839 from phantinuss/master
hotfix: reenable rules check, might be refined later
2022-03-21 14:03:42 +01:00
phantinuss 470bdd5252 hotfix: reenable rules check, might be refined later 2022-03-21 13:35:30 +01:00
Florian Roth 792c52671f Merge pull request #2838 from phantinuss/master
fix: single list element
2022-03-21 13:04:56 +01:00
Florian Roth 35828985e0 refactor: rule extended 2022-03-21 12:59:14 +01:00
Florian Roth 007e52ccb9 rule: suspicious parents, susp powershell parent rule 2022-03-21 12:57:59 +01:00
phantinuss f1dcaa02f4 fix: single list element 2022-03-21 12:33:55 +01:00
Florian Roth 3f1b8ff727 Update posh_ps_susp_get_addefaultdomainpasswordpolicy.yml 2022-03-21 12:09:33 +01:00
Florian Roth 026428640e Update registry_event_set_nopolicies_user.yml 2022-03-21 12:06:50 +01:00
Florian Roth 682b4852fc Update registry_event_hide_fonction_user.yml 2022-03-21 12:04:29 +01:00
Florian Roth a50cd510a5 Update registry_event_disable_fonction_user.yml 2022-03-21 12:01:54 +01:00
Florian Roth 7ebdfda1b8 Update posh_ps_susp_get_addefaultdomainpasswordpolicy.yml 2022-03-21 11:54:45 +01:00
Florian Roth 816b11ab80 Merge branch 'master' into rule-devel 2022-03-21 11:19:22 +01:00
Florian Roth 056206627a minor changes to description and hash values 2022-03-21 11:19:05 +01:00
Florian Roth b4245c561c Merge pull request #2836 from SigmaHQ/rule-devel
fix: Service Installation 7045 field confusion
2022-03-21 11:18:29 +01:00
Florian Roth ce4cdf06f0 fix: Service Installation 7045 field confusion 2022-03-21 11:10:03 +01:00
Florian Roth dd46054e17 Merge pull request #2834 from redsand/fp_missing_sys32_dir_rundll32
Fp missing system32 dir rundll32 with invalid extension
2022-03-20 22:31:58 +01:00
Tim Shelton 5086cde0dd updating to ensure match against all system32 execution path 2022-03-20 19:48:51 +00:00
Tim Shelton 3da10f30d8 Adding additional filter for system32 2022-03-20 19:45:33 +00:00
Florian Roth 13402ac95c Merge pull request #2833 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-03-20 18:05:44 +01:00
Florian Roth 7b8ead3f9c Merge branch 'master' into aurora-false-positive-fixing 2022-03-20 17:59:58 +01:00
Florian Roth b3d19126c7 docs: add FP conditions 2022-03-20 16:21:35 +01:00
Florian Roth 811ed59e27 fix: FPs with Aurora and THOR 2022-03-20 16:18:18 +01:00
frack113 ab471b11ae Redcannary 2022-03-20 08:36:07 +01:00
frack113 1116a09c90 Merge pull request #2831 from SigmaHQ/revert-2826-redcannary_20220318
Revert "Redcannary"
2022-03-20 08:14:37 +01:00
frack113 45cfdab828 Revert "Redcannary" 2022-03-20 08:11:11 +01:00
frack113 eb66c5530e Merge pull request #2826 from frack113/redcannary_20220318
Redcannary
2022-03-20 08:11:07 +01:00
Florian Roth 2c82434ed2 Merge pull request #2827 from pH-T/master
new susp service installation rules
2022-03-18 21:44:29 +01:00
Florian Roth e7a3e70e0e Merge pull request #2828 from phantinuss/master
fix: FP with Sysinternals' handle
2022-03-18 21:44:08 +01:00
Florian Roth fc9027d80f Merge pull request #2830 from SigmaHQ/Neo23x0-patch-1
Update registry_event_powershell_in_run_keys.yml
2022-03-18 21:43:58 +01:00
Florian Roth ec7a9793d7 Update registry_event_powershell_in_run_keys.yml 2022-03-18 20:58:16 +01:00
phantinuss 3ab601b334 fix: FP with Sysinternals' handle 2022-03-18 17:06:53 +01:00
Paul Hager 68659cf5fd new susp service installation rules 2022-03-18 16:08:40 +01:00
frack113 1060009949 Redcannary 2022-03-18 11:15:05 +01:00
Florian Roth fbf1b8456c Merge pull request #2825 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with EdgeTransport sub processes
2022-03-18 11:04:10 +01:00