security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6,918 Commits 1 Branch 57 Tags
ccaffc79f7c5be8aec26bce30310d3ec82cc751c
Commit Graph

6918 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
frack113 ccaffc79f7 update ref win_susp_psr_capture_screenshots.yml 2021-07-30 08:40:21 +02:00
frack113 dfa28944d0 update ref in sysmon_creation_mavinject_dll.yml 2021-07-30 08:31:37 +02:00
frack113 e33ec91b9a add powershell_keylogging.yml 2021-07-30 08:28:19 +02:00
frack113 38ede57cb4 add powershell_suspicious_recon.yml 2021-07-30 08:20:51 +02:00
frack113 eff6b50a89 add process_creation_susp_recon.yml 2021-07-30 08:15:13 +02:00
Florian Roth 03b68dcf10 Merge pull request #1756 from frack113/small_fix 
fix duplicate UUID
 2021-07-29 18:14:02 +02:00
Florian Roth f06f8a1191 Merge pull request #1757 from wietze/fix/carbon-black-eedr/field_renames 
[CarbonBlack EEDR] Several updates to config file
 2021-07-29 18:13:47 +02:00
Florian Roth d7710cdf03 Merge pull request #1758 from wietze/fix/carbon-black/hyphen 
[CarbonBlack] Adding extra escape character
 2021-07-29 18:13:17 +02:00
Wietze 687631ee20 Several updates to CarbonBlack EEDR config 2021-07-29 14:09:37 +01:00
Wietze e0d6856987 [CarbonBlack] Adding extra escape character 
Hyphens, especially when at the start of a query, need escaping since hyphens are also used to negate conditions
 2021-07-29 13:57:58 +01:00
Florian Roth 5ce5465559 Merge pull request #1755 from SigmaHQ/rule-devel 
Different rule updates
 2021-07-28 18:56:28 +02:00
frack113 bd123536df fix duplicate UUID 2021-07-28 18:19:23 +02:00
Florian Roth 8787e338bd Merge pull request #1734 from austinsonger/aws_elasticache_security_group_modified_or_deleted.yml 
aws_elasticache_security_group_modified_or_deleted.yml
 2021-07-28 16:25:39 +02:00
Florian Roth 358ec255a1 Merge pull request #1736 from austinsonger/azure_kubernetes_pods_delete.yml 
azure_kubernetes_pods_deleted.yml
 2021-07-28 16:25:19 +02:00
Florian Roth 3c6c2db11d Merge pull request #1737 from austinsonger/azure_kubernetes_events_deleted.yml 
azure_kubernetes_events_deleted.yml
 2021-07-28 16:25:05 +02:00
Florian Roth 25283948fc Merge pull request #1741 from austinsonger/aws_sts_getsessiontoken_misuse.yml 
aws_sts_getsessiontoken_misuse.yml
 2021-07-28 16:24:53 +02:00
Florian Roth 7c78f40372 Merge pull request #1744 from gliptak/patch-3 
Add yamllint to GHA
 2021-07-28 16:24:33 +02:00
Florian Roth 77c8225db3 Merge pull request #1745 from frack113/redcanary_t1115 
[OSCD]  process_creation_clip.yml t1115
 2021-07-28 16:24:15 +02:00
Florian Roth f57f5931ed Merge pull request #1746 from frack113/tune_sysmon_office_vsto_persistence.yml 
Tune sysmon_office_vsto_persistence.yml
 2021-07-28 16:23:49 +02:00
Florian Roth 59a93ef964 Merge pull request #1747 from frack113/tune_sysmon_taskcache_entry.yml 
Tune sysmon_taskcache_entry.yml
 2021-07-28 16:23:38 +02:00
Florian Roth c3eced4ae7 Merge pull request #1748 from frack113/update_win_susp_rar_flags.yml 
update win_susp_rar_flags.yml
 2021-07-28 16:23:14 +02:00
Florian Roth dc4380d459 Merge pull request #1750 from frack113/redcanary_t1560.001_winzip 
[OSCD] Redcanary t1560.001 winzip
 2021-07-28 16:22:48 +02:00
Florian Roth 321a15d004 Merge pull request #1751 from frack113/redcanary_t1560.001_7zip 
[OSCD] Redcanary t1560.001 7z
 2021-07-28 16:22:31 +02:00
Florian Roth 7688806c5e Merge pull request #1752 from frack113/test_author 
Add test_optional_author to test_rules.py
 2021-07-28 16:22:10 +02:00
Florian Roth 6d5e695cd1 Merge pull request #1753 from frack113/redcanary_t1119 
Redcanary t1119
 2021-07-28 16:21:40 +02:00
Florian Roth 4879b32081 Merge pull request #1754 from wietze/fix/local_path 
Fixing exception caused by incorrect type of passed 'path' parameter
 2021-07-28 16:21:11 +02:00
Florian Roth 7f820c7b29 rule updates 2021-07-28 16:20:21 +02:00
Wietze 46da416ad1 Fixing exception caused by incorrect type of passed 'path' parameter 2021-07-28 14:43:51 +01:00
Florian Roth aefd50f049 fix: avoid FPs with HTool string 2021-07-28 14:23:54 +02:00
frack113 2758c1aa93 add powershell_automated_collection.yml 2021-07-28 14:14:02 +02:00
frack113 8a885dd098 add process_creation_automated_collection.yml 2021-07-28 13:17:40 +02:00
Austin Songer 5818a0debe Update aws_elasticache_security_group_modified_or_deleted.yml 2021-07-27 17:14:28 -05:00
frack113 6b076d4360 Add test_optional_author 2021-07-27 19:14:00 +02:00
Florian Roth 87a911a15e Update process_creation_susp_7z.yml 2021-07-27 16:02:09 +02:00
Florian Roth 428995d00e Update process_creation_susp_7z.yml 2021-07-27 15:24:39 +02:00
Florian Roth c31bc05aae Update process_creation_susp_7z.yml 2021-07-27 15:22:44 +02:00
frack113 54e6e36ecc add process_creation_susp_7z.yml 2021-07-27 12:54:39 +02:00
Florian Roth ee85fdfa3f Merge pull request #1749 from SigmaHQ/rule-devel 
CobaltStrike Process Patterns and minor fixes
 2021-07-27 12:52:22 +02:00
Florian Roth 5d039dd138 rule: Cobalt Strike patterns 2021-07-27 11:24:40 +02:00
frack113 ea56db2bed forget date field 2021-07-27 11:09:35 +02:00
frack113 227e4bca13 add process_creation_susp_winzip.yml 2021-07-27 10:57:32 +02:00
frack113 8b82fbf36b update detection 2021-07-27 10:34:46 +02:00
Florian Roth 90ca1a8ad2 fix: bug in author field (cannot be a list) 2021-07-27 10:14:53 +02:00
Florian Roth 1a538371c9 fix: bug in author field (not list) 2021-07-27 10:14:03 +02:00
frack113 7287a46f2f Tune false positive 2021-07-27 10:05:57 +02:00
frack113 f3bcffeb0a Tune false positive 2021-07-27 09:58:00 +02:00
frack113 8aa79b9d86 add process_creation_clip.yml 2021-07-27 08:50:03 +02:00
Florian Roth cf221c08c8 Merge pull request #1743 from BlackB0lt/patch-13 
Create aws_macic_evasion
 2021-07-27 08:08:08 +02:00
Florian Roth cbadb3c239 Merge pull request #1740 from austinsonger/aws_sts_assumedrole_misuse.yml 
aws_sts_assumedrole_misuse.yml
 2021-07-27 08:07:25 +02:00
Florian Roth ade5e80f9d Update azure_kubernetes_events_deleted.yml 2021-07-27 08:07:00 +02:00