Commit Graph

2054 Commits

Author SHA1 Message Date
Austin Songer ab613af365 Update sysmon_atlassian_confluence_cve_2021_26084_exploit.yml 2021-09-22 22:24:24 -05:00
unknown 9924cc3946 win-apt-greenbug-fix amend b64 value of /server= as seen in IOC 2021-09-22 10:33:04 -04:00
unknown 3ace73f9fd win-apt-greenbug-fix - change modified date as well 2021-09-21 16:59:32 -04:00
unknown 993bf46550 win-apt-greenbug-fix small change to B64encoded value of '/server=' in detection criteria 2021-09-21 16:56:01 -04:00
frack113 4718f914e9 split global sysmon_hack_dumpert.yml 2021-09-21 10:43:42 +02:00
frack113 318f8b714e split global win_tool_psexec.yml 2021-09-21 10:10:48 +02:00
Florian Roth 8909eefb90 Merge pull request #2052 from phantinuss/pr
xwizard dll sideloading
2021-09-20 12:35:42 +02:00
phantinuss 25a407e24f Update win_dll_sideload_xwizard.yml 2021-09-20 10:56:37 +02:00
Florian Roth 6c630502dc Update win_dll_sideload_xwizard.yml 2021-09-20 10:54:53 +02:00
phantinuss 4e794fe3e7 xwizard dll sideloading 2021-09-20 10:39:31 +02:00
frack113 d5108502a2 split win_apt_chafer_mar18.yml 2021-09-19 11:48:20 +02:00
frack113 faff9e6db7 split win_apt_slingshot.yml 2021-09-19 11:36:40 +02:00
frack113 e69ec4624a split win_apt_gallium.yml 2021-09-19 11:24:17 +02:00
frack113 c43c12e557 split win_apt_turla_commands.yml 2021-09-19 11:17:50 +02:00
frack113 b576ad115b split win_apt_unidentified_nov_18.yml 2021-09-19 11:11:04 +02:00
frack113 06de91c92a split win_apt_wocao.yml 2021-09-19 11:07:24 +02:00
frack113 dc8ad15d1a split win_exchange_transportagent.yml 2021-09-19 11:03:16 +02:00
frack113 deb0ad5f58 split win_hktl_createminidump.yml 2021-09-19 10:19:34 +02:00
frack113 18e7e16005 split win_mal_adwind.yml 2021-09-19 10:12:03 +02:00
frack113 416b0556b1 split win_silenttrinity_stage_use.yml 2021-09-19 10:02:05 +02:00
frack113 7d000f2b1d split win_susp_winrm_AWL_bypass.yml 2021-09-19 09:41:17 +02:00
frack113 6dd4315f36 Merge pull request #2035 from frack113/fix_bad_category
Fix bad category in possible_privilege_escalation_via_service_registry_permissions
2021-09-17 06:35:29 +02:00
frack113 8a847e0538 Update process_creation_possible_privilege_escalation_via_service_registry_permissions.yml 2021-09-15 19:05:31 +02:00
frack113 973e0666ac Merge pull request #2020 from frack113/pc_global
Split some global process_creation rules
2021-09-15 19:03:30 +02:00
frack113 3b8282c221 fix detection 2021-09-15 16:21:30 +02:00
frack113 437ea3408b split sysmon_stickykey_like_backdoor.yml 2021-09-12 09:58:43 +02:00
frack113 81c2b2731c split sysmon_dns_serverlevelplugindll.yml 2021-09-12 09:53:20 +02:00
frack113 f3ad5953d5 split sysmon_apt_pandemic 2021-09-12 09:42:11 +02:00
frack113 3db427873a split sysinternals eula and uac bypass 2021-09-12 09:38:05 +02:00
frack113 830c0c9f22 Update process_creation_advanced_ip_scanner.yml 2021-09-12 08:53:10 +02:00
frack113 e355367c03 Clean SyncAppvPublishingServer rules 2021-09-12 07:46:35 +02:00
frack113 2223afb6fe split global rules 2021-09-11 20:30:32 +02:00
frack113 92999468ee Merge pull request #2012 from frack113/upgrade_test
Upgrade test_rules.py
2021-09-11 15:29:19 +02:00
frack113 d2e622f149 Merge pull request #2011 from d4rk-d4nph3/master
Added rule for Atlassian Confluence CVE-2021-26084
2021-09-11 07:24:58 +02:00
Austin Songer 57d349bfe5 Update process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:22 -05:00
Austin Songer 5aa5586c54 Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:11 -05:00
frack113 0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
frack113 ac9ea531ae Merge pull request #1956 from Cyb3rEng/master
Adding Various Rules To Monitor Process Creations in Sysmon, Event Logs & EDR
2021-09-10 10:47:23 +02:00
frack113 fe035388f0 Rename Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml to process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 10:02:19 +02:00
Florian Roth 3824a12323 style: fixed indentation level, order of fields 2021-09-10 09:33:52 +02:00
Florian Roth 59b9902502 style: fixed indentation level 2021-09-10 09:33:09 +02:00
frack113 3d147f528f Rename Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml to process_creation_command_execution_by_office_applications.yml 2021-09-10 09:23:00 +02:00
Bhabesh Rai 91081a7fbc Added rule for Atlassian Confluence CVE-2021-26084 2021-09-10 10:04:16 +05:45
Cyb3rEng bcd043dd01 Merge branch 'SigmaHQ:master' into master 2021-09-09 21:48:33 -06:00
Cyb3rEng 44e39ec3ac Changed title
changed title to stay within rule guideline
2021-09-09 21:43:35 -06:00
Cyb3rEng 5547d274a0 Changed Title
title: New LOLBin Process by Office Applications
2021-09-09 21:41:56 -06:00
Cyb3rEng 9a42b690bd changed id uuid to v4
8c6fd6fc-28fc-4597-a86a-fc1de20b039d
2021-09-09 21:30:02 -06:00
Cyb3rEng 8b9cf80be2 changed id uuid to v4
3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
2021-09-09 21:29:31 -06:00
Cyb3rEng d65881b752 changed id uuid to v4
04f5363a-6bca-42ff-be70-0d28bf629ead
2021-09-09 21:28:58 -06:00
Cyb3rEng a334ea167c changed id uuid to v4
c0e1c3d5-4381-4f18-8145-2583f06a1fe5
2021-09-09 21:28:17 -06:00