security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15,089 Commits 1 Branch 57 Tags
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
Commit Graph

4601 Commits

Author SHA1 Message Date
Florian Roth 787bb9b32c refactor: adding OriginalFilename for better coverage 2022-04-27 11:30:09 +02:00
Florian Roth 5b2374475d fix: FP with whoami child 2022-04-26 17:28:17 +02:00
Florian Roth 55133898ee Revert "rule: suspicious PowerShell sub processes" 
This reverts commit e9adb6a8ca.
 2022-04-26 17:05:41 +02:00
Florian Roth e9adb6a8ca rule: suspicious PowerShell sub processes 2022-04-26 17:04:39 +02:00
Florian Roth f743062963 rule: KrbRelayUp usage 2022-04-26 16:43:50 +02:00
Florian Roth 0a55406444 fix: wording on two rules 2022-04-26 16:43:44 +02:00
frack113 914a2c71c8 Merge pull request #2940 from frack113/redcannary_20220424 
Redcannary T1218.007
 2022-04-26 06:23:09 +02:00
Aegide 06954761ab Update proc_creation_win_susp_whoami.yml 
minor typo
 2022-04-25 21:11:06 +02:00
frack113 fe4916e718 add proc_creation_win_msiexec_dll 2022-04-24 15:03:27 +02:00
Florian Roth e36c646933 Merge pull request #2932 from SigmaHQ/rule-devel 
Password Recon Rules
 2022-04-21 13:38:04 +02:00
phantinuss 13e31e8383 fix: FPs found in win2022 domain controller baseline 2022-04-21 10:48:59 +02:00
Florian Roth 9b2c35daa1 docs: false positive condition added 2022-04-21 09:13:06 +02:00
Florian Roth c7dada5e21 rule: invocation of key manager 2022-04-21 09:12:41 +02:00
Florian Roth 6e594875f3 refactor: cmdkey extended coverage 2022-04-21 09:12:13 +02:00
Florian Roth c85ad7b138 fix: event collectors that include spaces in cmd 2022-04-21 07:54:08 +02:00
Florian Roth fbba1e9c94 Merge branch 'master' into rule-devel 2022-04-21 07:52:54 +02:00
Paul Hager fc3c637bde fix: author remove 2022-04-20 19:35:59 +02:00
Florian Roth 50ca09c6a4 Merge branch 'master' into rule-devel 2022-04-20 17:54:11 +02:00
Paul Hager a71833767c new rule 2022-04-20 10:48:30 +02:00
Florian Roth f85ccba575 Merge pull request #2927 from humpalum/patch-5 
fix: Comma in title seems to break splunk search
 2022-04-19 18:51:31 +02:00
Florian Roth b30540f644 Merge pull request #2926 from pH-T/master 
new rule: Suspicious Powershell Execution
 2022-04-19 18:51:18 +02:00
Florian Roth 7f84e094c7 Merge pull request #2923 from frack113/7zip 
add proc_creation_win_7zip_cve_2022_29072
 2022-04-19 18:51:06 +02:00
frack113 7802601b7c Update proc_creation_win_7zip_cve_2022_29072.yml 2022-04-19 17:53:34 +02:00
Florian Roth 76bc06358e Update proc_creation_win_7zip_cve_2022_29072.yml 2022-04-19 17:35:40 +02:00
Florian Roth 938bd15d95 Update proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml 2022-04-19 17:32:39 +02:00
Florian Roth c9bae754a6 Update proc_creation_win_schtasks_powershell_windowsapps_execution.yml 2022-04-19 17:31:01 +02:00
Florian Roth fee402c183 Update proc_creation_win_7zip_cve_2022_29072.yml 2022-04-19 17:26:39 +02:00
Florian Roth c05bfce733 Update proc_creation_win_7zip_cve_2022_29072.yml 2022-04-19 17:25:25 +02:00
Florian Roth a1ded56b1f Update proc_creation_win_msiexec_embedding.yml 2022-04-19 17:23:45 +02:00
Tobias Michalski 992e70032e fix: Comma in title seems to break splunk search 
Most likely it comes from a bad parsing by Sigma2Splunkalert but since it is unmaintained and this is the only rule with a comma in title, this is the easy fix. 

Error in 'inputlookup' command: Invalid argument:
'_Privileged_Console_Access_whitelist.csv'

[| inputlookup "Using_Sticky-keys_To_Obtain_Unauthenticated,_Privileged_Console_Access_whitelist.csv]
 2022-04-19 17:22:01 +02:00
Paul Hager 93689d6029 new rule 2022-04-19 16:16:11 +02:00
frack113 174a34a9eb add proc_creation_win_7zip_cve_2022_29072 2022-04-17 12:36:04 +02:00
frack113 4df63f2c81 Add proc_creation_win_msiexec_embedding 2022-04-16 16:22:39 +02:00
Florian Roth 57a4bab682 rule: suspicious schtasks rule 2022-04-15 18:22:28 +02:00
Florian Roth 56f80cb0fc Merge pull request #2918 from SigmaHQ/rule-devel 
refactor: proposed changes from issue #2917
 2022-04-15 08:05:44 +02:00
Florian Roth d3ddefe096 refactor: proposed changes from issue #2917 
https://github.com/SigmaHQ/sigma/issues/2917
 2022-04-14 16:57:30 +02:00
frack113 6857301e6c Update proc_creation_win_apt_actinium_persistence.yml 2022-04-14 09:59:45 +02:00
sreehari3 b2ca6754ea mitre tags: Persistence (T1053) ,(T1053.005) 
added those  MITRE tags
 2022-04-14 09:09:03 +05:30
Florian Roth 3eafd9dfdb Merge pull request #2910 from SigmaHQ/rule-devel 
rule: RPCSS service process anomalies
 2022-04-13 19:04:44 +02:00
Florian Roth ed465ea36a rule: RPCSS service process anomalies 2022-04-13 15:44:10 +02:00
Max Altgelt 98f313526d fix: copy / paste issues 2022-04-13 09:23:08 +02:00
megan201296 d6245133e3 Typo fix 
Fix unfinished word "legitimate" in false positives
 2022-04-12 11:05:09 -05:00
Florian Roth 76c730a831 Merge pull request #2903 from securepeacock/master 
Update Netsh Firewall Enumeration
 2022-04-12 17:24:51 +02:00
Florian Roth 482a2fdcf9 Update proc_creation_win_susp_netsh_command.yml 2022-04-12 07:55:58 +02:00
frack113 afa3fc9a41 Merge pull request #2901 from megan201296/patch-23 
Change ATT&CK technique
 2022-04-12 07:46:41 +02:00
securepeacock 3f7c77256a Update proc_creation_win_susp_network_command.yml 2022-04-11 13:45:37 -04:00
securepeacock 162d577523 Update proc_creation_win_susp_network_command.yml 
Added route print
 2022-04-11 13:36:52 -04:00
securepeacock 38276d96b8 Update proc_creation_win_susp_netsh_command.yml 
Update to catch other procedures for Firewall Enumerations like run cmd.exe /c netsh firewall show state & netsh firewall show config.
 2022-04-11 13:06:15 -04:00
megan201296 c7a3834070 Change ATT&CK technique 
Per source reference, the ADS rule is T1564.004 BUT copying/downloading files is T1105 (hwich in turn is C&C, not defense evasion"
 2022-04-11 10:56:03 -05:00
megan201296 e01083a625 Change MITRE ATT&CK tactic ID 
The subtechnique `.011` is  specific to RunDLL32 proxy execution. There is no existing sub-technique specific to wuauclt.exe so only the top level technique should be referenced.
 2022-04-11 10:41:46 -05:00