security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15,089 Commits 1 Branch 57 Tags
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
Commit Graph

15089 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth fe6c4cac9b Merge pull request #3553 from securepeacock/patch-29 
Update proc_creation_win_lolbins_by_office_applications.yml
 2022-10-03 19:54:52 +02:00
securepeacock 161c8e6c2c Update proc_creation_win_lolbins_by_office_applications.yml 
Adding msidb.exe references are below.
https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
 2022-10-03 11:56:06 -04:00
Thomas Patzke 5703e04e3a Merge pull request #3537 from mpgn/master 
Update datadog sigmac
 2022-10-03 14:16:49 +02:00
Nasreddine Bencherchali 809f45800e Update drivers list 2022-10-03 10:46:02 +02:00
frack113 5bd9dd76aa Redcannary rules 2022-10-02 11:34:33 +02:00
Florian Roth 41a7bdb250 Update proc_creation_win_susp_lolbin_non_c_drive.yml 2022-10-02 10:23:36 +02:00
Florian Roth 6af0e0c24f Apply suggestions from code review 2022-10-02 10:23:01 +02:00
Florian Roth 93004a3fd5 Update proc_creation_win_archiver_iso_phishing.yml 2022-10-02 10:21:04 +02:00
AaronHerman 47cd3d4e7b update for Image instead of CommandLine 2022-10-01 19:13:31 -05:00
AaronHerman 0710acf9e7 include any.run sample, add leading \ and filter env vars 2022-10-01 17:19:28 -05:00
Florian Roth abfcf34d5c Merge pull request #3550 from aaronherman/patch-2 
Update README for rule usage section
 2022-10-01 20:17:17 +02:00
Florian Roth 0612aec224 Update README.md 2022-10-01 20:10:41 +02:00
AaronHerman e8404ed146 updating title to conform with CICD 2022-10-01 12:05:22 -05:00
Aaron Herman 97fab49d09 Update README for rule usage section 
Based on line 3 where it mentions being inside of `./tools` directory, updating line 4 to include working example that I used
 2022-10-01 12:03:11 -05:00
AaronHerman ca5bad2c49 update description, removing regsvr since uses relative path 2022-10-01 11:53:52 -05:00
AaronHerman 42cc5d90f4 uppdate date 2022-10-01 11:50:53 -05:00
AaronHerman 5983bbfa50 Add rule for suspicious lolbin executing in non-c drive 2022-10-01 11:50:13 -05:00
Aaron Herman 580360b540 Update description typo 2022-10-01 10:52:35 -05:00
Florian Roth 3ae076f08d Merge pull request #3547 from SigmaHQ/rule-devel 
rules: Exchange exploitation, antSword UA
 2022-10-01 16:16:29 +02:00
Florian Roth 626a362e8f fix: missing condition 2022-10-01 16:09:53 +02:00
Florian Roth 65f531fb30 rule: Exchange Exploitation 2022-10-01 16:08:27 +02:00
Florian Roth b568328103 Merge branch 'master' into rule-devel 2022-10-01 16:08:13 +02:00
Florian Roth 76276f5bcb Merge pull request #3546 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed with Aurora
 2022-09-30 20:12:04 +02:00
Florian Roth cd8ed9870c fix: FPs noticed with Aurora 2022-09-30 20:01:07 +02:00
Nasreddine Bencherchali 7880e3a2b6 Fix FP 
Make the FP fix more broad to cover more future cases
 2022-09-29 22:29:47 +02:00
Nasreddine Bencherchali afb2e7567d Create web_cve_2022_36804_atlassian_bitbucket_command_injection.yml 2022-09-29 22:23:04 +02:00
Nasreddine Bencherchali 99a0c129ea Create registry_set_register_custom_protocol_handler.yml 2022-09-29 22:06:18 +02:00
Nasreddine Bencherchali bfc1d6a5b7 Create proc_creation_win_hh_chm_http.yml 2022-09-29 22:06:11 +02:00
Florian Roth 8341d505c4 Merge pull request #3543 from SigmaHQ/aurora-false-positive-fixing 
THOR false positive fixing
 2022-09-29 14:45:22 +02:00
Florian Roth f84cdd3b74 fix: filter definition 2022-09-29 14:07:38 +02:00
Florian Roth 14fdf75ab5 fix: FPs noticed with THOR 2022-09-29 13:51:09 +02:00
Florian Roth 5b5c261c98 Merge branch 'master' into aurora-false-positive-fixing 2022-09-29 13:41:25 +02:00
Florian Roth c31fe50f4d fix: FPs noticed in THOR testing 2022-09-29 13:41:20 +02:00
Florian Roth d8ff3339aa antSword webshell 2022-09-29 13:31:16 +02:00
Florian Roth 5e1b91a616 Merge pull request #3542 from nasbench/fix-false-positives 
Fix False Positives
 2022-09-29 12:54:29 +02:00
Nasreddine Bencherchali 47dbe6081d Update proc_creation_win_susp_conhost.yml 2022-09-29 12:15:10 +02:00
Tim Rauch 119c9f5275 fix: fixed rules after failed Sigma Rule Tests 2022-09-29 11:30:45 +02:00
Nasreddine Bencherchali cdd9aff032 Fix FP 2022-09-29 11:20:08 +02:00
Nasreddine Bencherchali e6d0f35c82 Merge branch 'SigmaHQ:master' into fix-false-positives 2022-09-29 11:16:56 +02:00
Nasreddine Bencherchali 6131c3df88 Revert "fix fp from testing" 
This reverts commit 94ec3126f7.
 2022-09-29 11:16:42 +02:00
Nasreddine Bencherchali 94ec3126f7 fix fp from testing 2022-09-29 11:15:10 +02:00
Florian Roth a888ecb8b8 Merge pull request #3535 from nasbench/nasbench-rule-devel 
New rules + update
 2022-09-29 11:01:29 +02:00
Florian Roth 5533d7367f Merge pull request #3539 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-09-29 11:01:13 +02:00
Tim Rauch 58e5b9f419 fix: removed ' from references 2022-09-29 10:21:01 +02:00
Tim Rauch 81a112e35b Fixed merge conflicts 2022-09-29 10:05:49 +02:00
Tim Rauch d35ea51136 Merge branch 'master' of https://github.com/Gude5/sigma 2022-09-29 09:57:29 +02:00
Tim Rauch 8695880f36 fix: fixed rulename 2022-09-29 09:55:14 +02:00
Florian Roth ec329f403a fix: Aurora FPs with Nvidia update 2022-09-28 19:31:22 +02:00
Florian Roth 428cb6ab74 Merge pull request #3538 from SigmaHQ/rule-devel 
fix: filter definition in userinit rule
 2022-09-28 17:26:34 +02:00
Florian Roth a563422c82 fix: filter definition in userinit rule 2022-09-28 17:08:23 +02:00