Commit Graph

15089 Commits

Author SHA1 Message Date
Ali Saad Jaffer(ali42201) f62f2bb902 fix case on author for consistency 2022-08-18 17:48:44 -04:00
Nasreddine Bencherchali ed907f36d1 Update ID 2022-08-18 18:57:14 +01:00
Nasreddine Bencherchali 0e40cee045 Update rules 2022-08-18 18:22:28 +01:00
frack113 66c61877ed Merge pull request #3398 from redsand/fp_missellings_again
Fixing spelling mistake. Same as found the other day
2022-08-18 18:51:04 +02:00
frack113 1675f50eb8 Merge pull request #3394 from danielgottt/patch-5
Create web_cve_2022_27925_exploit.yml
2022-08-18 18:45:35 +02:00
frack113 4316d9c500 Update condition 2022-08-18 18:38:14 +02:00
frack113 991560a746 Merge pull request #3392 from ionsor/patch-5
Create net_connection_win_dead_drop_resolvers.yml
2022-08-18 18:29:45 +02:00
Gott a9f22696d8 Update web_cve_2022_27925_exploit.yml
consolidated selection logic and stripped "cs-cookie: 'ZM_AUTH_TOKEN'", as it is most likely not logged
2022-08-18 12:27:58 -04:00
frack113 d94a538347 Merge pull request #3384 from sorchaa/patch-1
Create win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
2022-08-18 18:24:15 +02:00
frack113 1cb8e91487 Update win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml 2022-08-18 18:17:30 +02:00
Tim Shelton 9ddf0ce735 spelling mistake 2022-08-18 15:51:43 +00:00
Tim Shelton 65db776a9b Fixing spelling mistake. Same as found the other day 2022-08-18 15:49:23 +00:00
Nasreddine Bencherchali 234484c399 Add rules 2022-08-18 15:30:17 +01:00
Nasreddine Bencherchali faa3f6b636 Create driver_load_vuln_drivers.yml 2022-08-18 13:45:25 +01:00
Gott c1dc90f9ed Update web_cve_2022_27925_exploit.yml
Added additional logic looking for a call to an uploaded webshell, with a 200 response
2022-08-18 07:30:23 -04:00
Gott 224e30c3f4 Update web_cve_2022_27925_exploit.yml
corrected issues surrounding the sigma checks and added an additional reference
2022-08-18 07:25:29 -04:00
Florian Roth 7f7fb6ab47 Merge branch 'master' into rule-devel 2022-08-18 13:02:29 +02:00
Florian Roth fe041ad3d4 HandleKatz usage 2022-08-18 13:02:20 +02:00
Florian Roth 2c0b9c11be Quasar RAT UA 2022-08-18 13:02:11 +02:00
Axel Olsson 47ecbe65a2 Rename file to start with proxy_ to follow standard 2022-08-18 09:36:23 +02:00
Tomasuh 8c339653c7 Feedback implemented 2022-08-18 09:34:53 +02:00
sorchaa 12f3307747 Update win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
test_rules.py passed
2022-08-18 09:17:05 +02:00
sorchaa 95eeb3cebd Update win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml 2022-08-18 08:55:23 +02:00
Tim Shelton 8c027a17f2 FP: another false positive on using cmd exec to query service stats... maybe there's a vuln opportunity here? 2022-08-18 04:51:38 +00:00
frack113 df9477c8ca Merge pull request #3393 from frack113/order_placeholder
Order placeholder rules
2022-08-18 06:25:43 +02:00
Nasreddine Bencherchali af765e6055 Update image_load_side_load_third_party_location.yml 2022-08-17 20:33:44 +01:00
Nasreddine Bencherchali 52f26a14a2 Rule Update 2022-08-17 20:27:55 +01:00
Gott 405b9aa563 Create web_cve_2022_27925_exploit.yml 2022-08-17 15:22:44 -04:00
frack113 288461ddbe Order placeholder rules 2022-08-17 21:05:34 +02:00
Mark Morowczynski 7a5d715d83 Last remaining AAD SecOps Guide rules (#3364)
* Last remaining AAD SecOps Guide rules
2022-08-17 20:57:58 +02:00
frack113 9322c6ee33 Merge pull request #3388 from frack113/placeholder
Move placeholder rules
2022-08-17 19:42:32 +02:00
frack113 cb9a999dce Merge pull request #3382 from alletrof/master
Filter out FP of dnsZone
2022-08-17 19:42:18 +02:00
Feathers 9f2ab4e047 Update net_connection_win_dead_drop_resolvers.yml
Added a few more apps which are triggering false positives, and comments to identify the process with the application
2022-08-17 18:43:47 +02:00
Feathers 41c3ea16b1 Update net_connection_win_dead_drop_resolvers.yml
corrected the MITRE tags
2022-08-17 18:14:43 +02:00
Florian Roth 31faadf5ce Merge pull request #3391 from SigmaHQ/rule-devel
Rule updates
2022-08-17 16:11:40 +02:00
Feathers 60ac757cf2 Create net_connection_win_dead_drop_resolvers.yml
This detection is an attempt to spot dead drop resolvers for those who don't have packet inspection. Most often, dead drop resolvers are initiated by the malware itself, which makes it easy to detect, since users most often access social media websites from internet browsers.
2022-08-17 16:09:11 +02:00
Florian Roth d26aa9d9f0 docs: update modified date 2022-08-17 15:58:39 +02:00
Florian Roth 54473e852d fix: .NET imphash 2022-08-17 15:56:57 +02:00
Florian Roth 133a19e4a5 fix: FP imphash 2022-08-17 15:00:22 +02:00
Florian Roth b115f6ea1e Raccoon Stealer UA 2022-08-17 14:40:36 +02:00
Florian Roth 059c7c4f9b Hacktool hashes update 2022-08-17 14:40:23 +02:00
Tomasuh 65c2659769 Correcting date 2022-08-17 12:47:54 +02:00
Tomasuh 6b32472d58 Correcting date format and MITRE fix
Removed attack.T1046 from tags.
2022-08-17 12:47:38 +02:00
Tomasuh 350bf80d93 Rule for Advanced IP/Port Scanner update check
Rule for Advanced IP/Port Scanner update check

- http://www.advanced-port-scanner[.]com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps 
- http://www.advanced-ip-scanner[.]com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
2022-08-17 11:24:00 +02:00
sorchaa 4a9da4907a Update win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml 2022-08-17 11:11:37 +02:00
Florian Roth fbc7519b94 Merge pull request #3385 from nasbench/nasbench-rule-devel
Update Sysmon Config
2022-08-17 09:29:54 +02:00
Florian Roth 736e058e71 Merge pull request #3389 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-08-17 09:28:41 +02:00
Florian Roth c5f4dbacd8 fix: wrong temp rule in folder 2022-08-17 09:28:21 +02:00
Florian Roth f154f7a091 Merge branch 'master' into aurora-false-positive-fixing 2022-08-17 09:20:22 +02:00
Florian Roth 068d312cfd Update create_remote_thread_win_susp_targets.yml 2022-08-17 09:19:15 +02:00