Commit Graph

15089 Commits

Author SHA1 Message Date
Mark Morowczynski 7c1f1cd8ba Merge branch 'SigmaHQ:master' into markmorow 2022-08-05 06:06:05 -07:00
Mark Morowczynski 72167b6f2f Update azure_group_user_removal_ca_modification.yml
Fix audit log syntax
2022-08-05 06:05:24 -07:00
Yochana-H 92471574a4 Update azure_user_password_change.yml
Space removed
2022-08-05 13:21:12 +01:00
Yochana-H dce0962d10 Update azure_user_password_change.yml
changed level
2022-08-05 13:15:35 +01:00
Nasreddine Bencherchali 5cf67492b7 fix fp 2022-08-05 12:34:48 +01:00
Nasreddine Bencherchali a50b35cdfa Update reg 2022-08-05 12:29:36 +01:00
Florian Roth 68ff364654 Merge branch 'master' into rule-devel 2022-08-05 12:17:36 +02:00
frack113 cb5c245a3a Add proc_creation_win_shortname_use.yml 2022-08-05 12:04:00 +02:00
Nasreddine Bencherchali d259f9400e Update 2022-08-05 10:18:07 +01:00
Tomasuh 8bd1108b01 From cs-uri-query to cs-uri to enable matching
Rule should be applied on uri and not the uri-query
2022-08-05 09:49:24 +02:00
Florian Roth d5f7de1314 Merge pull request #3324 from SigmaHQ/rule-devel
Suspicious IIS Registration, Plink refactoring, remove Github compromise rules
2022-08-05 09:39:41 +02:00
Mark Morowczynski d0b0421783 Create azure_group_user_removal_ca_modification.yml
Monitoring for removal of members of group that have CA modification access
2022-08-04 16:45:59 -07:00
Nasreddine Bencherchali 07e55593c3 Update some registry rules 2022-08-05 00:39:32 +01:00
Nasreddine Bencherchali f2bec5c6af Update provider + rules 2022-08-04 21:58:07 +01:00
Nasreddine Bencherchali 23052b8b19 Update proc_creation_win_susp_copy_system32.yml 2022-08-04 19:43:36 +01:00
Nasreddine Bencherchali 751fbd7a2e Update proc_creation_win_susp_calc.yml 2022-08-04 19:36:07 +01:00
Nasreddine Bencherchali be40827c9b Update proc_creation_win_susp_calc.yml 2022-08-04 19:28:28 +01:00
Nasreddine Bencherchali fb1deb7fb2 Update pipe_created_psexec_default_pipe_from_susp_location.yml 2022-08-04 19:18:42 +01:00
Nasreddine Bencherchali 307f9c6a35 New rules 2022-08-04 19:11:16 +01:00
Florian Roth 664ec8b43e refactor: remove rules for false alarm
https://twitter.com/cyb3rops/status/1555242921850544131
2022-08-04 20:05:16 +02:00
Nasreddine Bencherchali d6a2c13738 Update rules (desc, selection, logic) 2022-08-04 18:08:08 +01:00
Florian Roth 7b6e92afca fix: attack tag 2022-08-04 18:51:44 +02:00
Yochana-H 8d94d315b2 Create azure_user_password_change.yml 2022-08-04 17:30:19 +01:00
Yochana-H b44aff5317 Update azure_legacy_authentication_protocols.yml
Changes made OR not AND
2022-08-04 17:19:24 +01:00
Nasreddine Bencherchali fe2e279cfa Add more comsvcs variations
Based on this https://twitter.com/Wietze/status/1542107456507203586
2022-08-04 16:18:51 +01:00
Nasreddine Bencherchali 2d46263054 Renamed rule filename for conformity 2022-08-04 15:57:43 +01:00
Nasreddine Bencherchali 6d66ed6267 Update description + Missing related field 2022-08-04 15:57:18 +01:00
Florian Roth c33ca5bb9d Merge pull request #3316 from redsand/fp_solarwinds_check_too_many_false_positives
Narrowing the detection due to false positive matches of webresource.axd
2022-08-04 16:57:05 +02:00
Nasreddine Bencherchali df74e42243 Add missing definition for named pipe rules 2022-08-04 15:56:47 +01:00
Florian Roth 850a5e2b25 Merge pull request #3323 from Phrozyn/mitre_update
mitre_update: updates resulting json to current state
2022-08-04 16:56:38 +02:00
Florian Roth 14dba5ba8b refactor: plink usage / tunneling 2022-08-04 16:54:15 +02:00
Florian Roth d535ff34b9 rule: Suspicious IIS module installation 2022-08-04 15:27:47 +02:00
Nasreddine Bencherchali 34bb346b5c Renamed because name too long 2022-08-04 13:45:35 +01:00
Nasreddine Bencherchali a073590c2f Add Security-Mitigations-User Mode log 2022-08-04 13:44:55 +01:00
Florian Roth d46d89e403 Merge pull request #3315 from nasbench/nasbench-rule-devel
New Rules + Update
2022-08-04 13:34:26 +02:00
Florian Roth 8396f87533 Update win_security_mitigations_unsigned_dll_from_susp_location.yml 2022-08-04 13:17:36 +02:00
Florian Roth f9b9af87ff fix: FP with MpCmdRun rule 2022-08-04 13:12:53 +02:00
Florian Roth 165afe7323 Merge branch 'master' into aurora-false-positive-fixing 2022-08-04 13:11:33 +02:00
Nasreddine Bencherchali 0e133f7d58 Additional updates 2022-08-04 11:53:09 +01:00
Nasreddine Bencherchali 58e82da488 Rename because too long 2022-08-04 11:20:28 +01:00
Nasreddine Bencherchali 3954585722 Create win_security_mitigations_code_integrity_unsigned_dll_from_susp_location.yml 2022-08-04 11:12:26 +01:00
Nasreddine Bencherchali 83451b3e6d Update proc_creation_win_exfil_data_via_cli.yml 2022-08-04 10:58:56 +01:00
Nasreddine Bencherchali 8e08ff3060 Fix 2022-08-04 10:58:34 +01:00
Sven Scharmentke b3088d45b4 Merge branch 'master' into feature/ame-6.3 2022-08-04 09:43:23 +02:00
Florian Roth 636602cf7c rule: additional rule using the obfuscated IPs 2022-08-04 08:59:04 +02:00
Phrozyn b9e78e4656 mitre_update: updates resulting json to current state 2022-08-03 14:05:34 -05:00
Florian Roth 3282c822a7 Merge pull request #3320 from redsand/reduce_level_time_modification
Reducing to a low level, as this is not a single indicator of comprom…
2022-08-03 18:13:44 +02:00
Florian Roth 4112dbeb3e Merge pull request #3321 from redsand/fp_workstation_authentication
Ignore workstations/system execution. Normal behavior for scheduled tasks
2022-08-03 18:13:31 +02:00
Nasreddine Bencherchali 48a90c6342 DiagTrackEoP rules 2022-08-03 15:45:39 +01:00
Florian Roth 9eb0ea7284 Update web_cve_2020_10148_solarwinds_exploit.yml 2022-08-03 16:38:38 +02:00