blue-team-tools

Author	SHA1	Message	Date
Florian Roth	8a75890b51	Merge pull request #1702 from d4rk-d4nph3/master Added rule for ADRecon execution	2021-07-17 09:50:29 +02:00
Florian Roth	e838a1acc4	increased level	2021-07-17 09:50:11 +02:00
Florian Roth	715bca0fd2	Merge pull request #1704 from frack113/redcanary_t1216 Redcanary t1216	2021-07-17 09:48:43 +02:00
Florian Roth	56ae1938af	Merge pull request #1706 from BlackB0lt/patch-12 Create sysmon_cve_2021_31979_cve_2021_33771_exploits.yml	2021-07-17 09:46:35 +02:00
Florian Roth	b1a00152bc	Merge pull request #1698 from SigmaHQ/rule-devel several new rules and fixes	2021-07-17 09:39:47 +02:00
Florian Roth	b911175f28	Suspicious mshta patterns	2021-07-17 09:04:41 +02:00
Florian Roth	6c79115ce0	Regsvr32 Anomalies extended	2021-07-17 09:04:31 +02:00
Sittikorn S	d3a1fb8565	Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml	2021-07-17 06:49:37 +07:00
Sittikorn S	5e84a603d0	Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml	2021-07-17 01:04:07 +07:00
Sittikorn S	a3c4aa5dad	Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml	2021-07-17 01:02:14 +07:00
Sittikorn S	eea3675d4e	Rename sysmon_cve_2021_31979_cve-2021_33771_exploits.yml to sysmon_cve_2021_31979_cve_2021_33771_exploits.yml	2021-07-17 00:09:04 +07:00
Sittikorn S	90fc50e0a2	Update and rename sysmon_devilstongue_CVE_2021_31979_exploit.yml to sysmon_cve_2021_31979_cve-2021_33771_exploits.yml rename sysmon_cve_2021_31979_cve-2021_33771_exploits.yml	2021-07-17 00:02:15 +07:00
Sittikorn S	9fb589201e	Update and rename sysmon_devilstongue_exploit_0day.yml to sysmon_devilstongue_CVE_2021_31979_exploit.yml Change Title	2021-07-16 23:47:14 +07:00
Sittikorn S	f2187f05e6	Update and rename sysmon_devilstongue_CVE_2021_31979_CVE_2021_33771.yml to sysmon_devilstongue_exploit_0day.yml	2021-07-16 23:42:05 +07:00
Sittikorn S	91295cff21	Update sysmon_devilstongue_CVE_2021_31979_CVE_2021_33771.yml	2021-07-16 23:35:31 +07:00
Sittikorn S	dac72e2750	Update and rename sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml to sysmon_devilstongue_CVE_2021_31979_CVE_2021_33771.yml	2021-07-16 23:30:05 +07:00
Sittikorn S	10b7b6d640	Update sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml	2021-07-16 23:11:14 +07:00
Sittikorn S	94ba194b42	Update sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml	2021-07-16 23:09:51 +07:00
Sittikorn S	477ec060d2	Update and rename sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml to sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml	2021-07-16 22:47:04 +07:00
Sittikorn S	99e5990416	Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml	2021-07-16 22:30:06 +07:00
Sittikorn S	dc94c4e51e	Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml	2021-07-16 22:21:34 +07:00
Sittikorn S	0954163e9d	Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml	2021-07-16 22:19:07 +07:00
Sittikorn S	e094c76098	Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml	2021-07-16 22:14:22 +07:00
Sittikorn S	0506e10697	Create sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml	2021-07-16 22:09:07 +07:00
Bhabesh Rai	be8fce8e82	Added rule for ADRecon execution	2021-07-16 12:58:47 +05:45
$frack113$ frack113	9a7f3036e4	update ref in win_manage-bde_lolbas.yml	2021-07-16 08:34:30 +02:00
$frack113$ frack113	d6dc217c6d	Add process_creation_syncappvpublishingserver_vbs_execute_powershell.yml	2021-07-16 08:28:25 +02:00
Florian Roth	021f211c14	fix: FP with WCE and Windows Cluster Service	2021-07-15 12:09:28 +02:00
$frack113$ frack113	c6cb7f1247	fix missing references and duplicate UUID	2021-07-15 11:06:54 +02:00
Florian Roth	e40b859254	Merge pull request #1695 from frack113/fix_re escape / in regex	2021-07-15 09:25:58 +02:00
Florian Roth	abb8df887a	Merge pull request #1690 from WuerthIT/patch_rule update rule: powershell_accessing_win_api.yml	2021-07-15 08:36:38 +02:00
Florian Roth	f3d24e27c2	Merge pull request #1694 from leegengyu/patch-13 Update win_remote_powershell_session_process.yml	2021-07-15 08:36:12 +02:00
Florian Roth	2055da991f	Merge pull request #1691 from SigmaHQ/rule-devel Rules: scripts from Temp folders, reg disable sec services	2021-07-15 08:35:54 +02:00
$frack113$ frack113	0ef3dc2082	escape / in regex	2021-07-15 08:13:49 +02:00
G Y	8bbea58786	Update win_remote_powershell_session_process.yml Updated TTP and formatting.	2021-07-15 11:20:25 +08:00
Florian Roth	e516aecc74	fix: error in selector	2021-07-14 15:58:55 +02:00
Florian Roth	530e04faec	rule: Script Execution from Temp Folder	2021-07-14 15:52:52 +02:00
Florian Roth	0d794357e8	rule: reg disable security services	2021-07-14 15:52:35 +02:00
k-vdv	12b172039f	fixed some typos and adjusted capitalization to original	2021-07-14 15:47:17 +02:00
Florian Roth	3ff4e99d44	Merge pull request #1688 from SigmaHQ/rule-devel refactor: improved Raccine uninstall rule	2021-07-14 09:57:08 +02:00
Florian Roth	04370c7e91	refactor: improved Raccine uninstall rule	2021-07-14 09:56:35 +02:00
Florian Roth	1ec9473472	Merge pull request #1687 from SigmaHQ/rule-devel Rule adjustments and new Serv-U exploitation rules	2021-07-14 08:59:33 +02:00
Florian Roth	5e2e6c9b72	Merge branch 'config-adjustments' into rule-devel	2021-07-14 08:35:47 +02:00
Florian Roth	e0f166aba2	rule: Serv-U exploitation https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/	2021-07-14 08:35:25 +02:00
Florian Roth	85d47aeabc	Merge pull request #1678 from frack113/redcanary_t1228 Some Redcanary T1228	2021-07-14 08:18:52 +02:00
Florian Roth	9fce0fb42d	Merge pull request #1680 from phantinuss/master medium level Rule for Windows Defender Exclusions	2021-07-14 08:18:39 +02:00
$frack113$ frack113	8b14dc6c99	fix [colons] too many spaces after colon	2021-07-13 14:42:47 +02:00
$frack113$ frack113	c00dd0bf65	add win_susp_athremotefxvgpudisablementcommand.yml	2021-07-13 14:29:00 +02:00
$frack113$ frack113	6d1e8268ba	update win_workflow_compiler.yml	2021-07-13 13:55:27 +02:00
phantinuss	bf9b82fc45	medium level rule for Windows Defender Exclusions	2021-07-13 13:16:25 +02:00

1 2 3 4 5 ...

4888 Commits