security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth e91fc4486e refactor: first bigger log source refactoring 
see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
 2022-03-22 17:58:29 +01:00
Florian Roth a5281c0eaf Merge branch 'master' into log-source-cleanup 2022-03-22 15:16:14 +01:00
Florian Roth e3839ac282 removed: overlapping, unharmonised rule 
already covered in 04f5363a-6bca-42ff-be70-0d28bf629ead
 2022-03-22 09:58:29 +01:00
Florian Roth 8b9fc64170 Merge pull request #2832 from frack113/redcannay 
Redcannary
 2022-03-21 15:03:03 +01:00
Florian Roth 3ddb83fc74 Merge pull request #2839 from phantinuss/master 
hotfix: reenable rules check, might be refined later
 2022-03-21 14:03:42 +01:00
phantinuss 470bdd5252 hotfix: reenable rules check, might be refined later 2022-03-21 13:35:30 +01:00
Florian Roth 792c52671f Merge pull request #2838 from phantinuss/master 
fix: single list element
 2022-03-21 13:04:56 +01:00
phantinuss f1dcaa02f4 fix: single list element 2022-03-21 12:33:55 +01:00
Florian Roth 3f1b8ff727 Update posh_ps_susp_get_addefaultdomainpasswordpolicy.yml 2022-03-21 12:09:33 +01:00
Florian Roth 026428640e Update registry_event_set_nopolicies_user.yml 2022-03-21 12:06:50 +01:00
Florian Roth 682b4852fc Update registry_event_hide_fonction_user.yml 2022-03-21 12:04:29 +01:00
Florian Roth a50cd510a5 Update registry_event_disable_fonction_user.yml 2022-03-21 12:01:54 +01:00
Florian Roth 7ebdfda1b8 Update posh_ps_susp_get_addefaultdomainpasswordpolicy.yml 2022-03-21 11:54:45 +01:00
Florian Roth e477264aa0 fix: azure log source fix 2022-03-21 11:20:07 +01:00
Florian Roth 816b11ab80 Merge branch 'master' into rule-devel 2022-03-21 11:19:22 +01:00
Florian Roth 056206627a minor changes to description and hash values 2022-03-21 11:19:05 +01:00
Florian Roth b4245c561c Merge pull request #2836 from SigmaHQ/rule-devel 
fix: Service Installation 7045 field confusion
 2022-03-21 11:18:29 +01:00
Florian Roth ce4cdf06f0 fix: Service Installation 7045 field confusion 2022-03-21 11:10:03 +01:00
Florian Roth dd46054e17 Merge pull request #2834 from redsand/fp_missing_sys32_dir_rundll32 
Fp missing system32 dir rundll32 with invalid extension
 2022-03-20 22:31:58 +01:00
Tim Shelton 5086cde0dd updating to ensure match against all system32 execution path 2022-03-20 19:48:51 +00:00
Tim Shelton 3da10f30d8 Adding additional filter for system32 2022-03-20 19:45:33 +00:00
Florian Roth 13402ac95c Merge pull request #2833 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-03-20 18:05:44 +01:00
Florian Roth 7b8ead3f9c Merge branch 'master' into aurora-false-positive-fixing 2022-03-20 17:59:58 +01:00
Florian Roth b3d19126c7 docs: add FP conditions 2022-03-20 16:21:35 +01:00
Florian Roth 811ed59e27 fix: FPs with Aurora and THOR 2022-03-20 16:18:18 +01:00
frack113 ab471b11ae Redcannary 2022-03-20 08:36:07 +01:00
frack113 1116a09c90 Merge pull request #2831 from SigmaHQ/revert-2826-redcannary_20220318 
Revert "Redcannary"
 2022-03-20 08:14:37 +01:00
frack113 45cfdab828 Revert "Redcannary" 2022-03-20 08:11:11 +01:00
frack113 eb66c5530e Merge pull request #2826 from frack113/redcannary_20220318 
Redcannary
 2022-03-20 08:11:07 +01:00
Florian Roth 2c82434ed2 Merge pull request #2827 from pH-T/master 
new susp service installation rules
 2022-03-18 21:44:29 +01:00
Florian Roth e7a3e70e0e Merge pull request #2828 from phantinuss/master 
fix: FP with Sysinternal's handle
 2022-03-18 21:44:08 +01:00
Florian Roth fc9027d80f Merge pull request #2830 from SigmaHQ/Neo23x0-patch-1 
Update registry_event_powershell_in_run_keys.yml
 2022-03-18 21:43:58 +01:00
Florian Roth ec7a9793d7 Update registry_event_powershell_in_run_keys.yml 2022-03-18 20:58:16 +01:00
phantinuss 3ab601b334 fix: FP with Sysinternal's handle 2022-03-18 17:06:53 +01:00
Paul Hager 68659cf5fd new susp service installation rules 2022-03-18 16:08:40 +01:00
frack113 1060009949 Redcannary 2022-03-18 11:15:05 +01:00
Florian Roth fbf1b8456c Merge pull request #2825 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed with EdgeTransport sub processes
 2022-03-18 11:04:10 +01:00
Florian Roth 2f51f8e1d2 fix: FPs noticed with EdgeTransport sub processes 2022-03-18 10:18:40 +01:00
Florian Roth d0eef19e95 Merge pull request #2822 from SigmaHQ/rule-devel 
Webshell detection rule refactoring
 2022-03-18 08:49:04 +01:00
Florian Roth e754849425 fix: missing space 2022-03-18 08:37:09 +01:00
frack113 41fce11b76 Merge pull request #2820 from frack113/day_off 
Windows Redcannary
 2022-03-18 08:18:18 +01:00
Florian Roth 1118189032 Update posh_ps_susp_get_adgroup.yml 2022-03-17 20:23:14 +01:00
Florian Roth 8c69b3977f Update posh_ps_susp_directory_enum.yml 2022-03-17 20:22:51 +01:00
Florian Roth a5cfb87ee1 Update posh_ps_as_rep_roasting.yml 2022-03-17 20:22:11 +01:00
Florian Roth 59a8a6f952 Merge branch 'master' into rule-devel 2022-03-17 20:16:28 +01:00
Florian Roth c855a38f98 Merge pull request #2819 from frack113/fp_test 
posh_ps_remove_item_path fix registry FP
 2022-03-17 18:44:53 +01:00
Florian Roth 22133aaa07 Merge pull request #2821 from redsand/fp_tasktop_path_traversal 
Adding filter for java  tasktop
 2022-03-17 18:44:16 +01:00
Florian Roth 33617fd8b4 rule: new webshell detection rule 2022-03-17 18:31:11 +01:00
Tim Shelton 026677cf8a fixing spelling error 2022-03-17 17:27:11 +00:00
Florian Roth 8250dd73a2 refactor: webshell detection rules 2022-03-17 18:24:15 +01:00