security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

6187 Commits

Author SHA1 Message Date
Florian Roth ff6bb3acea extended filters and descriptions 2021-11-22 14:01:30 +01:00
Florian Roth d5eff9ef6d fix: FP with In-memory PowerShell rule and Visual Studio 2021-11-22 13:45:31 +01:00
Florian Roth 37ff832fda fix: FPs with LSASS access rule 2021-11-22 13:43:20 +01:00
Florian Roth 145d05e756 Merge pull request #2294 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs with Aurora
 2021-11-22 13:30:07 +01:00
Florian Roth db03d08b11 Merge pull request #2293 from SigmaHQ/rule-devel 
fix: 0x1000 access on LSASS, rule: new LSASS access, rule: CVE-2021-41379
 2021-11-22 13:29:31 +01:00
Florian Roth cda13acc83 Revert "refactor: add another flag set" 
This reverts commit ca62fe586f.
 2021-11-22 12:51:16 +01:00
Florian Roth ca62fe586f refactor: add another flag set 2021-11-22 12:21:19 +01:00
Florian Roth a5b7a92d91 fix: FPs with Aurora 2021-11-22 12:20:21 +01:00
Florian Roth 01189dcef2 fix: rule condition 2021-11-22 11:47:39 +01:00
Florian Roth d2e45afc3c fix: typo in filename - missing period 2021-11-22 11:40:17 +01:00
Florian Roth d3ec743906 fix: changed modified date 2021-11-22 11:38:37 +01:00
Florian Roth fbd8df5768 rule: lsass access suspicious flags 2021-11-22 11:37:09 +01:00
Florian Roth 24c4d51796 refactor: rule could possible generate to many FPs 2021-11-22 11:28:32 +01:00
Florian Roth 7432aa37a0 refactor: lsass query info access 2021-11-22 11:02:01 +01:00
frack113 e5404785d3 Merge pull request #2290 from frack113/fix_fieldname 
Fix field name in windows rules
 2021-11-21 09:09:40 +01:00
frack113 bc61fbeee2 Merge pull request #2281 from orlinum/patch-2 
Create win_ADCS_certificate_template_configuration_vulnerability.yml
 2021-11-20 20:45:04 +01:00
frack113 3162b7ccfe Merge pull request #2280 from orlinum/patch-1 
Create win_ADCS_certificate_template_configuration_vulnerability_EKU.yml
 2021-11-20 20:44:42 +01:00
Florian Roth 0da02fbc46 fix: image_load in sysmon doesn't contain a command line 2021-11-20 19:58:21 +01:00
Orlinum c37f7aede9 path modified to rules/windows/builtin/ 2021-11-20 19:38:00 +01:00
Orlinum 89c20b2b28 path modified to rules/windows/builtin/ 2021-11-20 19:37:55 +01:00
frack113 ebcfcfebf4 Fix field name 2021-11-20 19:14:59 +01:00
Florian Roth 3eeeb81d00 Merge pull request #2288 from SigmaHQ/rule-devel 
fix: FPs; rule: Windows Shell File Write to Suspicious Folder
 2021-11-20 18:27:26 +01:00
Florian Roth ed4e771700 Merge pull request #2287 from frack113/tags 
Add missing Mitre Techniques Tags for windows rules
 2021-11-20 15:38:25 +01:00
Florian Roth 9cbc026f43 Merge pull request #2283 from Karneades/new-filehandler 
rule: add new rule to detect the abuse of the exefile file handler
 2021-11-20 15:37:42 +01:00
Florian Roth 1ce65c6730 rule: shell file write to suspicious folder 2021-11-20 15:37:10 +01:00
Florian Roth e73816bb22 fix: too many false positives with in-memory detection rule 2021-11-20 15:07:20 +01:00
Florian Roth 15a4938294 fix: wrong condition 2021-11-20 15:05:06 +01:00
Florian Roth c7462832fe fix: FPs with Wincred in log files 2021-11-20 15:03:11 +01:00
Florian Roth dfbaadf932 fix: FPs - extended filter 2021-11-20 13:01:24 +01:00
Florian Roth 8271b04f80 fix: FPs with ISO mount rule 2021-11-20 12:46:50 +01:00
frack113 c6087bc988 fix tags errors 2021-11-20 12:35:41 +01:00
Florian Roth f1d2903ec2 fix: FPs with rules 2021-11-20 12:32:15 +01:00
frack113 f47d0da3f7 add missing MITRE Techniques 2021-11-20 12:26:01 +01:00
Florian Roth 6c040f0844 fix: more false positives 2021-11-20 12:00:18 +01:00
Florian Roth 5b8b622658 fix: too many false positives with WMI Modules Loaded 2021-11-20 11:54:19 +01:00
Florian Roth 1fffb57df0 fix: FPs with different rules 2021-11-20 11:33:43 +01:00
frack113 ab663f9bcf Add MITTRE Technique 2021-11-20 10:56:41 +01:00
frack113 8f0cee86ac Add Technique tags 2021-11-20 09:53:35 +01:00
Andreas Hunkeler a8f70e8031 Improve exefile rule logic 2021-11-20 00:18:55 +01:00
frack113 1cfca93354 Missing status in rules (#2284) 
* add missing status
 2021-11-19 22:32:26 +01:00
Andreas Hunkeler a0eb895119 Fix file name by adding the missing file extension 
(facepalm) commit
 2021-11-19 21:08:59 +01:00
Andreas Hunkeler bccd89174f Fix file name for exefile rule 2021-11-19 20:27:51 +01:00
frack113 13099ea9bf Merge pull request #2279 from frack113/malware 
Add sysmon_win_reg_persistence_recycle_bin.yml
 2021-11-19 19:11:06 +01:00
frack113 264db60c5e Merge pull request #2276 from phantinuss/master 
Rule Fix: Paths with Quotes
 2021-11-19 19:05:36 +01:00
Florian Roth 19a303bcfb Merge pull request #2282 from Karneades/exefile 
Update shell open key rule
 2021-11-19 17:40:35 +01:00
Andreas Hunkeler 6cc12b9416 rule: fix title in new exefile rule 2021-11-19 17:32:37 +01:00
Andreas Hunkeler 85a7c71c8e rule: add new rule to detect the abuse of the exefile file handler 2021-11-19 17:23:03 +01:00
Andreas Hunkeler a1dc685ea4 Add note regarding persistence in shell open rule 2021-11-19 16:18:25 +01:00
Andreas Hunkeler 74eac016c8 Update date after shell open rule change 2021-11-19 16:17:21 +01:00
Florian Roth 4acbb15713 Merge branch 'master' into rule-devel 2021-11-19 15:52:21 +01:00