Commit Graph

6187 Commits

Author SHA1 Message Date
Andreas Hunkeler 79cf80fa6b Update shell open key rule 2021-11-19 14:03:56 +01:00
* Make rule more generic regarding exefile detection instead of only naming it "uac bypass"
* Add further references and attack tags
Florian Roth 3834048363 docs: extended false positive comment 2021-11-19 12:15:11 +01:00
Florian Roth 86f7c2b9f9 fix: FPs with WMI module rule 2021-11-19 12:15:01 +01:00
frack113 fe87379747 Rename win_ADCS_certificate_template_configuration_vulnerability_EKU.yml to win_adcs_certificate_template_configuration_vulnerability_eku.yml 2021-11-19 08:47:40 +01:00
frack113 e8426c57cd fix title 2021-11-19 07:03:52 +01:00
frack113 f8e28c6519 Fix title 2021-11-19 07:00:05 +01:00
frack113 5e96a5c151 Merge pull request #2275 from WojciechLesicki/master 2021-11-19 06:46:10 +01:00
Adding two more processes, additional references, information about Cob…
Orlinum 69bd0f9c8f Create win_ADCS_certificate_template_configuration_vulnerability.yml 2021-11-18 22:46:19 +01:00
new rule
Orlinum 15c042fca4 Create win_ADCS_certificate_template_configuration_vulnerability_EKU.yml 2021-11-18 22:39:08 +01:00
new file
frack113 8176d9b47e Add sysmon_win_reg_persistence_recycle_bin.yml 2021-11-18 18:39:20 +01:00
Florian Roth b91b43ad84 rule: Exchange CVE-2021-42321 2021-11-18 17:27:09 +01:00
Florian Roth ecc7181d6e fix: FP with Windows Update Client LOLBIN rule 2021-11-18 13:34:55 +01:00
phantinuss 84476e1dd4 fix: prevent possible FPs from non-windows native calls using paths surrounded by quotes 2021-11-18 10:06:03 +01:00
frack113 7a2ce744f1 Merge pull request #2272 from frack113/wmi_FP 2021-11-18 06:36:39 +01:00
sysmon_wmi_module_load.yml add WMIC.exe
frack113 4b13ece931 Merge pull request #2270 from phantinuss/master 2021-11-18 06:35:11 +01:00
enhance emotet rundll32 execution pattern for current campaign
frack113 a6771d684b Merge pull request #2269 from frack113/ntfs 2021-11-18 06:32:01 +01:00
Add correct provider_name
WojciechLesicki ba053ea19b Adding two more processes, additional references, information about Cobalt Strike, etc. 2021-11-17 22:37:23 +01:00
Florian Roth 7dce83033b rule: Winrar suspicious folder 2021-11-17 19:01:48 +01:00
Florian Roth 23220e7d78 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-17 19:00:06 +01:00
Florian Roth c71d9dba89 fix: false positive with WMI rule 2021-11-17 18:59:22 +01:00
frack113 0605a1c64e add WMIC.exe 2021-11-17 16:37:27 +01:00
phantinuss 0109694e26 enhance emotet rundll32 execution pattern for current campaign 2021-11-17 15:59:05 +01:00
Florian Roth dcfc9d562e fix: more false positives 2021-11-17 10:27:02 +01:00
frack113 6a9313535c Add correct provider_name 2021-11-17 06:59:57 +01:00
Florian Roth 7d4e3fd2ed fix: more false positive fixes 2021-11-16 23:27:00 +01:00
Florian Roth 97bc8aa6f2 rule: suspicious write to system tasks 2021-11-16 17:30:47 +01:00
Florian Roth 8d6d8c2c92 fix: several FPs 2021-11-16 17:30:23 +01:00
Florian Roth d29c353718 refactor: unnecessary filter 2021-11-16 13:47:41 +01:00
Florian Roth daff947d4b refactor: fixes without CommandLine field in ImageLoad events 2021-11-16 13:46:15 +01:00
Florian Roth 5e14b73b9c fix: FP with logman.exe 2021-11-16 13:39:32 +01:00
Florian Roth 2383b2b76b fix: problem with empty string 2021-11-16 13:33:00 +01:00
Florian Roth 98073049ba fix: FPs with Load of dbghelp/dbgcore DLL from Suspicious Process 2021-11-16 13:11:11 +01:00
Florian Roth 2448691ad0 fix: FPs 2021-11-16 13:04:52 +01:00
Florian Roth 4fb833700f Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-16 12:17:46 +01:00
Florian Roth 3be53dfb72 refactor: tightened rule 2021-11-16 12:17:43 +01:00
Florian Roth 760266ab34 Merge branch 'master' into rule-devel 2021-11-16 12:13:20 +01:00
Florian Roth 4c1fab644d fix: FPs with Windows Update Client LOLBIN rule 2021-11-16 12:09:03 +01:00
frack113 d4317d60a4 Merge pull request #2262 from frack113/dfir_20211115 2021-11-16 06:31:19 +01:00
DFIR exchange-exploit-leads-to-domain-wide-ransomware
frack113 42cbe8664b Update registry_event_mal_ursnif.yml 2021-11-15 20:21:20 +01:00
phantinuss c3ecbc52a9 add Exchange reference to title/description 2021-11-15 14:00:05 +01:00
frack113 51744b31b4 fix name 2021-11-15 13:38:38 +01:00
frack113 b9be5b262f Add win_pc_susp_reg_bitLocker 2021-11-15 13:24:26 +01:00
phantinuss f4d5238049 fix: FP 2021-11-15 12:30:51 +01:00
Florian Roth 20686c908d rules: lsass dumps 2021-11-15 12:16:44 +01:00
frack113 f647571478 fix logsource 2021-11-13 09:59:14 +01:00
frack113 f1958161d0 Merge pull request #2257 from frack113/optimize 2021-11-13 08:21:12 +01:00
Optimize rules
Florian Roth 8054ae005f Merge pull request #2228 from austinsonger/register 2021-11-12 19:42:20 +01:00
win_susp_registration_via_cscript.yml
Austin Songer 5a542431ac Update win_susp_registration_via_cscript.yml 2021-11-12 11:12:31 -06:00
frack113 64839d9e4f Fix detection field name 2021-11-12 14:21:53 +01:00
frack113 f145392b6a Fix detection field name 2021-11-12 13:55:45 +01:00