Florian Roth
74f65eb004
Merge branch 'master' into aurora-false-positive-fixing
2022-01-29 19:37:26 +01:00
Florian Roth
e0425f2167
Merge pull request #2620 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-01-29 19:34:02 +01:00
Florian Roth
8d5742e83e
fix: fixing FPs with LSASS access mask in old rule
2022-01-29 18:17:46 +01:00
Florian Roth
642b3748fe
Merge pull request #2615 from frack113/redcannary_20220128
Add windows redcannary rules
2022-01-29 15:25:40 +01:00
frack113
c3c13d6089
add lnx_pwnkit_local_privilege_escalation
2022-01-29 10:07:54 +01:00
Florian Roth
dc19846101
fix: FPs in deprecated rule
2022-01-28 23:43:11 +01:00
Florian Roth
56fba15638
Update process_creation_tool_nircmd.yml
2022-01-28 23:14:17 +01:00
Florian Roth
34c8de908d
Update process_creation_tool_nircmd_as_system.yml
2022-01-28 23:08:41 +01:00
Nasreddine Bencherchali
6f96372ece
Update process_creation_tool_nircmd_as_system.yml
2022-01-28 21:10:52 +01:00
Nasreddine Bencherchali
b0b9d32dfa
Update process_creation_tool_nircmd.yml
2022-01-28 21:10:03 +01:00
Nasreddine Bencherchali
0b09dbdcd1
Update process_creation_tool_nircmd_as_system.yml
2022-01-28 21:01:43 +01:00
Florian Roth
883040ee96
Merge pull request #2617 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2022-01-28 18:06:39 +01:00
Florian Roth
0391cffab4
Merge pull request #2616 from SigmaHQ/rule-devel
rule: xordump
2022-01-28 18:06:21 +01:00
Florian Roth
7b05827326
fix: FPs noticed with Aurora
2022-01-28 17:26:51 +01:00
Florian Roth
bfee0f8067
rule: xordump
2022-01-28 17:26:12 +01:00
frack113
5b30db61b0
Add windows redcannary rules
2022-01-28 16:12:38 +01:00
Florian Roth
a5cb3ba37f
Merge pull request #2598 from SigmaHQ/rule-devel
rules: NirCmd, NSudo, RunX
2022-01-28 12:18:15 +01:00
frack113
9a517bae7c
Merge pull request #2614 from frack113/update_ref
sysmon_proxy_execution_wuauclt Update References
2022-01-28 11:51:45 +01:00
Florian Roth
982808c3db
refactor: whoami / authority, rule: whoami as trusted installer
2022-01-28 11:30:30 +01:00
frack113
a6e3b4691b
Update References
2022-01-28 10:30:39 +01:00
frack113
d4b4d4e382
Merge pull request #2612 from glennbarrett/patch-1
Typo fix in win_plugx_susp_exe_locations.yml
2022-01-28 10:00:07 +01:00
frack113
069d4ac8bd
Update modified
2022-01-28 09:09:26 +01:00
frack113
4ef359a96f
Merge pull request #2611 from redsand/fp_for_iexplorer
adding filter for fp of iexplorer calling cpl
2022-01-28 06:59:35 +01:00
Glenn Barrett
edb769b086
Typo fix in win_plugx_susp_exe_locations.yml
Change SysWowo64 to SysWow64
2022-01-27 15:08:54 -05:00
frack113
1431992e4e
Merge pull request #2604 from frack113/add_ps_version
add posh_ps_clear_powershell_history
2022-01-27 18:24:37 +01:00
Tim Shelton
f8ce6d87a8
adding filter for fp of iexplorer calling cpls: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:276824072 WinX:0 WinY:0 IEFrame:0000000000000000
2022-01-27 16:31:37 +00:00
Florian Roth
a8cbfa832d
Merge pull request #2609 from SigmaHQ/aurora-false-positive-fixing
fix: too many false positives with certain access masks
2022-01-27 16:53:34 +01:00
Florian Roth
03b0bd8bd0
Merge pull request #2610 from zakibro/master
Adding auditd rule for CVE-2021-4034
2022-01-27 16:47:15 +01:00
frack113
1aa7697ca8
Update posh_ps_clear_powershell_history.yml
2022-01-27 16:16:57 +01:00
frack113
79de1631de
Merge pull request #2601 from secDre4mer/master
fix: Add filter for empty image to rule
2022-01-27 16:16:06 +01:00
zakibro
c1c5ed0db7
Update lnx_auditd_cve_2021_4034.yml
2022-01-27 12:55:22 +01:00
zakibro
bd9b5172cd
Update lnx_auditd_cve_2021_4034.yml
2022-01-27 12:44:53 +01:00
Pawel Mazur
c924977576
Adding auditd rule for CVE-2021-4034
2022-01-27 12:36:19 +01:00
Florian Roth
82d5f4a511
fix: too many false positives with certain access masks
2022-01-27 09:08:40 +01:00
Florian Roth
d52602dd5e
Update posh_ps_clear_powershell_history.yml
2022-01-26 18:09:09 +01:00
Florian Roth
feedcee6bf
Update posh_ps_clear_powershell_history.yml
2022-01-26 17:57:26 +01:00
Florian Roth
e08e8dd3d4
Update sysmon_process_hollowing.yml
2022-01-26 17:53:46 +01:00
mhaag-spl
b3b37719e7
Update sysmon_lsass_memdump.yml
Updated Sysmon Lsass Memdump to detect other memory dumping techniques from mimikatz, nanodump, invoke-mimikatz, and so forth. This adds additional GrantedAccess permissions and adds ntdll.dll to CallTrace. Tested with Atomic Red Team T1003.001, MimiKatz, Invoke-Mimikatz and Cobalt Strike.
2022-01-26 08:12:49 -07:00
securepeacock
364b5c9620
Create sysmon_process_hollowing.yml
Closed old request, and put rule into its appropriate file directory.
2022-01-25 15:57:03 -05:00
securepeacock
1cfa06e6e6
Update process_creation_rundll32_not_from_c_drive.yml
2022-01-25 14:43:30 -05:00
securepeacock
076b0c9246
Create process_creation_rundll32_not_from_c_drive.yml
Sample Log:
Process Create: RuleName: - UtcTime: 2022-01-25 17:12:12.156 ProcessGuid: {A931971D-2F6C-61F0-D700-000000005200} ProcessId: 724 Image: C:\Windows\notepad.exe FileVersion: 10.0.14393.0 (rs1_release.160715-1616) Description: Notepad Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: NOTEPAD.EXE CommandLine: "c:\windows\notepad.exe" CurrentDirectory: E:\ User: WINDOMAIN\vagrant LogonGuid: {A931971D-283E-61F0-3DF7-080000000000} LogonId: 0x8F73D TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA1=40F2E778CF1EFFA957C719D2398E641EFF20E613,MD5=3B508CAE5DEBCBA928B5BC355517E2E6,SHA256=DA0ACEE8F60A460CFB5249E262D3D53211EBC4C777579E99C8202B761541110A,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82 ParentProcessGuid: {A931971D-2F57-61F0-D600-000000005200} ParentProcessId: 936 ParentImage: C:\Windows\System32\rundll32.exe ParentCommandLine: "C:\Windows\System32\rundll32.exe" SharedFiles.dll,BasicScore ParentUser: WINDOMAIN\vagrant
2022-01-25 14:42:13 -05:00
frack113
a68cf58264
Merge pull request #2596 from frack113/blackbyte
Add win_re_blackbyte_ransomware
2022-01-25 20:39:05 +01:00
frack113
818b20b949
add posh_ps_clear_powershell_history
2022-01-25 19:58:18 +01:00
Max Altgelt
51d9aca239
chore: update modified date
2022-01-25 11:46:16 +01:00
Max Altgelt
0cad38be34
fix: Add filter for empty image to rule
2022-01-25 11:43:35 +01:00
frack113
8a47c56397
Merge pull request #2595 from frack113/red_20220123b
Windows Redcannary
2022-01-25 06:21:17 +01:00
frack113
f634962420
Merge pull request #2594 from frack113/red_20220123
Windows Redcannary tests
2022-01-25 06:20:53 +01:00
frack113
0d5618f8ef
Merge pull request #2593 from frack113/moonbounce
add win_pc_susp_instalutil
2022-01-25 06:20:38 +01:00
frack113
43690233fb
Merge pull request #2572 from zeronetworks/master
feat(rules): Adding rules for the rpc_firewall
2022-01-24 18:18:22 +01:00
Florian Roth
f80f0d3696
rules: nircmd, nsudo, runx
2022-01-24 13:37:28 +01:00