Commit Graph

7964 Commits

Author SHA1 Message Date
frack113 8b67ad069e Windows Redcannary 2022-01-02 10:36:52 +01:00
frack113 b5e14ac48f Update rule 2022-01-02 09:50:37 +01:00
frack113 e75e3dc1fb fix CommandLine 2022-01-02 09:17:10 +01:00
frack113 7eebc4d054 Windows redcannary 2022-01-01 08:42:40 +01:00
frack113 2eda4d51d5 Merge pull request #2500 from frack113/redcannary_20211229
Windows Redcannary
2021-12-31 17:29:09 +01:00
Florian Roth e141770b37 Update win_re_outlook_security.yml 2021-12-31 15:50:39 +01:00
Florian Roth dc1cd5e6bf Update win_re_chrome_extension.yml 2021-12-31 15:49:57 +01:00
Florian Roth 07036fd2a7 Update powershell_ps_office_comobject_registerxll.yml 2021-12-31 15:48:41 +01:00
Florian Roth dde4d25b6b Update powershell_ps_directoryservices_accountmanagement.yml 2021-12-31 15:48:15 +01:00
David ANDRE 90f984d255 Added InitialProgram registry key for RDP/TS 2021-12-31 14:12:02 +01:00
frack113 b3e49358fa Merge pull request #2503 from frack113/redcannary_20211230
Windows persistence
2021-12-30 14:22:00 +01:00
frack113 5d5b3e83b1 Windows persistence 2021-12-30 11:58:10 +01:00
frack113 6c5275253b Set level to medium 2021-12-29 19:00:07 +01:00
frack113 d8f5d3cca3 Windows Redcannary 2021-12-29 17:47:43 +01:00
Tim Shelton e596dab472 Allows PasswordState to initiate rdp connections, per feature "Passwordstate Remote Session Launcher" https://www.clickstudios.com.au/downloads/version9/Passwordstate_Remote_Session_Launcher_Gateway_Install_Guide.pdf 2021-12-29 14:27:22 +00:00
Florian Roth 274edc0c4d Merge pull request #2498 from redsand/filter_win_Defender
filter windows defender in list
2021-12-28 19:01:07 +01:00
Tim Shelton 30b328489b filter windows defender in list 2021-12-28 17:08:56 +00:00
frack113 1a877a5ccd Merge pull request #2495 from frack113/redcannary_20211227
Windows redcannary rules
2021-12-28 12:52:07 +01:00
frack113 1f1b0dc656 Merge pull request #2492 from frack113/redcannary_20211216
Windows Redcannary impact
2021-12-28 12:51:40 +01:00
Florian Roth ee0f216929 Update win_pc_hashcat.yml 2021-12-28 12:09:59 +01:00
Florian Roth 345aab18cb Update win_pc_susp_taskkill.yml 2021-12-28 12:05:20 +01:00
Florian Roth 6edd497bf6 Update win_pc_susp_taskkill.yml 2021-12-28 12:04:51 +01:00
Florian Roth 01021a585d Update powershell_ps_susp_win32_shadowcopy.yml 2021-12-28 12:04:14 +01:00
Florian Roth af3462f7e6 Update powershell_ps_susp_remove_adgroupmember.yml 2021-12-28 12:03:40 +01:00
Florian Roth 97600513bb Update win_fe_susp_desktop_txt.yml 2021-12-28 12:03:11 +01:00
Florian Roth 30d5a59165 Merge pull request #2497 from SigmaHQ/rule-devel
rule: Suspicious Kernel Dump Using Dtrace
2021-12-28 10:54:55 +01:00
Florian Roth 992237c9aa Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-12-28 10:01:14 +01:00
Florian Roth bfd8b62dfa rule: kernel dump using dtrace 2021-12-28 10:01:11 +01:00
Florian Roth 45d746c024 Merge pull request #2496 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-27 21:14:36 +01:00
frack113 f79e8ab449 Merge pull request #2494 from frack113/aurora_fp
image_load_wsman_provider_image_load FP
2021-12-27 21:09:03 +01:00
frack113 744b7602c9 Windows redcannary rules 2021-12-27 20:25:01 +01:00
Florian Roth f37603ab60 fix: filter FPs with Microsoft cloud 2021-12-27 19:47:32 +01:00
Florian Roth aa0094483a fix: FPs with MS Edge installers 2021-12-27 19:45:08 +01:00
Florian Roth 1c4688cbb6 Merge branch 'master' into rule-devel 2021-12-27 17:38:21 +01:00
Florian Roth 6540d2e924 rule: download from Microsoft domain 2021-12-27 17:22:34 +01:00
frack113 7d200d95f3 Aurora FP 2021-12-27 17:13:17 +01:00
Florian Roth 73c7c5790c docs: removed tracking info from reference link 2021-12-27 11:52:16 +01:00
Florian Roth 7a8f09a6b5 fix: FPs with 4688 events that can contain 'Registry' 2021-12-27 11:48:51 +01:00
frack113 b967deaabd Windows Redcannary impact 2021-12-26 12:09:42 +01:00
Florian Roth 4951e78c74 Merge pull request #2491 from SigmaHQ/rule-devel
docs: title reordered
2021-12-25 09:59:28 +01:00
Florian Roth 1609fbb2ac docs: title reordered 2021-12-24 09:13:25 +01:00
Florian Roth 41b29fb3b9 Merge pull request #2490 from SigmaHQ/rule-devel
refactor: added curl.exe to the list
2021-12-23 17:56:08 +01:00
Florian Roth db3ebaf97c refactor: added curl.exe to the list 2021-12-23 08:27:44 +01:00
eb8f9a 2ab0582fd1 (win_susp_rundll32_activity.yml) Rule syntax error
es-dsl does not work properly because the rule syntax is not valid

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_rundll32_activity.yml

59 to 61 lines
     - CommandLine|contains|all:
       - 'syssetup.dll'
       - SetupInfObjectInstallAction'

should be like below
     - CommandLine|contains|all:
       - 'syssetup.dll'
       - 'SetupInfObjectInstallAction'
2021-12-23 10:09:51 +09:00
Florian Roth c888e47471 Merge pull request #2488 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-22 22:02:45 +01:00
Florian Roth 1653f30953 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-22 19:00:35 +01:00
Florian Roth c4fa0c22ad fix: FPs noticed with Aurora 2021-12-22 19:00:32 +01:00
Florian Roth 6b233cc2ec Merge pull request #2487 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-22 15:37:42 +01:00
Florian Roth b276ccd121 fix: FPs noticed with THOR 2021-12-22 14:51:06 +01:00
Florian Roth e320a76039 Merge pull request #2486 from Karneades/keytool
rule: add new rule to detect shell spawn by Java keytool
2021-12-22 13:56:23 +01:00