security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth a9c9c9ae3a Merge pull request #2425 from SigmaHQ/aurora-false-positive-fixing 
fix: FP with new SYSTEM rule
 2021-12-10 13:50:04 +01:00
frack113 b56630ced1 Add lnx_susp_dev_tcp 2021-12-10 13:39:06 +01:00
Florian Roth 07e4a9209c docs: more links 2021-12-10 13:31:28 +01:00
Florian Roth 06e41b1e57 refactor: single slash uri scheme + dns 2021-12-10 13:07:32 +01:00
Florian Roth a51c03f54c log4j CVE-2021-44228 2021-12-10 13:05:40 +01:00
Florian Roth 8c85f4ffa4 fix: FP with new SYSTEM rule 2021-12-10 12:17:25 +01:00
Tim Shelton b503a11366 oof, wrong field, sorry! 2021-12-10 06:49:55 +00:00
redsand (Tim Shelton) 879a1325f9 Merge branch 'SigmaHQ:master' into fp_for_matching_msiexec_behavior 2021-12-10 00:47:49 -06:00
redsand (Tim Shelton) 6151094fdd Merge branch 'SigmaHQ:master' into detect_net_use_password_plaintext 2021-12-10 00:46:38 -06:00
frack113 8c77e4757f Merge pull request #2420 from redsand/fp_wsmprovhost_ps_pipe 
adding allow for wsmprovhost.exe to call powershell pipes
 2021-12-10 06:50:45 +01:00
Florian Roth baa1dcd608 Merge pull request #2417 from stbe/imp_lsass_defender 
Added Defender to win_susp_lsass_dump_generic.yml
 2021-12-10 00:00:22 +01:00
Florian Roth 834681c3b4 Update win_susp_net_use_password_plaintext.yml 2021-12-09 23:51:32 +01:00
stbe 44db55c4fd Refined definition of defender executable 2021-12-09 22:55:09 +01:00
Tim Shelton f59c8c3360 changing case of title 2021-12-09 20:53:07 +00:00
Tim Shelton 791f419b9e fixing column 2021-12-09 20:41:50 +00:00
Tim Shelton 19eff6952b Fixing format errors 2021-12-09 20:39:43 +00:00
Tim Shelton ae34e020c2 Adding new sig to detect password on commandline 2021-12-09 20:33:37 +00:00
Tim Shelton 06c7a7d445 adding allow for wsmprovhost.exe to call powershell pipes 2021-12-09 19:46:35 +00:00
Florian Roth 1574f13824 Merge pull request #2418 from secDre4mer/master 
Add rules for uncommon process creation events
 2021-12-09 16:51:45 +01:00
frack113 e049058d14 Merge pull request #2415 from frack113/condition 
builtin/security simplified condition
 2021-12-09 16:24:24 +01:00
frack113 cd87b2baa5 Merge pull request #2414 from frack113/fp 
sysmon_abusing_azure_browser_sso.yml FP
 2021-12-09 16:23:06 +01:00
Tim Shelton 88eaeca844 Adding filter for msiexec repair option 2021-12-09 15:16:52 +00:00
Florian Roth 0689e253b4 set level to "high" 2021-12-09 16:03:20 +01:00
Florian Roth a5c53789d9 set level to high 2021-12-09 16:03:06 +01:00
Max Altgelt 3c699a2272 fix: inline list with one argument 2021-12-09 15:49:18 +01:00
Max Altgelt ca2ead74b1 feat: Add rules to detect uncommon process creation events 2021-12-09 14:21:34 +01:00
Max Altgelt 538fb06f05 fix: mark string as regex 2021-12-09 14:09:19 +01:00
stbe 20f185f2b8 Added Defender to win_susp_lsass_dump_generic.yml 2021-12-09 13:57:09 +01:00
Florian Roth af2c6a0ecb Lower the level to "low" 
In case that some backends/scripts/tools don't respect the "deprecated" status
 2021-12-09 13:01:12 +01:00
frack113 62207b80ba Change to deprecated as too many FP 2021-12-09 09:34:08 +01:00
frack113 3ce9336e79 simplified condition 2021-12-08 20:12:57 +01:00
frack113 61a0f1a706 Merge pull request #2405 from mlp1515/sysmon_volume_shadow_copy_service_keys-false-positif 
False positives on sysmon_volume_shadow_copy_service_keys.yml
 2021-12-08 18:28:49 +01:00
frack113 4baeddbf16 change to test 2021-12-08 18:06:03 +01:00
frack113 f6af9f6f0b OneDrive FP 2021-12-08 17:31:41 +01:00
frack113 2e92bdb43b Update sysmon_esentutl_volume_shadow_copy_service_keys.yml 2021-12-08 17:25:03 +01:00
frack113 f59124e0ad Merge pull request #2404 from frack113/t1016 
Add some T1016 windows
 2021-12-08 17:22:37 +01:00
frack113 9e02a6002a Merge pull request #2402 from frack113/fp_reg 
sysmon_asep_reg_keys_modification_currentversion OneDriveSetup FP
 2021-12-08 17:21:45 +01:00
Florian Roth b315ff9786 Merge pull request #2408 from SigmaHQ/aurora-false-positive-fixing 
fix: multiple FPs with different rules
 2021-12-08 14:50:01 +01:00
Florian Roth 157fa31f1b Merge pull request #2400 from redsand/fixing_errs_with_invoke_obfus 
Fixing errs with invoke obfus
 2021-12-08 14:49:42 +01:00
stbe 7566207026 Corrected filter field name in win_pass_the_hash.yml 2021-12-08 14:03:13 +01:00
stbe 88b5e1bd9e Corrected filter field name in win_pass_the_hash_2.yml 2021-12-08 13:49:18 +01:00
Florian Roth b5493a6136 Merge pull request #2407 from SigmaHQ/rule-devel 
fix: dysfunctional imphash rules, rule: grafana rule
 2021-12-08 13:04:20 +01:00
Florian Roth 72e85fdc92 rule: Grafana CVE-2021-43798 2021-12-08 12:01:59 +01:00
Florian Roth 42e077d382 fix: Suspicious SYSTEM User Process Creation > schtasks 2021-12-08 11:44:30 +01:00
Florian Roth a502f316ef Merge pull request #2406 from SigmaHQ/rule-devel 
Rule refactoring, DInject rule
 2021-12-08 11:26:24 +01:00
Florian Roth b7f982734a fix: dysfunctional imphash rules 2021-12-08 11:26:17 +01:00
Florian Roth 33bdfd124d refactor: comsvcs.dll adjustments - run by ordinal variants 2021-12-08 10:02:21 +01:00
Florian Roth bfd6b48ee4 refactor: adjusted run by ordinal pattern for Sysmon 2021-12-08 10:01:54 +01:00
mlp1515 007a24f569 Replace sysmon_volume_shadow_copy_service_keys.yml rule by sysmon_esentutl_volume_shadow_copy_service_keys.yml because of too many false positives 2021-12-08 08:49:16 +00:00
Florian Roth c6f1398cfb rule: DInject usage 2021-12-08 09:38:23 +01:00