Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth 1b63c0f541 Merge pull request #2403 from redsand/fix_fp_in_ipv6_dllhost_req
Adding filter for ipv6 local for rundll32 net connections
2021-12-07 23:03:38 +01:00
Florian Roth 50ddc5f3ab style: new best practice filter condition 2021-12-07 20:58:03 +01:00
Tim Shelton f08a264986 fixing space 2021-12-07 19:47:13 +00:00
Tim Shelton d4b71dff88 Adding filter for ipv6 local for rundll32 net connections 2021-12-07 19:44:29 +00:00
frack113 592259af80 Add T1016 2021-12-07 20:41:49 +01:00
frack113 82dfc689e4 OneDriveSetup FP 2021-12-07 19:05:52 +01:00
Tim Shelton 3bf8eb6aff reverting modified date, batch 2 2021-12-07 17:55:52 +00:00
Tim Shelton d79a0e029b reverting modified date, batch 1 2021-12-07 17:53:50 +00:00
Florian Roth 69816e1395 Merge branch 'master' into aurora-false-positive-fixing 2021-12-07 18:39:28 +01:00
Tim Shelton c9e08884f6 updating date 2021-12-07 16:27:01 +00:00
Tim Shelton aa16afd09c updating date 2021-12-07 16:26:38 +00:00
Tim Shelton 3fa1624b68 order matters... need to use most intensive match last 2021-12-07 16:11:42 +00:00
Tim Shelton fddf423878 order matters... need to use most intensive match last 2021-12-07 16:10:33 +00:00
Tim Shelton 3873872381 order matters... need to use most intensive match last 2021-12-07 16:09:35 +00:00
Tim Shelton 8f20846524 order matters... need to use most intensive match last 2021-12-07 16:08:37 +00:00
Tim Shelton f31b3865ae order matters... need to use most intensive match last 2021-12-07 16:07:18 +00:00
Tim Shelton 8086c3446f order matters... need to use most intensive match last 2021-12-07 16:04:21 +00:00
Tim Shelton 9122b3c881 order matters... need to use most intensive match last 2021-12-07 16:03:09 +00:00
Tim Shelton 3fcda9704e order matters... need to use most intensive match last 2021-12-07 16:01:28 +00:00
Florian Roth c447cb4212 Merge pull request #2398 from SigmaHQ/rule-devel
rule: improved comsvcs.dll Minidump rule
2021-12-07 15:59:33 +01:00
Florian Roth 89e659355c fix: FPs noticed with Aurora 2021-12-07 15:06:49 +01:00
Florian Roth 1cae016459 rule: fix and extend comsvcs minidump rule 2021-12-07 15:05:20 +01:00
Florian Roth 63fd1189e7 rule: improved comsvcs.dll Minidump rule 2021-12-07 12:59:20 +01:00
Florian Roth 5fcf0d9e06 Merge pull request #2397 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-07 11:28:14 +01:00
Florian Roth 8700a144b6 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-07 10:38:11 +01:00
Florian Roth 506631485e fix: FPs noticed with Aurora 2021-12-07 10:38:10 +01:00
Florian Roth fc6ad3667c Merge pull request #2396 from SigmaHQ/rule-devel
New rules - Suspicious SYSTEM context
2021-12-07 08:24:12 +01:00
Florian Roth 507a0649f3 rule: suspicious process creation as SYSTEM user 2021-12-07 07:34:18 +01:00
Florian Roth 48b1ef02df rule: PowerShell as SYSTEM 2021-12-07 07:03:48 +01:00
frack113 777d218adc Merge pull request #2390 from frack113/t1007
Add redcannary T1007
2021-12-07 06:45:38 +01:00
Florian Roth dc3b6df0ee Merge pull request #2394 from redsand/fp_powershell_cmdline_special_chars
Adding fp filter for ssm-document-worker
2021-12-07 06:14:44 +01:00
Florian Roth a5bb64d479 Merge pull request #2395 from redsand/sql_query_to_name_pipes
adding sql\query to named pipe list
2021-12-07 06:13:20 +01:00
Florian Roth 59a44e1d6e Merge pull request #2393 from redsand/win_network_share_object_susp
Adding new rule for network access/write to desktop.ini
2021-12-07 06:12:14 +01:00
Tim Shelton ce496e6357 removing dot 2021-12-06 22:39:24 +00:00
Tim Shelton f52005e571 does this pass the test? 2021-12-06 22:30:41 +00:00
Tim Shelton 31be528fa0 adding sql\query to named pipe list 2021-12-06 22:27:57 +00:00
Tim Shelton 905d6bf8fd Adding fp filter for ssm-document-worker 2021-12-06 22:02:54 +00:00
Tim Shelton 3f8e35defa Adding new rule for network access/write to desktop.ini 2021-12-06 22:02:24 +00:00
Florian Roth 426d212dd7 Merge pull request #2389 from SigmaHQ/rule-devel
New rules
2021-12-06 20:14:01 +01:00
frack113 07560e61a0 Add redcannary T1007 2021-12-06 18:56:25 +01:00
Florian Roth 6c72657902 rule: Communication To Mega.nz 2021-12-06 18:35:04 +01:00
Florian Roth 0665cc6223 rule: add user to remote desktop users 2021-12-06 18:29:50 +01:00
Florian Roth 1aa607eeed Merge pull request #2387 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-06 17:37:48 +01:00
Florian Roth 28664dbf5a Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-06 16:35:34 +01:00
Florian Roth 6525771916 fix: FPs noticed with Aurora 2021-12-06 16:35:32 +01:00
Florian Roth dbd5d20eb3 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-06 16:09:51 +01:00
Florian Roth ea7de1f2dd fix: FPs noticed with Aurora 2021-12-06 16:09:50 +01:00
Florian Roth c241601fa9 fix: FPs noticed with Aurora 2021-12-06 13:45:59 +01:00
frack113 4d0eb604af Merge pull request #2385 from frack113/split_asep_reg
Split sysmon_asep_reg_keys_modification
2021-12-06 06:34:26 +01:00
frack113 bd575505ff Merge pull request #2384 from frack113/redcanary_1218_011
Redcanary 1218 011
2021-12-06 06:34:12 +01:00