security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth 75663ceb46 rule: file creation LPE CVE-2021-41379 2021-11-22 14:15:51 +01:00
Florian Roth 9a2e7a23fa docs: tags for CVE-2021-41379 2021-11-22 14:06:50 +01:00
Florian Roth 023a0f0685 Revert "refactor: rule could possible generate to many FPs" 
This reverts commit 24c4d51796.
 2021-11-22 14:03:59 +01:00
Florian Roth ff6bb3acea extended filters and descriptions 2021-11-22 14:01:30 +01:00
Florian Roth d5eff9ef6d fix: FP with In-memory PowerShell rule and Visual Studio 2021-11-22 13:45:31 +01:00
Florian Roth 37ff832fda fix: FPs with LSASS access rule 2021-11-22 13:43:20 +01:00
Florian Roth 145d05e756 Merge pull request #2294 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs with Aurora
 2021-11-22 13:30:07 +01:00
Florian Roth db03d08b11 Merge pull request #2293 from SigmaHQ/rule-devel 
fix: 0x1000 access on LSASS, rule: new LSASS access, rule: CVE-2021-41379
 2021-11-22 13:29:31 +01:00
Florian Roth cda13acc83 Revert "refactor: add another flag set" 
This reverts commit ca62fe586f.
 2021-11-22 12:51:16 +01:00
Florian Roth ca62fe586f refactor: add another flag set 2021-11-22 12:21:19 +01:00
Florian Roth a5b7a92d91 fix: FPs with Aurora 2021-11-22 12:20:21 +01:00
Florian Roth 01189dcef2 fix: rule condition 2021-11-22 11:47:39 +01:00
Florian Roth d2e45afc3c fix: typo in filename - missing period 2021-11-22 11:40:17 +01:00
Florian Roth d3ec743906 fix: changed modified date 2021-11-22 11:38:37 +01:00
Florian Roth fbd8df5768 rule: lsass access suspicious flags 2021-11-22 11:37:09 +01:00
Florian Roth 24c4d51796 refactor: rule could possible generate to many FPs 2021-11-22 11:28:32 +01:00
Florian Roth 7432aa37a0 refactor: lsass query info access 2021-11-22 11:02:01 +01:00
frack113 e5404785d3 Merge pull request #2290 from frack113/fix_fieldname 
Fix field name in windows rules
 2021-11-21 09:09:40 +01:00
remotephone be59ca0f01 Update macos_space_after_filename.yml 
Fixing new line and updating change date
 2021-11-20 15:54:24 -06:00
remotephone 9530d67834 Create macos_space_after_filename.yml 
Adding coverage for macOS space after filename
 2021-11-20 15:43:51 -06:00
frack113 bc61fbeee2 Merge pull request #2281 from orlinum/patch-2 
Create win_ADCS_certificate_template_configuration_vulnerability.yml
 2021-11-20 20:45:04 +01:00
frack113 3162b7ccfe Merge pull request #2280 from orlinum/patch-1 
Create win_ADCS_certificate_template_configuration_vulnerability_EKU.yml
 2021-11-20 20:44:42 +01:00
Florian Roth 0da02fbc46 fix: image_load in sysmon doesn't contain a command line 2021-11-20 19:58:21 +01:00
frack113 76da6e3fcc Merge pull request #2289 from V1D1AN/master 
add tag mitre t1041
 2021-11-20 19:57:35 +01:00
Orlinum c37f7aede9 path modified to rules/windows/builtin/ 2021-11-20 19:38:00 +01:00
Orlinum 89c20b2b28 path modified to rules/windows/builtin/ 2021-11-20 19:37:55 +01:00
frack113 83dee26262 Update net_pua_cryptocoin_mining_xmr.yml 2021-11-20 19:20:07 +01:00
frack113 ebcfcfebf4 Fix field name 2021-11-20 19:14:59 +01:00
Florian Roth 3eeeb81d00 Merge pull request #2288 from SigmaHQ/rule-devel 
fix: FPs; rule: Windows Shell File Write to Suspicious Folder
 2021-11-20 18:27:26 +01:00
V1D1AN d4976b015c add tag mitre attack.t1496 and attack.t1567 2021-11-20 16:34:41 +01:00
V1D1AN c190668166 add tag mitre t1041 for equation group c2 2021-11-20 16:23:27 +01:00
Florian Roth ed4e771700 Merge pull request #2287 from frack113/tags 
Add missing Mitre Techniques Tags for windows rules
 2021-11-20 15:38:25 +01:00
Florian Roth 9cbc026f43 Merge pull request #2283 from Karneades/new-filehandler 
rule: add new rule to detect the abuse of the exefile file handler
 2021-11-20 15:37:42 +01:00
Florian Roth 1ce65c6730 rule: shell file write to suspicious folder 2021-11-20 15:37:10 +01:00
Florian Roth e73816bb22 fix: too many false positives with in-memory detection rule 2021-11-20 15:07:20 +01:00
Florian Roth 15a4938294 fix: wrong condition 2021-11-20 15:05:06 +01:00
Florian Roth c7462832fe fix: FPs with Wincred in log files 2021-11-20 15:03:11 +01:00
Florian Roth dfbaadf932 fix: FPs - extended filter 2021-11-20 13:01:24 +01:00
Florian Roth 8271b04f80 fix: FPs with ISO mount rule 2021-11-20 12:46:50 +01:00
frack113 c6087bc988 fix tags errors 2021-11-20 12:35:41 +01:00
Florian Roth f1d2903ec2 fix: FPs with rules 2021-11-20 12:32:15 +01:00
frack113 f47d0da3f7 add missing MITRE Techniques 2021-11-20 12:26:01 +01:00
Florian Roth 6c040f0844 fix: more false positives 2021-11-20 12:00:18 +01:00
Florian Roth 5b8b622658 fix: too many false positives with WMI Modules Loaded 2021-11-20 11:54:19 +01:00
Florian Roth 1fffb57df0 fix: FPs with different rules 2021-11-20 11:33:43 +01:00
frack113 ab663f9bcf Add MITTRE Technique 2021-11-20 10:56:41 +01:00
frack113 8f0cee86ac Add Technique tags 2021-11-20 09:53:35 +01:00
Andreas Hunkeler a8f70e8031 Improve exefile rule logic 2021-11-20 00:18:55 +01:00
frack113 1cfca93354 Missing status in rules (#2284) 
* add missing status
 2021-11-19 22:32:26 +01:00
frack113 0c61c444eb Merge pull request #2278 from zakibro/master 
Adding New Linux Auditd rule - Data Exfil with Wget
 2021-11-19 22:30:10 +01:00