security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Andreas Hunkeler a0eb895119 Fix file name by adding the missing file extension 
(facepalm) commit
 2021-11-19 21:08:59 +01:00
Andreas Hunkeler bccd89174f Fix file name for exefile rule 2021-11-19 20:27:51 +01:00
frack113 13099ea9bf Merge pull request #2279 from frack113/malware 
Add sysmon_win_reg_persistence_recycle_bin.yml
 2021-11-19 19:11:06 +01:00
frack113 264db60c5e Merge pull request #2276 from phantinuss/master 
Rule Fix: Paths with Quotes
 2021-11-19 19:05:36 +01:00
Florian Roth 19a303bcfb Merge pull request #2282 from Karneades/exefile 
Update shell open key rule
 2021-11-19 17:40:35 +01:00
Andreas Hunkeler 6cc12b9416 rule: fix title in new exefile rule 2021-11-19 17:32:37 +01:00
Andreas Hunkeler 85a7c71c8e rule: add new rule to detect the abuse of the exefile file handler 2021-11-19 17:23:03 +01:00
Andreas Hunkeler a1dc685ea4 Add note regarding persistence in shell open rule 2021-11-19 16:18:25 +01:00
Andreas Hunkeler 74eac016c8 Update date after shell open rule change 2021-11-19 16:17:21 +01:00
Florian Roth 4acbb15713 Merge branch 'master' into rule-devel 2021-11-19 15:52:21 +01:00
Andreas Hunkeler 79cf80fa6b Update shell open key rule 
* Make rule more generic regarding exefile detection instead of only naming it "uac bypass"
* Add further references and attack tags
 2021-11-19 14:03:56 +01:00
Florian Roth 3834048363 docs: extended false positive comment 2021-11-19 12:15:11 +01:00
Florian Roth 86f7c2b9f9 fix: FPs with WMI module rule 2021-11-19 12:15:01 +01:00
frack113 fe87379747 Rename win_ADCS_certificate_template_configuration_vulnerability_EKU.yml to win_adcs_certificate_template_configuration_vulnerability_eku.yml 2021-11-19 08:47:40 +01:00
frack113 e8426c57cd fix title 2021-11-19 07:03:52 +01:00
frack113 f8e28c6519 Fix title 2021-11-19 07:00:05 +01:00
frack113 5e96a5c151 Merge pull request #2275 from WojciechLesicki/master 
Adding two more process, additional references, information about Cob…
 2021-11-19 06:46:10 +01:00
Orlinum 69bd0f9c8f Create win_ADCS_certificate_template_configuration_vulnerability.yml 
new rule
 2021-11-18 22:46:19 +01:00
Orlinum 15c042fca4 Create win_ADCS_certificate_template_configuration_vulnerability_EKU.yml 
new file
 2021-11-18 22:39:08 +01:00
frack113 8176d9b47e Add sysmon_win_reg_persistence_recycle_bin.yml 2021-11-18 18:39:20 +01:00
Pawel Mazur 87f64e28fd Adding New Linux Auditd rule - Data Exfil with Wget 2021-11-18 18:03:17 +01:00
Florian Roth b91b43ad84 rule: Exchange CVE-2021-42321 2021-11-18 17:27:09 +01:00
Florian Roth ecc7181d6e fix: FP with Windows Update Client LOLBIN rule 2021-11-18 13:34:55 +01:00
phantinuss 84476e1dd4 fix: prevent possible FPs from non-windows native calls using paths surrounded by quotes 2021-11-18 10:06:03 +01:00
frack113 7a2ce744f1 Merge pull request #2272 from frack113/wmi_FP 
sysmon_wmi_module_load.yml add WMIC.exe
 2021-11-18 06:36:39 +01:00
frack113 4b13ece931 Merge pull request #2270 from phantinuss/master 
enhance emotet rundll32 execution pattern for current campaign
 2021-11-18 06:35:11 +01:00
frack113 a6771d684b Merge pull request #2269 from frack113/ntfs 
Add correct provider_name
 2021-11-18 06:32:01 +01:00
WojciechLesicki ba053ea19b Adding two more process, additional references, information about Cobalt Strike etc. 2021-11-17 22:37:23 +01:00
Florian Roth 7dce83033b rule: Winrar suspicious folder 2021-11-17 19:01:48 +01:00
Florian Roth c6564908ef rule: Sitecore Pre-Auth RCE CVE-2021-42237 2021-11-17 19:01:35 +01:00
Florian Roth 23220e7d78 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-17 19:00:06 +01:00
Florian Roth a921bd5ec8 style: reordered rule layout 2021-11-17 18:59:40 +01:00
Florian Roth c71d9dba89 fix: false positive with WMI rule 2021-11-17 18:59:22 +01:00
frack113 0605a1c64e add WMIC.exe 2021-11-17 16:37:27 +01:00
phantinuss 0109694e26 enhance emotet rundll32 execution pattern for current campaign 2021-11-17 15:59:05 +01:00
Florian Roth dcfc9d562e fix: more false positives 2021-11-17 10:27:02 +01:00
frack113 6a9313535c Add correct provider_name 2021-11-17 06:59:57 +01:00
Florian Roth 7d4e3fd2ed fix: more false positive fixes 2021-11-16 23:27:00 +01:00
Florian Roth 97bc8aa6f2 rule: suspicious write to system tasks 2021-11-16 17:30:47 +01:00
Florian Roth 8d6d8c2c92 fix: several FPs 2021-11-16 17:30:23 +01:00
Florian Roth d29c353718 refactor: unnecessary filter 2021-11-16 13:47:41 +01:00
Florian Roth daff947d4b refactor: fixes without CommandLine field in ImageLoad events 2021-11-16 13:46:15 +01:00
Florian Roth 5e14b73b9c fix: FP with logman.exe 2021-11-16 13:39:32 +01:00
Florian Roth 2383b2b76b fix: problem with empty string 2021-11-16 13:33:00 +01:00
Florian Roth 98073049ba fix: FPs with Load of dbghelp/dbgcore DLL from Suspicious Process 2021-11-16 13:11:11 +01:00
Florian Roth 2448691ad0 fix: FPs 2021-11-16 13:04:52 +01:00
Florian Roth 4fb833700f Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-16 12:17:46 +01:00
Florian Roth 3be53dfb72 refactor: tightened rule 2021-11-16 12:17:43 +01:00
Florian Roth 760266ab34 Merge branch 'master' into rule-devel 2021-11-16 12:13:20 +01:00
Florian Roth 4c1fab644d fix: FPs with Windows Update Client LOLBIN rule 2021-11-16 12:09:03 +01:00