security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
frack113 5c68c42058 order powershell_script 2021-10-09 10:30:36 +02:00
Florian Roth 6c4e24d0de rule: coin miner param --cpu-priority 2021-10-09 10:28:16 +02:00
frack113 77749510b7 fix yml 2021-10-09 10:01:40 +02:00
frack113 41d098b253 fix yml error 2021-10-09 09:59:21 +02:00
frack113 9b0f744f75 order powershell_script 2021-10-09 09:57:45 +02:00
frack113 fe7fbfd5fc order powershell_module 2021-10-09 09:50:49 +02:00
Florian Roth 5b49b5ee17 Merge pull request #2130 from phantinuss/master 
fix: prevent FP triggering of other sources utilising ID 1102
 2021-10-08 20:14:08 +02:00
phantinuss 04c37d977b fix: prevent FP triggering of other sources utilising ID 1102 2021-10-08 16:43:14 +02:00
frack113 98b24d30ae Merge pull request #2125 from frack113/nuclei_iis_fuzzing 
Nuclei iis fuzzing
 2021-10-08 16:40:01 +02:00
Bhabesh Rai a45e516f99 Added rule for possible persistence via VMTools 2021-10-08 13:28:35 +05:45
Roberto Rodriguez 7f17eaeb87 added rule to detect suspicious named pipe connections to an AD FS server 2021-10-08 01:57:22 -04:00
Mika Luhta e70d17745e Update modified field 2021-10-07 18:42:22 +02:00
Mika Luhta 0ee777e3b4 Fix rule detection logic 
Changed ParentImage to Image
 2021-10-07 14:25:18 +03:00
frack113 0d04b469f7 order powershell_classic 2021-10-07 07:40:53 +02:00
frack113 930d2d4223 fix id 2021-10-06 17:53:16 +02:00
frack113 dfd316c0ce Add web_iis_tilt_shortname_scan.yml 2021-10-06 17:46:15 +02:00
frack113 6d56e400d2 Merge pull request #2121 from frack113/update_test 
Update test  adding  logsource to duplicate logic test
 2021-10-06 14:46:48 +02:00
Florian Roth 7cf01c2f0c extended CVE-2021-41773 rule 2021-10-06 12:43:10 +02:00
Florian Roth 539756c884 Merge pull request #2124 from SigmaHQ/rule-devel 
rule: Apache Path Traversal - CVE-2021-41773
 2021-10-06 10:55:26 +02:00
frack113 d0561d361b Merge pull request #2123 from rachelrice/update_aws_rules 
Update AWS SAML and Lambda rules
 2021-10-05 19:49:54 +02:00
Rachel Rice d9e5da6c86 Use startswith for eventName selection 
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
 2021-10-05 17:52:52 +01:00
Florian Roth 5576f50470 fix: title, add my name 2021-10-05 17:35:09 +02:00
Florian Roth 0fde46b602 Merge branch 'master' into rule-devel 2021-10-05 17:33:48 +02:00
Florian Roth 482df0a0ad rule: Apache Vuln CVE-2021-41773 2021-10-05 17:33:37 +02:00
frack113 651d453aeb Merge pull request #2122 from frack113/move_file 
Move file to correct directory
 2021-10-05 16:58:26 +02:00
frack113 ba3356cdb0 Merge pull request #2120 from MetallicHack/master 
azure_ad_user_added_to_admin_role.yml
 2021-10-05 16:57:58 +02:00
Rachel Rice 4ae3ece314 Update AWS SAML and Lambda rules 
Use correct case for `AssumeRoleWithSAML` event name.
`UpdateFunctionConfiguration`, `UpdateFunctionConfiguration20150331` and `UpdateFunctionConfiguration20150331v2` are all valid event names for updating Lambda function configuration, added selection condition for any of these.
 2021-10-05 14:08:40 +01:00
MetallicHack 030fc2a03e change title and tags in order to match sigmarules 2021-10-05 09:40:25 +02:00
MetallicHack a4100e76b9 change title and tags in order to match sigmarules 2021-10-05 09:39:03 +02:00
frack113 ad9362e043 Update passed_role_to_glue_development_endpoint.yml 2021-10-05 07:41:41 +02:00
frack113 3b01425936 Update aws_pass_role_to_lambda_function.yml 2021-10-05 07:40:42 +02:00
frack113 80d09483d9 move to builtin 2021-10-05 07:33:50 +02:00
frack113 4f86a245f8 Order file i correct directory 2021-10-05 07:30:43 +02:00
frack113 201708c097 Merge pull request #2103 from webboy2015/patch-1 
Create win_lolbas_execution_of_nltest.exe.yaml
 2021-10-05 07:24:05 +02:00
frack113 654b5b4bff Update win_lolbas_execution_of_nltest.yml 2021-10-04 22:08:47 +02:00
frack113 fd329f4f9b Remove unneeded EventID 2021-10-04 21:25:57 +02:00
MetallicHack fe439e1998 Rename azure_ad_user_added_to_sensitive_role.yml to azure_ad_user_added_to_admin_role.yml 2021-10-04 15:26:58 +02:00
MetallicHack 96f05f7f19 Update azure_ad_user_added_to_sensitive_role.yml 2021-10-04 15:25:55 +02:00
Austin Songer d694d6faa8 Create passed_role_to_glue_development_endpoint.yml 2021-10-03 23:03:39 -05:00
Austin Songer 60eccf711d Rename pass_role_to_lambda_function.yml to aws_pass_role_to_lambda_function.yml 2021-10-03 22:54:19 -05:00
Austin Songer 92b1ce4cf4 Create pass_role_to_lambda_function.yml 2021-10-03 22:54:01 -05:00
frack113 dc030e0128 Merge pull request #2114 from austinsonger/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 
process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
 2021-10-03 08:24:52 +02:00
Austin Songer 81d1bb0e2b Update process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 2021-10-02 13:32:20 -05:00
frack113 e666b7e1db Merge pull request #2116 from zakibro/master 
New Rule - Linux - Auditd - Clipboard Collection of Image Data with X…
 2021-10-02 11:06:24 +02:00
zakibro c2a26923c6 Update lnx_auditd_clipboard_image_collection.yml 2021-10-02 09:59:37 +02:00
frack113 f652745924 Update and rename win_lolbas_execution_of_nltest.exe to win_lolbas_execution_of_nltest.yml 2021-10-02 07:53:19 +02:00
frack113 e6b32b90af Update win_lolbas_execution_of_nltest.exe 2021-10-02 07:25:11 +02:00
frack113 d819d726eb Merge pull request #2112 from austinsonger/macos_suspicious_macos_firmware_activity.yml 
macos_suspicious_macos_firmware_activity.yml
 2021-10-02 07:09:11 +02:00
webboy2015 87df79302d Update win_lolbas_execution_of_nltest.exe 
Changed condition as follows:
   detection:
       selection:
          EventID: 4689
          ProcessName|endswith: nltest.exe
          Status: "0x0"
     condition: selection

Included  field - SubjectDomainName
 2021-10-01 12:55:37 -07:00
zakibro d40b42fc2c Update lnx_auditd_clipboard_image_collection.yml 
fixing a typo
 2021-10-01 18:54:12 +02:00