Commit Graph

7964 Commits

Author SHA1 Message Date
frack113 e76c11da7f Merge pull request #1908 from neu5ron/patch-7
improve rule logic zeek_default_cobalt_strike_certificate.yml
2021-08-24 08:36:33 +02:00
frack113 293f422243 Merge pull request #1906 from neu5ron/patch-5
improve zeek_dce_rpc_smb_spoolss_named_pipe
2021-08-24 08:36:18 +02:00
frack113 81ec546e42 Merge pull request #1905 from neu5ron/patch-4
improve rule
2021-08-24 08:36:04 +02:00
Florian Roth 272625a005 Update win_susp_splwow64.yml 2021-08-24 08:34:08 +02:00
frack113 15aa0cb70e add modified 2021-08-24 08:02:24 +02:00
frack113 ade7295cab Merge pull request #1911 from austinsonger/gworkspace_granted_domain_api_access.yml
gworkspace_granted_domain_api_access.yml
2021-08-24 08:01:34 +02:00
frack113 4ee4f12f30 add modified 2021-08-24 08:01:01 +02:00
frack113 8ab90d8012 add modified 2021-08-24 07:59:36 +02:00
frack113 be43ecd70d Remove empty element in list
Otherwise you get a `null` when converting to some backends (es-rule, ...)
2021-08-24 07:57:16 +02:00
frack113 d8befe3a13 Update References 2021-08-24 07:34:33 +02:00
frack113 07dc04b1db Merge pull request #1910 from austinsonger/gworkspace_user_assigned_admin_role.yml
gworkspace_user_assigned_admin_role.yml
2021-08-24 07:22:25 +02:00
frack113 831a473c0d Merge pull request #1904 from austinsonger/365
Microsoft 365 Rules
2021-08-24 07:17:24 +02:00
neu5ron 9e588fdcf6 Zeek dce_rpc.log Detection of print driver installs over RPC (i.e. possible PrintNightmare) using the three existing known RPC functions, as well as a few others "discussed" but not directly related to the PrintNightmare PoC or public post-compromise write-ups. 2021-08-24 00:58:36 -04:00
Austin Songer facd58bd0a Delete gworkspace_user_granted_admin_privileges.yml 2021-08-23 21:19:51 -05:00
Austin Songer 3cd43bfd9b Create gworkspace_granted_domain_api_access.yml 2021-08-23 21:19:44 -05:00
Austin Songer aa7a8a3e71 Update gworkspace_user_granted_admin_privileges.yml 2021-08-23 19:58:20 -05:00
Austin Songer 0fe2b3f569 Update and rename gworkspace_user_assigned_admin_role.yml to gworkspace_user_granted_admin_privileges.yml 2021-08-23 19:52:32 -05:00
Austin Songer ede0332f22 Delete microsoft365_suspicious_inbox_manipulation_rules.yml 2021-08-23 19:40:20 -05:00
Austin Songer 3dd201d36f Rename workspace_user_assigned_admin_role.yml to gworkspace_user_assigned_admin_role.yml 2021-08-23 19:38:58 -05:00
Austin Songer 6b1f0b83f4 Create workspace_user_assigned_admin_role.yml 2021-08-23 19:38:47 -05:00
Austin Songer c767da91d1 Delete gworkspace_user_assigned_admin_role.yml 2021-08-23 19:38:01 -05:00
Austin Songer 8382bbfe09 Create gworkspace_user_assigned_admin_role.yml 2021-08-23 19:37:46 -05:00
Austin Songer edcb956f2a Merge branch 'SigmaHQ:master' into gworkspace_user_assigned_admin_role.yml 2021-08-23 19:37:06 -05:00
Austin Songer c0e58d3c27 Update 2021-08-23 23:00:58 +00:00
Austin Songer 29e1ce7e8f Update 2021-08-23 22:50:39 +00:00
Austin Songer ad892eb239 Update 2021-08-23 22:46:37 +00:00
Austin Songer 84944cf849 Update 2021-08-23 22:30:11 +00:00
Austin Songer 53482b7e9c Update 2021-08-23 22:19:41 +00:00
Austin Songer 754158bfd2 Update 2021-08-23 22:18:12 +00:00
Austin Songer da69b2f531 Update 2021-08-23 22:09:27 +00:00
Austin Songer 595bd3b80f Updated 2021-08-23 22:07:09 +00:00
Austin Songer 1fa32fcd1a Update 2021-08-23 22:02:47 +00:00
Austin Songer 4ab9519546 Update 2021-08-23 18:59:07 +00:00
Nate Guagenti b255586117 condition fix and add fields
should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation
2021-08-23 14:59:06 -04:00
Austin Songer 8e4b8f45dd Update 2021-08-23 18:57:17 +00:00
Austin Songer a5c551ad61 Merge branch '365' of https://github.com/austinsonger/sigma into 365 2021-08-23 18:55:40 +00:00
Austin Songer 41786a1b63 In-Progress 2021-08-23 18:55:29 +00:00
Nate Guagenti 064d7b7b9f improve rule logic zeek_default_cobalt_strike_certificate.yml
zeek logging for `certificate.serial` has all letters capitalized
2021-08-23 14:23:41 -04:00
Nate Guagenti cfc32e5950 correct fields for zeek_rdp_public_listener.yml
correct zeek fields for `fields` section.
improve false positives information
2021-08-23 14:16:55 -04:00
Nate Guagenti 1819e4b02b improve rule
- improve rule logic
- match zeek fields for fields section
- add false positive information
- change rule name to match the logic of the original rule. Rule said "first" seen; however, there is no logic that matches that (i.e. rare, stacking, etc.)
2021-08-23 14:12:50 -04:00
Nate Guagenti feb7d0e187 Update zeek_dns_mining_pools.yml 2021-08-23 14:11:04 -04:00
Nate Guagenti b00e1772b3 added logic and usage
rule logic should be endswith.
match zeek fields for `fields` section
add false positive information
2021-08-23 14:03:38 -04:00
Austin Songer 3d151ef9f1 Update microsoft365_logon_from_risky_ip_address.yml 2021-08-23 12:59:53 -05:00
Austin Songer 23e96712f8 Update microsoft365_data_exfiltration_to_unsanctioned_app.yml 2021-08-23 12:59:44 -05:00
frack113 a04fbe2a99 Merge pull request #1901 from frack113/redcanary
Redcanary Powershell Suspicious Win32_PnPEntity T1120
2021-08-23 19:44:16 +02:00
frack113 07c808d35c Merge pull request #1902 from neu5ron/patch-2
Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
2021-08-23 19:43:58 +02:00
Austin Songer 1834324a16 Update 2021-08-23 17:33:57 +00:00
Austin Songer 7d211f2487 Data exfiltration to unsanctioned apps 2021-08-23 17:33:00 +00:00
Austin Songer f5286905ff Merge branch 'SigmaHQ:master' into microsoft365 2021-08-23 12:22:58 -05:00
Austin Songer b52f4ba1c3 Merge branch 'master' of https://github.com/austinsonger/sigma 2021-08-23 17:22:08 +00:00