security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth abb8df887a Merge pull request #1690 from WuerthIT/patch_rule 
update rule: powershell_accessing_win_api.yml
 2021-07-15 08:36:38 +02:00
Florian Roth f3d24e27c2 Merge pull request #1694 from leegengyu/patch-13 
Update win_remote_powershell_session_process.yml
 2021-07-15 08:36:12 +02:00
Florian Roth 2055da991f Merge pull request #1691 from SigmaHQ/rule-devel 
Rules: scripts from Temp folders, reg disable sec services
 2021-07-15 08:35:54 +02:00
frack113 0ef3dc2082 escape / in regex 2021-07-15 08:13:49 +02:00
G Y 8bbea58786 Update win_remote_powershell_session_process.yml 
Updated TTP and formatting.
 2021-07-15 11:20:25 +08:00
Florian Roth e516aecc74 fix: error in selector 2021-07-14 15:58:55 +02:00
Florian Roth 530e04faec rule: Script Execution from Temp Folder 2021-07-14 15:52:52 +02:00
Florian Roth 0d794357e8 rule: reg disable security services 2021-07-14 15:52:35 +02:00
k-vdv 12b172039f fixed some typos and adjusted capitalization to original 2021-07-14 15:47:17 +02:00
Florian Roth 3ff4e99d44 Merge pull request #1688 from SigmaHQ/rule-devel 
refactor: improved Raccine uninstall rule
 2021-07-14 09:57:08 +02:00
Florian Roth 04370c7e91 refactor: improved Raccine uninstall rule 2021-07-14 09:56:35 +02:00
Florian Roth 1ec9473472 Merge pull request #1687 from SigmaHQ/rule-devel 
Rule adjustments and new Serv-U exploitation rules
 2021-07-14 08:59:33 +02:00
Florian Roth 5e2e6c9b72 Merge branch 'config-adjustments' into rule-devel 2021-07-14 08:35:47 +02:00
Florian Roth e0f166aba2 rule: Serv-U exploitation 
https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 2021-07-14 08:35:25 +02:00
Florian Roth 85d47aeabc Merge pull request #1678 from frack113/redcanary_t1228 
Some Redcanary T1228
 2021-07-14 08:18:52 +02:00
Florian Roth 9fce0fb42d Merge pull request #1680 from phantinuss/master 
medium level Rule for Windows Defender Exclusions
 2021-07-14 08:18:39 +02:00
frack113 8b14dc6c99 fix [colons] too many spaces after colon 2021-07-13 14:42:47 +02:00
frack113 c00dd0bf65 add win_susp_athremotefxvgpudisablementcommand.yml 2021-07-13 14:29:00 +02:00
frack113 6d1e8268ba update win_workflow_compiler.yml 2021-07-13 13:55:27 +02:00
phantinuss bf9b82fc45 medium level rule for Windows Defender Exclusions 2021-07-13 13:16:25 +02:00
frack113 6b9466ec20 Add process_creation_protocolhandler_suspicious_file.yml 2021-07-13 12:19:07 +02:00
frack113 33832acf5b fix Error: [colons] too many spaces before colon 2021-07-13 10:09:52 +02:00
frack113 c2d9b05191 Add process_creation_infdefaultinstall.yml 2021-07-13 09:56:34 +02:00
frack113 fd377fe163 update process_creation_syncappvpublishingserver_execute_arbitrary_powershell 2021-07-13 09:45:46 +02:00
frack113 82f666c5da add process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml 2021-07-12 16:17:40 +02:00
frack113 d6a86a3fa0 add T1218 sysmon_creation_mavinject_dll.yml 2021-07-12 16:08:18 +02:00
Florian Roth 382d5b2adb Merge pull request #1674 from frack113/fix_small_errors 
Fix some typo error
 2021-07-12 15:23:55 +02:00
Florian Roth 682e0458a3 Merge pull request #1675 from frack113/redcanary_attack.t1562.001 
Atomic Red team T1562.001
 2021-07-12 15:23:35 +02:00
Florian Roth 677c53a262 Merge pull request #1676 from d4rk-d4nph3/master 
Added latest McAfee zloader's reference for Office Security Settings …
 2021-07-12 14:02:49 +02:00
Bhabesh Rai 1fc5ec981d Added latest McAfee zloader's reference for Office Security Settings Changed 2021-07-12 16:56:21 +05:45
frack113 a96678d725 test 21 to 24 from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md 2021-07-12 10:54:44 +02:00
Florian Roth 7f071d7851 Merge pull request #1554 from mlp1515/master 
Update win_multiple_suspicious_cli.yml
 2021-07-12 10:43:26 +02:00
Thomas Patzke 0b83c12dd1 Merge branch 'devel-tp' 2021-07-12 10:21:19 +02:00
frack113 af140ebf84 fix some typo error 2021-07-12 09:40:18 +02:00
Thomas Patzke 176514bd7a New rule: suspicious spoolsv child process 2021-07-12 08:48:59 +02:00
Thomas Patzke 0b590aba5d Adjusted Spool Service DLL load rule 2021-07-11 09:29:43 +02:00
Thomas Patzke 6d41d538b2 Title fixed 2021-07-11 09:25:33 +02:00
Florian Roth 58a634b0b6 Merge branch 'master' into master 2021-07-11 00:32:55 +02:00
frack113 17edaa0950 combines 2 rules 2021-07-09 16:41:03 +02:00
Florian Roth aa0231e1f8 Merge pull request #1664 from frack113/parentofparent 
Move to rules-unsupported as use special enrichment field
 2021-07-09 10:55:22 +02:00
frack113 a53e21eb77 2 more rule with custom field 2021-07-09 10:07:41 +02:00
frack113 14322393f7 fix more invalid windows field name 2021-07-09 10:02:05 +02:00
frack113 06a05cfad9 Move to rules-unsupported as use special enrichment field 2021-07-09 07:40:57 +02:00
Florian Roth db8cc0ee2d Merge pull request #1656 from SigmaHQ/rule-devel 
rule: suspicious vss ps load / PrinternightMare updates
 2021-07-08 15:03:28 +02:00
Florian Roth ec13c691ce Merge pull request #1585 from BlackB0lt/patch-6 
Create aws_ec2_disable_encryption.yml
 2021-07-08 14:54:02 +02:00
Florian Roth c91eda7660 Merge pull request #1610 from cianmcgovern/powershell-network-connection 
Move ipv6 check to selection fields as filter is negated
 2021-07-08 14:53:36 +02:00
Florian Roth 0518439de7 Merge pull request #1648 from frack113/fix_windows_fields 
Fix more windows fields name
 2021-07-08 14:53:14 +02:00
Florian Roth f78b353352 PrinterNightmare rule updates 2021-07-08 14:35:51 +02:00
Florian Roth 2055f78780 refactor: make the rule more usable 2021-07-08 09:05:57 +02:00
Florian Roth 79338b2dbd fix: title 2021-07-08 08:33:46 +02:00