security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
frack113 277d14f4ee Merge pull request #2696 from frack113/thedfirreport_qbot 
Missing Qbot rules
 2022-02-14 06:34:09 +01:00
frack113 7f15b7a802 Missing Qbot rules 2022-02-13 16:07:28 +01:00
frack113 82e08de42c Merge pull request #2693 from wagga40/master 
Correct a typo in rule name
 2022-02-13 16:00:40 +01:00
wagga40 fceb2c0de1 Correct bad commit 2022-02-13 13:34:28 +01:00
Florian Roth e49c142e08 Merge pull request #2695 from frack113/aurora_fp 
Aurora Office FP
 2022-02-13 12:34:40 +01:00
frack113 ce0a5033f8 Aurora Office FP 2022-02-13 11:29:52 +01:00
Florian Roth 22f23b654a fix: FPs noticed with Aurora 2022-02-13 11:24:28 +01:00
Florian Roth 1b7cc9b35a Merge pull request #2691 from frack113/red_20220212 
Windows Redcannary
 2022-02-13 11:23:20 +01:00
frack113 f288134b41 Windows Redcannary 2022-02-13 11:04:00 +01:00
wagga40 c840c1a7f7 Correct a typo in rule name 2022-02-13 09:34:43 +01:00
frack113 e61c9e4b2e Merge pull request #2690 from frack113/susp_temp_exe 
add win_pc_susp_run_folder
 2022-02-13 09:04:16 +01:00
frack113 7e3c088165 Windows Redcannary 2022-02-12 15:53:13 +01:00
Florian Roth 0feefdc751 Update win_pc_susp_run_folder.yml 2022-02-12 10:17:27 +01:00
Florian Roth 98dbfe1ff6 fix: too many matches on many programs 
... running from every other locations
 2022-02-12 00:44:42 +01:00
Florian Roth 12f7c58274 fix: FPs noticed with Aurora 2022-02-12 00:40:10 +01:00
Florian Roth 626b5a0488 Merge branch 'master' into aurora-false-positive-fixing 2022-02-12 00:36:33 +01:00
frack113 4e0b3d719a add win_pc_susp_run_folder 2022-02-11 21:37:11 +01:00
Florian Roth a7e4ef4442 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-11 20:21:37 +01:00
Florian Roth 85b25bf17e fix: FP noticed with Aurora 
VSCode installer uses .tmp extension
 2022-02-11 20:21:35 +01:00
Florian Roth 44616f6145 Merge pull request #2686 from Karneades/patch-2 
rule: add tag execution to new bpftrace rule
 2022-02-11 18:18:30 +01:00
Florian Roth 7e46d382f0 Merge pull request #2687 from nasbench/master 
Update win_susp_proc_access_lsass.yml
 2022-02-11 18:06:55 +01:00
Florian Roth c441852e5d Merge pull request #2688 from phantinuss/checkbaseline 
Fix FPs (Example Installation 3)
 2022-02-11 18:06:37 +01:00
Florian Roth 891475dccb Merge pull request #2684 from SigmaHQ/rule-devel 
rules: SAM dump, suspicious program names, iso/img mount
 2022-02-11 18:06:20 +01:00
Tim Shelton 6d27058ce0 updating, with suggestions 2022-02-11 16:12:43 +00:00
phantinuss 646ce36809 fix: use doublequotes instead of ' because of ' in string 2022-02-11 16:52:45 +01:00
phantinuss 809f7abbb8 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 3 2022-02-11 16:38:52 +01:00
Nasreddine Bencherchali d0b68c4483 Update win_susp_proc_access_lsass.yml 2022-02-11 14:20:42 +01:00
Florian Roth a72e432389 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-02-11 14:15:54 +01:00
Florian Roth 0476b8693d refactor: extended .iso rule 2022-02-11 14:15:51 +01:00
Andreas Hunkeler c8fa678a9b rule: add tag execution to new bpftrace rule 2022-02-11 14:14:22 +01:00
Florian Roth d15d5d839b Merge pull request #2685 from Karneades/patch-2 
rule: add new bpftrace unsafe option rule
 2022-02-11 12:53:59 +01:00
Florian Roth 635a5c7d41 fix: wrong condition 2022-02-11 12:47:34 +01:00
Florian Roth 06e62c48ee Merge pull request #2683 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-02-11 12:45:41 +01:00
Florian Roth 3fa2d13e10 rule: iso / img file mount 2022-02-11 12:37:35 +01:00
Florian Roth 8e255bfdaf refactor: sam hive dump filename rule 2022-02-11 12:16:40 +01:00
Andreas Hunkeler 66b9d35ee9 rule: add new bpftrace unsafe option rule 2022-02-11 12:08:53 +01:00
Florian Roth 1bf00333f7 fix: exclude empty OriginalName fields 2022-02-11 12:01:02 +01:00
Florian Roth 36b0a13e0f fix: better way to filter these events 2022-02-11 12:00:08 +01:00
Florian Roth 55a2fdd1c3 fix: FP noticed with Aurora 2022-02-11 11:58:30 +01:00
Florian Roth e6989f9efb rules: samdumps, suspicious program names 2022-02-11 11:58:02 +01:00
frack113 5f99b405e8 Merge pull request #2664 from ionsor/patch-2 
Create microsoft365_new_federated_domain_added.yml
 2022-02-11 06:40:44 +01:00
frack113 46c2da7f8a Merge pull request #2663 from ionsor/patch-1 
Create azure_mfa_disabled.yml
 2022-02-11 06:40:18 +01:00
frack113 6a69a06ea9 Merge pull request #2681 from johnpaulglab/patch-1 
Update win_pc_msiexec_install_quiet.yml
 2022-02-11 06:35:18 +01:00
johnpaulglab a8f8f88c34 Update win_pc_msiexec_execute_dll.yml 
Spelling error
 2022-02-10 14:41:22 -06:00
johnpaulglab 89e98db927 Update win_pc_msiexec_install_quiet.yml 
Spelling error
 2022-02-10 14:38:51 -06:00
phantinuss 97f4b8a1e9 fix: mandatory escaping of \* 2022-02-10 16:16:42 +01:00
phantinuss 6ad44598ee fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2 2022-02-10 16:12:17 +01:00
Florian Roth 47d9595123 Merge pull request #2677 from SigmaHQ/rule-devel 
refactor and new: lsass process dumping rules
 2022-02-10 15:51:19 +01:00
Florian Roth 5ab21fdd0a docs: wording 2022-02-10 12:49:23 +01:00
Florian Roth 3c7c348b89 refactor: extended rules and made them more exact 2022-02-10 12:46:24 +01:00