security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
wagga40 30ab88683c Replace double quoted string literals to single quoted (SQLite) 2022-02-12 19:49:30 +01:00
frack113 7e3c088165 Windows Redcannary 2022-02-12 15:53:13 +01:00
Florian Roth 0feefdc751 Update win_pc_susp_run_folder.yml 2022-02-12 10:17:27 +01:00
Florian Roth b1cd48c828 Merge pull request #2689 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-02-12 10:13:28 +01:00
Florian Roth 98dbfe1ff6 fix: too many matches on many programs 
... running from every other locations
 2022-02-12 00:44:42 +01:00
Florian Roth 12f7c58274 fix: FPs noticed with Aurora 2022-02-12 00:40:10 +01:00
Florian Roth f8995ef961 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-12 00:36:47 +01:00
Florian Roth 626b5a0488 Merge branch 'master' into aurora-false-positive-fixing 2022-02-12 00:36:33 +01:00
Florian Roth 894a34deb1 Merge branch 'master' into aurora-false-positive-fixing 2022-02-12 00:30:04 +01:00
frack113 4e0b3d719a add win_pc_susp_run_folder 2022-02-11 21:37:11 +01:00
Florian Roth a7e4ef4442 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-11 20:21:37 +01:00
Florian Roth 85b25bf17e fix: FP noticed with Aurora 
VSCode installer uses .tmp extension
 2022-02-11 20:21:35 +01:00
Florian Roth 44616f6145 Merge pull request #2686 from Karneades/patch-2 
rule: add tag execution to new bpftrace rule
 2022-02-11 18:18:30 +01:00
Florian Roth 7e46d382f0 Merge pull request #2687 from nasbench/master 
Update win_susp_proc_access_lsass.yml
 2022-02-11 18:06:55 +01:00
Florian Roth c441852e5d Merge pull request #2688 from phantinuss/checkbaseline 
Fix FPs (Example Installation 3)
 2022-02-11 18:06:37 +01:00
Florian Roth 891475dccb Merge pull request #2684 from SigmaHQ/rule-devel 
rules: SAM dump, suspicious program names, iso/img mount
 2022-02-11 18:06:20 +01:00
Tim Shelton 6d27058ce0 updating, with suggestions 2022-02-11 16:12:43 +00:00
phantinuss 646ce36809 fix: use doublequotes instead of ' because of ' in string 2022-02-11 16:52:45 +01:00
phantinuss 809f7abbb8 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 3 2022-02-11 16:38:52 +01:00
Nasreddine Bencherchali d0b68c4483 Update win_susp_proc_access_lsass.yml 2022-02-11 14:20:42 +01:00
Florian Roth a72e432389 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-02-11 14:15:54 +01:00
Florian Roth 0476b8693d refactor: extended .iso rule 2022-02-11 14:15:51 +01:00
Andreas Hunkeler c8fa678a9b rule: add tag execution to new bpftrace rule 2022-02-11 14:14:22 +01:00
Florian Roth d15d5d839b Merge pull request #2685 from Karneades/patch-2 
rule: add new bpftrace unsafe option rule
 2022-02-11 12:53:59 +01:00
Florian Roth 635a5c7d41 fix: wrong condition 2022-02-11 12:47:34 +01:00
Florian Roth 06e62c48ee Merge pull request #2683 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-02-11 12:45:41 +01:00
Florian Roth 3fa2d13e10 rule: iso / img file mount 2022-02-11 12:37:35 +01:00
Florian Roth 8e255bfdaf refactor: sam hive dump filename rule 2022-02-11 12:16:40 +01:00
Andreas Hunkeler 66b9d35ee9 rule: add new bpftrace unsafe option rule 2022-02-11 12:08:53 +01:00
Florian Roth 1bf00333f7 fix: exclude empty OriginalName fields 2022-02-11 12:01:02 +01:00
Florian Roth 36b0a13e0f fix: better way to filter these events 2022-02-11 12:00:08 +01:00
Florian Roth 55a2fdd1c3 fix: FP noticed with Aurora 2022-02-11 11:58:30 +01:00
Florian Roth e6989f9efb rules: samdumps, suspicious program names 2022-02-11 11:58:02 +01:00
frack113 5f99b405e8 Merge pull request #2664 from ionsor/patch-2 
Create microsoft365_new_federated_domain_added.yml
 2022-02-11 06:40:44 +01:00
frack113 46c2da7f8a Merge pull request #2663 from ionsor/patch-1 
Create azure_mfa_disabled.yml
 2022-02-11 06:40:18 +01:00
frack113 6a69a06ea9 Merge pull request #2681 from johnpaulglab/patch-1 
Update win_pc_msiexec_install_quiet.yml
 2022-02-11 06:35:18 +01:00
frack113 73fb8b7f80 Merge pull request #2682 from johnpaulglab/patch-2 
Update win_pc_msiexec_execute_dll.yml
 2022-02-11 06:35:08 +01:00
johnpaulglab a8f8f88c34 Update win_pc_msiexec_execute_dll.yml 
Spelling error
 2022-02-10 14:41:22 -06:00
johnpaulglab 89e98db927 Update win_pc_msiexec_install_quiet.yml 
Spelling error
 2022-02-10 14:38:51 -06:00
Florian Roth 288e3a0a61 Merge pull request #2679 from phantinuss/checkbaseline 
Fix FPs (Example Installation 2)
 2022-02-10 19:46:20 +01:00
phantinuss 97f4b8a1e9 fix: mandatory escaping of \* 2022-02-10 16:16:42 +01:00
phantinuss 6ad44598ee fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2 2022-02-10 16:12:17 +01:00
Florian Roth 47d9595123 Merge pull request #2677 from SigmaHQ/rule-devel 
refactor and new: lsass process dumping rules
 2022-02-10 15:51:19 +01:00
Florian Roth ae9983bc3d Merge pull request #2678 from humpalum/patch-2 
fix: False Positive fix
 2022-02-10 15:50:57 +01:00
Florian Roth 5ab21fdd0a docs: wording 2022-02-10 12:49:23 +01:00
Florian Roth 3c7c348b89 refactor: extended rules and made them more exact 2022-02-10 12:46:24 +01:00
Tobias Michalski 6af5d4b6f5 fix: False Positive fix 
Empty field CurrentDirectory should be "or"-ed
 2022-02-10 12:15:18 +01:00
Florian Roth a05b3e50e5 refactor and new: lsass process dumping rules 2022-02-10 09:17:25 +01:00
frack113 3ea09e9ec6 Update azure_mfa_disabled.yml 2022-02-10 06:40:03 +01:00
frack113 69413c26bb Update microsoft365_new_federated_domain_added.yml 2022-02-10 06:39:02 +01:00