security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 7b87b5a8d4 Merge pull request #2426 from SigmaHQ/rule-devel 
Log4j RCE CVE-2021-44228
 2021-12-10 15:15:07 +01:00
Florian Roth a9c9c9ae3a Merge pull request #2425 from SigmaHQ/aurora-false-positive-fixing 
fix: FP with new SYSTEM rule
 2021-12-10 13:50:04 +01:00
frack113 b56630ced1 Add lnx_susp_dev_tcp 2021-12-10 13:39:06 +01:00
Florian Roth 07e4a9209c docs: more links 2021-12-10 13:31:28 +01:00
Florian Roth 06e41b1e57 refactor: single slash uri scheme + dns 2021-12-10 13:07:32 +01:00
Florian Roth a51c03f54c log4j CVE-2021-44228 2021-12-10 13:05:40 +01:00
Florian Roth 8c85f4ffa4 fix: FP with new SYSTEM rule 2021-12-10 12:17:25 +01:00
frack113 27e3c13d11 Merge pull request #2419 from redsand/fp_for_matching_msiexec_behavior 
Adding filter for msiexec repair option
 2021-12-10 08:39:58 +01:00
Tim Shelton b503a11366 oof, wrong field, sorry! 2021-12-10 06:49:55 +00:00
redsand (Tim Shelton) 879a1325f9 Merge branch 'SigmaHQ:master' into fp_for_matching_msiexec_behavior 2021-12-10 00:47:49 -06:00
redsand (Tim Shelton) 6151094fdd Merge branch 'SigmaHQ:master' into detect_net_use_password_plaintext 2021-12-10 00:46:38 -06:00
frack113 8c77e4757f Merge pull request #2420 from redsand/fp_wsmprovhost_ps_pipe 
adding allow for wsmprovhost.exe to call powershell pipes
 2021-12-10 06:50:45 +01:00
frack113 bd90531f65 Merge pull request #2424 from redsand/hawk_add_translate 
hawk backend: fixing err where regex is mangled and should be left alone
 2021-12-10 06:45:25 +01:00
Florian Roth baa1dcd608 Merge pull request #2417 from stbe/imp_lsass_defender 
Added Defender to win_susp_lsass_dump_generic.yml
 2021-12-10 00:00:22 +01:00
Florian Roth 834681c3b4 Update win_susp_net_use_password_plaintext.yml 2021-12-09 23:51:32 +01:00
stbe 44db55c4fd Refined definition of defender executable 2021-12-09 22:55:09 +01:00
frack113 47570ee10c Merge pull request #2421 from redsand/hawk_add_User_transaltion 
backend hawk: adding translation for User, apparently its case sensitive
 2021-12-09 21:57:21 +01:00
Tim Shelton f59c8c3360 changing case of title 2021-12-09 20:53:07 +00:00
Tim Shelton d58bf20e4c fixing err where regex is mangled and should be left alone 2021-12-09 20:43:58 +00:00
Tim Shelton 791f419b9e fixing column 2021-12-09 20:41:50 +00:00
Tim Shelton 19eff6952b Fixing format errors 2021-12-09 20:39:43 +00:00
Tim Shelton ae34e020c2 Adding new sig to detect password on commandline 2021-12-09 20:33:37 +00:00
Tim Shelton d1b7eda60c adding translation for User, apparently its case sensitive 2021-12-09 20:04:20 +00:00
Tim Shelton 06c7a7d445 adding allow for wsmprovhost.exe to call powershell pipes 2021-12-09 19:46:35 +00:00
Florian Roth 1574f13824 Merge pull request #2418 from secDre4mer/master 
Add rules for uncommon process creation events
 2021-12-09 16:51:45 +01:00
frack113 e049058d14 Merge pull request #2415 from frack113/condition 
builtin/security simplified condition
 2021-12-09 16:24:24 +01:00
frack113 cd87b2baa5 Merge pull request #2414 from frack113/fp 
sysmon_abusing_azure_browser_sso.yml FP
 2021-12-09 16:23:06 +01:00
Tim Shelton 88eaeca844 Adding filter for msiexec repair option 2021-12-09 15:16:52 +00:00
Florian Roth 0689e253b4 set level to "high" 2021-12-09 16:03:20 +01:00
Florian Roth a5c53789d9 set level to high 2021-12-09 16:03:06 +01:00
Max Altgelt 3c699a2272 fix: inline list with one argument 2021-12-09 15:49:18 +01:00
Max Altgelt ca2ead74b1 feat: Add rules to detect uncommon process creation events 2021-12-09 14:21:34 +01:00
Max Altgelt 538fb06f05 fix: mark string as regex 2021-12-09 14:09:19 +01:00
stbe 20f185f2b8 Added Defender to win_susp_lsass_dump_generic.yml 2021-12-09 13:57:09 +01:00
Florian Roth 6edd674a55 Merge pull request #2416 from frack113/win_lateral_movement_condrv 
Change to deprecated as too many FP
 2021-12-09 13:17:04 +01:00
Florian Roth af2c6a0ecb Lower the level to "low" 
In case that some backends/scripts/tools don't respect the "deprecated" status
 2021-12-09 13:01:12 +01:00
frack113 62207b80ba Change to deprecated as too many FP 2021-12-09 09:34:08 +01:00
frack113 3ce9336e79 simplified condition 2021-12-08 20:12:57 +01:00
frack113 61a0f1a706 Merge pull request #2405 from mlp1515/sysmon_volume_shadow_copy_service_keys-false-positif 
False positives on sysmon_volume_shadow_copy_service_keys.yml
 2021-12-08 18:28:49 +01:00
frack113 4baeddbf16 change to test 2021-12-08 18:06:03 +01:00
frack113 f6af9f6f0b OneDrive FP 2021-12-08 17:31:41 +01:00
frack113 2e92bdb43b Update sysmon_esentutl_volume_shadow_copy_service_keys.yml 2021-12-08 17:25:03 +01:00
frack113 f59124e0ad Merge pull request #2404 from frack113/t1016 
Add some T1016 windows
 2021-12-08 17:22:37 +01:00
frack113 9e02a6002a Merge pull request #2402 from frack113/fp_reg 
sysmon_asep_reg_keys_modification_currentversion OneDriveSetup FP
 2021-12-08 17:21:45 +01:00
Florian Roth b315ff9786 Merge pull request #2408 from SigmaHQ/aurora-false-positive-fixing 
fix: multiple FPs with different rules
 2021-12-08 14:50:01 +01:00
Florian Roth 157fa31f1b Merge pull request #2400 from redsand/fixing_errs_with_invoke_obfus 
Fixing errs with invoke obfus
 2021-12-08 14:49:42 +01:00
Florian Roth 5f9cff1472 Merge pull request #2412 from stbe/bug_rule_pth2 
Corrected filter field name in win_pass_the_hash_2.yml
 2021-12-08 14:44:24 +01:00
stbe 7566207026 Corrected filter field name in win_pass_the_hash.yml 2021-12-08 14:03:13 +01:00
stbe 88b5e1bd9e Corrected filter field name in win_pass_the_hash_2.yml 2021-12-08 13:49:18 +01:00
Florian Roth b5493a6136 Merge pull request #2407 from SigmaHQ/rule-devel 
fix: dysfunctional imphash rules, rule: grafana rule
 2021-12-08 13:04:20 +01:00