Commit Graph

4995 Commits

Author SHA1 Message Date
frack113 ea56db2bed forget date field 2021-07-27 11:09:35 +02:00
frack113 227e4bca13 add process_creation_susp_winzip.yml 2021-07-27 10:57:32 +02:00
Florian Roth cf221c08c8 Merge pull request #1743 from BlackB0lt/patch-13: Create aws_macic_evasion 2021-07-27 08:08:08 +02:00
Florian Roth cbadb3c239 Merge pull request #1740 from austinsonger/aws_sts_assumedrole_misuse.yml: aws_sts_assumedrole_misuse.yml 2021-07-27 08:07:25 +02:00
Florian Roth 3776ac6057 Merge pull request #1739 from austinsonger/aws_s3_data_management_tampering.yml: aws_s3_data_management_tampering.yml 2021-07-27 08:06:35 +02:00
Florian Roth 9f27ab5426 Merge pull request #1738 from JohnLaTwC/patch-4: cover evasions from unicode substitutions 2021-07-27 08:05:48 +02:00
Florian Roth 51e1074fa0 Merge pull request #1735 from austinsonger/aws_elasticache_security_group_created.yml: aws_elasticache_security_group_created.yml 2021-07-27 08:03:30 +02:00
Florian Roth 39a1328c58 Merge pull request #1727 from austinsonger/aws_route_53_domain_transferred_lock_disabled.yml: Aws route 53 domain transferred lock disabled.yml 2021-07-27 08:02:59 +02:00
Florian Roth e49f4c86b6 Merge pull request #1726 from austinsonger/aws_route_53_domain_transferred_to_another_account.yml: Aws route 53 domain transferred to another account.yml 2021-07-27 08:02:27 +02:00
Sittikorn S 015d179b41 Update aws_macic_evasion.yml 2021-07-26 21:27:59 +07:00
Sittikorn S 899baa073e Update aws_macic_evasion.yml 2021-07-26 17:21:47 +07:00
Sittikorn S d6078582d1 Rename aws_macic_evasion to aws_macic_evasion.yml: extend .yml 2021-07-26 17:16:12 +07:00
Sittikorn S b74ff205a3 Update aws_macic_evasion 2021-07-26 15:43:48 +07:00
Sittikorn S 819fcaea18 Update aws_macic_evasion 2021-07-26 15:38:34 +07:00
Sittikorn S 9de84bf82c Update aws_macic_evasion 2021-07-26 15:26:17 +07:00
Sittikorn S 288e4b502f Create aws_macic_evasion 2021-07-26 15:14:44 +07:00
Austin Songer 1be402e791 Update aws_s3_data_management_tampering.yml 2021-07-25 02:25:24 -05:00
Austin Songer 0a07795a4e Update aws_route_53_domain_transferred_to_another_account.yml 2021-07-25 02:24:22 -05:00
Austin Songer b7fc362f4a Update aws_route_53_domain_transferred_lock_disabled.yml 2021-07-25 02:22:13 -05:00
John Lambert 2b57f95e72 Update win_grabbing_sensitive_hives_via_reg.yml 2021-07-24 18:17:27 -05:00
Austin Songer 1405ae274e Update aws_elasticache_security_group_created.yml 2021-07-24 16:20:00 -05:00
Austin Songer 67c17b9330 Update aws_sts_assumedrole_misuse.yml 2021-07-24 16:18:34 -05:00
Austin Songer e023842463 Create aws_sts_assumedrole_misuse.yml 2021-07-24 12:03:35 -05:00
Austin Songer 9fe7b87995 Delete aws_sts_getsessiontoken_abuse.yml 2021-07-24 11:33:01 -05:00
Austin Songer 8a1909ccc2 Create aws_sts_getsessiontoken_abuse.yml 2021-07-24 11:32:07 -05:00
Austin Songer 99c2edb608 Update aws_s3_data_management_tampering.yml 2021-07-24 11:17:18 -05:00
Austin Songer d283e97415 Create aws_s3_data_management_tampering.yml 2021-07-24 11:12:19 -05:00
Austin Songer 64e655d6ef Delete aws_s3_data_management_tampering.yml 2021-07-24 11:11:21 -05:00
Austin Songer d7303ed7b2 Create aws_s3_data_management_tampering.yml 2021-07-24 11:09:31 -05:00
John Lambert da6e747547 cover evasions from unicode substitutions
Add variations to cover unicode substitutions to avoid evasion.

> Unicode contains a range for Spacing Modifier Letters (0x02B0 - 0x02FF) [4], which includes characters such as ˪, ˣ and ˢ. Some command-line parsers recognise these as letters and convert them back to l, x and s respectively. 

See https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation by @Wietze
2021-07-24 10:33:15 -05:00
Florian Roth 7cacc57313 Merge pull request #1733 from SigmaHQ/rule-devel: New hive file pattern for C# version of HiveNightmare 2021-07-24 16:41:51 +02:00
Austin Songer 5d3b687ce4 Update aws_elasticache_security_group_created.yml 2021-07-24 09:34:08 -05:00
Austin Songer e5edd03ff3 Create aws_elasticache_security_group_created.yml 2021-07-24 09:16:11 -05:00
Florian Roth 9771943116 refactor: new file pattern SeriousSAM 2021-07-24 16:13:36 +02:00
Florian Roth ae80f747ae fix: adding experimental status 2021-07-24 12:34:33 +02:00
Florian Roth a090feecf5 Merge pull request #1732 from SigmaHQ/rule-devel: Relay attack tools and impacket binaries 2021-07-24 12:33:48 +02:00
Florian Roth c0bc51e849 Merge pull request #1731 from frack113/more_check: Update test_rules.py 2021-07-24 11:10:00 +02:00
Florian Roth 3eb37c014c rule: Impacket tools and Relay attack tools 2021-07-24 11:08:35 +02:00
Florian Roth 07223baaeb fix: typo in date value 2021-07-24 10:22:07 +02:00
frack113 ffcd3a2112 Add test_optional_related test_optional_fields test_optional_falsepositives 2021-07-24 09:41:04 +02:00
Austin Songer ed04992905 Update aws_route_53_domain_transferred_lock_disabled.yml 2021-07-23 13:40:50 -05:00
Florian Roth 772cf4f5e4 Merge pull request #1730 from SigmaHQ/rule-devel: fix: avoid false positives with MSF psexec rule 2021-07-23 19:49:45 +02:00
Florian Roth 880a87ce91 fix: avoid false positives with MSF psexec rule 2021-07-23 18:33:38 +02:00
Austin Songer ada79fe05f Update aws_route_53_domain_transferred_to_another_account.yml 2021-07-23 08:36:39 -05:00
Austin Songer 9d00702797 Update aws_route_53_domain_transferred_lock_disabled.yml 2021-07-23 07:57:55 -05:00
Austin Songer 943d78f363 Update aws_route_53_domain_transferred_lock_disabled.yml 2021-07-23 07:57:37 -05:00
Austin Songer de6d48289c Update aws_route_53_domain_transferred_lock_disabled.yml 2021-07-23 07:56:56 -05:00
Austin Songer 844c08f26a Update aws_route_53_domain_transferred_lock_disabled.yml 2021-07-23 07:56:18 -05:00
Florian Roth 7ede42f78d Merge pull request #1729 from SigmaHQ/rule-devel: add additional filename pattern to HiveNightmare rule 2021-07-23 10:40:33 +02:00
Florian Roth c0138d5ced add additional filename pattern to HiveNightmare rule 2021-07-23 10:39:41 +02:00
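The evasion described in commit da6e747547 above (Spacing Modifier Letters such as ˢ and ˣ being folded back to s and x by a lenient command-line parser, so a literal pattern like "save hklm\sam" never matches) is easiest to understand with a small detector. The Python below is an added example written for this page; it is not code from the Sigma repository or from the commit. It uses NFKC normalisation as a stand-in for whatever folding a given Windows component performs (which characters a real parser folds is an assumption, not something the page states), models the hive-dumping check on the rule named in the commit list (reg + save + hklm\sam|system|security, as the editor reads it, not a copy of the rule), and runs both the naive and the normalised check over constructed sample command lines. It also shows the alternative the commit itself took: enumerating literal variants of each pattern, for engines that cannot normalise input before matching.

```python
"""Modifier-letter substitution in command lines: naive vs. normalised matching,
plus variant enumeration for rule engines that match literally.
Added example; not the project's own code."""
import itertools
import unicodedata

# The Unicode block quoted in the commit message: Spacing Modifier Letters.
SPACING_MODIFIER_RANGE = range(0x02B0, 0x0300)

# Constructed sample command lines (not real telemetry).
SAMPLES = {
    "plain":      r"reg save hklm\sam C:\temp\sam.hiv",
    "s_to_U02E2": "reg \u02e2ave hklm\\\u02e2am C:\\temp\\sam.hiv",      # 's' -> 'ˢ'
    "l_to_U02E1": "reg.exe save hk\u02e1m\\security C:\\temp\\sec.hiv",  # 'l' -> 'ˡ'
    "benign":     r"reg query hklm\software\microsoft\windows",
}


def modifier_letter_folds():
    """Map each Spacing Modifier Letter whose NFKC form is one ASCII letter to
    that letter, e.g. U+02E2 'ˢ' -> 's'. NFKC is an assumption standing in for
    the folding a lenient parser does; the real set may differ per component."""
    folds = {}
    for cp in SPACING_MODIFIER_RANGE:
        ch = chr(cp)
        base = unicodedata.normalize("NFKC", ch)
        if len(base) == 1 and base.isascii() and base.isalpha():
            folds[ch] = base
    return folds


def fold_commandline(cmdline):
    """Normalise before matching: fold compatibility characters, then lower-case.
    Order matters: lower() does nothing to 'ˢ', so NFKC has to run first."""
    return unicodedata.normalize("NFKC", cmdline).lower()


# Hive-dumping logic modelled on the rule named in the commit list (assumption).
HIVE_PATTERNS = (r"hklm\sam", r"hklm\system", r"hklm\security")


def naive_match(cmdline):
    """Plain substring check on the lower-cased command line; evadable."""
    c = cmdline.lower()
    return "reg" in c and "save" in c and any(h in c for h in HIVE_PATTERNS)


def normalised_match(cmdline):
    """Same check after folding, so 'ˢave hklm\\ˢam' lands on the ASCII pattern."""
    return naive_match(fold_commandline(cmdline))


def rule_variants(pattern, folds=None):
    """Enumerate literal variants of `pattern` with any subset of its letters
    replaced by a modifier letter that folds back to it. This is what a static
    rule must list when the matching engine cannot normalise input itself."""
    folds = folds if folds is not None else modifier_letter_folds()
    inverse = {}
    for mod, base in folds.items():
        inverse.setdefault(base, []).append(mod)
    choices = [[ch] + inverse.get(ch, []) for ch in pattern]
    return {"".join(combo) for combo in itertools.product(*choices)}


def evaluate_samples():
    """Return {name: (naive_hit, normalised_hit)} for every constructed sample."""
    return {n: (naive_match(c), normalised_match(c)) for n, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, normed) in evaluate_samples().items():
        print(f"{name:12s} naive={naive!s:5s} normalised={normed}")
    print("folds:", modifier_letter_folds())
    print("variants of 'sam':", sorted(rule_variants("sam")))
```

Running the block shows the two substituted samples slipping past naive_match and being caught by normalised_match, while the benign reg query stays clean under both. The fold map is the practical takeaway: only a handful of letters (h, j, r, w, y, l, s, x) have a counterpart in this block, which is why enumerating variants in a rule is feasible for short keywords but grows as 2^k in the number of substitutable letters; folding the telemetry once, upstream of every rule, scales better.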