Commit Graph

10677 Commits

Author SHA1 Message Date
Florian Roth ed90f8eefc docs: reworked rule 2022-04-09 19:22:28 +02:00
Florian Roth 1a5fc46d8d Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-04-09 19:19:12 +02:00
Florian Roth 8030af2ea8 Merge pull request #2892 from frack113/file_access
Browser Credential Stealing
2022-04-09 19:18:28 +02:00
frack113 efba7040f0 Add services FP 2022-04-09 17:51:01 +02:00
frack113 d8ae11b98c Add file_access_win_browser_credential_stealing 2022-04-09 17:44:12 +02:00
Thomas Patzke 890810c61b Merge pull request #2891 from SigmaHQ/release
Release 0.21
2022-04-09 00:57:44 +02:00
Thomas Patzke 4028610580 Release 0.21 (tag: 0.21) 2022-04-09 00:49:38 +02:00
Florian Roth e73da1a7eb Merge pull request #2890 from brasitech/patch-1
add Confluent Kafka to use cases
2022-04-08 21:09:02 +02:00
Florian Roth c18f246c23 docs: modified date 2022-04-08 16:33:19 +02:00
Florian Roth 8b2f23ffbb fix: possible FP with Veeam software 2022-04-08 16:32:46 +02:00
Brasi Tech, LLC dcf8267552 Update README.md 2022-04-08 10:02:09 -04:00
Brasi Tech, LLC 7237e8ed7a add Confluent Kafka to use cases
Confluent has a SIGMA plugin.
https://github.com/confluentinc/cyber/tree/master/confluent-sigma
2022-04-08 10:01:08 -04:00
frack113 89280f4e70 Merge pull request #2889 from amrikr/patch-1
Fix: Typo in title
2022-04-08 09:16:38 +02:00
Amrik 6bc5b8e29c Fix: Typo in title 2022-04-07 19:30:00 -07:00
frack113 77e05ab762 Merge pull request #2887 from frack113/fix_tag
Update tags
2022-04-07 22:34:23 +02:00
Florian Roth eab098e9f8 Merge pull request #2885 from secDre4mer/master
Add couple of new rules
2022-04-07 19:00:52 +02:00
Florian Roth e4503df4b1 Update proc_creation_win_powershell_public_folder.yml 2022-04-07 18:52:45 +02:00
Florian Roth ddc9ddb1d3 Merge pull request #2888 from phantinuss/checkbaseline
workflow: add checks against Windows 2022 baseline
2022-04-07 16:13:21 +02:00
frack113 7819a3b96e Update tags 2022-04-07 14:46:58 +02:00
phantinuss 21b28e4119 local evtx baseline check using concurrency 2022-04-07 14:15:44 +02:00
phantinuss 8a8226317f fix: indentation 2022-04-07 14:15:44 +02:00
phantinuss f5ca5c0579 fix: FPs from fresh Windows 2022 install 2022-04-07 14:15:44 +02:00
phantinuss 25de8a926c workflow: new baseline check against Windows 2022 2022-04-07 14:15:44 +02:00
Max Altgelt 47c685553d feat: Generate low sigma match for new credential logon 2022-04-07 10:50:50 +02:00
Max Altgelt df41827266 feat: detect PS execution in public folder 2022-04-07 10:50:50 +02:00
Max Altgelt 3cddcc906d feat: Add new rule for Creative Cloud node abuse 2022-04-07 10:50:50 +02:00
Max Altgelt 026490921c fix: Add FP exclusion for vss_ps.dll load
The scheduled task that creates restore points apparently runs
rundll32.exe and loads this DLL.
2022-04-07 10:49:10 +02:00
Florian Roth ac5346c2a5 Merge pull request #2881 from SigmaHQ/rule-devel
DumpMinitool Usage
2022-04-07 09:44:44 +02:00
Florian Roth 80d8010fbd Merge pull request #2883 from phantinuss/checkbaseline
workflow: add checks against Windows 7 32-bit baseline
2022-04-06 19:00:15 +02:00
Florian Roth 893b13c5d3 Merge pull request #2884 from megan201296/patch-21
Fix typo in rule name
2022-04-06 18:59:49 +02:00
megan201296 b0eaf3fb5a Rename proc_creation_win_coti_sqlcmd.yml to proc_creation_win_conti_sqlcmd.yml
Fix typo in rule name
2022-04-06 10:46:08 -05:00
phantinuss 9376859b06 fix: remove duplicate list entry 2022-04-06 17:14:34 +02:00
Florian Roth 5a4a2544dd refactor: extended rule 2022-04-06 17:07:51 +02:00
phantinuss 4780447102 fix: FPs from fresh Win7 install 2022-04-06 17:07:00 +02:00
phantinuss d323753abd workflow: new baseline check against Windows 7 32-bit 2022-04-06 17:06:54 +02:00
phantinuss 7cbfc7f16a fix: remove . from title 2022-04-06 17:04:10 +02:00
Florian Roth b40b513d3f Merge pull request #2882 from phantinuss/checkbaseline
workflow: add checks against Windows 11 baseline
2022-04-06 16:48:04 +02:00
phantinuss c2c3fff071 fix: typo in description 2022-04-06 16:09:53 +02:00
phantinuss 49a38185b2 workflow: add known FP 2022-04-06 16:09:53 +02:00
phantinuss 7edf04d9ff fix: FPs from fresh Windows install 2022-04-06 16:09:53 +02:00
phantinuss b0c1c3e726 workflow: new baseline check against Windows 11 2022-04-06 16:09:51 +02:00
Florian Roth 4a4d990151 fix: less strict directory filter 2022-04-06 14:02:01 +02:00
Florian Roth 3b25fba51a rule: DumpMinitool usage 2022-04-06 14:01:14 +02:00
Florian Roth 7ef4187875 Merge pull request #2879 from SigmaHQ/rule-devel
Base64 Encoded CommandLine Params
2022-04-05 20:17:59 +02:00
Florian Roth 84dcde98d0 Merge pull request #2878 from SigmaHQ/aurora-false-positive-fixing
Reduced Level of Suspicious Conhost Legacy Option rule
2022-04-05 20:17:52 +02:00
Florian Roth 774183f1eb refactor: lowered level to informational 2022-04-05 18:54:47 +02:00
Florian Roth a731446733 Revert "removed rule due to many FPs"
This reverts commit 5bdb97ba17.
2022-04-05 18:54:14 +02:00
Florian Roth 5bdb97ba17 removed rule due to many FPs 2022-04-05 18:53:45 +02:00
Florian Roth 7ee145fbce rule: base64 encoded value in command line 2022-04-05 13:09:57 +02:00
Florian Roth bcc9f96beb fix: add tags 2022-04-05 13:09:43 +02:00