security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,749 Commits 1 Branch 57 Tags
f00aaf8461f97abec19f81aa4fc0edaa76ff6cf1
Commit Graph

1958 Commits

Author SHA1 Message Date
Florian Roth f00aaf8461 refactor: exclude case in which upper ticks are used 2021-09-09 12:55:10 +02:00
Florian Roth 6d86c7df6c Revert "refactor: 2nd condition in CVE-2021-40444 rule" 
This reverts commit 015573c450.
 2021-09-09 09:41:03 +02:00
Florian Roth 015573c450 refactor: 2nd condition in CVE-2021-40444 rule 2021-09-09 09:33:45 +02:00
Florian Roth 2777187fd9 docs: changed level and reference in CVE-2021-40444 rule 2021-09-09 08:46:34 +02:00
Florian Roth 36a5d7ec04 CVE-2021-40444 false positives 2021-09-09 08:12:36 +02:00
Florian Roth b1540d65b9 refactor: simplified rule 2021-09-08 17:35:50 +02:00
Florian Roth e388bc6bfa remove unsupported tag 2021-09-08 16:56:04 +02:00
Florian Roth c9b4f5d326 CVE-2021-40444 2021-09-08 16:49:49 +02:00
Florian Roth 6b2bacd2cc Merge pull request #1979 from frack113/test_global 
Change ID in global action rule
 2021-09-06 08:44:14 +02:00
frack113 6780182c37 Merge pull request #1974 from frack113/tags_pack2 
Add missing Tags
 2021-09-03 19:13:32 +02:00
frack113 688df3405a Merge pull request #1970 from frack113/red_T1564.004_1 
Redcanary  t1564.004  ADS test 1
 2021-09-03 19:06:51 +02:00
ncrqnt adc3c9e608 fixed date: switched day/month 2021-09-03 12:03:38 +02:00
frack113 11e4b900e4 Update global id 2021-09-03 06:59:40 +02:00
frack113 135d0a2c61 Update global id 2021-09-03 06:50:00 +02:00
frack113 a6bb5574fb Update global id 2021-09-03 06:35:35 +02:00
phantinuss ab721c736c chore: move level/falsepositives to bottom 2021-09-02 14:55:17 +02:00
phantinuss 0b373ff1e9 fix: remove 2nd selection due to FPs 2021-09-02 14:47:47 +02:00
frack113 6a1b95d947 Findstr covert by win_susp_findstr.yml 2021-09-02 14:22:59 +02:00
frack113 aaa568ff2d print covert by win_susp_print.yml 2021-09-02 14:18:38 +02:00
phantinuss 5cb6eed52e fix: remove single value lists 2021-09-02 14:09:03 +02:00
phantinuss f4a5df67ae further narrowing down of the selection, therefore removing the filter 2021-09-02 10:28:01 +02:00
frack113 6f1f70ca5e Add missing tags 2021-09-02 09:59:19 +02:00
frack113 e0cd35261c add missing tags 2021-09-01 20:01:03 +02:00
phantinuss 0b38237dbf fix: add relation to now obsolete rule 2021-09-01 15:38:29 +02:00
phantinuss ae9966bdcc fix: unifying two overlapping rules 2021-09-01 14:48:32 +02:00
phantinuss deefcaa8ac fix: prevent possible FPs with the respective command only used as the last parameter 2021-09-01 14:33:46 +02:00
frack113 2dbbaf0180 fix missing char in date 2021-09-01 14:00:55 +02:00
frack113 e71fce6f11 fix errors 2021-09-01 13:55:14 +02:00
frack113 80dbfa7af5 add process_creation_alternate_data_streams.yml 2021-09-01 13:52:09 +02:00
phantinuss 9ffdced740 fix: implement suggestions from PR discussion 2021-09-01 10:21:37 +02:00
phantinuss add1ad40f8 additional UAC bypass rule 2021-08-31 16:23:32 +02:00
phantinuss 59d8e0b866 add System IntegrityLevel to uac bypass rules, the level is not used most of the time, but might 2021-08-31 16:18:05 +02:00
phantinuss 3a9e10d081 bulk of new rules to match working UACMe UAC bypasses 2021-08-31 12:51:21 +02:00
phantinuss 50b8ca5110 add more COM interfaces and sharpen rule logic 2021-08-31 12:51:21 +02:00
frack113 b25fbbea54 Merge pull request #1957 from d4rk-d4nph3/master 
Added new malwarebytes reference for Cab File Expansion rule
 2021-08-31 09:54:47 +02:00
Bhabesh Rai 911c45201a Added -F option support 2021-08-31 13:02:53 +05:45
Bhabesh Rai e2bfaea10f Added new malwarebytes reference for Cab File Expansion rule 2021-08-31 11:35:54 +05:45
Florian Roth 36a227796a Merge pull request #1945 from SigmaHQ/rule-devel 
rules: cobalt strike rules refactored
 2021-08-30 15:48:01 +02:00
Florian Roth 1ded4eb913 rules: cobalt strike rules refactored 2021-08-30 15:10:30 +02:00
frack113 970dfa2f92 Merge pull request #1938 from EvanYu0816/upstream-fixes 
Fix Pass the Hash and NotPetya Ransomware rule
 2021-08-28 21:02:04 +02:00
frack113 3e355c64db Merge pull request #1939 from SigmaHQ/rule-devel 
rule: UAC bypass by mocking dirs
 2021-08-28 20:47:27 +02:00
Florian Roth f78225c394 rule: UAC bypass by mocking dirs 2021-08-27 18:12:21 +02:00
Evan Yu 178d82e9cd Fix NotPetya Ransomware rule 2021-08-27 11:53:50 -04:00
frack113 ff37a49dc0 Merge pull request #1930 from SigmaHQ/rule-devel 
fix: FPs with whoami rule and 4688 event IDs without parent info
 2021-08-27 06:27:30 +02:00
frack113 59000b993d Merge pull request #1932 from mlp1515/french_user 
Add French user
 2021-08-26 17:12:39 +02:00
mlp1515 e1aa82b412 Update win_susp_tscon_localsystem.yml 
French language settings
 2021-08-26 12:50:24 +00:00
mlp1515 e9ed5f592c Update sysmon_always_install_elevated_windows_installer.yml 
French language settings
 2021-08-26 12:48:59 +00:00
mlp1515 4f49f03460 Update sysmon_abusing_debug_privilege.yml 
French language settings
 2021-08-26 12:46:15 +00:00
mlp1515 a31422db74 Update win_susp_schtask_creation.yml 
French language settings
 2021-08-26 12:45:24 +00:00
mlp1515 5f419d6f35 Update win_susp_taskmgr_localsystem.yml 
French language settings
 2021-08-26 12:44:35 +00:00