security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
10,766 Commits 1 Branch 57 Tags
f0253eb67dee09ca38ef809e51eaeb0ffecd96e2
Commit Graph

6362 Commits

Author SHA1 Message Date
Florian Roth f0253eb67d some fixes and refactoring 2022-04-26 15:32:56 +02:00
Florian Roth 9b2c35daa1 docs: false positive condition added 2022-04-21 09:13:06 +02:00
Florian Roth c7dada5e21 rule: invocation of key manager 2022-04-21 09:12:41 +02:00
Florian Roth 6e594875f3 refactor: cmdkey extended coverage 2022-04-21 09:12:13 +02:00
Florian Roth d9fbdd4a56 fix: missing filter 2022-04-21 07:54:58 +02:00
Florian Roth c85ad7b138 fix: event collectors that include spaces in cmd 2022-04-21 07:54:08 +02:00
Florian Roth fbba1e9c94 Merge branch 'master' into rule-devel 2022-04-21 07:52:54 +02:00
Paul Hager fc3c637bde fix: author remove 2022-04-20 19:35:59 +02:00
Florian Roth 50ca09c6a4 Merge branch 'master' into rule-devel 2022-04-20 17:54:11 +02:00
Florian Roth 25ecef1748 rule: dropbox api use 2022-04-20 17:54:01 +02:00
Paul Hager a71833767c new rule 2022-04-20 10:48:30 +02:00
Florian Roth 130ce58ff6 Merge pull request #2928 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs
 2022-04-20 07:50:59 +02:00
Florian Roth 98db7bb137 Update file_event_win_susp_dropper.yml 2022-04-19 19:08:49 +02:00
Florian Roth 89d8851cca Update file_event_win_susp_dropper.yml 2022-04-19 18:53:18 +02:00
Florian Roth f85ccba575 Merge pull request #2927 from humpalum/patch-5 
fix: Comma in title seems to break splunk search
 2022-04-19 18:51:31 +02:00
Florian Roth b30540f644 Merge pull request #2926 from pH-T/master 
new rule: Suspicious Powershell Execution
 2022-04-19 18:51:18 +02:00
Florian Roth 7f84e094c7 Merge pull request #2923 from frack113/7zip 
add proc_creation_win_7zip_cve_2022_29072
 2022-04-19 18:51:06 +02:00
frack113 7802601b7c Update proc_creation_win_7zip_cve_2022_29072.yml 2022-04-19 17:53:34 +02:00
Florian Roth 76bc06358e Update proc_creation_win_7zip_cve_2022_29072.yml 2022-04-19 17:35:40 +02:00
Florian Roth 938bd15d95 Update proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml 2022-04-19 17:32:39 +02:00
Florian Roth c9bae754a6 Update proc_creation_win_schtasks_powershell_windowsapps_execution.yml 2022-04-19 17:31:01 +02:00
Florian Roth fee402c183 Update proc_creation_win_7zip_cve_2022_29072.yml 2022-04-19 17:26:39 +02:00
Florian Roth c05bfce733 Update proc_creation_win_7zip_cve_2022_29072.yml 2022-04-19 17:25:25 +02:00
Florian Roth a1ded56b1f Update proc_creation_win_msiexec_embedding.yml 2022-04-19 17:23:45 +02:00
Tobias Michalski 992e70032e fix: Comma in title seems to break splunk search 
Most likely it comes from a bad parsing by Sigma2Splunkalert but since it is unmaintained and this is the only rule with a comma in title, this is the easy fix. 

Error in 'inputlookup' command: Invalid argument:
'_Privileged_Console_Access_whitelist.csv'

[| inputlookup "Using_Sticky-keys_To_Obtain_Unauthenticated,_Privileged_Console_Access_whitelist.csv]
 2022-04-19 17:22:01 +02:00
Paul Hager 93689d6029 new rule 2022-04-19 16:16:11 +02:00
frack113 174a34a9eb add proc_creation_win_7zip_cve_2022_29072 2022-04-17 12:36:04 +02:00
Florian Roth 0bbf08640c fix: FPs increase level 2022-04-17 09:28:43 +02:00
frack113 4df63f2c81 Add proc_creation_win_msiexec_embedding 2022-04-16 16:22:39 +02:00
Florian Roth 57a4bab682 rule: suspicious schtasks rule 2022-04-15 18:22:28 +02:00
Sittikorn S 3db9232b67 Rename registry_delete_removeal_sd_value_scheduled_task_hide.yml to registry_delete_removal_sd_value_scheduled_task_hide.yml 2022-04-15 20:20:34 +07:00
Sittikorn S 45a0d404ae Create registry_delete_removeal_sd_value_scheduled_task_hide.yml 2022-04-15 20:17:14 +07:00
Florian Roth 56f80cb0fc Merge pull request #2918 from SigmaHQ/rule-devel 
refactor: proposed changes from issue #2917
 2022-04-15 08:05:44 +02:00
Florian Roth d3ddefe096 refactor: proposed changes from issue #2917 
https://github.com/SigmaHQ/sigma/issues/2917
 2022-04-14 16:57:30 +02:00
Max Altgelt e6dbb6ba00 feat: Add rule for equation editor network connections 2022-04-14 10:50:10 +02:00
frack113 6857301e6c Update proc_creation_win_apt_actinium_persistence.yml 2022-04-14 09:59:45 +02:00
sreehari3 b2ca6754ea mitre tags: Persistence (T1053) ,(T1053.005) 
added those  MITRE tags
 2022-04-14 09:09:03 +05:30
Florian Roth e4c8e62ba6 Merge pull request #2912 from SigmaHQ/rule-devel 
CVE-2022-24527 Microsoft Connected Cache LPE
 2022-04-13 20:07:25 +02:00
Paul Hager aac1d47bef fix: fixed typo in rule 2022-04-13 19:27:11 +02:00
Florian Roth a10b8ae45b fix: MITRE tags 2022-04-13 19:25:11 +02:00
Florian Roth d8205de338 fix: typo in CVE number 2022-04-13 19:19:20 +02:00
Florian Roth 35770c7035 rule: CVE-2022-23527 LPE 
https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
 2022-04-13 19:18:15 +02:00
Florian Roth 3eafd9dfdb Merge pull request #2910 from SigmaHQ/rule-devel 
rule: RPCSS service process anomalies
 2022-04-13 19:04:44 +02:00
Florian Roth ed465ea36a rule: RPCSS service process anomalies 2022-04-13 15:44:10 +02:00
Max Altgelt 98f313526d fix: copy / paste issues 2022-04-13 09:23:08 +02:00
megan201296 d6245133e3 Typo fix 
Fix unfinished word "legitimate" in false positives
 2022-04-12 11:05:09 -05:00
Florian Roth 76c730a831 Merge pull request #2903 from securepeacock/master 
Update Netsh Firewall Enumeration
 2022-04-12 17:24:51 +02:00
Florian Roth 482a2fdcf9 Update proc_creation_win_susp_netsh_command.yml 2022-04-12 07:55:58 +02:00
frack113 afa3fc9a41 Merge pull request #2901 from megan201296/patch-23 
Change ATT&CK technique
 2022-04-12 07:46:41 +02:00
securepeacock 3f7c77256a Update proc_creation_win_susp_network_command.yml 2022-04-11 13:45:37 -04:00