Florian Roth
9b2c35daa1
docs: false positive condition added
2022-04-21 09:13:06 +02:00
Florian Roth
c7dada5e21
rule: invocation of key manager
2022-04-21 09:12:41 +02:00
Florian Roth
6e594875f3
refactor: cmdkey extended coverage
2022-04-21 09:12:13 +02:00
Florian Roth
c85ad7b138
fix: event collectors that include spaces in cmd
2022-04-21 07:54:08 +02:00
Florian Roth
fbba1e9c94
Merge branch 'master' into rule-devel
2022-04-21 07:52:54 +02:00
Paul Hager
fc3c637bde
fix: author remove
2022-04-20 19:35:59 +02:00
Florian Roth
50ca09c6a4
Merge branch 'master' into rule-devel
2022-04-20 17:54:11 +02:00
Paul Hager
a71833767c
new rule
2022-04-20 10:48:30 +02:00
Florian Roth
f85ccba575
Merge pull request #2927 from humpalum/patch-5
fix: Comma in title seems to break splunk search
2022-04-19 18:51:31 +02:00
Florian Roth
b30540f644
Merge pull request #2926 from pH-T/master
new rule: Suspicious Powershell Execution
2022-04-19 18:51:18 +02:00
Florian Roth
7f84e094c7
Merge pull request #2923 from frack113/7zip
add proc_creation_win_7zip_cve_2022_29072
2022-04-19 18:51:06 +02:00
frack113
7802601b7c
Update proc_creation_win_7zip_cve_2022_29072.yml
2022-04-19 17:53:34 +02:00
Florian Roth
76bc06358e
Update proc_creation_win_7zip_cve_2022_29072.yml
2022-04-19 17:35:40 +02:00
Florian Roth
938bd15d95
Update proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml
2022-04-19 17:32:39 +02:00
Florian Roth
c9bae754a6
Update proc_creation_win_schtasks_powershell_windowsapps_execution.yml
2022-04-19 17:31:01 +02:00
Florian Roth
fee402c183
Update proc_creation_win_7zip_cve_2022_29072.yml
2022-04-19 17:26:39 +02:00
Florian Roth
c05bfce733
Update proc_creation_win_7zip_cve_2022_29072.yml
2022-04-19 17:25:25 +02:00
Florian Roth
a1ded56b1f
Update proc_creation_win_msiexec_embedding.yml
2022-04-19 17:23:45 +02:00
Tobias Michalski
992e70032e
fix: Comma in title seems to break splunk search
Most likely it comes from bad parsing by Sigma2Splunkalert, but since it is unmaintained and this is the only rule with a comma in the title, this is the easy fix.
Error in 'inputlookup' command: Invalid argument:
'_Privileged_Console_Access_whitelist.csv'
[| inputlookup "Using_Sticky-keys_To_Obtain_Unauthenticated,_Privileged_Console_Access_whitelist.csv]
2022-04-19 17:22:01 +02:00
Paul Hager
93689d6029
new rule
2022-04-19 16:16:11 +02:00
frack113
174a34a9eb
add proc_creation_win_7zip_cve_2022_29072
2022-04-17 12:36:04 +02:00
frack113
4df63f2c81
Add proc_creation_win_msiexec_embedding
2022-04-16 16:22:39 +02:00
Florian Roth
57a4bab682
rule: suspicious schtasks rule
2022-04-15 18:22:28 +02:00
Florian Roth
56f80cb0fc
Merge pull request #2918 from SigmaHQ/rule-devel
refactor: proposed changes from issue #2917
2022-04-15 08:05:44 +02:00
Florian Roth
d3ddefe096
refactor: proposed changes from issue #2917
https://github.com/SigmaHQ/sigma/issues/2917
2022-04-14 16:57:30 +02:00
frack113
6857301e6c
Update proc_creation_win_apt_actinium_persistence.yml
2022-04-14 09:59:45 +02:00
sreehari3
b2ca6754ea
mitre tags: Persistence (T1053), (T1053.005)
added those MITRE tags
2022-04-14 09:09:03 +05:30
Florian Roth
3eafd9dfdb
Merge pull request #2910 from SigmaHQ/rule-devel
rule: RPCSS service process anomalies
2022-04-13 19:04:44 +02:00
Florian Roth
ed465ea36a
rule: RPCSS service process anomalies
2022-04-13 15:44:10 +02:00
Max Altgelt
98f313526d
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
megan201296
d6245133e3
Typo fix
Fix unfinished word "legitimate" in false positives
2022-04-12 11:05:09 -05:00
Florian Roth
76c730a831
Merge pull request #2903 from securepeacock/master
Update Netsh Firewall Enumeration
2022-04-12 17:24:51 +02:00
Florian Roth
482a2fdcf9
Update proc_creation_win_susp_netsh_command.yml
2022-04-12 07:55:58 +02:00
frack113
afa3fc9a41
Merge pull request #2901 from megan201296/patch-23
Change ATT&CK technique
2022-04-12 07:46:41 +02:00
securepeacock
3f7c77256a
Update proc_creation_win_susp_network_command.yml
2022-04-11 13:45:37 -04:00
securepeacock
162d577523
Update proc_creation_win_susp_network_command.yml
Added route print
2022-04-11 13:36:52 -04:00
securepeacock
38276d96b8
Update proc_creation_win_susp_netsh_command.yml
Update to catch other procedures for Firewall Enumeration, like running cmd.exe /c netsh firewall show state & netsh firewall show config.
2022-04-11 13:06:15 -04:00
megan201296
c7a3834070
Change ATT&CK technique
Per source reference, the ADS rule is T1564.004 BUT copying/downloading files is T1105 (which in turn is C&C, not defense evasion).
2022-04-11 10:56:03 -05:00
megan201296
e01083a625
Change MITRE ATT&CK tactic ID
The subtechnique `.011` is specific to RunDLL32 proxy execution. There is no existing sub-technique specific to wuauclt.exe so only the top level technique should be referenced.
2022-04-11 10:41:46 -05:00
Florian Roth
a3457babca
Merge pull request #2893 from frack113/redcannary_20220409
New Redcannary Windows Tests
2022-04-09 21:03:26 +02:00
Florian Roth
cbec7b274e
Update proc_creation_win_susp_vaultcmd.yml
2022-04-09 20:02:34 +02:00
Florian Roth
2f0bce02ea
Update proc_creation_win_sqlite_firefox_cookies.yml
2022-04-09 20:01:54 +02:00
Florian Roth
217f7d3c3c
Update proc_creation_win_sqlite_firefox_cookies.yml
2022-04-09 19:43:03 +02:00
Florian Roth
87d06a4f6d
fix: remove rule causing many FPs
2022-04-09 19:33:55 +02:00
Florian Roth
1a5fc46d8d
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2022-04-09 19:19:12 +02:00
frack113
e59c55b85f
Update proc_creation_win_susp_vaultcmd.yml
2022-04-09 18:08:55 +02:00
frack113
89985b08c8
New Redcannary Windows Tests
2022-04-09 18:00:15 +02:00
Florian Roth
c18f246c23
docs: modified date
2022-04-08 16:33:19 +02:00
Florian Roth
8b2f23ffbb
fix: possible FP with Veeam software
2022-04-08 16:32:46 +02:00
Amrik
6bc5b8e29c
Fix: Typo in title
2022-04-07 19:30:00 -07:00