security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
9,335 Commits 1 Branch 57 Tags
fb167c5698ff01a30d2ada8eaa53c4e2dee2e54a
Commit Graph

7015 Commits

Author SHA1 Message Date
Florian Roth fb167c5698 Merge pull request #2446 from izysec/patch-4 
Added current known bypass patterns
 2021-12-13 14:04:54 +01:00
Florian Roth 7b93291439 Merge pull request #2445 from izysec/patch-3 
Added current known bypass patterns
 2021-12-13 14:03:59 +01:00
Florian Roth 3a30d19cfd Merge pull request #2447 from SigmaHQ/rule-devel 
fix: FP with proc creation Image non .exe suffix
 2021-12-13 14:03:41 +01:00
Florian Roth 04ff26c786 Update web_cve_2021_44228_log4j_fields.yml 2021-12-13 11:47:55 +01:00
Florian Roth ea3f1c6228 changed expression 
the last part is already covered by the expression in line 38 but we can add the one that obfuscates the `jndi`
 2021-12-13 11:47:12 +01:00
Florian Roth 55eb6b6a3c Merge pull request #2444 from SigmaHQ/rule-devel 
Another log4shell pattern
 2021-12-13 11:44:45 +01:00
Florian Roth cd63ce23ff fix: FP with proc creation Image non .exe suffix 2021-12-13 11:44:29 +01:00
izysec 5819aa9888 Added current known bypass patterns 
Source: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
 2021-12-13 15:51:25 +05:30
izysec 6c8b0c8fd8 Added current known bypass patterns 
Source: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
 2021-12-13 15:49:08 +05:30
frack113 c358747cb2 Merge pull request #2439 from frack113/T1069_001 
Windows Redcannary T1069 001
 2021-12-13 09:24:08 +01:00
Florian Roth 758334ac1c Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-12-13 09:02:38 +01:00
Florian Roth ef6fb35e2b more patterns for log4shell 2021-12-13 09:02:24 +01:00
Florian Roth c840962a67 Merge pull request #2442 from SigmaHQ/rule-devel 
more Log4Shell patterns
 2021-12-12 22:33:42 +01:00
Florian Roth d8613fedfe more Log4Shell patterns 2021-12-12 21:27:01 +01:00
Florian Roth 98f5df89bb Merge pull request #2441 from SigmaHQ/rule-devel 
Log4Shell - more patterns
 2021-12-12 21:20:43 +01:00
Florian Roth 31ddcd4a0d Log4Shell - more patterns 2021-12-12 20:39:09 +01:00
Florian Roth 2f43e6815b Merge pull request #2440 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed with Aurora
 2021-12-12 14:20:09 +01:00
Florian Roth 39217d4b44 rule: JNDIExploit 2021-12-12 13:16:05 +01:00
Florian Roth c6819861c9 fix: FPs noticed with Aurora 2021-12-12 13:09:27 +01:00
Florian Roth 63bb7673d6 Merge branch 'master' into rule-devel 2021-12-12 12:47:33 +01:00
Florian Roth 5da7537375 Merge pull request #2436 from izysec/patch-1 
Additional IoC keywords added log4j detection
 2021-12-12 12:46:36 +01:00
Florian Roth 8cfe1b1a6c Merge pull request #2437 from izysec/patch-2 
Additional IoC keywords added log4j detection
 2021-12-12 12:46:21 +01:00
Florian Roth 23f59180d5 updated Log4Shell rules 2021-12-12 12:40:14 +01:00
frack113 97580d4fa1 fix space 2021-12-12 12:25:05 +01:00
frack113 221f479825 Windows Redcannay T1069.001 2021-12-12 12:15:27 +01:00
frack113 f956cd0c14 Merge pull request #2435 from redsand/fp_cylance_adsi_cache 
Adding allow for cylance when detecting adsi cache abuse
 2021-12-12 12:08:25 +01:00
frack113 12e7174a04 Update sysmon_susp_adsi_cache_usage.yml 2021-12-12 11:29:44 +01:00
frack113 d45dc2eaf3 Merge pull request #2434 from frack113/T1049 
Windows T1049 RedCannary
 2021-12-12 11:28:23 +01:00
izysec 0b9fd530e6 Additional IoC keywords added log4j detection 
Source: https://community.riskiq.com/article/505098fc/description
 2021-12-12 01:15:02 +05:30
izysec 61e7044d09 Additional IoC keywords added 
https://community.riskiq.com/article/505098fc/description
 2021-12-12 01:11:19 +05:30
Tim Shelton e7e456d1a5 Adding allow for cylance 2021-12-11 19:23:12 +00:00
Florian Roth 074c6b1714 Merge pull request #2423 from redsand/detect_net_use_password_plaintext 
Detect net use password plaintext
 2021-12-11 15:25:06 +01:00
Florian Roth 0a1d651bd3 Merge pull request #2433 from SigmaHQ/rule-devel 
improved log4j detection rule
 2021-12-11 15:24:38 +01:00
frack113 2b6c8ff02c Merge pull request #2431 from frack113/ft_aurora 
FP  perfmon.exe to sysmon_cred_dump_lsass_access.yml
 2021-12-11 12:29:12 +01:00
frack113 c91a4a1a75 Merge pull request #2430 from frack113/windows_t1046 
Add windows t1046 rules
 2021-12-11 12:28:47 +01:00
frack113 ef52389309 Merge pull request #2428 from elhoim/change_rdp_rules 
Added registry key to shadow RDP sessions
 2021-12-11 12:28:27 +01:00
frack113 c612d4f64e Merge pull request #2427 from frack113/lnx_dev_tcp 
Add lnx_susp_dev_tcp
 2021-12-11 12:27:03 +01:00
frack113 c53740296c Fix title 2021-12-11 10:26:47 +01:00
frack113 dc1af19336 Add win_pc_susp_tasklist_command 2021-12-11 10:20:21 +01:00
frack113 ee67779811 Windows T1049 RedCannary 2021-12-11 09:38:20 +01:00
Florian Roth a74eac7c7f refactor: added more variants to the field-based rule too 2021-12-11 08:23:43 +01:00
Florian Roth b9bc6646f9 improved log4j detection rule 2021-12-11 08:15:11 +01:00
frack113 58063d1113 FP add perfmon.exe 2021-12-10 19:19:55 +01:00
Tim Shelton b41471ed6b adds space to detect between : (drive argument) and \\ (network share path) 2021-12-10 18:10:37 +00:00
Florian Roth b408bc9701 Merge pull request #2429 from SigmaHQ/rule-devel 
Log4j exploitation rules
 2021-12-10 17:20:19 +01:00
frack113 a885d95aa3 Update pattern 2021-12-10 16:45:42 +01:00
frack113 904fb9181e Add windows t1046 rules 2021-12-10 16:31:16 +01:00
Florian Roth 8ae7646b73 fix: duplicate ids 2021-12-10 16:14:14 +01:00
David ANDRE 1f7764097e Added registry key to shadow RDP sessions 2021-12-10 16:03:35 +01:00
Florian Roth aef0179ba7 refactor: log4j rule refactoring 2021-12-10 16:01:43 +01:00