security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,018 Commits 1 Branch 57 Tags
fda536040e27eb6ece5a2f84cdc670ff25d025d4
Commit Graph

4534 Commits

Author SHA1 Message Date
frack113 81bf864d94 fix detection 2021-09-17 19:56:26 +02:00
frack113 509a4c2822 fix detection 2021-09-17 19:54:50 +02:00
frack113 d22382d0b9 fix detection 2021-09-17 19:52:40 +02:00
frack113 a1222c7716 Update sysmon_apt_oceanlotus_registry 2021-09-17 19:50:30 +02:00
Florian Roth 31021b9c32 Merge pull request #2040 from frack113/fix_win_outlook_registry_webview 
cleanup condition win_outlook_registry_webview.yml
 2021-09-17 14:49:35 +02:00
frack113 6e4edfdf20 fix detection 2021-09-17 09:11:53 +02:00
frack113 ebc5ebe7ba cleanup condition 2021-09-17 08:23:14 +02:00
frack113 158746a904 Merge pull request #2036 from frack113/sysmon_registry_persistence_search_order 
[Turla Mosquito] fix detection from references
 2021-09-17 06:36:46 +02:00
frack113 6dd4315f36 Merge pull request #2035 from frack113/fix_bad_category 
Fix bad category in possible_privilege_escalation_via_service_registry_permissions
 2021-09-17 06:35:29 +02:00
frack113 7a22fc6dba clean string 2021-09-16 16:26:53 +02:00
frack113 c36cf428ac clean list 1 elem 2021-09-16 16:18:30 +02:00
Florian Roth a926439b39 fix: default to (Default) 2021-09-16 11:39:45 +02:00
frack113 6e981f56df fix detection from references 2021-09-16 09:20:41 +02:00
frack113 8a847e0538 Update process_creation_possible_privilege_escalation_via_service_registry_permissions.yml 2021-09-15 19:05:31 +02:00
frack113 973e0666ac Merge pull request #2020 from frack113/pc_global 
Split some global process_creation rules
 2021-09-15 19:03:30 +02:00
frack113 3b8282c221 fix detection 2021-09-15 16:21:30 +02:00
frack113 b08b3e2b0d Merge pull request #2021 from frack113/global_registry 
Split registry Global rules
 2021-09-14 19:18:34 +02:00
frack113 d13af3e258 Merge pull request #2019 from frack113/normalise_name 
Split 2 global rules and normalyze name
 2021-09-14 19:17:55 +02:00
Florian Roth 4118402127 Merge pull request #2027 from frack113/fix_reg_key 
Fix registry TargetObject
 2021-09-13 15:59:47 +02:00
Sittikorn S dd9921b360 Update win_file_winword_cve_2021_40444.yml 
Add modified date
 2021-09-13 19:41:01 +07:00
frack113 047ebab36b fix HKCU 2021-09-13 14:01:39 +02:00
frack113 7b6ae81b8b fix TargetObject HK 2021-09-13 13:16:16 +02:00
frack113 bd3b1323b4 fix TargetObject HKCU 2021-09-13 12:45:10 +02:00
Sittikorn S edd5c2745e Update win_file_winword_cve_2021_40444.yml 
change TargetFilename|contains|all
 2021-09-13 16:05:56 +07:00
Sittikorn S 5977596e65 Update win_file_winword_cve_2021_40444.yml 2021-09-13 16:05:22 +07:00
Sittikorn S 7386904e42 Update win_file_winword_cve_2021_40444.yml 
Add new condition
 2021-09-13 15:33:14 +07:00
frack113 437ea3408b split sysmon_stickykey_like_backdoor.yml 2021-09-12 09:58:43 +02:00
frack113 81c2b2731c split sysmon_dns_serverlevelplugindll.yml 2021-09-12 09:53:20 +02:00
frack113 f3ad5953d5 split sysmon_apt_pandemic 2021-09-12 09:42:11 +02:00
frack113 3db427873a split sysinternals eula and uac bypass 2021-09-12 09:38:05 +02:00
frack113 830c0c9f22 Update process_creation_advanced_ip_scanner.yml 2021-09-12 08:53:10 +02:00
frack113 e355367c03 Clean SyncAppvPublishingServer rules 2021-09-12 07:46:35 +02:00
frack113 2223afb6fe split global rules 2021-09-11 20:30:32 +02:00
frack113 92999468ee Merge pull request #2012 from frack113/upgrade_test 
Upgrade test_rules.py
 2021-09-11 15:29:19 +02:00
frack113 a73d37cd72 fix related 2021-09-11 14:22:01 +02:00
frack113 338c9f5ae7 Split global rule 2021-09-11 13:45:41 +02:00
frack113 2a76c469e0 normalise name 2021-09-11 13:34:19 +02:00
frack113 d2e622f149 Merge pull request #2011 from d4rk-d4nph3/master 
Added rule for Atlassian Confluence CVE-2021-26084
 2021-09-11 07:24:58 +02:00
Florian Roth 7d6baaa79a Merge pull request #2014 from SigmaHQ/rule-devel 
CVE-2021-40444 file creation - winword.exe + .cab
 2021-09-10 18:50:59 +02:00
Florian Roth a4e2c0feba Revert "refactor: exclude case in which upper ticks are used" 
This reverts commit f00aaf8461.
 2021-09-10 18:13:36 +02:00
Florian Roth 9e7ede66cc CVE-2021-40444 file creation - winword.exe + .cab 2021-09-10 18:13:09 +02:00
Austin Songer 1ea9aab455 Update Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:31 -05:00
Austin Songer 57d349bfe5 Update process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:22 -05:00
Austin Songer 9d9a5088bb Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:24 -05:00
Austin Songer 5aa5586c54 Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:11 -05:00
frack113 0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
frack113 ac9ea531ae Merge pull request #1956 from Cyb3rEng/master 
Adding Various Rules To Monitor Process Creations in Sysmon, Event Logs & EDR
 2021-09-10 10:47:23 +02:00
frack113 fe035388f0 Rename Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml to process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 10:02:19 +02:00
Florian Roth 3824a12323 style: fixed indentation level, order of fields 2021-09-10 09:33:52 +02:00
Florian Roth 59b9902502 style: fixed indentation level 2021-09-10 09:33:09 +02:00