security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

7892 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 6c79115ce0 Regsvr32 Anomalies extended 2021-07-17 09:04:31 +02:00
Ibrahim Ali Khan dbf924635d Update ecs-suricata.yml 
metadata items tag and cve mapping added.
 2021-07-17 04:55:46 +05:00
Sittikorn S d3a1fb8565 Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml 2021-07-17 06:49:37 +07:00
Ibrahim Ali Khan 7c6ef062c5 Create ala-suricata.yml 
Suricata logs mapping for Azure Log Analytics added
 2021-07-16 23:08:03 +05:00
Sittikorn S 5e84a603d0 Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml 2021-07-17 01:04:07 +07:00
Sittikorn S a3c4aa5dad Update sysmon_cve_2021_31979_cve_2021_33771_exploits.yml 2021-07-17 01:02:14 +07:00
Sittikorn S eea3675d4e Rename sysmon_cve_2021_31979_cve-2021_33771_exploits.yml to sysmon_cve_2021_31979_cve_2021_33771_exploits.yml 2021-07-17 00:09:04 +07:00
Sittikorn S 90fc50e0a2 Update and rename sysmon_devilstongue_CVE_2021_31979_exploit.yml to sysmon_cve_2021_31979_cve-2021_33771_exploits.yml 
rename sysmon_cve_2021_31979_cve-2021_33771_exploits.yml
 2021-07-17 00:02:15 +07:00
Sittikorn S 9fb589201e Update and rename sysmon_devilstongue_exploit_0day.yml to sysmon_devilstongue_CVE_2021_31979_exploit.yml 
Change Title
 2021-07-16 23:47:14 +07:00
Sittikorn S f2187f05e6 Update and rename sysmon_devilstongue_CVE_2021_31979_CVE_2021_33771.yml to sysmon_devilstongue_exploit_0day.yml 2021-07-16 23:42:05 +07:00
Sittikorn S 91295cff21 Update sysmon_devilstongue_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 23:35:31 +07:00
Sittikorn S dac72e2750 Update and rename sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml to sysmon_devilstongue_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 23:30:05 +07:00
Sittikorn S 10b7b6d640 Update sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 23:11:14 +07:00
Sittikorn S 94ba194b42 Update sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 23:09:51 +07:00
Sittikorn S 477ec060d2 Update and rename sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml to sysmon_exploit_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 22:47:04 +07:00
Sittikorn S 815f6a1745 Create sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 22:30:23 +07:00
Sittikorn S 99e5990416 Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 22:30:06 +07:00
Sittikorn S dc94c4e51e Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 22:21:34 +07:00
Sittikorn S 0954163e9d Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 22:19:07 +07:00
Sittikorn S e094c76098 Update sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 22:14:22 +07:00
Sittikorn S 0506e10697 Create sysmon_susp_devilstongue_CVE_2021_31979_CVE_2021_33771.yml 2021-07-16 22:09:07 +07:00
thegoatreich d14e0f1aaa add logrhythm lucene backend 
Copied and modded the es-qs backend for logrhythm's lucene syntax.
 2021-07-16 13:02:05 +01:00
thegoatreich f0f1653e42 config file for logrhythm support 
a config file and field mappings Windows event logs for LogRhythm using Lucene. 
This uses a custom backend which is mostly based on the es-qs backend.
 2021-07-16 07:54:02 -04:00
Tran Trung Hieu 8effde4e1d More suspicious flag fot bitsadmin execution 2021-07-16 16:40:00 +07:00
Tran Trung Hieu 1cb631017a Suspicious behaviours related to SOURGUM 2021-07-16 14:13:48 +07:00
Bhabesh Rai be8fce8e82 Added rule for ADRecon execution 2021-07-16 12:58:47 +05:45
frack113 9a7f3036e4 update ref in win_manage-bde_lolbas.yml 2021-07-16 08:34:30 +02:00
frack113 d6dc217c6d Add process_creation_syncappvpublishingserver_vbs_execute_powershell.yml 2021-07-16 08:28:25 +02:00
Ibrahim Ali Khan ce0d84acd7 Create ala-azure-aws_cloudtrail.yml 
AWS CloudTrail Logs mapping for Azure Log Analytics
 2021-07-15 21:51:41 +05:00
matsto f9997ace53 Fixed transformation modifier for keywords 2021-07-15 16:58:09 +02:00
Florian Roth e2e28e68e1 Merge pull request #1697 from frack113/small_fix 
fix missing references and duplicate UUID
 2021-07-15 12:47:06 +02:00
Florian Roth 021f211c14 fix: FP with WCE and Windows Cluster Service 2021-07-15 12:09:28 +02:00
frack113 c6cb7f1247 fix missing references and duplicate UUID 2021-07-15 11:06:54 +02:00
Florian Roth e40b859254 Merge pull request #1695 from frack113/fix_re 
escape / in regex
 2021-07-15 09:25:58 +02:00
Florian Roth 680e01d309 Merge pull request #1686 from leegengyu/patch-12 
Update winlogbeat-modules-enabled.yml
 2021-07-15 08:37:09 +02:00
Florian Roth abb8df887a Merge pull request #1690 from WuerthIT/patch_rule 
update rule: powershell_accessing_win_api.yml
 2021-07-15 08:36:38 +02:00
Florian Roth f3d24e27c2 Merge pull request #1694 from leegengyu/patch-13 
Update win_remote_powershell_session_process.yml
 2021-07-15 08:36:12 +02:00
Florian Roth 2055da991f Merge pull request #1691 from SigmaHQ/rule-devel 
Rules: scripts from Temp folders, reg disable sec services
 2021-07-15 08:35:54 +02:00
frack113 0ef3dc2082 escape / in regex 2021-07-15 08:13:49 +02:00
G Y 8bbea58786 Update win_remote_powershell_session_process.yml 
Updated TTP and formatting.
 2021-07-15 11:20:25 +08:00
Florian Roth e516aecc74 fix: error in selector 2021-07-14 15:58:55 +02:00
Florian Roth 530e04faec rule: Script Execution from Temp Folder 2021-07-14 15:52:52 +02:00
Florian Roth 0d794357e8 rule: reg disable security services 2021-07-14 15:52:35 +02:00
k-vdv 12b172039f fixed some typos and adjusted capitalization to original 2021-07-14 15:47:17 +02:00
Florian Roth 3ff4e99d44 Merge pull request #1688 from SigmaHQ/rule-devel 
refactor: improved Raccine uninstall rule
 2021-07-14 09:57:08 +02:00
Florian Roth 04370c7e91 refactor: improved Raccine uninstall rule 2021-07-14 09:56:35 +02:00
Florian Roth 1ec9473472 Merge pull request #1687 from SigmaHQ/rule-devel 
Rule adjustments and new Serv-U exploitation rules
 2021-07-14 08:59:33 +02:00
Florian Roth 5e2e6c9b72 Merge branch 'config-adjustments' into rule-devel 2021-07-14 08:35:47 +02:00
Florian Roth e0f166aba2 rule: Serv-U exploitation 
https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 2021-07-14 08:35:25 +02:00
Florian Roth 85d47aeabc Merge pull request #1678 from frack113/redcanary_t1228 
Some Redcanary T1228
 2021-07-14 08:18:52 +02:00