security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

7892 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 32adf0c3ce fix: prone to FPs 2021-03-16 15:52:35 +01:00
libraco 3c5624ca88 Update winlogbeat.yml 
add `SAMAccountName: winlog.event_data.SamAccountName` mapping for rules/windows/builtin/win_vul_cve_2020_1472.yml
 2021-03-15 23:54:28 +08:00
libraco 2971a08734 Update winlogbeat.yml 
add AccessList mapping of winlogbeat for rules/windows/builtin/win_susp_lsass_dump_generic.yml.
 2021-03-15 23:01:07 +08:00
zikyhd e91822e070 Fix win_etw_trace_evasion rule 2021-03-15 15:02:18 +01:00
Cedric HIEN 864973888e Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8) 2021-03-15 12:07:05 +01:00
Cedric HIEN e4f24f4e1f Fix ProcessCommandLine field 2021-03-15 11:56:19 +01:00
Florian Roth 310888bae7 Merge pull request #1386 from SigmaHQ/rule-devel 
Rule devel
 2021-03-15 10:52:57 +01:00
Florian Roth 70f9480ec5 fix: wrong field name 2021-03-15 08:14:43 +01:00
Cyb3rPandaH f138a27426 CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property 
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
 2021-03-15 00:33:47 -04:00
Thomas Patzke f4734cd5e5 Merge pull request #1309 from WuerthIT:logsourcemerging 
functionality for parameter logsourcemerging
 2021-03-13 22:25:29 +01:00
Thomas Patzke c13f3f1383 Merge pull request #1325 from dennispo/align-simac-stixshifter 
sigmac to STIX enhancements
 2021-03-13 18:49:12 +01:00
Thomas Patzke bbe41fff95 Merge pull request #1364 from SigmaHQ/dependabot/pip/aiohttp-3.7.4 
build(deps): bump aiohttp from 3.6.2 to 3.7.4
 2021-03-13 18:47:33 +01:00
Thomas Patzke 99c7889363 Merge pull request #1368 from roysjosh/stable-risk-scores 
es-rule: make risk scores stable
 2021-03-13 18:46:37 +01:00
Thomas Patzke d4aa34c0ae Merge pull request #1385 from socprime/chronicle_security_backend 
Chronicle Security Backend contributed by SOC Prime.
 2021-03-13 18:45:12 +01:00
Florian Roth a0b034aa2b fix: better exclusion 2021-03-13 09:09:43 +01:00
Florian Roth 145c3bc2ca refactor: more hafnium indicators 2021-03-13 09:07:58 +01:00
Florian Roth 69ee1cece2 fix: FPs 2021-03-13 09:07:44 +01:00
vh 7eeed68fb4 Chronicle Security Backend contributed by SOC Prime. 2021-03-12 12:21:44 +02:00
Florian Roth 48da4e1314 Update win_apt_hafnium.yml 2021-03-11 13:55:31 +01:00
Florian Roth 9084fc4fa7 Update on HAFNIUM rule 
https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
 2021-03-11 13:38:07 +01:00
Florian Roth 27fef60ace Merge pull request #1383 from SigmaHQ/rule-devel 
fix: FPs with LSASS Access from Non System Account
 2021-03-10 18:59:29 +01:00
Florian Roth 78004cc29c fix: condition contains - values without 0x 2021-03-10 18:56:05 +01:00
Florian Roth 29dec7dd8b fix: FPs with LSASS Access from Non System Account 2021-03-10 18:51:27 +01:00
yugoslavskiy 519e480333 Merge pull request #1176 from concorde18/DLL-execution-via-register-cimprovider.exe 
Dll execution via register cimprovider.exe
 2021-03-10 17:40:54 +01:00
Bhabesh Rai a58c5ed7cc Added rule for CVE-2021-21978 in VMware View Planner 2021-03-10 18:05:15 +05:45
concorde18 87059fe80b Merge branch 'oscd' into DLL-execution-via-register-cimprovider.exe 2021-03-10 11:35:55 +03:00
concorde18 f694de74aa Create win_susp_diskshadow.yml 2021-03-10 11:33:12 +03:00
concorde18 b73815e883 Update win_susp_Register_cimprovider.yml 2021-03-10 11:25:13 +03:00
Johnny Walker 0873c57acf Update netwitness.py 
nullExpression fixed to be really null (missing exclamation mark)
 2021-03-09 17:43:44 +01:00
Johnny Walker 4e5a9a58a5 Update netwitness-epl.py 
nullExpression and notNullExpression fixed to be logically coherent and compatible with EPL syntax
 2021-03-09 17:41:54 +01:00
Florian Roth f0051ffcf6 Merge pull request #1378 from SigmaHQ/rule-devel 
HAFNIUM activity
 2021-03-09 15:42:32 +01:00
Florian Roth dca5c870d7 Merge pull request #1374 from hieuttmmo/master 
Detect HAFNIUM operations
 2021-03-09 09:16:52 +01:00
Florian Roth ec490b40ec fix: 1 of them condition 2021-03-09 09:15:12 +01:00
Florian Roth 563335ec5a rule: suspicious service binary location 2021-03-09 09:01:36 +01:00
Florian Roth 2ded9543f3 rule: HAFNIUM post-exploitation activity 2021-03-09 09:01:24 +01:00
BlueTeamOps 26a5300208 added spaces for oudmp and dclist 2021-03-09 08:22:36 +11:00
yugoslavskiy 319bce639e Merge pull request #1377 from aw350m33d/oscd 
[OSCD Sprint #2] Resolved new conflicts with the master branch.
 2021-03-07 22:42:58 +01:00
Anton Kutepov c68e3b7835 Merge branch 'oscd' of https://github.com/SigmaHQ/sigma into oscd 2021-03-07 23:47:02 +03:00
Anton Kutepov e4a38a8b71 Merge branch 'master' into oscd 2021-03-07 23:41:11 +03:00
Anton Kutepov 626d7ebd61 Applied the fixes made by the participants during the second sprint. 2021-03-07 23:40:08 +03:00
Anton Kutepov d7ef865bb9 Merge remote-tracking branch 'upstream/master' and fix conflicts 2021-03-07 23:36:13 +03:00
Anton Kutepov ff6f10b484 Added the author of the duplicated rule (finger.exe) 2021-03-07 23:20:21 +03:00
Florian Roth 2b5f9f994f Merge pull request #1376 from SigmaHQ/rule-devel 
UNC2452 rules - GoldMax, GoldFinder, Sibot
 2021-03-05 18:17:20 +01:00
Florian Roth a61fbe6bd8 fix: duplicate UUID 2021-03-05 12:09:43 +01:00
Florian Roth 3a0fc4835a Merge pull request #1363 from markus-nclose/master 
Fix CobaltStrike typo
 2021-03-05 12:06:31 +01:00
Florian Roth b864768de8 fix: wrong conditions 2021-03-05 11:55:49 +01:00
Florian Roth c3b84f2d5b UNC2452 rules - GoldMax, Sibot, GoldFinder 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 2021-03-05 11:54:35 +01:00
Florian Roth bdc35aa3ec Update win_webshell_spawn.yml 2021-03-05 11:34:17 +01:00
Florian Roth 62b65a3578 Merge pull request #1375 from SigmaHQ/rule-devel 
fix: description
 2021-03-04 17:35:53 +01:00
Florian Roth bea2f226c6 fix: description 2021-03-04 17:35:25 +01:00