security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,854 Commits 1 Branch 57 Tags
ff6384aabb2bf61410fcc335ff2edb3fa4a6e83a
Commit Graph

9075 Commits

Author SHA1 Message Date
Florian Roth ff6384aabb Merge pull request #3262 from redsand/improvement_add_additional_useragent 
Feature improvement to add an additional known user agent seen in the…
 2022-07-22 21:07:03 +02:00
Florian Roth 8f36f332fc Merge pull request #3264 from nasbench/persistence-methods 
New Persistence Rules
 2022-07-22 10:01:46 +02:00
Florian Roth d31c47e79a exclude changes by legitimate programs 2022-07-22 08:15:42 +02:00
Florian Roth 5cd2eaff99 Merge pull request #3260 from greg-workspace/master 
Detect RipZip attack
 2022-07-22 08:12:41 +02:00
Nasreddine Bencherchali eaa8167052 Fix FP 2022-07-21 22:23:11 +01:00
Nasreddine Bencherchali 2d28590ec3 Update registry_set_sip_persistence.yml 2022-07-21 21:50:46 +01:00
Nasreddine Bencherchali 16bcfd1c8b Fix FP 2022-07-21 21:46:34 +01:00
Nasreddine Bencherchali 4fa86ca772 Update registry_set_mpnotify_persistence.yml 2022-07-21 21:25:14 +01:00
Nasreddine Bencherchali f1673d13a6 Update proc_creation_win_susp_psexex_paexec_escalate_system.yml 2022-07-21 21:24:16 +01:00
Nasreddine Bencherchali ee2dd212a7 Update registry_set_ifilter_persistence.yml 2022-07-21 21:22:53 +01:00
Nasreddine Bencherchali 4e9e5450eb Update proc_creation_win_susp_psexex_paexec_escalate_system.yml 2022-07-21 21:20:25 +01:00
Nasreddine Bencherchali a949fecb1c Persistence Rules 2022-07-21 21:13:10 +01:00
Florian Roth f71504fb3f Merge pull request #3261 from SigmaHQ/rule-devel 
Some rule improvements
 2022-07-21 21:34:09 +02:00
Tim Shelton 3c015a9c78 Feature improvement to add an additional known user agent seen in the wild. 2022-07-21 19:28:10 +00:00
Florian Roth 7858d5e841 Merge pull request #3244 from frack113/icacls_deny 
Add proc_creation_win_icacls_deny
 2022-07-21 18:19:51 +02:00
Florian Roth a906dd89cb refactor: rewritten RipZip rule 2022-07-21 18:19:07 +02:00
Florian Roth 9fb737612f Merge branch 'master' into rule-devel 2022-07-21 18:16:34 +02:00
Florian Roth b3dd9f51f0 some rule improvements 2022-07-21 18:16:22 +02:00
Florian Roth 63963a9014 Merge pull request #3254 from nasbench/cve_2022_33891 
Create web_cve_2022_33891_spark_rce.yml
 2022-07-21 18:13:39 +02:00
Florian Roth de4dd20a82 Update web_cve_2022_33891_spark_shell_command_injection.yml 2022-07-21 18:02:44 +02:00
Nasreddine Bencherchali aa79f4a5ee Update web_cve_2022_33891_spark_shell_command_injection.yml 2022-07-21 15:34:11 +01:00
Nasreddine Bencherchali a0a318edfc Update proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml 2022-07-21 15:17:48 +01:00
Nasreddine Bencherchali a46b20b78c Update proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml 2022-07-21 14:42:54 +01:00
eiger 4d981fded8 Detect RipZip attack 2022-07-21 16:05:52 +08:00
Florian Roth de68fb244e Merge pull request #3251 from nasbench/CVE-2014-6287 
Create web_cve_2014_6287_hfs_rce.yml
 2022-07-20 23:24:42 +02:00
Florian Roth 289a3f3de3 Merge pull request #3253 from nasbench/susp-user-agents 
Create web_susp_useragents.yml
 2022-07-20 23:24:12 +02:00
Florian Roth 4a709eeea0 Merge pull request #3258 from BlackB0lt/patch-29 
Update proc_creation_win_lolbins_by_office_applications.yml
 2022-07-20 23:22:02 +02:00
Tim Shelton 3f6bbd0df9 False positive when box app uses regsvr32 2022-07-20 18:47:26 +00:00
Sittikorn S cac84f2d29 Update proc_creation_win_lolbins_by_office_applications.yml 
And control.exe reference from Splunk Detection
 2022-07-20 19:53:53 +07:00
Nasreddine Bencherchali a8b283ba5f Update 2022-07-20 13:40:24 +01:00
Nasreddine Bencherchali 4c5929416a Update web_cve_2014_6287_hfs_rce.yml 2022-07-20 13:26:19 +01:00
Florian Roth 776b3ff99c Update web_susp_useragents.yml 2022-07-20 14:21:41 +02:00
Florian Roth c107c27074 Update proc_creation_win_icacls_deny.yml 2022-07-20 14:05:06 +02:00
Florian Roth b3131a5a44 Merge pull request #3237 from frack113/fax 
Fax service persistance
 2022-07-20 14:03:56 +02:00
Florian Roth abe97c6ba8 Merge pull request #3245 from redsand/fp_epmap_from_amazon_ssm 
False positive from amazon ssm agent updater connecting to local ip a…
 2022-07-20 14:03:41 +02:00
Florian Roth 3286d16f3a Merge branch 'master' into aurora-false-positive-fixing 2022-07-20 13:03:56 +02:00
Florian Roth 634722c786 fix: FPs noticed with Aurora 2022-07-20 13:02:49 +02:00
Florian Roth 2bea984f0a fix: FPs with Rundll32 rule 2022-07-20 12:53:24 +02:00
Nasreddine Bencherchali 06c9ba2730 Renamed File 2022-07-19 18:38:10 +01:00
Nasreddine Bencherchali 32b028fb16 Create web_cve_2022_33891_spark_rce.yml 2022-07-19 17:15:14 +01:00
frack113 5edd024476 Merge pull request #3252 from frack113/yaml_fix 
Add azure_aad_secops_new_ca_policy_addedby_bad_actor
 2022-07-19 17:59:56 +02:00
Nasreddine Bencherchali 595af48863 Create web_susp_useragents.yml 2022-07-19 16:26:28 +01:00
frack113 a3b1cdc158 Add azure_aad_secops_new_ca_policy_addedby_bad_actor 2022-07-19 17:19:37 +02:00
Florian Roth fd30a06112 Merge pull request #3240 from nasbench/uac-bypass-image-load 
Iscsicpl UAC Bypass + Generic Rule
 2022-07-19 16:38:34 +02:00
Nasreddine Bencherchali 982038ebe3 Update web_cve_2014_6287_hfs_rce.yml 2022-07-19 15:27:16 +01:00
Nasreddine Bencherchali 8e5e71ea15 Create web_cve_2014_6287_hfs_rce.yml 2022-07-19 15:17:16 +01:00
Tim Shelton 785a31025c False positive from amazon ssm agent updater connecting to local ip address on this port 2022-07-18 19:51:00 +00:00
frack113 4ef0cc8c66 Add proc_creation_win_icacls_deny 2022-07-18 20:10:25 +02:00
Florian Roth 96f7750cb8 Merge pull request #3242 from nasbench/wpbbin-persistence 
UEFI Persistence - wpbbin
 2022-07-18 15:47:34 +02:00
Florian Roth 44b424e3cf refactor: WSMAN Provider Image Loads & empty cmdline 2022-07-18 13:55:14 +02:00