Commit Graph

9404 Commits

Author SHA1 Message Date
frack113 ffc87968cf Merge pull request #2469 from frack113/aurora_fp
Aurora FP
2021-12-20 08:39:13 +01:00
Florian Roth cea0a760d7 Merge pull request #2468 from nasbench/master
Add/Update Rules
2021-12-19 20:25:18 +01:00
Florian Roth 89e1f491b3 refactor: add accepteula to flags 2021-12-19 19:43:37 +01:00
frack113 f8962bec98 Aurora FP 2021-12-19 10:35:39 +01:00
Nasreddine Bencherchali 70f3f4fa88 Create win_susp_psloglist.yml
- The flags can be used with both "-" and "/" characters.
- This rule aims to detect any usage of psloglist, no matter whether the binary has its original name or not. This is achieved by looking for both the image name and the specific command line arguments.
2021-12-18 21:52:05 +01:00
Nasreddine Bencherchali 6f01874e07 Create win_susp_nt_resource_kit_auditpol_usage.yml 2021-12-18 21:06:46 +01:00
Florian Roth 91b51068ea fix condition
https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:57 +01:00
Florian Roth 78900a7b96 fix condition
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:35 +01:00
Florian Roth 61ae79bcff Condition changed
see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
2021-12-18 20:26:12 +01:00
Florian Roth 4362060da6 Update process_creation_advanced_ip_scanner.yml 2021-12-18 20:24:11 +01:00
Nasreddine Bencherchali da5cb2116c Update process_creation_advanced_ip_scanner.yml 2021-12-18 20:08:00 +01:00
Nasreddine Bencherchali 8401ece3d6 Create process_creation_cleanwipe.yml 2021-12-18 20:05:49 +01:00
Nasreddine Bencherchali 92e7ff882f Create process_creation_advanced_port_scanner.yml 2021-12-18 20:00:40 +01:00
Florian Roth dbf3455990 Merge pull request #2467 from SigmaHQ/aurora-false-positive-fixing
fix: exclude *.scr screensavers
2021-12-18 19:00:20 +01:00
Florian Roth 3f5859bac5 fix: exclude *.scr screensavers 2021-12-18 15:40:12 +01:00
Florian Roth 68be189402 Merge pull request #2463 from Karneades/java
rule: add new rule for java spawning suspicious binaries
2021-12-18 07:56:53 +01:00
Florian Roth 8a3c521a34 Merge pull request #2466 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-18 07:16:16 +01:00
Florian Roth 8f36cb8b7e Merge pull request #2454 from frack113/CVE_2021_42278
cve_2021_42278 or cve_2021_42287
2021-12-18 06:46:47 +01:00
Florian Roth e20d8be164 refactor: split rule up into two, more susp sub procs 2021-12-18 06:39:14 +01:00
Florian Roth 529b35cd8b fix: more FPs noticed 2021-12-18 06:22:16 +01:00
Florian Roth 4e49c28472 fix: FPs noticed with Aurora 2021-12-18 06:19:35 +01:00
Florian Roth f1918e512c Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-18 00:18:00 +01:00
Florian Roth 4b7b829d18 fix: FPs noticed with Aurora 2021-12-18 00:17:58 +01:00
Florian Roth 8aec4e6d9e Merge pull request #2462 from Karneades/patch-1
Move winrm rule to process creation
2021-12-17 23:57:53 +01:00
Florian Roth 45253c6253 Merge pull request #2460 from phantinuss/master
fix: FP in Aviar installer
2021-12-17 19:55:02 +01:00
Florian Roth 4cdb23598f Merge branch 'master' into master 2021-12-17 17:46:05 +01:00
Florian Roth 859816695a Merge pull request #2464 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-17 17:44:10 +01:00
Andreas Hunkeler 55c83e31c2 rule: add new rule for java spawning suspicious binaries 2021-12-17 17:40:38 +01:00
Andreas Hunkeler 9ecacdaeea Move winrm rule to process creation 2021-12-17 17:31:06 +01:00
Florian Roth 865bf5f8a7 Merge branch 'master' into aurora-false-positive-fixing 2021-12-17 16:31:05 +01:00
Florian Roth a7b1ab0073 fix: bug in rule 2021-12-17 16:30:37 +01:00
Florian Roth 80f3ff9f65 Merge pull request #2461 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-17 14:05:11 +01:00
Florian Roth d0d9e74313 fix: FP noticed with Aurora 2021-12-17 12:32:48 +01:00
Florian Roth a3220ab72b Merge branch 'master' into aurora-false-positive-fixing 2021-12-17 12:32:14 +01:00
Florian Roth c7c4130c04 Update sysmon_alternate_powershell_hosts_pipe.yml 2021-12-17 12:31:08 +01:00
phantinuss 1c789bd080 fix: FP in Aviar installer 2021-12-17 09:20:21 +01:00
frack113 ab450e5782 Merge pull request #2458 from frack113/redcanary_20211216
Windows Redcanary T1518.001 discovery
2021-12-16 22:47:23 +01:00
frack113 4db3b63527 Merge pull request #2457 from frack113/aurora_fp_update
Aurora fp update
2021-12-16 22:45:47 +01:00
frack113 b368d036cf change level to medium 2021-12-16 22:44:45 +01:00
frack113 cdb4e70f2f Merge pull request #2456 from fryguy04/patch-1
Log4j OR each section vs implicit AND
2021-12-16 22:43:58 +01:00
Florian Roth d88f6b2208 Merge pull request #2459 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-16 20:34:30 +01:00
Florian Roth 84e5d60bbc fix: FPs noticed with Aurora 2021-12-16 19:54:22 +01:00
Fred Frey 44fecf8ebd typo 2021-12-16 12:12:37 -05:00
Fred Frey 05245b5ac7 implemented @frack113 1 of selection* suggestion 2021-12-16 12:09:39 -05:00
frack113 605ec35109 fix space 2021-12-16 10:41:07 +01:00
frack113 d7e9dccdbe Windows redcanary 2021-12-16 10:32:45 +01:00
frack113 73ee94d46b Fix aurora FP 2021-12-16 09:50:28 +01:00
frack113 372023d3c0 Fix aurora FP 2021-12-16 09:45:50 +01:00
frack113 1e42c8e69c Merge pull request #2455 from frack113/redcanary_20211215
Windows redcanary discovery
2021-12-16 08:38:05 +01:00
Fred Frey 972dfbc4d2 Log4j OR each section vs implicit AND
When the original is compiled it requires one TRUE from each Field (implicit AND) ... I believe the intent is to search all fields of any trace, hence the explicit OR in "condition"
2021-12-16 01:53:33 -05:00