security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9,404 Commits 1 Branch 57 Tags
ffc87968cfac542689aee001fc2fd39deefe67f8
Commit Graph

946 Commits

Author SHA1 Message Date
frack113 b368d036cf change level to medium 2021-12-16 22:44:45 +01:00
frack113 4f866f8da3 fix detection 2021-12-15 10:04:37 +01:00
frack113 8908c4ca8e Add win_vul_cve_2021_42278_or_cve_2021_42287 2021-12-15 09:32:39 +01:00
frack113 93c5d8b361 Add win_vul_cve_2021_42278_or_cve_2021-42287 2021-12-15 09:24:23 +01:00
Florian Roth baa1dcd608 Merge pull request #2417 from stbe/imp_lsass_defender 
Added Defender to win_susp_lsass_dump_generic.yml
 2021-12-10 00:00:22 +01:00
stbe 44db55c4fd Refined definition of defender executable 2021-12-09 22:55:09 +01:00
frack113 e049058d14 Merge pull request #2415 from frack113/condition 
builtin/security simplified condition
 2021-12-09 16:24:24 +01:00
stbe 20f185f2b8 Added Defender to win_susp_lsass_dump_generic.yml 2021-12-09 13:57:09 +01:00
Florian Roth af2c6a0ecb Lower the level to "low" 
In case that some backends/scripts/tools don't respect the "deprecated" status
 2021-12-09 13:01:12 +01:00
frack113 62207b80ba Change to deprecated as too many FP 2021-12-09 09:34:08 +01:00
frack113 3ce9336e79 simplified condition 2021-12-08 20:12:57 +01:00
Florian Roth 157fa31f1b Merge pull request #2400 from redsand/fixing_errs_with_invoke_obfus 
Fixing errs with invoke obfus
 2021-12-08 14:49:42 +01:00
stbe 7566207026 Corrected filter field name in win_pass_the_hash.yml 2021-12-08 14:03:13 +01:00
stbe 88b5e1bd9e Corrected filter field name in win_pass_the_hash_2.yml 2021-12-08 13:49:18 +01:00
Tim Shelton 3bf8eb6aff reverting modified date, batch 2 2021-12-07 17:55:52 +00:00
Tim Shelton d79a0e029b reverting modified date, batch 1 2021-12-07 17:53:50 +00:00
Tim Shelton c9e08884f6 updating date 2021-12-07 16:27:01 +00:00
Tim Shelton aa16afd09c updating date 2021-12-07 16:26:38 +00:00
Tim Shelton 3fa1624b68 order matters... need to use most intensive match last 2021-12-07 16:11:42 +00:00
Tim Shelton fddf423878 order matters... need to use most intensive match last 2021-12-07 16:10:33 +00:00
Tim Shelton 3873872381 order matters... need to use most intensive match last 2021-12-07 16:09:35 +00:00
Tim Shelton 8f20846524 order matters... need to use most intensive match last 2021-12-07 16:08:37 +00:00
Tim Shelton f31b3865ae order matters... need to use most intensive match last 2021-12-07 16:07:18 +00:00
Tim Shelton 8086c3446f order matters... need to use most intensive match last 2021-12-07 16:04:21 +00:00
Tim Shelton 9122b3c881 order matters... need to use most intensive match last 2021-12-07 16:03:09 +00:00
Tim Shelton 3fcda9704e order matters... need to use most intensive match last 2021-12-07 16:01:28 +00:00
Tim Shelton 31be528fa0 adding sql\query to name pipe list 2021-12-06 22:27:57 +00:00
frack113 e2b70a2edb add win_susp_system_update_error rule 2021-12-04 13:02:12 +01:00
frack113 e215f4606b Order rules 2021-12-04 10:07:07 +01:00
phantinuss 07a0a37273 feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:47:39 +01:00
Tim Shelton d90ddc097e adding additional filter for lsass: ShareName=\\*\IPC$ | ShareLocalPath= | RelativeTargetName=lsass | AccessMask=0x2019f 2021-12-01 18:36:38 +00:00
Tim Shelton 7626b73b8e Duplicate matching causes confusion. Converting to simplified selection (matching) and false positive (filtering) phases 2021-12-01 18:33:48 +00:00
phantinuss 204c627991 add PE files because of CVE-2020-1599 2021-12-01 15:14:43 +01:00
Florian Roth 0903b667c1 Merge pull request #2356 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2021-12-01 15:10:50 +01:00
Florian Roth 5a01a88af1 fix: FPs with FileStream events 2021-12-01 14:10:56 +01:00
frack113 24d73a5f8a Add definition info 2021-11-30 15:10:36 +01:00
frack113 5c1b3f8362 Add Provider_Name 2021-11-30 15:03:53 +01:00
Florian Roth 820cc0ccf8 Merge branch 'master' into rule-devel 2021-11-29 11:00:25 +01:00
Florian Roth ef7810fa8b fix: fixing issues with wildcard symbol 
https://github.com/SigmaHQ/sigma/issues/2339
 2021-11-29 10:57:01 +01:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
Florian Roth d91b925873 fix: FPs 2021-11-26 14:42:21 +01:00
Florian Roth db03d08b11 Merge pull request #2293 from SigmaHQ/rule-devel 
fix: 0x1000 access on LSASS, rule: new LSASS access, rule: CVE-2021-41379
 2021-11-22 13:29:31 +01:00
Florian Roth 01189dcef2 fix: rule condition 2021-11-22 11:47:39 +01:00
Florian Roth d2e45afc3c fix: typo in filename - missing period 2021-11-22 11:40:17 +01:00
Florian Roth d3ec743906 fix: changed modified date 2021-11-22 11:38:37 +01:00
Florian Roth 7432aa37a0 refactor: lsass query info access 2021-11-22 11:02:01 +01:00
frack113 e5404785d3 Merge pull request #2290 from frack113/fix_fieldname 
Fix field name in windows rules
 2021-11-21 09:09:40 +01:00
frack113 bc61fbeee2 Merge pull request #2281 from orlinum/patch-2 
Create win_ADCS_certificate_template_configuration_vulnerability.yml
 2021-11-20 20:45:04 +01:00
frack113 3162b7ccfe Merge pull request #2280 from orlinum/patch-1 
Create win_ADCS_certificate_template_configuration_vulnerability_EKU.yml
 2021-11-20 20:44:42 +01:00
Orlinum c37f7aede9 path modified to rules/windows/builtin/ 2021-11-20 19:38:00 +01:00