Commit Graph

137 Commits

Author SHA1 Message Date
frack113 12e7174a04 Update sysmon_susp_adsi_cache_usage.yml 2021-12-12 11:29:44 +01:00
Tim Shelton e7e456d1a5 Adding allow for cylance 2021-12-11 19:23:12 +00:00
Florian Roth fc6ad3667c Merge pull request #2396 from SigmaHQ/rule-devel (New rules - Suspicious SYSTEM context) 2021-12-07 08:24:12 +01:00
Florian Roth 48b1ef02df rule: PowerShell as SYSTEM 2021-12-07 07:03:48 +01:00
Tim Shelton ce496e6357 removing dot 2021-12-06 22:39:24 +00:00
Tim Shelton f52005e571 does this pass the test? 2021-12-06 22:30:41 +00:00
Tim Shelton 3f8e35defa Adding new rule for network access/write to desktop.ini 2021-12-06 22:02:24 +00:00
Florian Roth ceea83ad48 Merge branch 'master' into aurora-false-positive-fixing 2021-12-03 14:42:18 +01:00
Florian Roth 8ea102ae72 fix: FPs with desktop.ini writes 2021-12-03 14:37:25 +01:00
frack113 0d57825c32 Merge pull request #2360 from redsand/adding_access_list_fp (Adding filter for read only accesslist, attack cannot be triggered) 2021-12-02 09:20:35 +01:00
frack113 686035d66e Order selection filter 2021-12-02 06:41:49 +01:00
Tim Shelton 677bdd9768 oof, adding to selection and not filter 2021-12-01 15:37:11 +00:00
Tim Shelton 96295a717c Adding filter for read only accesslist, attack cannot be triggered 2021-12-01 15:35:51 +00:00
Florian Roth 0903b667c1 Merge pull request #2356 from SigmaHQ/aurora-false-positive-fixing (Aurora false positive fixing) 2021-12-01 15:10:50 +01:00
Florian Roth 6b7206ca2a fix: print driver FP 2021-12-01 14:14:53 +01:00
Florian Roth 97d2ce0297 NPPSpy file creation rule 2021-11-29 16:03:03 +01:00
Florian Roth 330fcf485c Merge branch 'master' into promote_status 2021-11-27 17:15:56 +01:00
Florian Roth 1f6fa6dd58 rule: ATPMiniDump extensions 2021-11-27 14:02:42 +01:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
Florian Roth 3ace3808a5 refactor: Shell File Write to Suspicious Folder rule 2021-11-24 15:54:42 +01:00
Florian Roth 42571791b3 Merge branch 'rule-devel' into aurora-false-positive-fixing 2021-11-22 15:24:46 +01:00
Florian Roth 75663ceb46 rule: file creation LPE CVE-2021-41379 2021-11-22 14:15:51 +01:00
Florian Roth 3eeeb81d00 Merge pull request #2288 from SigmaHQ/rule-devel (fix: FPs; rule: Windows Shell File Write to Suspicious Folder) 2021-11-20 18:27:26 +01:00
Florian Roth 1ce65c6730 rule: shell file write to suspicious folder 2021-11-20 15:37:10 +01:00
frack113 c6087bc988 fix tags errors 2021-11-20 12:35:41 +01:00
frack113 f47d0da3f7 add missing MITRE Techniques 2021-11-20 12:26:01 +01:00
frack113 1cfca93354 Missing status in rules (#2284): add missing status 2021-11-19 22:32:26 +01:00
WojciechLesicki ba053ea19b Adding two more processes, additional references, information about Cobalt Strike etc. 2021-11-17 22:37:23 +01:00
Florian Roth 97bc8aa6f2 rule: suspicious write to system tasks 2021-11-16 17:30:47 +01:00
Florian Roth 760266ab34 Merge branch 'master' into rule-devel 2021-11-16 12:13:20 +01:00
Florian Roth 20686c908d rules: lsass dumps 2021-11-15 12:16:44 +01:00
frack113 f01523d791 Integrity does not exist in file_event 2021-11-10 19:51:01 +01:00
frack113 da8fcabe0c Fix TargetFilename case 2021-11-10 19:49:25 +01:00
frack113 b6f6beda3c FileMagicBytes does not exist in file_event 2021-11-10 19:44:08 +01:00
Florian Roth 37b9abd827 fix: date field 2021-11-09 16:52:19 +01:00
Florian Roth 77e9decc64 Merge branch 'master' into rule-devel 2021-11-09 16:45:49 +01:00
Florian Roth 3f57251768 Merge branch 'master' into rule-devel 2021-11-08 11:46:35 +01:00
Florian Roth 20f4099cec rule: Kirbi file creation 2021-11-08 11:21:40 +01:00
frack113 a3f3ec84c9 fix product windows case 2021-11-05 13:16:24 +01:00
S.kiran kumar 802cdb0189 Added another application 2021-11-01 21:41:57 +05:30
frack113 bcdf13c680 Merge pull request #2213 from frack113/fix_rule (Fix detection file_event_mal_vhd_download.yml) 2021-10-29 12:26:06 +02:00
phantinuss 4b18d5e45c chore: set status to test 2021-10-29 09:57:19 +02:00
frack113 ef0f836a71 Fix detection 2021-10-29 08:21:41 +02:00
phantinuss 6fb27eeb76 fix: fix FPs found in production environment 2021-10-28 13:32:15 +02:00
frack113 765acac374 Merge pull request #2195 from frack113/cve_attack (CVE attack) 2021-10-26 10:40:13 +02:00
frack113 b17c4fab33 Merge pull request #2193 from frack113/vhd_dowload (Add file_event_mal_vhd_download.yml) 2021-10-25 20:30:11 +02:00
frack113 f8574fcd81 Add cve tags 2021-10-25 18:40:50 +02:00
frack113 162d869e2b Add cve tags 2021-10-25 18:14:03 +02:00
frack113 5294e91828 Update file_event_mal_vhd_download.yml 2021-10-25 17:29:01 +02:00
frack113 12707f8ec5 fix level 2021-10-25 09:16:59 +02:00