security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,902 Commits 1 Branch 57 Tags
0bd33e994408cfdb90c2013b194ca7eeb698e2b2
Commit Graph

3324 Commits

Author SHA1 Message Date
phantinuss 0bd33e9944 add UACMe reference Id 2022-07-27 11:13:48 +02:00
frack113 884b2fc3b7 Update title 2022-07-27 11:08:55 +02:00
frack113 bbf07649b1 MS Update FP 2022-07-27 08:09:11 +02:00
Florian Roth 70d84f972c Merge pull request #3272 from redsand/fp_manage_engine_elastic 
False positive when running Manage Engine and elastic
 2022-07-26 18:24:45 +02:00
Tim Shelton fb95703685 False positive when running Manage Engine and elastic 2022-07-25 21:33:39 +00:00
Florian Roth add077b8f5 Merge pull request #3270 from nasbench/nasbench-rule-dev 
Rule Update
 2022-07-25 19:03:41 +02:00
Nasreddine Bencherchali 38543ff5d9 Update proc_creation_win_lolbin_winword.yml 2022-07-25 17:53:23 +01:00
Florian Roth e170be9f45 Merge pull request #3269 from nasbench/windowsTerminal-persistence 
WindowsTerminal Rule
 2022-07-25 18:26:20 +02:00
Nasreddine Bencherchali 236587ee7a Rule Update 2022-07-25 16:50:19 +01:00
Nasreddine Bencherchali f897cae1b0 Create proc_creation_win_windows_terminal_susp_children.yml 2022-07-25 15:54:21 +01:00
Florian Roth 4af35c6794 Merge pull request #3263 from RomaissaAdjailia/master 
Suspicious processes Started From PSExec service
 2022-07-25 07:50:52 +02:00
Florian Roth b1c1650897 Merge pull request #3265 from nasbench/pdq-deploy 
PDQDeploy Rules
 2022-07-23 15:23:23 +02:00
Nasreddine Bencherchali e7951c26fd Update proc_creation_win_pdqdeploy_runner_susp_children.yml 2022-07-23 13:04:27 +01:00
Nasreddine Bencherchali 2b96def495 Add more stuff 2022-07-23 13:03:56 +01:00
Florian Roth 402f171a89 Update proc_creation_win_pdqdeploy_runner_susp_children.yml 2022-07-23 12:08:29 +02:00
Florian Roth 6d537dbdd5 refactor: new PSEXEC related rule ideas 2022-07-23 11:27:29 +02:00
Florian Roth 06dac9f4a1 Update proc_creation_suspicious_process_started_from_psexec.yml 2022-07-23 11:01:21 +02:00
Florian Roth 6a3bfb57c0 Update proc_creation_win_pdqdeploy_runner_susp_children.yml 2022-07-23 10:45:36 +02:00
Florian Roth 5833e636d8 rule: process id spoofers 2022-07-23 10:37:57 +02:00
Nasreddine Bencherchali d348e17fd9 Update proc_creation_win_pdqdeploy_runner_susp_children.yml 2022-07-22 23:55:21 +01:00
Nasreddine Bencherchali 075906dbc2 PDQDeploy Rules 2022-07-22 23:52:34 +01:00
ROMAISSA Adjailia 1b52ff43af Update proc_creation_suspicious_process_started_from_psexec.yml 2022-07-22 23:26:53 +01:00
Florian Roth 8f36f332fc Merge pull request #3264 from nasbench/persistence-methods 
New Persistence Rules
 2022-07-22 10:01:46 +02:00
Nasreddine Bencherchali f1673d13a6 Update proc_creation_win_susp_psexex_paexec_escalate_system.yml 2022-07-21 21:24:16 +01:00
Nasreddine Bencherchali 4e9e5450eb Update proc_creation_win_susp_psexex_paexec_escalate_system.yml 2022-07-21 21:20:25 +01:00
Nasreddine Bencherchali a949fecb1c Persistence Rules 2022-07-21 21:13:10 +01:00
RomaissaAdjailia 3b91308d16 update 2022-07-21 20:34:18 +01:00
Florian Roth f71504fb3f Merge pull request #3261 from SigmaHQ/rule-devel 
Some rule improvements
 2022-07-21 21:34:09 +02:00
RomaissaAdjailia 2ff1a4529c Create proc_creation_suspicious_process_started_from_psexec .yml 2022-07-21 20:32:50 +01:00
Florian Roth 7858d5e841 Merge pull request #3244 from frack113/icacls_deny 
Add proc_creation_win_icacls_deny
 2022-07-21 18:19:51 +02:00
Florian Roth 9fb737612f Merge branch 'master' into rule-devel 2022-07-21 18:16:34 +02:00
Florian Roth b3dd9f51f0 some rule improvements 2022-07-21 18:16:22 +02:00
Florian Roth 4a709eeea0 Merge pull request #3258 from BlackB0lt/patch-29 
Update proc_creation_win_lolbins_by_office_applications.yml
 2022-07-20 23:22:02 +02:00
Tim Shelton 3f6bbd0df9 False positive when box app uses regsvr32 2022-07-20 18:47:26 +00:00
Sittikorn S cac84f2d29 Update proc_creation_win_lolbins_by_office_applications.yml 
And control.exe reference from Splunk Detection
 2022-07-20 19:53:53 +07:00
Florian Roth c107c27074 Update proc_creation_win_icacls_deny.yml 2022-07-20 14:05:06 +02:00
Florian Roth 3286d16f3a Merge branch 'master' into aurora-false-positive-fixing 2022-07-20 13:03:56 +02:00
Florian Roth 634722c786 fix: FPs noticed with Aurora 2022-07-20 13:02:49 +02:00
Florian Roth 2bea984f0a fix: FPs with Rundll32 rule 2022-07-20 12:53:24 +02:00
frack113 4ef0cc8c66 Add proc_creation_win_icacls_deny 2022-07-18 20:10:25 +02:00
Florian Roth 96f7750cb8 Merge pull request #3242 from nasbench/wpbbin-persistence 
UEFI Persistence - wpbbin
 2022-07-18 15:47:34 +02:00
Nasreddine Bencherchali 492f754f29 UEFI Persistence - wpbbin 2022-07-18 12:45:44 +01:00
Florian Roth a62fb4d501 Merge branch 'master' into rule-devel 2022-07-18 13:16:26 +02:00
frack113 f161f6d051 Fix modified 2022-07-16 20:56:13 +02:00
frack113 79f6b200cc Add csrstub.exe 2022-07-16 19:54:16 +02:00
frack113 00886a2b33 Add proc_creation_win_susp_16bit_application 2022-07-16 17:36:53 +02:00
Florian Roth 749a7b4df5 Merge branch 'master' into rule-devel 2022-07-16 08:15:20 +02:00
Florian Roth b52b279f30 Merge pull request #3225 from nasbench/master 
New Rules + Update
 2022-07-14 21:58:01 +02:00
Tim Shelton 6187cfdfd6 False positive when amazon workspaces is running and doing its weird little things 2022-07-14 19:41:52 +00:00
Nasreddine Bencherchali e4f964879e Fix after review 2022-07-14 19:34:59 +01:00