Florian Roth
0cd5eb375d
Merge branch 'master' into rule-devel
2022-12-27 11:58:53 +01:00
Florian Roth
65f92dcd47
rule: HTran / NATBypass usage
2022-12-27 11:58:44 +01:00
frack113
8ea3999754
Merge pull request #3302 from memory-shards/master
...
Create proc_creation_win_lolbin_agentexecutor.yml
2022-12-24 15:45:35 +01:00
Nasreddine Bencherchali
794d93c298
fix: broken selection
2022-12-24 14:11:32 +01:00
Nasreddine Bencherchali
e7d6bf7cab
fix: enhance logic of AgentExecutor rules
2022-12-24 14:10:21 +01:00
frack113
271460062e
Merge pull request #3815 from nasbench/aadinternals-rules
...
feat: new aadinternals related rules
2022-12-23 20:20:07 +01:00
frack113
5fdad241ea
Update proc_creation_win_lolbin_agentexecutor.yml
2022-12-23 20:11:55 +01:00
Nasreddine Bencherchali
5a8808e0ac
fix: wrong category
2022-12-23 19:27:34 +01:00
Nasreddine Bencherchali
1f38e15bb4
fix: fp section
2022-12-23 19:24:08 +01:00
Nasreddine Bencherchali
92e4081de3
fix: duplicate title
2022-12-23 19:20:43 +01:00
Nasreddine Bencherchali
28664d5bb3
feat: new aadinternals related rules
2022-12-23 19:16:17 +01:00
Nasreddine Bencherchali
0aa6f26a6f
feat: updates and enhancements
2022-12-23 18:37:59 +01:00
frack113
df015e555c
Add more ref
2022-12-23 13:22:50 +01:00
frack113
546e53fb35
Apply suggestions from code review
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-23 12:34:56 +01:00
frack113
bee5b2f252
Issue 575 page 43
2022-12-23 11:10:17 +01:00
frack113
b200b5dedb
Fix title
2022-12-23 10:58:11 +01:00
frack113
9617cdd4ea
Issue 575 page 42
2022-12-23 10:50:34 +01:00
Nasreddine Bencherchali
03cc78e916
feat: filename test enhancements (#3812)
2022-12-23 09:25:16 +01:00
frack113
a9a0d6217d
Merge pull request #3808 from veramine/patch-11
...
Remove Logitech auto-updater false positive
2022-12-22 10:37:45 +01:00
Nasreddine Bencherchali
653b498315
fix: update modified field
2022-12-22 10:31:25 +01:00
Veramine
5bdf52beae
Remove Logitech auto-updater false positive
2022-12-21 23:49:14 -08:00
Veramine
3bb741af66
Remove Windows 10 volume control false positive
...
https://superuser.com/questions/1175267/what-is-this-rundll32-instance-running
2022-12-21 23:41:39 -08:00
sai prashanth pulisetti
3b6100ccd9
Create Possible Manipulation Of Tokens on a Windows computer remotely Detected via impersonate (#3803)
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-21 13:27:22 +01:00
Florian Roth
f9d1eb1f2d
Update proc_creation_win_renamed_office_processes.yml
2022-12-21 09:18:06 +01:00
Florian Roth
9372987801
fix: missing upper tick
...
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2022-12-21 08:57:37 +01:00
Florian Roth
7e7cbe41c3
docs: change modified date
2022-12-21 08:57:05 +01:00
Nasreddine Bencherchali
beccf416da
feat: add two new rules
2022-12-20 23:44:44 +01:00
Nasreddine Bencherchali
6679347fe3
fix: rename files to follow convention
2022-12-20 22:25:49 +01:00
Nasreddine Bencherchali
68f1ce8b9e
Merge branch 'SigmaHQ:master' into nasbench-rule-devel
2022-12-20 22:24:56 +01:00
Nasreddine Bencherchali
3f48eb4963
fix: selection name and add old path
2022-12-20 10:42:21 +01:00
Nasreddine Bencherchali
de5345cfd2
fix: add permalink instead of master
2022-12-20 10:25:52 +01:00
Nasreddine Bencherchali
22761ec2c3
fix: add missing id
2022-12-20 10:25:03 +01:00
MetaOSINT
ba52dc2aa8
T1539 Steal Web Session Cookie rules
...
Update existing rule and add one new rule related to Steal Web Session Cookie technique (T1539)
2022-12-19 23:20:13 -05:00
Nasreddine Bencherchali
ba3e985bed
feat: multiple update and enhancements
2022-12-19 17:41:40 +01:00
Nasreddine Bencherchali
025c1a4aae
fix: enhance logic and severity
2022-12-19 11:21:24 +01:00
Qasim Qlf
9318c05751
fix: modify the detection and condition
2022-12-19 15:00:00 +05:00
frack113
646351808e
Refactor (#3794)
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-18 21:00:14 +01:00
frack113
41d841ada2
Merge pull request #3793 from nasbench/nasbench-rule-devel
...
feat: updates and enhancements
2022-12-18 18:48:06 +01:00
Nasreddine Bencherchali
3f6bcb6cee
fix: fp found in testing
2022-12-18 15:07:47 +01:00
Nasreddine Bencherchali
dbe3c80dd3
fix: fp found with baseline
2022-12-16 18:50:38 +01:00
Nasreddine Bencherchali
b108c1189d
Merge pull request #3717 from redsand/fp_convert_guidcompress
...
FP: ignore calling function Convert-GuidToCompressedGuid, …
2022-12-16 18:44:44 +01:00
Nasreddine Bencherchali
7ef1945ce5
Merge pull request #3791 from veramine/patch-6
...
Update proc_creation_win_rundll32_parent_explorer.yml
2022-12-16 18:43:54 +01:00
Nasreddine Bencherchali
1e2cd1655e
fix: add more filters and update image field
2022-12-16 17:59:24 +01:00
Nasreddine Bencherchali
c67960d162
fix: update logic
2022-12-16 17:46:35 +01:00
Nasreddine Bencherchali
2b9048b6c8
fix: update detection logic
2022-12-16 17:09:34 +01:00
Nasreddine Bencherchali
f0ff97be9b
fix: update description
2022-12-16 17:07:52 +01:00
Nasreddine Bencherchali
3868dd91c6
feat: updates and enhancements
2022-12-16 16:52:12 +01:00
frack113
bfa5e4ecf5
Update rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-16 08:28:45 +01:00
Nasreddine Bencherchali
b8503a0d40
Merge pull request #3790 from SigmaHQ/aurora-false-positive-fixing
...
Aurora false positive fixing
2022-12-16 00:34:21 +01:00
Veramine
3b6403fc8a
Update proc_creation_win_rundll32_parent_explorer.yml
...
Remove the false positive of explorer.exe launching rundll32.exe to load a DLL already present on the system. The specific false positive case we encountered was "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" C:\\Windows\\System32\\LogiLDA.dll,LogiFetch". The BumbleBee case loaded a DLL from the ISO so that should still be detected.
2022-12-15 14:54:46 -08:00
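The rule change described in the commit above (explorer.exe spawning rundll32.exe, with the "DLL already present on the system" case filtered out while an ISO-loaded DLL still alerts), as an added example that is not part of the SigmaHQ repository or of the commit: a small Python reimplementation of that detection logic run over constructed process-creation events. The `C:\Windows\System32\` prefix used as the filter, the event field names and every sample event other than the LogiLDA command line quoted in the commit are assumptions for illustration; the actual filter list of the Sigma rule is not shown on this page.

```python
import re
from typing import Dict, List

# Constructed sample process_creation events (not real telemetry). Field names follow
# the Sigma process_creation convention (ParentImage, Image, CommandLine), assumed here.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the Logitech case quoted in the commit: DLL already present under System32
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\LogiLDA.dll,LogiFetch',
    },
    {   # constructed: DLL loaded from a mounted ISO (BumbleBee-style); must still alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" D:\documents.dll,EntryPoint',
    },
    {   # constructed: rundll32 not spawned by explorer.exe, out of scope for this rule
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
    },
]

# Assumed filter: DLLs that live in the Windows system directory are treated as
# "already present on the system". The real rule's filter list is not on this page.
_SYSTEM_DLL_PREFIXES = ("c:\\windows\\system32\\",)


def _dll_argument(cmdline: str) -> str:
    """Return the first argument after the rundll32 image, i.e. the <dll>,<export> token.

    Tokenises on whitespace but keeps a double-quoted image path together, so
    '"C:\\...\\rundll32.exe" foo.dll,Export' yields 'foo.dll,Export'.
    """
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if len(tokens) < 2:
        return ""
    return tokens[1].strip('"')


def is_suspicious_rundll32(event: Dict[str, str]) -> bool:
    """Explorer.exe -> rundll32.exe, minus the system-directory DLL false positive."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if not parent.endswith(r"\explorer.exe") or not image.endswith(r"\rundll32.exe"):
        return False
    dll_path = _dll_argument(event.get("CommandLine", "")).lower().split(",", 1)[0]
    # filter_system_dll: the DLL already sits in the system directory (the LogiLDA case)
    if dll_path.startswith(_SYSTEM_DLL_PREFIXES):
        return False
    return True


def run_detection(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of events that match the rule after filtering."""
    return [e["CommandLine"] for e in events if is_suspicious_rundll32(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The filter is keyed on the DLL path rather than on the whole command line so that the LogiLDA case drops out without also suppressing a DLL of any name loaded from a removable or mounted volume. Note the trust assumption this encodes: a DLL under the system directory is accepted as benign, so an actor who can already write there (or who abuses a DLL that legitimately lives there) is not caught by this rule; the path is also compared case-insensitively and after stripping quotes, which matters because rundll32 command lines vary in both.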