Commit Graph

8764 Commits

Author SHA1 Message Date
Bhabesh 1f7e37d2a0 Fixed CallTrace 2022-06-28 10:56:18 +05:45
Bhabesh e0f8506c1b Rule for HandleKatz 2022-06-27 17:25:21 +05:45
Bhabesh 7afe938d49 Fixed the missing all modifier 2022-06-22 15:14:39 +05:45
Bhabesh d9836d9fe4 Fixed my rule bug 2022-06-22 15:13:51 +05:45
Bhabesh f55e3451cf Removed bypass for SyncAppvPublishingServer 2022-06-22 15:12:17 +05:45
Bhabesh 023306e09f Added alternative cmd format 2022-06-22 10:16:39 +05:45
Nasreddine Bencherchali efbfc7fe67 New Rule (https://twitter.com/nas_bench/status/1537919885031772161) 2022-06-21 19:13:53 +01:00
Nasreddine Bencherchali e25ad42b5b Reverted Rule + New Rule 2022-06-21 19:03:47 +01:00
Nasreddine Bencherchali 0c2f1bfce5 Fix review comments 2022-06-21 17:22:39 +01:00
Nasreddine Bencherchali 11dca18b5b Merge branch 'SigmaHQ:master' into master 2022-06-21 15:57:06 +01:00
Nasreddine Bencherchali f12f6e3646 Update IDs 2022-06-21 15:46:00 +01:00
Nasreddine Bencherchali 27e73278e7 Update proc_creation_win_lolbin_findstr.yml 2022-06-21 15:37:39 +01:00
Nasreddine Bencherchali b2ce10ea2a Update proc_creation_win_lolbin_findstr.yml 2022-06-21 15:36:21 +01:00
Tim Shelton 6ae85eb557 Adding support for mozilla download via bits 2022-06-21 12:38:06 +00:00
Nasreddine Bencherchali e3bfb18f64 New Rules 2022-06-21 11:47:18 +01:00
Nasreddine Bencherchali 62a7d755cc Update proc_creation_win_service_stop.yml
Refactored the rule and added originalfilename
2022-06-21 11:46:32 +01:00
Nasreddine Bencherchali f2bc1be460 Update proc_creation_win_service_execution.yml 2022-06-21 11:46:06 +01:00
Nasreddine Bencherchali 40ccd91a94 Update proc_creation_win_msdt_diagcab.yml
In my testing I found that the ".diagcab" extension is not required. You can use .txt with the /cab flag and it'll spawn an msdt process.

Also I added the "-" (dash) version of the flag.
2022-06-21 11:45:53 +01:00
Nasreddine Bencherchali d2ef62a49d Update proc_creation_win_enumeration_for_credentials_in_registry.yml 2022-06-21 11:45:01 +01:00
Nasreddine Bencherchali 4eb6b3509e Update proc_creation_win_accesschk_usage_after_priv_escalation.yml
Changed the rule as the original was flagging on every usage of "accessChk" which was not the intended behaviour as described.

The modification takes into consideration usage of the tool as seen in the referenced presentation and adds some more.
2022-06-21 11:44:51 +01:00
Nasreddine Bencherchali 71d895c17b Update file_event_win_notepad_plus_plus_persistence.yml
Reduce level to account for FP found in testing env
2022-06-21 11:43:42 +01:00
Nasreddine Bencherchali ce8ce2a91d Removed related field
The rule referenced in the field doesn't exist
2022-06-21 11:43:18 +01:00
Nasreddine Bencherchali 0a39827674 Renamed + Refactor "findstr" rule 2022-06-21 11:42:14 +01:00
Nasreddine Bencherchali 78dfcd6299 Renamed "Ps_Recon_Rule" 2022-06-21 11:41:43 +01:00
phantinuss 9475153292 fix: FPs found in testing environment 2022-06-20 16:17:54 +02:00
Florian Roth 50b2fad091 Merge branch 'master' into aurora-false-positive-fixing 2022-06-20 13:43:36 +02:00
Florian Roth accf27b771 fix: FPs 2022-06-20 13:39:47 +02:00
Florian Roth ccd6fc5a7b fix: FPs 2022-06-20 13:04:49 +02:00
Florian Roth 72de90d2aa fix: FPs 2022-06-20 12:52:23 +02:00
Florian Roth fef851a918 fix: FPs with Aurora 2022-06-20 12:01:25 +02:00
frack113 477e8fc180 Merge pull request #3149 from redsand/fp_sentinel_one
False positive from SentinelOne Ranger Agent
2022-06-19 22:25:19 +02:00
Tim Shelton 80ee980b1d False positive from SentinelOne Ranger Agent 2022-06-19 14:31:10 +00:00
Florian Roth 10e39e41f7 Merge pull request #3143 from SigmaHQ/rule-devel
Rule level refactoring: critical > high
2022-06-19 15:04:46 +02:00
frack113 55f1f6dd1e Fix ServiceName 2022-06-19 11:59:48 +02:00
frack113 272c29caea Merge pull request #3138 from Yochana-H/Yochana-H
create azure_blocked_account_attempt.yml
2022-06-19 08:36:30 +02:00
Florian Roth 37ed5f4bc5 Update azure_blocked_account_attempt.yml 2022-06-18 18:22:43 +02:00
Florian Roth 6caeb2fff6 docs: added link 2022-06-18 18:19:55 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Florian Roth 7425a73203 Merge pull request #3142 from SigmaHQ/aurora-false-positive-fixing
fix: FPs with Browser Credential Store Access
2022-06-18 09:45:51 +02:00
Florian Roth 2105b8ecf6 fix: FPs with Browser Credential Store Access 2022-06-18 09:10:17 +02:00
Florian Roth f3a08b5691 Merge pull request #3141 from SigmaHQ/rule-devel
Rule adjustments based on hayabusa noisy rules
2022-06-18 08:45:08 +02:00
Florian Roth c9f45cf528 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-06-18 08:39:04 +02:00
Florian Roth db55be82b6 refactor: rule adjustments based on hayabusa
https://github.com/Yamato-Security/hayabusa-rules/blob/deb6026fcf452600829c52852f6283d2c808bc69/config/noisy_rules.txt
2022-06-18 08:39:02 +02:00
frack113 e3ea9f7b42 Update azure_blocked_account_attempt.yml 2022-06-17 20:43:07 +02:00
frack113 5b2fac3739 Merge pull request #3135 from nasbench/master
Small Updates and New Rules
2022-06-17 20:41:10 +02:00
Florian Roth 186f10fb21 Merge pull request #3136 from greg-workspace/master
Rule: Follina and DogWalk exploit msdt.exe loading sdiageng.dll
2022-06-17 18:52:31 +02:00
Florian Roth fda9c753e2 Update image_load_msdt_sdiageng.yml 2022-06-17 18:46:14 +02:00
Florian Roth e4493d945f Merge pull request #3139 from redsand/fp_direct_syscall_amazonssmagentsetup
False positive: ignore amazon ssm agent setup
2022-06-17 18:45:49 +02:00
Tim Shelton e56dab0016 False positive: ignore amazon ssm agent setup 2022-06-17 16:33:47 +00:00
Yochana-H d659088d4b Merge branch 'Yochana-H' of https://github.com/Yochana-H/sigma into Yochana-H 2022-06-17 15:44:51 +01:00
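The msdt commit above (40ccd91a94) notes that the /cab flag fires regardless of the file extension and also appears as -cab, and the commit "Fixed the missing all modifier" (7afe938d49) points at the difference between any-of and all-of value lists. The following is an added example, not SigmaHQ rule text or tooling: a minimal Sigma-style selection matcher run over constructed process-creation records. The sample events are made up, the "cab flag" selection mirrors the behaviour described in the commit message, and the narrower ".diagcab"-requiring selection is assumed for contrast only (it is not the repository's earlier rule). Only the endswith, startswith, contains and all modifiers are implemented.

```python
# Added example (not SigmaHQ code): a Sigma-style selection matcher that shows
# why msdt.exe /cab detection should not depend on a .diagcab extension and
# should accept the "-cab" spelling of the flag.
from typing import Callable, Dict, List

# Constructed Sysmon Event ID 1 style records; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe /cab C:\Users\Public\pkg.diagcab"},
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe /cab C:\Users\Public\notes.txt"},       # no .diagcab extension
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe -cab C:\Users\Public\notes.txt"},       # dash form of the flag
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe -id PCWDiagnostic"},                   # ordinary troubleshooter launch
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe /cab C:\Users\Public\notes.txt"},   # right flag, wrong image
]

# Selection modeled on the commit's intent: msdt.exe with either spelling of
# the cab flag, no assumption about the file extension. Values in a list are
# ORed unless the "all" modifier is present.
SELECTION_CAB_FLAG: Dict[str, List[str]] = {
    "Image|endswith": [r"\msdt.exe"],
    "CommandLine|contains": [" /cab ", " -cab "],
}

# Hypothetical narrower selection, assumed for contrast only (not the
# repository's earlier rule text): requires both the flag and ".diagcab".
SELECTION_DIAGCAB_ONLY: Dict[str, List[str]] = {
    "Image|endswith": [r"\msdt.exe"],
    "CommandLine|contains|all": [" /cab ", ".diagcab"],
}


def _field_matches(event_value: str, modifiers: List[str], values: List[str]) -> bool:
    """Apply one field condition. Sigma string matching is case-insensitive."""
    hay = event_value.lower()
    needles = [v.lower() for v in values]

    test: Callable[[str], bool]
    if "endswith" in modifiers:
        test = hay.endswith
    elif "startswith" in modifiers:
        test = hay.startswith
    elif "contains" in modifiers:
        def test(n: str) -> bool:
            return n in hay
    else:
        def test(n: str) -> bool:
            return n == hay

    # "all" switches the value list from any-of to all-of semantics.
    combine = all if "all" in modifiers else any
    return combine(test(n) for n in needles)


def selection_matches(selection: Dict[str, List[str]], event: Dict[str, str]) -> bool:
    """All field conditions inside one selection map are ANDed."""
    for key, values in selection.items():
        field, *modifiers = key.split("|")
        if not _field_matches(event.get(field, ""), modifiers, values):
            return False
    return True


def run_selection(selection: Dict[str, List[str]], events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that satisfy the selection."""
    return [i for i, event in enumerate(events) if selection_matches(selection, event)]


if __name__ == "__main__":
    print("cab flag, any extension:", run_selection(SELECTION_CAB_FLAG, SAMPLE_EVENTS))
    print(".diagcab required:      ", run_selection(SELECTION_DIAGCAB_ONLY, SAMPLE_EVENTS))
```

Run against the constructed events, the extension-agnostic selection flags the .diagcab, .txt and -cab launches while ignoring the ordinary troubleshooter and the non-msdt process; the .diagcab-requiring selection only catches the first one, which is the gap the commit message describes.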