Bhabesh
7afe938d49
Fixed the missing all modifier
2022-06-22 15:14:39 +05:45
Bhabesh
d9836d9fe4
Fixed my rule bug
2022-06-22 15:13:51 +05:45
Bhabesh
f55e3451cf
Removed bypass for SyncAppvPublishingServer
2022-06-22 15:12:17 +05:45
Bhabesh
023306e09f
Added alternative cmd format
2022-06-22 10:16:39 +05:45
Nasreddine Bencherchali
efbfc7fe67
New Rule ( https://twitter.com/nas_bench/status/1537919885031772161 )
2022-06-21 19:13:53 +01:00
Nasreddine Bencherchali
e25ad42b5b
Reverted Rule + New Rule
2022-06-21 19:03:47 +01:00
Nasreddine Bencherchali
0c2f1bfce5
Fix review comments
2022-06-21 17:22:39 +01:00
Nasreddine Bencherchali
f12f6e3646
Update IDs
2022-06-21 15:46:00 +01:00
Nasreddine Bencherchali
27e73278e7
Update proc_creation_win_lolbin_findstr.yml
2022-06-21 15:37:39 +01:00
Nasreddine Bencherchali
b2ce10ea2a
Update proc_creation_win_lolbin_findstr.yml
2022-06-21 15:36:21 +01:00
Nasreddine Bencherchali
e3bfb18f64
New Rules
2022-06-21 11:47:18 +01:00
Nasreddine Bencherchali
62a7d755cc
Update proc_creation_win_service_stop.yml
...
Refactored the rule and added originalfilename
2022-06-21 11:46:32 +01:00
Nasreddine Bencherchali
f2bc1be460
Update proc_creation_win_service_execution.yml
2022-06-21 11:46:06 +01:00
Nasreddine Bencherchali
40ccd91a94
Update proc_creation_win_msdt_diagcab.yml
...
In my testing I found that the ".diagcab" extension is not required. You can use .txt with the /cab flag and it'll spawn an msdt process.
Also, I added the "-" (dash) version of the flag.
2022-06-21 11:45:53 +01:00
Nasreddine Bencherchali
d2ef62a49d
Update proc_creation_win_enumeration_for_credentials_in_registry.yml
2022-06-21 11:45:01 +01:00
Nasreddine Bencherchali
4eb6b3509e
Update proc_creation_win_accesschk_usage_after_priv_escalation.yml
...
Changed the rule, as the original was flagging on every usage of "accessChk", which was not the intended behaviour as described.
The modification takes into consideration usage of the tool as seen in the referenced presentation and adds some more.
2022-06-21 11:44:51 +01:00
Nasreddine Bencherchali
0a39827674
Renamed + Refactor "findstr" rule
2022-06-21 11:42:14 +01:00
phantinuss
9475153292
fix: FPs found in testing environment
2022-06-20 16:17:54 +02:00
Florian Roth
50b2fad091
Merge branch 'master' into aurora-false-positive-fixing
2022-06-20 13:43:36 +02:00
Florian Roth
72de90d2aa
fix: FPs
2022-06-20 12:52:23 +02:00
Florian Roth
10e39e41f7
Merge pull request #3143 from SigmaHQ/rule-devel
...
Rule level refactoring: critical > high
2022-06-19 15:04:46 +02:00
Florian Roth
f728893364
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
Nasreddine Bencherchali
f84c1436a3
Add missing "contains" modifier
2022-06-17 14:06:14 +01:00
Nasreddine Bencherchali
32c772d0df
Update proc_creation_win_lolbin_openconsole.yml
2022-06-16 23:41:57 +01:00
Nasreddine Bencherchali
2ab106ddee
Small Update and New Rule
2022-06-16 23:37:50 +01:00
G Y
1eb02a0025
Update proc_creation_win_sysinternals_eula_accepted.yml
...
Description changed (original description was taken from registry_add_sysinternals_eula_accepted.yml).
2022-06-16 14:49:17 +08:00
Nasreddine Bencherchali
bc94d575b7
Update proc_creation_win_susp_explorer_break_proctree.yml
2022-06-14 19:31:25 +01:00
Nasreddine Bencherchali
3b7a405492
Update proc_creation_win_lolbin_forfiles.yml
2022-06-14 18:18:14 +01:00
Nasreddine Bencherchali
7f75aceaf7
Update proc_creation_win_lolbin_pcalua.yml
2022-06-14 17:41:09 +01:00
Nasreddine Bencherchali
f9bbe7e423
Update proc_creation_win_susp_explorer_break_proctree.yml
2022-06-14 17:40:01 +01:00
Nasreddine Bencherchali
f065928dc0
Create proc_creation_win_lolbin_pcalua.yml
2022-06-14 17:39:58 +01:00
Nasreddine Bencherchali
f34bc22537
Create proc_creation_win_lolbin_forfiles.yml
2022-06-14 17:39:55 +01:00
Nasreddine Bencherchali
6476152624
Create proc_creation_win_conhost_path_traversal.yml
2022-06-14 17:39:52 +01:00
Florian Roth
afce3ffcae
Merge branch 'master' into msdt-rules
2022-06-13 22:55:40 +02:00
Florian Roth
2a4e6d8ebe
Merge pull request #3123 from phantinuss/master
...
fix FP and add Follina reference to description
2022-06-13 22:54:54 +02:00
Florian Roth
037bf0f6bb
Update proc_creation_win_lolbin_susp_certreq_download.yml
2022-06-13 18:27:56 +02:00
Nasreddine Bencherchali
0e0f44fc0c
Update proc_creation_win_msdt.yml
2022-06-13 16:36:19 +01:00
Nasreddine Bencherchali
8ca55de64c
Update proc_creation_win_msdt.yml
2022-06-13 14:33:12 +01:00
Nasreddine Bencherchali
ffd236158c
Update MSDT Rules
2022-06-13 14:30:35 +01:00
phantinuss
92c2976793
docs: add Follina reference in description
2022-06-13 13:30:21 +02:00
Nasreddine Bencherchali
e96532344f
Removed "modified" date
2022-06-13 11:31:47 +01:00
Nasreddine Bencherchali
21f20c9e7a
Renamed to shorter names
2022-06-13 00:52:53 +01:00
Nasreddine Bencherchali
7b3e6c7f59
Update proc_creation_win_lolbin_rasautou_dll_execution.yml
2022-06-13 00:21:32 +01:00
Nasreddine Bencherchali
ffd135c6b6
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
Nasreddine Bencherchali
13b02a2aec
Renamed LOLBIN Rules 2
2022-06-12 21:37:42 +01:00
Nasreddine Bencherchali
3cfb370266
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
Florian Roth
6d07a3aaff
Merge pull request #3121 from frack113/Cmdkey
...
Update Cmdkey
2022-06-12 18:37:19 +02:00
Florian Roth
1c8c9d4ff2
refactor: one more space char
2022-06-12 18:06:51 +02:00
frack113
dc67990e07
Update proc_creation_win_local_system_owner_account_discovery.yml
2022-06-12 17:58:33 +02:00
frack113
fb0618795f
Update proc_creation_win_mstsc.yml
2022-06-12 17:52:37 +02:00