Commit Graph

11779 Commits

Author SHA1 Message Date
Florian Roth 3291db17da Update file_rename_win_ransomware.yml 2022-07-18 12:43:54 +02:00
Florian Roth 5bfd9b78f1 Update file_rename_win_ransomware.yml 2022-07-18 12:23:23 +02:00
frack113 5364af737b Update file_rename_win_ransomware.yml 2022-07-16 20:53:11 +02:00
frack113 04594d5556 Add file_rename_win_ransomware 2022-07-16 20:43:24 +02:00
Florian Roth b24e7ae984 Merge pull request #3233 from frack113/16bit
Add proc_creation_win_susp_16bit_application
2022-07-16 17:58:43 +02:00
frack113 00886a2b33 Add proc_creation_win_susp_16bit_application 2022-07-16 17:36:53 +02:00
Florian Roth f1082ba790 Merge pull request #3232 from pH-T/master
blackbyte rules
2022-07-15 17:31:00 +02:00
Florian Roth c232aaa7d8 Update dns_query_win_anonymfiles_com.yml 2022-07-15 16:20:10 +02:00
Paul Hager e35587e922 fix: fixed rule condition 2022-07-15 12:28:11 +02:00
Paul Hager 1529d0377e blackbyte rules 2022-07-15 12:09:55 +02:00
frack113 73d87029ab Merge pull request #3227 from frack113/related
Add related for remove rules
2022-07-15 09:10:53 +02:00
frack113 e3d3979786 Add related for remove rules 2022-07-15 08:36:51 +02:00
Thomas Patzke 30d4c8f102 Merge pull request #3222 from akshay-chaturvedi/dnif-backend
New backend for DNIF Hyperscale SIEM
2022-07-15 08:04:22 +02:00
Florian Roth 6217eb2a26 Merge pull request #3224 from frack113/rpc_135
RPC epmap tools
2022-07-14 21:58:13 +02:00
Florian Roth b52b279f30 Merge pull request #3225 from nasbench/master
New Rules + Update
2022-07-14 21:58:01 +02:00
Florian Roth f0e7a0aa2a Merge pull request #3226 from redsand/fp_aws_workspaces
False positive when amazon workspaces is running and doing its weird …
2022-07-14 21:55:51 +02:00
Tim Shelton 6187cfdfd6 False positive when amazon workspaces is running and doing its weird little things 2022-07-14 19:41:52 +00:00
Nasreddine Bencherchali e4f964879e Fix after review 2022-07-14 19:34:59 +01:00
Nasreddine Bencherchali 92b0239f27 Update proc_creation_win_powershell_susp_parameter_variation.yml 2022-07-14 17:43:04 +01:00
Nasreddine Bencherchali 16b2945027 New Rules + Update 2022-07-14 17:35:50 +01:00
frack113 97cd835d34 Update description 2022-07-14 17:30:06 +02:00
frack113 09841c9caf Add net_connection_win_susps_epmap 2022-07-14 17:25:56 +02:00
Florian Roth 8ace9631d0 Merge pull request #3220 from frack113/Eventdata_Data
Remove some keywords
2022-07-14 08:31:43 +02:00
akshay-chaturvedi 4625d8fb6c Merge branch 'SigmaHQ:master' into dnif-backend 2022-07-13 17:30:17 +05:30
frack113 33b370d49b Merge pull request #3221 from bornatalebi/patch-1
Add FP from reference link
2022-07-13 06:52:45 +02:00
frack113 9b319f0569 Update win_account_discovery.yml 2022-07-13 06:45:39 +02:00
Borna Talebi f9faeacb5a Update win_account_discovery.yml 2022-07-12 23:58:40 +04:30
Borna Talebi 0850419c95 Add FP from reference link
According to the query in reference, computer accounts should be excluded: "and not (SourceUserName IMATCHES '.*\$')"
2022-07-12 23:32:00 +04:30
frack113 0fbbbd19dc fix list 2022-07-12 19:44:41 +02:00
frack113 c0b580169d Change keywords to Data 2022-07-12 19:20:43 +02:00
frack113 198b4c657a Merge pull request #3219 from nasbench/master
Fix Error in logsource
2022-07-12 17:57:56 +02:00
Nasreddine Bencherchali 3a1bb6f7de Fix Error in logsource 2022-07-12 16:50:08 +01:00
Florian Roth 98a7d2f76e Merge pull request #3216 from nasbench/master
DFIR Report - SELECT XMRig FROM SQLServer (New Rules)
2022-07-12 17:40:44 +02:00
Nasreddine Bencherchali 3838c4dc22 Add "warning" section 2022-07-12 16:38:48 +01:00
Florian Roth 739a54289e Update proc_creation_win_inline_base64_mz_header.yml 2022-07-12 17:33:04 +02:00
Nasreddine Bencherchali ac76e31f95 Add missing references 2022-07-12 16:23:42 +01:00
Florian Roth 730ee2cc9b Merge pull request #3217 from phantinuss/master
Fix FPs
2022-07-12 17:16:04 +02:00
Florian Roth 5a97b0553f Merge pull request #3218 from SigmaHQ/aurora-false-positive-fixing
fix: FPs with csc.exe as child of sdiagnhost
2022-07-12 17:00:11 +02:00
Florian Roth 31ee9b7104 Merge branch 'master' into aurora-false-positive-fixing 2022-07-12 16:54:10 +02:00
phantinuss b6025adaa8 fix: found on several systems in prod environment 2022-07-12 16:41:10 +02:00
Nasreddine Bencherchali aeecd0530d xp_cmdshell rules 2022-07-12 14:56:22 +01:00
Florian Roth e79e4d6c3b fix: FPs with csc.exe as child of sdiagnhost 2022-07-12 14:32:22 +02:00
phantinuss 7ca54a691b fix: FP found in testing 2022-07-12 13:47:13 +02:00
Nasreddine Bencherchali a41a73d721 DFIR Report - SELECT XMRig FROM SQLServer 2022-07-12 01:27:51 +01:00
Florian Roth 9b50323bc1 Merge pull request #3215 from nasbench/master
Reference+Selection Updates [Final Batch]
2022-07-11 22:47:17 +02:00
Nasreddine Bencherchali 1392ca1ec5 Fix review 2022-07-11 20:27:42 +01:00
Florian Roth 6dde3012cc refactor: some changes 2022-07-11 19:55:54 +02:00
Florian Roth 51373dfacc Merge pull request #3214 from phantinuss/master
fix: FPs found in prod environment
2022-07-11 19:47:19 +02:00
Nasreddine Bencherchali 476f395126 Fix FPs 2022-07-11 18:33:54 +01:00
Nasreddine Bencherchali 614fe69363 Update proc_creation_win_susp_use_of_sqltoolsps_bin.yml 2022-07-11 18:27:06 +01:00