Commit Graph

11579 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 362f4e4e60 fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-16 11:05:38 +01:00
Nasreddine Bencherchali 7ec76db26c Merge branch 'master' into wmic-rules-updates 2023-02-15 19:58:11 +01:00
frack113 e52edb69c4 Merge pull request #4039 from fornotes/master
Added New Rule for LPE via StorSvc DLL Hijack
2023-02-15 19:18:39 +01:00
Nasreddine Bencherchali 39e957d7ee fix: update title 2023-02-15 19:11:39 +01:00
Nasreddine Bencherchali 33207aa7ab fix: change link to permalink 2023-02-15 13:37:05 +01:00
Nasreddine Bencherchali 2fd43cbe82 fix: typo in field 2023-02-15 13:27:56 +01:00
Nasreddine Bencherchali c99d1f1876 fix: add some missing fields 2023-02-15 13:25:59 +01:00
fornotes 8876b4ba01 added SprintCSP.dll for StorSvc DLL Hijack 2023-02-15 11:37:18 +00:00
Nasreddine Bencherchali 5b3f97776a Merge pull request #4042 from nasbench/localpotato-binary-rule
feat: add localpotato binary rule
2023-02-15 12:30:41 +01:00
Moti-H ff4242dadd feat: add new application vulnerability rules (#4034) 2023-02-15 12:29:53 +01:00
Nasreddine Bencherchali 5aeedfa813 fix: increase severity 2023-02-14 23:35:09 +01:00
Nasreddine Bencherchali 8506dcaec8 feat: add related field 2023-02-14 23:34:14 +01:00
Nasreddine Bencherchali cbbf443eb5 feat: add localpotato binary rule 2023-02-14 19:57:26 +01:00
Nasreddine Bencherchali 514eeb63fd fix: typo in related field 2023-02-14 19:43:20 +01:00
Nasreddine Bencherchali 7b86bea7ac fix: add missing modified 2023-02-14 19:30:19 +01:00
Nasreddine Bencherchali 2ef681291a feat: more rules updates 2023-02-14 19:30:18 +01:00
Nasreddine Bencherchali 4f59a13d46 feat: update wmic rules 2023-02-14 19:30:18 +01:00
IsaAlMannaei d9d9227910 feat: new rule related to CVE-2022-21587 (#4037) 2023-02-14 14:30:12 +01:00
Nasreddine Bencherchali a79abaaf45 Merge pull request #4033 from qasimqlf/patch-32
feat: add missing `OriginalFileName` field
2023-02-13 14:48:10 +01:00
Qasim Qlf 1adec45ca6 fix: add OriginalFileName (#4032) 2023-02-13 14:40:54 +01:00
Qasim Qlf ab611c29ba fix: updated condition (#4031) 2023-02-13 14:37:33 +01:00
Qasim Qlf 7b435afa4d feat: add missing OriginalFileName field 2023-02-11 23:04:18 +05:00
Nasreddine Bencherchali 095b41370f Merge pull request #4027 from nasbench/nasbench-rule-devel
feat: updates and enhancements
2023-02-10 10:59:14 +01:00
Nasreddine Bencherchali 1d89b041ae fix: change title from domain to websites 2023-02-10 10:49:52 +01:00
Nasreddine Bencherchali 5e3aae4970 fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-02-10 10:38:45 +01:00
Nasreddine Bencherchali 82d0b9e10c fix: add missing modified and improve test 2023-02-10 00:56:07 +01:00
Nasreddine Bencherchali 5f6258fe57 fix: add missing modified 2023-02-10 00:48:13 +01:00
Nasreddine Bencherchali 82cde0e10c feat: update rules related to onenote and more 2023-02-10 00:40:16 +01:00
Abe bea7614718 Remove Trailing space
The trailing space causes this rule not to trigger when the extension is used (cmd.exe), e.g.:
CommandLine: "C:\Windows\system32\cmd.exe" /r < "C:\Users\Administrator\desktop\test.txt"
2023-02-09 18:07:56 -05:00
Nasreddine Bencherchali c4d8be3780 fix: duplicate titles 2023-02-09 16:06:09 +01:00
Nasreddine Bencherchali da012ad80d fix: resolves #4014 2023-02-09 15:48:13 +01:00
Qasim Qlf c8c32bf1d4 feat: add missing OriginalFileName field (#4026)
Add missing 'rundll32' OriginalFileName field to some process creation rules
2023-02-09 15:09:23 +01:00
Nasreddine Bencherchali ba80fc1372 Merge pull request #4024 from nasbench/nasbench-rule-devel
feat: updates and enhancements
2023-02-09 14:50:04 +01:00
Nasreddine Bencherchali 9ddedc8958 fix: add fp filter 2023-02-09 14:27:12 +01:00
Matthew Sexton 288914fe42 Add common childprocess filter for OneNote
Slight reorganization of the rule with an additional relevant reference.

Additionally adds the `filter_common_childproc` filter to
`proc_creation_win_susp_microsoft_onenote_child_process.yml` for common
processes that are launched from OneNote. OneNote will commonly launch
`Teams.exe -Embedded` for opening documents in Teams, as well as
`FileCoAuth.exe` when people are sharing/editing specific documents
through OneNote. For some organizations these can create enough noise
that it may be warranted to filter out as a part of the rule. Thus far,
malicious execution for `Teams.exe` and `FileCoAuth.exe` has not been
observed.
2023-02-09 14:20:22 +01:00
Nasreddine Bencherchali 6d14a14f9e fix: typos
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-09 13:09:46 +01:00
Nasreddine Bencherchali 8c1a5fb834 fix: remove sysmon definition
Removed this definition for now as it's too generic and "obvious"

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-02-09 11:01:58 +01:00
Nasreddine Bencherchali a24012b2b5 fix: apply suggestions 2023-02-09 10:41:41 +01:00
Nasreddine Bencherchali b7a3000bb2 fix: update modified date 2023-02-09 10:38:21 +01:00
Nasreddine Bencherchali 0c581fb62a fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-02-09 10:31:11 +01:00
Nasreddine Bencherchali a175354a6f fix: add missing modified 2023-02-08 22:10:05 +01:00
Nasreddine Bencherchali 814ace9eaf feat: more updates 2023-02-08 22:08:47 +01:00
Nasreddine Bencherchali c060127e67 fix: remove duplicate title 2023-02-08 20:04:46 +01:00
Nasreddine Bencherchali 4bb2beeb15 fix: duplicate ids and small updates 2023-02-08 19:36:55 +01:00
Nasreddine Bencherchali 4d1bd7663b fix: update duplicate title 2023-02-08 19:16:53 +01:00
Nasreddine Bencherchali d78e66dde3 fix: yaml error 2023-02-08 19:14:18 +01:00
Nasreddine Bencherchali 0717634671 feat: updates and enhancements 2023-02-08 19:12:35 +01:00
Nasreddine Bencherchali 3e75e9022e Merge branch 'SigmaHQ:master' into registry-rules-update 2023-02-08 18:27:36 +01:00
phantinuss bd1d4825a3 fix: FP found in prod environment
Also seen in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
2023-02-08 17:58:35 +01:00
Nasreddine Bencherchali 8851420b92 feat: update registry_delete rules 2023-02-08 12:48:51 +01:00