Commit Graph

4508 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 362f4e4e60 fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-16 11:05:38 +01:00
Nasreddine Bencherchali 7ec76db26c Merge branch 'master' into wmic-rules-updates 2023-02-15 19:58:11 +01:00
Nasreddine Bencherchali 5aeedfa813 fix: increase severity 2023-02-14 23:35:09 +01:00
Nasreddine Bencherchali 8506dcaec8 feat: add related field 2023-02-14 23:34:14 +01:00
Nasreddine Bencherchali cbbf443eb5 feat: add localpotato binary rule 2023-02-14 19:57:26 +01:00
Nasreddine Bencherchali 514eeb63fd fix: typo in related field 2023-02-14 19:43:20 +01:00
Nasreddine Bencherchali 2ef681291a feat: more rules updates 2023-02-14 19:30:18 +01:00
Nasreddine Bencherchali 4f59a13d46 feat: update wmic rules 2023-02-14 19:30:18 +01:00
Nasreddine Bencherchali a79abaaf45 Merge pull request #4033 from qasimqlf/patch-32
feat: add missing `OriginalFileName` field
2023-02-13 14:48:10 +01:00
Qasim Qlf 1adec45ca6 fix: add OriginalFileName (#4032) 2023-02-13 14:40:54 +01:00
Qasim Qlf ab611c29ba fix: updated condition (#4031) 2023-02-13 14:37:33 +01:00
Qasim Qlf 7b435afa4d feat: add missing OriginalFileName field 2023-02-11 23:04:18 +05:00
Nasreddine Bencherchali 095b41370f Merge pull request #4027 from nasbench/nasbench-rule-devel
feat: updates and enhancements
2023-02-10 10:59:14 +01:00
Nasreddine Bencherchali 5e3aae4970 fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-02-10 10:38:45 +01:00
Nasreddine Bencherchali 5f6258fe57 fix: add missing modified 2023-02-10 00:48:13 +01:00
Nasreddine Bencherchali 82cde0e10c feat: update rules related to onenote and more 2023-02-10 00:40:16 +01:00
Abe bea7614718 Remove Trailing space
The trailing space causes this rule not to trigger when the extension is used (cmd.exe), e.g.:
CommandLine: "C:\Windows\system32\cmd.exe" /r < "C:\Users\Administrator\desktop\test.txt"
2023-02-09 18:07:56 -05:00
Nasreddine Bencherchali c4d8be3780 fix: duplicate titles 2023-02-09 16:06:09 +01:00
Nasreddine Bencherchali da012ad80d fix: resolves #4014 2023-02-09 15:48:13 +01:00
Qasim Qlf c8c32bf1d4 feat: add missing OriginalFileName field (#4026)
Add missing 'rundll32' OriginalFileName field to some process creation rules
2023-02-09 15:09:23 +01:00
Nasreddine Bencherchali ba80fc1372 Merge pull request #4024 from nasbench/nasbench-rule-devel
feat: updates and enhancements
2023-02-09 14:50:04 +01:00
Nasreddine Bencherchali 9ddedc8958 fix: add fp filter 2023-02-09 14:27:12 +01:00
Matthew Sexton 288914fe42 Add common childprocess filter for OneNote
Slight reorganization of the rule with an additional relevant reference.

Additionally adds the `filter_common_childproc` filter to
`proc_creation_win_susp_microsoft_onenote_child_process.yml` for common
processes that are launched from OneNote. OneNote will commonly launch
`Teams.exe -Embedded` for opening documents in Teams, as well as
`FileCoAuth.exe` when people are sharing/editing specific documents
through OneNote. For some organizations these can create enough noise
that it may be warranted to filter out as a part of the rule. Thus far
malicious execution for `Teams.exe` and `FileCoAuth.exe` has not been
observed.
2023-02-09 14:20:22 +01:00
Nasreddine Bencherchali 6d14a14f9e fix: typos
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-09 13:09:46 +01:00
Nasreddine Bencherchali a175354a6f fix: add missing modified 2023-02-08 22:10:05 +01:00
Nasreddine Bencherchali 814ace9eaf feat: more updates 2023-02-08 22:08:47 +01:00
Nasreddine Bencherchali c060127e67 fix: remove duplicate title 2023-02-08 20:04:46 +01:00
Nasreddine Bencherchali d78e66dde3 fix: yaml error 2023-02-08 19:14:18 +01:00
Nasreddine Bencherchali 0717634671 feat: updates and enhancements 2023-02-08 19:12:35 +01:00
phantinuss bd1d4825a3 fix: FP found in prod environment
Also seen in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
2023-02-08 17:58:35 +01:00
Qasim Qlf 6da1431612 fix: added originalfilename 2023-02-08 16:18:58 +05:00
Nasreddine Bencherchali de7b59c4d1 fix: add missing modified and new selection 2023-02-08 10:37:24 +01:00
Nasreddine Bencherchali 518ff956ef fix: typos and improve wording
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-08 10:29:48 +01:00
Nasreddine Bencherchali 75df97b4bc fix: apply suggestions from code review 2023-02-07 18:44:26 +01:00
Nasreddine Bencherchali 9e7d7510db fix: remove duplicate uuid 2023-02-07 17:22:02 +01:00
Nasreddine Bencherchali 5fd152cd51 feat: more updates 2023-02-07 17:12:26 +01:00
Nasreddine Bencherchali b662042405 Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2023-02-07 16:02:28 +01:00
Qasim Qlf 2938a3fdb5 chore: minor stylistic changes to selection names 2023-02-07 16:01:42 +01:00
Nasreddine Bencherchali a19a75b0b0 fix: resolves #4015 2023-02-07 14:33:56 +01:00
phantinuss d187470c38 Merge pull request #3960 from tropChaud/patch-3
Create proc_creation_win_wmic_system_info_discovery.yml
2023-02-07 14:24:12 +01:00
Nasreddine Bencherchali a7a4bce9b8 feat: update and enhancements 2023-02-07 13:55:14 +01:00
Nasreddine Bencherchali dc2d2f9d6d fix: update title 2023-02-06 14:03:37 +01:00
Nasreddine Bencherchali 4808025de3 fix: remove cli option 2023-02-06 13:58:03 +01:00
Nasreddine Bencherchali ce608f4103 fix: update description
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-06 13:56:09 +01:00
Wagga 273fdb9985 fix: typos in multiple rules (#4011) 2023-02-06 13:53:23 +01:00
Florian Roth 22e0f96f66 Merge pull request #4012 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2023-02-06 13:02:43 +01:00
Nasreddine Bencherchali 11d6db92ff fix: change modifier to startswith 2023-02-06 12:56:32 +01:00
Florian Roth a5311c3981 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2023-02-06 12:48:47 +01:00
Florian Roth 80b588d7fc fix: FP with wermgr in WinSXS 2023-02-06 12:48:45 +01:00
Nasreddine Bencherchali 3ee01d500c fix: remove unnecessary filter 2023-02-06 12:36:41 +01:00