Nasreddine Bencherchali
412edd1e1a
Merge PR #4631 from @nasbench - add rules related to CISA aa23-347a advisory and other updates
new: DLL Names Used By SVR For GraphicalProton Backdoor
new: Enable LM Hash Storage
new: Enable LM Hash Storage - ProcCreation
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
update: Compress-Archive Cmdlet Execution - Reduced Level to low and moved to Threat Hunting folder.
update: Disabled Volume Snapshots - Update logic by removing the reg string to also account for potential renamed executions
update: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Update logic to be more specific
update: Potential Recon Activity Via Nltest.EXE - Add dnsgetdc coverage and enhance logic by removing /
update: Potential System DLL Sideloading From Non System Locations - Enhance logic by removing hardcoded C: value to account for other potential system locations
update: RestrictedAdminMode Registry Value Tampering - ProcCreation - Update the logic to not care about the data, as this registry value has use cases whether it is "0" or "1"
update: RestrictedAdminMode Registry Value Tampering - Update the logic to not care about the data, as this registry value has use cases whether it is "0" or "1"
update: Write Protect For Storage Disabled - Update logic by removing the reg string to also account for potential renamed executions
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Update logic to be more specific
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-12-18 16:46:46 +01:00
github-actions[bot]
ae960f0881
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-12-01 12:50:36 +01:00
github-actions[bot]
a6e7cce606
Merge PR #4533 from @nasbench - Promote experimental rules
chore: promote older rules status from `experimental` to `test`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-02 10:48:45 +01:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113
020fc8061f
Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
Nasreddine Bencherchali
0cb01970e7
feat: new rules, updates and goofy guineapig stuff (#4229)
2023-05-15 15:53:39 +02:00
Nasreddine Bencherchali
aa22c02039
chore: order list
2023-04-21 11:14:55 +02:00
Paul Hager
0420e9c3bb
feat: various new hktl rules
2023-04-17 12:08:30 +02:00
Nasreddine Bencherchali
1378cf6d75
feat: update cmd based rules
2023-03-07 14:13:57 +01:00
Nasreddine Bencherchali
a19a75b0b0
fix: resolves #4015
2023-02-07 14:33:56 +01:00
Nasreddine Bencherchali
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
frack113
1033b3f404
change status to test
2023-01-27 06:48:34 +01:00
Nasreddine Bencherchali
9a03e4e13d
fix: fp found in testing
2023-01-24 16:51:37 +01:00
Nasreddine Bencherchali
c9b230de6d
feat: update pwsh ad module rules
2023-01-22 20:07:42 +01:00
Nasreddine Bencherchali
ecaf89dd91
fix: fp with powercat
2023-01-21 18:15:37 +01:00
Nasreddine Bencherchali
dfdc232f55
fix: optimize "Invoke-Sharp" coverage
2023-01-21 12:28:08 +01:00
Nasreddine Bencherchali
ea536c33b3
feat: update and merge some pwsh rules
2023-01-20 17:07:23 +01:00
Nasreddine Bencherchali
7e73028c5e
feat: updates and enhancements
2023-01-06 16:35:34 +01:00
Nasreddine Bencherchali
e43371ffcf
fix: small typos
2023-01-04 17:51:34 +01:00
Nasreddine Bencherchali
711ba956e3
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
Nasreddine Bencherchali
843506c9f0
fix: update modified field
2023-01-03 17:46:39 +01:00
Tim (Bobby-Tablez) Peck
0391f127c4
Update posh_pm_susp_invocation_generic.yml
2023-01-03 09:38:26 -07:00
fukusuket
9298295c15
fix: remove invalid backslash escape
2022-12-31 21:35:07 +09:00
Nasreddine Bencherchali
a25027fef8
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
frack113
7060db3d47
Promotion rules (#3821)
* Promotion rules
* fix missing null
* fix: modified date
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali
5232094c71
fix: more fp found in testing and enhance fp metadata
2022-12-13 11:25:23 +01:00
frack113
064132a5a8
Merge pull request #3744 from fukusuket/refactor-remove-unnecessary-escape
refactor: remove unneeded escapes (in `|re` block)
2022-12-03 09:36:09 +01:00
frack113
0f3eefdc9c
Update title (#3746)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-02 18:10:43 +01:00
fukusuket
ead6831b25
update modified date.
2022-12-02 21:57:37 +09:00
fukusuket
a05742b420
refactor: remove unnecessary escape.
2022-12-02 21:26:45 +09:00
fukusuket
7b1d23621c
refactor: remove unnecessary escape.
2022-12-02 20:17:39 +09:00
frack113
a674ee246b
Update Title (#3739)
2022-11-30 11:44:15 +01:00
Fukusuke Takahashi
76fece654a
fix: explicitly escape { to make it clear that it is a literal (#3737)
2022-11-30 11:43:49 +01:00
frack113
c820216541
Update Title (#3733)
2022-11-28 06:43:17 +01:00
Nasreddine Bencherchali
5ee9428e59
Fix
2022-11-03 09:39:48 +01:00
frack113
1e5ae09c4b
Order yaml field
2022-10-26 09:43:39 +02:00
Nasreddine Bencherchali
bf9bfa9a97
Add more FP filters
2022-10-13 12:36:25 +02:00
Nasreddine Bencherchali
bf28e42f01
Fix FP Found In Testing
2022-10-10 17:33:14 +02:00
Nasreddine Bencherchali
2c26614ce4
Update Wildcard + Int to Str fields
2022-10-05 23:15:20 +02:00
phantinuss
b7f20b884c
fix: FPs from new evtx-baseline
2022-09-21 13:51:19 +02:00
Florian Roth
968f0ae11f
Merge pull request #3508 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2022-09-18 13:24:07 +02:00
Florian Roth
34d7ad03f7
fix: FPs noticed with Aurora
2022-09-18 12:54:37 +02:00
Borna Talebi
4ede1b413f
Update reference
2022-09-16 21:46:45 +04:30
Nasreddine Bencherchali
238e0ecd7d
Update Ref+Selection
2022-07-11 14:11:53 +01:00
Nasreddine Bencherchali
b26c28972d
Add missing definition fields and references
2022-07-07 19:13:01 +01:00
Nasreddine Bencherchali
ce8ce2a91d
Removed related field
The rule referenced in the field doesn't exist
2022-06-21 11:43:18 +01:00
Florian Roth
72de90d2aa
fix: FPs
2022-06-20 12:52:23 +02:00
David ANDRE
74b9f97b9c
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
phantinuss
6f92a11c02
chore: test rules: check for all modifier with single item
2022-05-11 11:06:09 +02:00
phantinuss
112b715dd6
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00