Nasreddine Bencherchali
412edd1e1a
Merge PR #4631 from @nasbench - add rules related to CISA aa23-347a advisory and other updates
new: DLL Names Used By SVR For GraphicalProton Backdoor
new: Enable LM Hash Storage
new: Enable LM Hash Storage - ProcCreation
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
update: Compress-Archive Cmdlet Execution - Reduced Level to low and moved to Threat Hunting folder.
update: Disabled Volume Snapshots - Update logic by removing the reg string to also account for potential renamed executions
update: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Update logic to be more specific
update: Potential Recon Activity Via Nltest.EXE - Add dnsgetdc coverage and enhance logic by removing /
update: Potential System DLL Sideloading From Non System Locations - Enhance logic by removing hardcoded C: value to account for other potential system locations
update: RestrictedAdminMode Registry Value Tampering - ProcCreation - Update the logic to not care about the data, as this registry value has use cases whether it is "0" or "1"
update: RestrictedAdminMode Registry Value Tampering - Update the logic to not care about the data, as this registry value has use cases whether it is "0" or "1"
update: Write Protect For Storage Disabled - Update logic by removing the reg string to also account for potential renamed executions
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Update logic to be more specific
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-12-18 16:46:46 +01:00
Swachchhanda Shrawan Poudel
f07e2b37c0
Merge PR #4529 from @swachchhanda000 - Add New Rules Related To WinPwn Execution
new: HackTool - WinPwn Execution - ScriptBlock
new: HackTool - WinPwn Execution
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-12-04 14:24:19 +01:00
github-actions[bot]
ae960f0881
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-12-01 12:50:36 +01:00
frack113
56ac238027
Merge PR #4591 from @frack113 - Update tests to pySigma 0.10.9
chore: update tests to pySigma 0.10.9
chore: add Summiting the Pyramid v1.0.0 tags
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-11-27 09:08:01 +01:00
github-actions[bot]
a6e7cce606
Merge PR #4533 from @nasbench - Promote experimental rules
chore: promote older rules status from `experimental` to `test`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-02 10:48:45 +01:00
Wagga
8bf3282194
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
update: Registry Persistence via Service in Safe Mode - Fix typo in title
chore: Fix multiple typos in metadata fields and comments
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-10-28 13:15:09 +02:00
Tuutaans
1d40bd3ae2
Merge PR #4498 from @Tuutaans - Update PowerShell Security Software Discovery Rule
update: Security Software Discovery Via Powershell Script - Enhance logic, increase level to medium and demote to experimental
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Anish <07tutaans@gmail.com>
2023-10-28 12:41:41 +02:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113
020fc8061f
Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
Tessa Georgen
60b8e9b70f
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
- update: update MITRE tags for multiple rules
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-08-28 16:53:27 +02:00
Nasreddine Bencherchali
be9abb9364
feat: update cl diag script rules
2023-08-17 19:26:21 +02:00
Nasreddine Bencherchali
e69daf27a1
fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-07-31 12:28:34 +02:00
Nasreddine Bencherchali
9a73c33554
fix: duplicate ids and missing selections
2023-07-27 14:58:47 +02:00
Nasreddine Bencherchali
b20e7b449c
feat: rules update
2023-07-26 10:56:18 +02:00
Nasreddine Bencherchali
ad0d3f58ac
fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-07-24 12:35:11 +02:00
Nasreddine Bencherchali
f7acf07882
Merge branch 'SigmaHQ:master' into new-rules-13-07-23
2023-07-20 13:51:48 +02:00
frack113
9acc4e1823
feat: add rules related to pwsh set-acl cmdlet usage (#4352)
2023-07-20 11:08:44 +02:00
Nasreddine Bencherchali
08e0a297f3
feat: new rules and updates
2023-07-13 17:31:13 +02:00
Nasreddine Bencherchali
ccec820a01
feat: new rules & updates (#4328)
2023-07-13 10:01:05 +02:00
frack113
101fe1a355
Update posh_ps_get_adcomputer
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-07-08 18:02:06 +02:00
Ryan Plas
cda0fbff62
fix: multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
phantinuss
6c4408ddff
chore: fix typo of lowercase Windows in description
2023-06-21 09:52:43 +02:00
Nasreddine Bencherchali
715cc0589c
Merge pull request #4232 from swachchhanda000/master
feat: extended coverage of existing defender tampering rules
2023-06-05 13:26:03 +02:00
Nasreddine Bencherchali
899c2ff23a
chore: update defender rules
2023-06-05 11:50:43 +02:00
frack113
b249536e3d
Merge pull request #4236 from YamatoSecurity/update-Suspicious-Export-PfxCertificate
update "Suspicious Export-PfxCertificate" rule
2023-05-19 09:19:10 +02:00
Nasreddine Bencherchali
a6e5a93e32
feat: update metadata and add process creation version
2023-05-18 23:45:48 +02:00
Nasreddine Bencherchali
0cb01970e7
feat: new rules, updates and goofy guineapig stuff (#4229)
2023-05-15 15:53:39 +02:00
Yamato Security
4f36d69eb2
update Suspicious Export-PfxCertificate rule
2023-05-15 12:00:55 +09:00
Swachchhanda Shrawan Poudel
d56c9d9006
Extended the coverage of existing defender tampering related rules
2023-05-10 21:23:47 +05:45
Nasreddine Bencherchali
bbf1e54510
fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-05-09 16:04:24 +02:00
Nasreddine Bencherchali
bd0a9e2bae
fix: missing modifier
2023-05-05 12:34:29 +02:00
Nasreddine Bencherchali
6f659d1c1a
fix: fp found in testing
2023-05-05 12:24:54 +02:00
Nasreddine Bencherchali
24ed6be065
feat: updates and new rules related to fin7
2023-05-05 01:26:06 +02:00
phantinuss
6a88ece238
fix: adapt level to high
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-04-27 16:59:35 +02:00
phantinuss
cf585abe51
feat: new rule for Rubeus in pwsh scriptblock log
2023-04-27 16:39:17 +02:00
phantinuss
d82d387071
Merge pull request #4189 from tuanhxh1/tuan.le.ncs
Update Script Block Text When Run Phant0m Script
2023-04-21 11:42:55 +02:00
Nasreddine Bencherchali
95edf4c9d6
Merge pull request #4177 from pH-T/master
feat: new hktl related rules and pwsh cmdlet updates
2023-04-21 11:24:57 +02:00
Nasreddine Bencherchali
ba63f4a222
fix: reduce level and update title
2023-04-21 11:21:13 +02:00
Nasreddine Bencherchali
aa22c02039
chore: order list
2023-04-21 11:14:55 +02:00
tuan
26583da2ea
Update Script Block Text When Run Phant0m Script
2023-04-21 15:41:27 +07:00
phantinuss
7f056da95b
fix: FPs found in different environments
2023-04-20 09:48:47 +02:00
Paul Hager
0420e9c3bb
feat: various new hktl rules
2023-04-17 12:08:30 +02:00
Nasreddine Bencherchali
2710bf4710
feat: new rules, updates and fp fixes (#4162)
2023-04-11 13:04:22 +02:00
phantinuss
85423f784c
fix: condition filtering on all filters
2023-03-24 10:59:01 +01:00
phantinuss
aa1ab49773
fix: FPs found in testing environment
2023-03-24 10:41:21 +01:00
Nasreddine Bencherchali
1378cf6d75
feat: update cmd based rules
2023-03-07 14:13:57 +01:00
Nasreddine Bencherchali
587fbbce58
chore: update pipe-notation rules to unsupported
2023-02-24 19:54:14 +01:00
phantinuss
ecc41ad20b
fix: FP with chocolatey
2023-02-21 16:38:05 +01:00
Wagga
273fdb9985
fix: typos in multiple rules (#4011)
2023-02-06 13:53:23 +01:00
Florian Roth
205f6a4de7
fix: FP with Get-ADObject
2023-02-06 13:26:37 +01:00