security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,209 Commits 1 Branch 57 Tags
4f7738b8674efdfd1908b40c851a739176ac2c2b
Commit Graph

12209 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Nasreddine Bencherchali 4f7738b867 Add rule CVE-2022-31656 2022-08-12 16:29:52 +01:00
Nasreddine Bencherchali b6fda3e758 Fix FP 2022-08-12 16:09:20 +01:00
Nasreddine Bencherchali 4a0c1b41f2 Update proc_creation_win_renamed_procdump.yml 2022-08-12 16:04:38 +01:00
Nasreddine Bencherchali 8477c4976b Update proc_creation_win_renamed_procdump.yml 2022-08-12 16:02:54 +01:00
Nasreddine Bencherchali cf2a817801 New Rules 2022-08-12 13:44:16 +01:00
Nasreddine Bencherchali e4e24a00a7 Update procdump rules 2022-08-12 13:44:03 +01:00
Nasreddine Bencherchali b1e0668ae3 Update adfind rules 2022-08-12 13:43:36 +01:00
Nasreddine Bencherchali d7bc975c71 Update meta 2022-08-12 13:42:52 +01:00
Nasreddine Bencherchali 0214a0632a Fix FP 2022-08-12 11:47:15 +01:00
frack113 9a64b6660f Merge pull request #3338 from Tomasuh/master 
proxy_susp_flash_download_loc.yml: c-uri inst. of c-uri-query and r-dns inst of c-uri-stem, proxy_ua_susp.yml: Avoid adobe false positives
 2022-08-11 19:57:19 +02:00
Florian Roth 835b54c05c Merge pull request #3362 from MarkMorow/markmorow 
Create azure_privileged_account_creation.yml
 2022-08-11 18:43:32 +02:00
Florian Roth b5ebc2033e Update azure_privileged_account_creation.yml 2022-08-11 18:25:10 +02:00
Florian Roth b199e50898 Merge pull request #3358 from frack113/fix_3351 
Fix condition
 2022-08-11 18:24:43 +02:00
Florian Roth 3fd33a6e1f Merge pull request #3360 from martinspielmann/master 
Reduced False Positives for Java Running with Remote Debugging Rule
 2022-08-11 18:23:59 +02:00
Florian Roth 3666e79a64 Merge pull request #3361 from phantinuss/master 
fix: FP with office click to run
 2022-08-11 18:22:22 +02:00
Mark Morowczynski 10871396c4 Create azure_privileged_account_creation.yml 
Detects when a priv account is created
 2022-08-11 07:08:15 -07:00
Martin 41d79d4d1b Update proc_creation_win_vul_java_remote_debugging.yml 
simplified rule
 2022-08-11 13:29:15 +02:00
Martin 8da1502e5d Update proc_creation_win_vul_java_remote_debugging.yml 
For Java Running with Remote Debugging, add filtering to vulnerable jvm versions. Later jvm versions limit remote debugging access to localhost by default.
 2022-08-11 13:20:40 +02:00
phantinuss a75e9a41a2 fix: FP with office click to run 2022-08-11 09:53:25 +02:00
Tomasuh 7f86fcf89d Update to use cs-host instead of r-dns 2022-08-11 08:36:23 +02:00
Tomasuh 61c2e6b532 Update proxy_susp_flash_download_loc.yml 2022-08-11 08:33:07 +02:00
frack113 80df54d092 Fix condition 2022-08-11 06:59:01 +02:00
frack113 1b60c9b6f1 Merge pull request #3357 from MarkMorow/markmorow 
Create azure_guest_invite_failure.yml
 2022-08-11 06:40:32 +02:00
frack113 1a57509e85 Merge pull request #3346 from nasbench/nasbench-rule-devel 
Updates + New Rules
 2022-08-11 06:26:57 +02:00
frack113 634397e855 Merge pull request #3353 from nasbench/tune-fp-short-path-rules 
Fix FP - Short Path Rules
 2022-08-11 06:26:41 +02:00
frack113 4d6eda3488 Merge pull request #3348 from lawndoc/master 
BloodHound Collection Files
 2022-08-11 06:26:05 +02:00
Nasreddine Bencherchali f34a60b215 Update proc_creation_win_rundll32_unc_path.yml 2022-08-10 22:08:03 +01:00
Nasreddine Bencherchali f51547fe96 Update proc_creation_win_rundll32_unc_path.yml 2022-08-10 21:15:12 +01:00
Mark Morowczynski 8a750770cf Create azure_guest_invite_failure.yml 
Detection when a user without proper permissions attempts to invite a guest account.
 2022-08-10 11:01:40 -07:00
Nasreddine Bencherchali 3201b68004 Final update 2022-08-10 18:33:17 +01:00
Nasreddine Bencherchali 0f8ad22b9a Update proc_creation_win_susp_wmic_proc_create.yml 2022-08-10 17:53:09 +01:00
Nasreddine Bencherchali 021c297e96 Update title and description 2022-08-10 17:48:48 +01:00
Nasreddine Bencherchali 80ee1192e6 Update file_event_win_error_handler_cmd_persistence.yml 2022-08-10 17:45:25 +01:00
frack113 004409ff87 Merge pull request #3352 from MarkMorow/markmorow 
Create azure_tap_added.yml
 2022-08-10 18:40:42 +02:00
phantinuss 4a9b214f94 Merge pull request #3354 from phantinuss/master 
Fix FPs found in testing
 2022-08-10 18:25:49 +02:00
phantinuss 6d1dad51fe fix: typo in filter name 2022-08-10 18:09:55 +02:00
phantinuss b0f07faa85 fix: FP with poqexec.exe 2022-08-10 17:28:03 +02:00
phantinuss 7b9cd0e74c fix: remove TargetObject restriction bc of too many FPs 2022-08-10 17:28:02 +02:00
phantinuss 5cde4a2d7e fix: FP with Avast 2022-08-10 17:28:02 +02:00
Nasreddine Bencherchali babdecc642 Update proc_creation_win_ntfs_short_name_use_image.yml 2022-08-10 15:25:10 +01:00
Nasreddine Bencherchali 14277c5b6d Fix FP 2022-08-10 15:15:49 +01:00
Mark Morowczynski d1c5153103 Create azure_tap_added.yml 
Detection for temporary access pass (TAP) added to an account.
 2022-08-10 07:09:09 -07:00
Florian Roth c2b415601e Merge pull request #3344 from phantinuss/master 
fix: FP found in testing
 2022-08-10 14:04:37 +02:00
Nasreddine Bencherchali 405ed7e6d2 Update file_event_win_error_handler_cmd_persistence.yml 2022-08-10 13:02:08 +01:00
phantinuss 8e63a4b2e1 fix: another Win7 i386 path 2022-08-10 13:54:19 +02:00
Nasreddine Bencherchali b5c15c5137 More additions and updates 2022-08-10 12:52:49 +01:00
frack113 34a0cc204a Merge pull request #3350 from wagga40/master 
Restore ruamel in sigmac to allow output in YAML
 2022-08-10 13:47:20 +02:00
Wagga ac203f99b5 Restore ruamel in sigmac to allow output in YAML 
This commit definitely fix the #3337 issue. The commit #3349 restored the commented lines but the ruamel import was not in it.
 2022-08-10 11:42:27 +02:00
phantinuss 342ec1c9cc fix: FP with wrongly matching folders 2022-08-10 11:23:42 +02:00
frack113 fc52a1f760 Merge pull request #3349 from frack113/fix_issues 
Fix some issues
 2022-08-10 08:46:03 +02:00