Commit Graph

8990 Commits

Author SHA1 Message Date
Tim Shelton 6187cfdfd6 False positive when amazon workspaces is running and doing its weird little things 2022-07-14 19:41:52 +00:00
Florian Roth 8ace9631d0 Merge pull request #3220 from frack113/Eventdata_Data
Remove some keywords
2022-07-14 08:31:43 +02:00
frack113 9b319f0569 Update win_account_discovery.yml 2022-07-13 06:45:39 +02:00
Borna Talebi f9faeacb5a Update win_account_discovery.yml 2022-07-12 23:58:40 +04:30
Borna Talebi 0850419c95 Add FP from reference link
According to the query in reference, computer accounts should be excluded: "and not (SourceUserName IMATCHES '.*\$')"
2022-07-12 23:32:00 +04:30
frack113 0fbbbd19dc fix list 2022-07-12 19:44:41 +02:00
frack113 c0b580169d Change keywords to Data 2022-07-12 19:20:43 +02:00
Nasreddine Bencherchali 3a1bb6f7de Fix Error in logsource 2022-07-12 16:50:08 +01:00
Florian Roth 98a7d2f76e Merge pull request #3216 from nasbench/master
DFIR Report - SELECT XMRig FROM SQLServer (New Rules)
2022-07-12 17:40:44 +02:00
Nasreddine Bencherchali 3838c4dc22 Add "warning" section 2022-07-12 16:38:48 +01:00
Florian Roth 739a54289e Update proc_creation_win_inline_base64_mz_header.yml 2022-07-12 17:33:04 +02:00
Nasreddine Bencherchali ac76e31f95 Add missing references 2022-07-12 16:23:42 +01:00
Florian Roth 730ee2cc9b Merge pull request #3217 from phantinuss/master
Fix FPs
2022-07-12 17:16:04 +02:00
Florian Roth 31ee9b7104 Merge branch 'master' into aurora-false-positive-fixing 2022-07-12 16:54:10 +02:00
phantinuss b6025adaa8 fix: found on several systems in prod environment 2022-07-12 16:41:10 +02:00
Nasreddine Bencherchali aeecd0530d xp_cmdshell rules 2022-07-12 14:56:22 +01:00
Florian Roth e79e4d6c3b fix: FPs with csc.exe as child of sdiagnhost 2022-07-12 14:32:22 +02:00
phantinuss 7ca54a691b fix: FP found in testing 2022-07-12 13:47:13 +02:00
Nasreddine Bencherchali a41a73d721 DFIR Report - SELECT XMRig FROM SQLServer 2022-07-12 01:27:51 +01:00
Florian Roth 9b50323bc1 Merge pull request #3215 from nasbench/master
Reference+Selection Updates [Final Batch]
2022-07-11 22:47:17 +02:00
Nasreddine Bencherchali 1392ca1ec5 Fix review 2022-07-11 20:27:42 +01:00
Florian Roth 6dde3012cc refactor: some changes 2022-07-11 19:55:54 +02:00
Nasreddine Bencherchali 476f395126 Fix FPs 2022-07-11 18:33:54 +01:00
Nasreddine Bencherchali 614fe69363 Update proc_creation_win_susp_use_of_sqltoolsps_bin.yml 2022-07-11 18:27:06 +01:00
Nasreddine Bencherchali 3aab1cc54c Update proc_creation_win_susp_service_path_modification.yml 2022-07-11 18:25:54 +01:00
Nasreddine Bencherchali 987b694223 Update proc_creation_win_susp_runscripthelper.yml 2022-07-11 18:24:17 +01:00
Nasreddine Bencherchali 093aff99b0 Update proc_creation_win_lsass_dump.yml 2022-07-11 18:22:50 +01:00
Nasreddine Bencherchali f2d9299703 Update proc_creation_win_susp_runonce_execution.yml 2022-07-11 18:21:46 +01:00
Nasreddine Bencherchali 9feec535f6 Update proc_creation_win_base64_listing_shadowcopy.yml 2022-07-11 18:19:46 +01:00
Nasreddine Bencherchali cee1206b18 Update proc_creation_lnx_system_network_discovery.yml 2022-07-11 18:18:38 +01:00
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali 12d187bc91 Update Ref+Selection 2 2022-07-11 17:48:40 +01:00
phantinuss e31d752146 fix: FPs found in prod environment 2022-07-11 15:47:11 +02:00
Nasreddine Bencherchali fb73dfca88 Merge branch 'master' of https://github.com/nasbench/sigma 2022-07-11 14:11:59 +01:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Florian Roth e7f5b07f2d Merge pull request #3213 from SigmaHQ/rule-devel
refactor: another Follina process pattern observed ITW
2022-07-11 13:00:51 +02:00
Florian Roth 5b8f7d977f Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-07-11 12:52:08 +02:00
Florian Roth a17364104b refactor: Follina patterns 2022-07-11 12:52:06 +02:00
Nasreddine Bencherchali d2f08cca5d New Rules 2022-07-11 10:22:45 +01:00
frack113 792fde6466 Merge pull request #3206 from baileybercik/baileybercik
Create azure_app_highly_privileged_permissions.yml
2022-07-10 07:59:01 +02:00
frack113 0f1c8183a1 fix references 2022-07-09 08:51:45 +02:00
frack113 b923260be4 Update azure_app_highly_privileged_permissions.yml 2022-07-09 08:42:54 +02:00
Florian Roth 9daef055ae Merge pull request #3211 from SigmaHQ/rule-devel
fix: FPs with notepad as parent
2022-07-08 20:40:49 +02:00
Florian Roth 079a41b087 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-07-08 19:28:46 +02:00
Florian Roth 0640695258 fix: FPs with notepad.exe as parent
Closing https://github.com/SigmaHQ/sigma/issues/3208
2022-07-08 19:28:43 +02:00
frack113 4f21febbb4 Fix detection 2022-07-08 18:20:37 +02:00
Florian Roth d15f3d738b Merge pull request #3207 from SigmaHQ/rule-devel
fix: missing Windows Defender source, rule: Proxy UA Base64
2022-07-08 11:14:00 +02:00
Florian Roth 9b47c868bc fix: list and add base64 encoded Mozilla keyword 2022-07-08 10:50:52 +02:00
Florian Roth 578c838277 Merge pull request #3203 from nasbench/master
Reference Update [Batch 1]
2022-07-08 10:47:50 +02:00
Florian Roth 6fc782958a rule: Proxy UA Base64 value 2022-07-08 10:40:35 +02:00