Commit Graph

10664 Commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| Amrik | 6bc5b8e29c | Fix: Typo in title | 2022-04-07 19:30:00 -07:00 |
| frack113 | 77e05ab762 | Merge pull request #2887 from frack113/fix_tag (Update tags) | 2022-04-07 22:34:23 +02:00 |
| Florian Roth | eab098e9f8 | Merge pull request #2885 from secDre4mer/master (Add couple of new rules) | 2022-04-07 19:00:52 +02:00 |
| Florian Roth | e4503df4b1 | Update proc_creation_win_powershell_public_folder.yml | 2022-04-07 18:52:45 +02:00 |
| Florian Roth | ddc9ddb1d3 | Merge pull request #2888 from phantinuss/checkbaseline (workflow: add checks against Windows 2022 baseline) | 2022-04-07 16:13:21 +02:00 |
| frack113 | 7819a3b96e | Update tags | 2022-04-07 14:46:58 +02:00 |
| phantinuss | 21b28e4119 | local evtx baseline check using concurrency | 2022-04-07 14:15:44 +02:00 |
| phantinuss | 8a8226317f | fix: indentation | 2022-04-07 14:15:44 +02:00 |
| phantinuss | f5ca5c0579 | fix: FPs from fresh Windows 2022 install | 2022-04-07 14:15:44 +02:00 |
| phantinuss | 25de8a926c | workflow: new baseline check against Windows 2022 | 2022-04-07 14:15:44 +02:00 |
| Max Altgelt | 47c685553d | feat: Generate low sigma match for new credential logon | 2022-04-07 10:50:50 +02:00 |
| Max Altgelt | df41827266 | feat: detect PS execution in public folder | 2022-04-07 10:50:50 +02:00 |
| Max Altgelt | 3cddcc906d | feat: Add new rule for Creative Cloud node abuse | 2022-04-07 10:50:50 +02:00 |
| Max Altgelt | 026490921c | fix: Add FP exclusion for vss_ps.dll load (The scheduled task that creates restore points apparently runs rundll32.exe and loads this DLL.) | 2022-04-07 10:49:10 +02:00 |
| Florian Roth | ac5346c2a5 | Merge pull request #2881 from SigmaHQ/rule-devel (DumpMinitool Usage) | 2022-04-07 09:44:44 +02:00 |
| Florian Roth | 80d8010fbd | Merge pull request #2883 from phantinuss/checkbaseline (workflow: add checks against Windows 7 32-bit baseline) | 2022-04-06 19:00:15 +02:00 |
| Florian Roth | 893b13c5d3 | Merge pull request #2884 from megan201296/patch-21 (Fix typo in rule name) | 2022-04-06 18:59:49 +02:00 |
| megan201296 | b0eaf3fb5a | Rename proc_creation_win_coti_sqlcmd.yml to proc_creation_win_conti_sqlcmd.yml (Fix typo in rule name) | 2022-04-06 10:46:08 -05:00 |
| phantinuss | 9376859b06 | fix: remove duplicate list entry | 2022-04-06 17:14:34 +02:00 |
| Florian Roth | 5a4a2544dd | refactor: extended rule | 2022-04-06 17:07:51 +02:00 |
| phantinuss | 4780447102 | fix: FPs from fresh Win7 install | 2022-04-06 17:07:00 +02:00 |
| phantinuss | d323753abd | workflow: new baseline check against Windows 7 32-bit | 2022-04-06 17:06:54 +02:00 |
| phantinuss | 7cbfc7f16a | fix: remove . from title | 2022-04-06 17:04:10 +02:00 |
| Florian Roth | b40b513d3f | Merge pull request #2882 from phantinuss/checkbaseline (workflow: add checks against Windows 11 baseline) | 2022-04-06 16:48:04 +02:00 |
| phantinuss | c2c3fff071 | fix: typo in description | 2022-04-06 16:09:53 +02:00 |
| phantinuss | 49a38185b2 | workflow: add known FP | 2022-04-06 16:09:53 +02:00 |
| phantinuss | 7edf04d9ff | fix: FPs from fresh Windows install | 2022-04-06 16:09:53 +02:00 |
| phantinuss | b0c1c3e726 | workflow: new baseline check against Windows 11 | 2022-04-06 16:09:51 +02:00 |
| Florian Roth | 4a4d990151 | fix: less strict directory filter | 2022-04-06 14:02:01 +02:00 |
| Florian Roth | 3b25fba51a | rule: DumpMinitool usage | 2022-04-06 14:01:14 +02:00 |
| Florian Roth | 7ef4187875 | Merge pull request #2879 from SigmaHQ/rule-devel (Base64 Encoded CommandLine Params) | 2022-04-05 20:17:59 +02:00 |
| Florian Roth | 84dcde98d0 | Merge pull request #2878 from SigmaHQ/aurora-false-positive-fixing (Reduced Level of Suspicious Conhost Legacy Option rule) | 2022-04-05 20:17:52 +02:00 |
| Florian Roth | 774183f1eb | refactor: lowered level to informational | 2022-04-05 18:54:47 +02:00 |
| Florian Roth | a731446733 | Revert "removed rule due to many FPs" (This reverts commit 5bdb97ba17.) | 2022-04-05 18:54:14 +02:00 |
| Florian Roth | 5bdb97ba17 | removed rule due to many FPs | 2022-04-05 18:53:45 +02:00 |
| Florian Roth | 7ee145fbce | rule: base64 encoded value in command line | 2022-04-05 13:09:57 +02:00 |
| Florian Roth | bcc9f96beb | fix: add tags | 2022-04-05 13:09:43 +02:00 |
| Florian Roth | b4cb047ae7 | Merge pull request #2877 from frack113/conhost (Conhost ForceV1) | 2022-04-05 10:07:08 +02:00 |
| Florian Roth | 2222b7b706 | Merge pull request #2875 from frack113/order_reg (Order registry folder) | 2022-04-05 10:06:37 +02:00 |
| frack113 | 6e67a6d520 | Set to low for FP | 2022-04-04 19:33:23 +02:00 |
| frack113 | b7675b8163 | Add proc_creation_win_susp_conhost_option | 2022-04-04 19:20:27 +02:00 |
| frack113 | fb72fb48a2 | Order registry | 2022-04-04 15:45:32 +02:00 |
| frack113 | 0f4d61d04e | Merge pull request #2872 from frack113/redcannay_20220404 (Windows Red Canary) | 2022-04-04 13:23:47 +02:00 |
| Florian Roth | 43b7f544e0 | Merge pull request #2871 from frack113/redcanary_20220402 (Windows Red Canary) | 2022-04-04 13:09:18 +02:00 |
| Florian Roth | 7518970415 | Update registry_set_install_root_or_ca_certificat.yml | 2022-04-04 13:08:40 +02:00 |
| Florian Roth | 4ded5e498f | Update registry_set_disable_system_restore.yml | 2022-04-04 12:22:09 +02:00 |
| Florian Roth | f54e129c78 | Update registry_set_add_load_service_in_safe_mode.yml | 2022-04-04 12:21:18 +02:00 |
| Florian Roth | eaaabf2468 | Update posh_ps_suspicious_get_current_user.yml | 2022-04-04 12:19:47 +02:00 |
| Florian Roth | 78416bbd22 | Merge pull request #2873 from SigmaHQ/rule-devel (fix: various fixes) | 2022-04-04 12:18:49 +02:00 |
| Florian Roth | 4ca5f58081 | Merge branch 'master' into rule-devel | 2022-04-04 12:02:47 +02:00 |