Commit Graph

8082 Commits

Author SHA1 Message Date
Amrik 6bc5b8e29c Fix: Typo in title 2022-04-07 19:30:00 -07:00
frack113 77e05ab762 Merge pull request #2887 from frack113/fix_tag
Update tags
2022-04-07 22:34:23 +02:00
Florian Roth eab098e9f8 Merge pull request #2885 from secDre4mer/master
Add a couple of new rules
2022-04-07 19:00:52 +02:00
Florian Roth e4503df4b1 Update proc_creation_win_powershell_public_folder.yml 2022-04-07 18:52:45 +02:00
frack113 7819a3b96e Update tags 2022-04-07 14:46:58 +02:00
phantinuss f5ca5c0579 fix: FPs from fresh Windows 2022 install 2022-04-07 14:15:44 +02:00
Max Altgelt 47c685553d feat: Generate low sigma match for new credential logon 2022-04-07 10:50:50 +02:00
Max Altgelt df41827266 feat: detect PS execution in public folder 2022-04-07 10:50:50 +02:00
Max Altgelt 3cddcc906d feat: Add new rule for Creative Cloud node abuse 2022-04-07 10:50:50 +02:00
Max Altgelt 026490921c fix: Add FP exclusion for vss_ps.dll load
The scheduled task that creates restore points apparently runs
rundll32.exe and loads this DLL.
2022-04-07 10:49:10 +02:00
Florian Roth ac5346c2a5 Merge pull request #2881 from SigmaHQ/rule-devel
DumpMinitool Usage
2022-04-07 09:44:44 +02:00
Florian Roth 80d8010fbd Merge pull request #2883 from phantinuss/checkbaseline
workflow: add checks against Windows 7 32-bit baseline
2022-04-06 19:00:15 +02:00
megan201296 b0eaf3fb5a Rename proc_creation_win_coti_sqlcmd.yml to proc_creation_win_conti_sqlcmd.yml
Fix typo in rule name
2022-04-06 10:46:08 -05:00
phantinuss 9376859b06 fix: remove duplicate list entry 2022-04-06 17:14:34 +02:00
Florian Roth 5a4a2544dd refactor: extended rule 2022-04-06 17:07:51 +02:00
phantinuss 4780447102 fix: FPs from fresh Win7 install 2022-04-06 17:07:00 +02:00
phantinuss 7cbfc7f16a fix: remove . from title 2022-04-06 17:04:10 +02:00
phantinuss c2c3fff071 fix: typo in description 2022-04-06 16:09:53 +02:00
phantinuss 7edf04d9ff fix: FPs from fresh Windows install 2022-04-06 16:09:53 +02:00
Florian Roth 4a4d990151 fix: less strict directory filter 2022-04-06 14:02:01 +02:00
Florian Roth 3b25fba51a rule: DumpMinitool usage 2022-04-06 14:01:14 +02:00
Florian Roth 7ef4187875 Merge pull request #2879 from SigmaHQ/rule-devel
Base64 Encoded CommandLine Params
2022-04-05 20:17:59 +02:00
Florian Roth 774183f1eb refactor: lowered level to informational 2022-04-05 18:54:47 +02:00
Florian Roth a731446733 Revert "removed rule due to many FPs"
This reverts commit 5bdb97ba17.
2022-04-05 18:54:14 +02:00
Florian Roth 5bdb97ba17 removed rule due to many FPs 2022-04-05 18:53:45 +02:00
Florian Roth 7ee145fbce rule: base64 encoded value in command line 2022-04-05 13:09:57 +02:00
Florian Roth bcc9f96beb fix: add tags 2022-04-05 13:09:43 +02:00
Florian Roth b4cb047ae7 Merge pull request #2877 from frack113/conhost
Conhost ForceV1
2022-04-05 10:07:08 +02:00
frack113 6e67a6d520 Set to low for FP 2022-04-04 19:33:23 +02:00
frack113 b7675b8163 Add proc_creation_win_susp_conhost_option 2022-04-04 19:20:27 +02:00
frack113 fb72fb48a2 Order registry 2022-04-04 15:45:32 +02:00
frack113 0f4d61d04e Merge pull request #2872 from frack113/redcannay_20220404
Windows Redcanary
2022-04-04 13:23:47 +02:00
Florian Roth 43b7f544e0 Merge pull request #2871 from frack113/redcanary_20220402
Windows Redcanary
2022-04-04 13:09:18 +02:00
Florian Roth 7518970415 Update registry_set_install_root_or_ca_certificat.yml 2022-04-04 13:08:40 +02:00
Florian Roth 4ded5e498f Update registry_set_disable_system_restore.yml 2022-04-04 12:22:09 +02:00
Florian Roth f54e129c78 Update registry_set_add_load_service_in_safe_mode.yml 2022-04-04 12:21:18 +02:00
Florian Roth eaaabf2468 Update posh_ps_suspicious_get_current_user.yml 2022-04-04 12:19:47 +02:00
Florian Roth 4ca5f58081 Merge branch 'master' into rule-devel 2022-04-04 12:02:47 +02:00
Florian Roth 96499b52de fix: date in rule 2022-04-04 11:37:55 +02:00
Florian Roth 7423ad6ffa fix: missing timestamp 2022-04-04 11:34:26 +02:00
frack113 aaafef29b4 Redcanary 2022-04-04 10:57:23 +02:00
Florian Roth ad3c51be6a fix: registry target value details 2022-04-04 10:39:18 +02:00
Florian Roth 176a3c4c07 Update registry_set_hide_file.yml 2022-04-04 09:33:11 +02:00
Florian Roth 62096ec4d9 Update registry_set_powershell_logging_disabled.yml 2022-04-04 09:32:54 +02:00
Florian Roth dcce28a551 Update registry_set_hide_file.yml 2022-04-04 09:30:44 +02:00
Florian Roth b394702748 Update posh_ps_suspicious_gettypefromclsid.yml 2022-04-04 09:28:56 +02:00
frack113 d2b2362ce7 Redcanary 2022-04-02 11:55:02 +02:00
phantinuss 67ad16f411 edit because of ambiguous trailing space 2022-03-31 12:04:37 +02:00
phantinuss 51d45bae8b chore: promote status of rules 2022-03-31 12:04:37 +02:00
phantinuss 5ebb919472 fix: FP with intel graphics 2022-03-31 12:04:37 +02:00