security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,747 Commits 1 Branch 57 Tags
6e529bb9c8fe7054adf25dfd6ee413d31614feed
Commit Graph

9871 Commits

Author SHA1 Message Date
frack113 6e529bb9c8 Merge pull request #3484 from elhoim/add_samtheadmin 
Add rule to detect samtheadmin computer name used by hacktool
 2022-09-10 12:34:51 +02:00
frack113 21435629a0 Merge pull request #3482 from nasbench/nasbench-rule-devel 
Rule Devel (New+Update)
 2022-09-10 12:34:26 +02:00
Florian Roth e7084eee04 Merge pull request #3487 from SigmaHQ/aurora-false-positive-fixing 
fix: fixing multiple FPs with the use of VSCode
 2022-09-10 12:07:01 +02:00
Florian Roth 0a5cfb93b3 fix: condition 2022-09-10 11:53:42 +02:00
Florian Roth 7dbdd4d1c6 fix: fixing multiple FPs with the use of VSCode 2022-09-10 11:42:44 +02:00
Florian Roth a053be791c Update proc_creation_win_user_discovery_get_aduser.yml 2022-09-10 09:49:14 +02:00
Florian Roth a616647b08 lowered score of scheduled task + SYSTEM rule 2022-09-10 09:48:50 +02:00
Florian Roth 9ed14ce571 tightened the regular expression 2022-09-10 09:34:16 +02:00
Nasreddine Bencherchali 2552b75e72 Delete proc_creation_win_net_add_local_user.yml 2022-09-09 23:11:28 +02:00
frack113 b9cc206d9d Update win_susp_computer_name.yml 2022-09-09 18:53:48 +02:00
frack113 3b8184a6b7 Merge pull request #3480 from phantinuss/master 
fix: FP with windows defender
 2022-09-09 18:49:37 +02:00
David ANDRE 9a77542bc6 Add comment to explain lack of eventID\nBetter description 2022-09-09 16:11:07 +02:00
David ANDRE b170af5687 Added rule for sam the admin suspicious computer 2022-09-09 16:08:19 +02:00
nasreddine.bencherchali@nextron-systems.com 14db9c9fb1 Update proc_creation_win_wmic_computersystem_recon.yml 2022-09-09 15:43:07 +02:00
nasreddine.bencherchali@nextron-systems.com a71ce185d7 Fix 2022-09-09 15:32:03 +02:00
David André ae5dc248c8 Merge branch 'SigmaHQ:master' into rename_suspicious2 2022-09-09 15:18:35 +02:00
David ANDRE b75fb5abf5 Renamed suspicious in rules file names to susp 2022-09-09 15:12:47 +02:00
nasreddine.bencherchali@nextron-systems.com 051397b533 Update proc_creation_win_susp_schtasks_delete_all.yml 2022-09-09 15:10:49 +02:00
nasreddine.bencherchali@nextron-systems.com c8fc1cf21e Update proc_creation_win_user_discovery_get_aduser.yml 2022-09-09 15:04:36 +02:00
nasreddine.bencherchali@nextron-systems.com 70f9ff61ca Big Update 2022-09-09 15:02:31 +02:00
phantinuss 43e0d4fe6a fix: FP with windows defender 2022-09-09 13:51:53 +02:00
phantinuss 38a2e76af8 fix: general filter should filter on both selections 2022-09-09 10:03:50 +02:00
Nasreddine Bencherchali fbc7733078 Update proc_creation_win_susp_reg_add.yml 2022-09-08 22:52:24 +02:00
Nasreddine Bencherchali dd67c4fd73 Dev 2022-09-08 22:50:57 +02:00
phantinuss 586b1c449f fix: FP on race condition 2022-09-08 16:28:05 +02:00
Nasreddine Bencherchali 15713918cd Rename 2022-09-08 10:26:23 +02:00
Nasreddine Bencherchali baf603bb5c Fix FP in testing 2022-09-08 10:24:27 +02:00
Florian Roth 358e8a567e Merge pull request #3474 from SigmaHQ/aurora-false-positive-fixing 
fix: schtasks in suspicious parents rule
 2022-09-08 09:09:26 +02:00
Florian Roth de68bf5559 fix: schtasks in suspicious parents rule 2022-09-08 09:00:58 +02:00
frack113 6813043323 Merge pull request #3468 from nasbench/nasbench-rule-devel 
Rule Devel
 2022-09-08 06:29:36 +02:00
frack113 6fea0e2c79 Merge pull request #3471 from qasimqlf/patch-5 
Update proc_creation_win_bad_opsec_sacrificial_processes.yml
 2022-09-08 06:28:25 +02:00
Nasreddine Bencherchali b70ac17676 Fix 2022-09-07 21:58:22 +02:00
Florian Roth 43b56fed23 Merge pull request #3472 from SigmaHQ/rule-devel 
rules: SysmonEnte, SharpEvtMute, sdelete rework
 2022-09-07 21:06:03 +02:00
Florian Roth 1641f4590a fix: duplicate UUIDs 2022-09-07 17:12:12 +02:00
Florian Roth a69d256367 rule: SharpEvtMute 2022-09-07 16:33:52 +02:00
Florian Roth 2ac92283e6 indentation and new hashes 2022-09-07 16:05:48 +02:00
Florian Roth b293a7a181 refactor: SysmonEnte, SharpEvtMute, SysmonQuiet 2022-09-07 16:01:05 +02:00
Florian Roth 6f1ff59027 SysmonEnte Hashes 2022-09-07 15:29:09 +02:00
Florian Roth e4dea01521 Merge pull request #3469 from phantinuss/master 
fix: new FP with Onedrive
 2022-09-07 14:35:18 +02:00
Florian Roth 6ad167a4f3 rule: SysmonEnte usage 2022-09-07 14:33:44 +02:00
Nasreddine Bencherchali 88e9794a74 Update proc_creation_win_system_exe_anomaly.yml 2022-09-07 14:15:10 +02:00
Nasreddine Bencherchali c6dc31fb48 Remove duplicate casing 
Removed cased names as SIGMA is case insensitive and the logs should searched case insensitively
 2022-09-07 14:07:04 +02:00
Qasim Qlf bdccc5440a Update proc_creation_win_bad_opsec_sacrificial_processes.yml 2022-09-07 15:28:06 +05:00
Nasreddine Bencherchali df257caa4c Update create_stream_hash_susp_ip_domains.yml 2022-09-07 12:17:18 +02:00
Nasreddine Bencherchali dc90e08f3e More updates 2022-09-07 12:02:09 +02:00
Nasreddine Bencherchali 62f5b327fa Update proc_creation_win_inline_win_api_access.yml 2022-09-06 23:04:48 +02:00
Nasreddine Bencherchali f952c02a5f Update after review 2022-09-06 22:59:24 +02:00
nasreddine.bencherchali@nextron-systems.com 1e2a894c2e Update posh_ps_adrecon_execution.yml 2022-09-06 17:19:46 +02:00
Nasreddine Bencherchali 4f69b7058f Update proc_creation_win_inline_win_api_access.yml 2022-09-06 16:57:55 +02:00
phantinuss 513922de9c fix: new FP with Onedrive 2022-09-06 16:53:53 +02:00