Commit Graph

9270 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 751fbd7a2e Update proc_creation_win_susp_calc.yml 2022-08-04 19:36:07 +01:00
Nasreddine Bencherchali be40827c9b Update proc_creation_win_susp_calc.yml 2022-08-04 19:28:28 +01:00
Nasreddine Bencherchali fb1deb7fb2 Update pipe_created_psexec_default_pipe_from_susp_location.yml 2022-08-04 19:18:42 +01:00
Nasreddine Bencherchali 307f9c6a35 New rules 2022-08-04 19:11:16 +01:00
Nasreddine Bencherchali d6a2c13738 Update rules (desc, selection, logic) 2022-08-04 18:08:08 +01:00
Nasreddine Bencherchali fe2e279cfa Add more comsvcs variations
Based on this https://twitter.com/Wietze/status/1542107456507203586
2022-08-04 16:18:51 +01:00
Nasreddine Bencherchali 2d46263054 Renamed rule filename for conformity 2022-08-04 15:57:43 +01:00
Nasreddine Bencherchali 6d66ed6267 Update description + Missing related field 2022-08-04 15:57:18 +01:00
Nasreddine Bencherchali df74e42243 Add missing definition for named pipe rules 2022-08-04 15:56:47 +01:00
Nasreddine Bencherchali 34bb346b5c Renamed because name too long 2022-08-04 13:45:35 +01:00
Florian Roth d46d89e403 Merge pull request #3315 from nasbench/nasbench-rule-devel
New Rules + Update
2022-08-04 13:34:26 +02:00
Florian Roth 8396f87533 Update win_security_mitigations_unsigned_dll_from_susp_location.yml 2022-08-04 13:17:36 +02:00
Nasreddine Bencherchali 0e133f7d58 Additional updates 2022-08-04 11:53:09 +01:00
Nasreddine Bencherchali 58e82da488 Rename because too long 2022-08-04 11:20:28 +01:00
Nasreddine Bencherchali 3954585722 Create win_security_mitigations_code_integrity_unsigned_dll_from_susp_location.yml 2022-08-04 11:12:26 +01:00
Nasreddine Bencherchali 83451b3e6d Update proc_creation_win_exfil_data_via_cli.yml 2022-08-04 10:58:56 +01:00
Nasreddine Bencherchali 8e08ff3060 Fix 2022-08-04 10:58:34 +01:00
Florian Roth 636602cf7c rule: additional rule using the obfuscated IPs 2022-08-04 08:59:04 +02:00
Florian Roth 3282c822a7 Merge pull request #3320 from redsand/reduce_level_time_modification
Reducing to a low level, as this is not a single indicator of comprom…
2022-08-03 18:13:44 +02:00
Florian Roth 4112dbeb3e Merge pull request #3321 from redsand/fp_workstation_authentication
Ignore workstations/system execution. Normal behavior for scheduled tasks
2022-08-03 18:13:31 +02:00
Nasreddine Bencherchali 48a90c6342 DiagTrackEoP rules 2022-08-03 15:45:39 +01:00
Tim Shelton 0d9223c45e Doesn't like single ticks around author 2022-08-03 13:36:50 +00:00
Tim Shelton 474c8d934e Ignore workstations/system execution. Normal behavior for scheduled tasks 2022-08-03 13:29:34 +00:00
Tim Shelton 74fc8903ff Reducing to a low level, as this is not a single indicator of compromise. Users and scripts from time sensitive applications such as mfa/oauth will execute net time \\host /set /y 2022-08-03 13:18:32 +00:00
Nasreddine Bencherchali 521987eaa6 Create proc_creation_win_obfuscated_ip_via_cli.yml 2022-08-03 12:16:50 +01:00
Florian Roth 3f402e3007 Merge pull request #3304 from d4rk-d4nph3/master
Added rule for Defender DLL sideloading
2022-08-03 10:46:37 +02:00
Florian Roth 3c67479ce2 Merge pull request #3318 from SigmaHQ/rule-devel
rule: myjino github repo compromise
2022-08-03 08:42:17 +02:00
Florian Roth 72dbfffc0f rule: myjino github repo compromise 2022-08-03 08:34:28 +02:00
Nasreddine Bencherchali 30a43d5110 Update image_load_susp_dll_load_system_process.yml 2022-08-02 21:23:15 +01:00
Nasreddine Bencherchali d99c92b726 Update image_load_susp_dll_load_system_process.yml 2022-08-02 21:18:07 +01:00
Nasreddine Bencherchali 716ece8b4c Update proc_creation_win_exfil_data_via_cli.yml 2022-08-02 21:12:24 +01:00
Nasreddine Bencherchali d7d8a8fbc0 Fix typo 2022-08-02 21:06:52 +01:00
Nasreddine Bencherchali 37b97c4e66 New Rules 2022-08-02 21:05:07 +01:00
Nasreddine Bencherchali 5ca7846450 Renamed rule 2022-08-02 21:04:18 +01:00
Nasreddine Bencherchali 845b5c1b5d Update 2022-08-02 21:04:03 +01:00
Bhabesh 8174ca9108 Removing list with only value to pass test 2022-08-02 22:34:45 +05:45
Bhabesh 1c0c9bfbe3 Added the missing backslash 2022-08-02 22:26:32 +05:45
Bhabesh 249e20b741 Added image_load rule 2022-08-02 22:25:06 +05:45
Bhabesh 8df1415616 Removed image condition 2022-08-02 22:12:43 +05:45
Florian Roth 87a0c9e1b9 Merge branch 'master' into master 2022-08-02 18:10:24 +02:00
Florian Roth e7c57671bd reworked rule 2022-08-02 18:08:39 +02:00
Florian Roth f0d240059e Merge pull request #3313 from isstabb/patch-1
chore: fix case on author for consistency
2022-08-02 17:46:47 +02:00
Florian Roth 46f47e53a3 Merge pull request #3311 from frack113/sysmon_start
Add Filter sysmon start
2022-08-02 16:38:48 +02:00
isstabb baac2bd1f7 chore: fix case on author for consistency 2022-08-02 08:39:57 -04:00
frack113 b897015300 Merge pull request #3312 from nasbench/nasbench-rule-devel
Update proc_creation_win_file_permission_modifications.yml
2022-08-02 12:50:54 +02:00
Florian Roth ff6e50bc43 Merge pull request #3306 from nasbench/nasbench-rule-devel
Update + New Rules
2022-08-02 12:18:47 +02:00
Nasreddine Bencherchali 87ab157844 Update proc_creation_win_file_permission_modifications.yml 2022-08-02 11:17:27 +01:00
frack113 4312151b2b Filter start 2022-08-02 10:42:03 +02:00
Bhabesh 4bbc1bc119 Support for Security-Mitigations provider 2022-08-02 13:32:22 +05:45
frack113 4ce8600749 Merge pull request #3310 from frack113/issue_3309
Update option
2022-08-02 09:46:46 +02:00