Commit Graph

230 Commits

Author SHA1 Message Date
Florian Roth d46d89e403 Merge pull request #3315 from nasbench/nasbench-rule-devel
New Rules + Update
2022-08-04 13:34:26 +02:00
Nasreddine Bencherchali 30a43d5110 Update image_load_susp_dll_load_system_process.yml 2022-08-02 21:23:15 +01:00
Nasreddine Bencherchali d99c92b726 Update image_load_susp_dll_load_system_process.yml 2022-08-02 21:18:07 +01:00
Nasreddine Bencherchali d7d8a8fbc0 Fix typo 2022-08-02 21:06:52 +01:00
Nasreddine Bencherchali 37b97c4e66 New Rules 2022-08-02 21:05:07 +01:00
Nasreddine Bencherchali 5ca7846450 Renamed rule 2022-08-02 21:04:18 +01:00
Nasreddine Bencherchali 845b5c1b5d Update 2022-08-02 21:04:03 +01:00
Bhabesh 8174ca9108 Removing list with only one value to pass test 2022-08-02 22:34:45 +05:45
Bhabesh 1c0c9bfbe3 Added the missing backslash 2022-08-02 22:26:32 +05:45
Bhabesh 249e20b741 Added image_load rule 2022-08-02 22:25:06 +05:45
frack113 bbf07649b1 MS Update FP 2022-07-27 08:09:11 +02:00
Florian Roth da1ad54a41 refactor: vulnerable driver loads 2022-07-26 14:56:28 +02:00
Nasreddine Bencherchali 524ea4bfeb Fix typo 2022-07-25 11:12:00 +01:00
Florian Roth e1afd68f40 docs: wording 2022-07-25 10:22:36 +02:00
Florian Roth 2cbdd50927 rule: vulnerable gigabyte driver load 2022-07-25 10:08:05 +02:00
Florian Roth fd30a06112 Merge pull request #3240 from nasbench/uac-bypass-image-load
Iscsicpl UAC Bypass + Generic Rule
2022-07-19 16:38:34 +02:00
Florian Roth 44b424e3cf refactor: WSMAN Provider Image Loads & empty cmdline 2022-07-18 13:55:14 +02:00
Nasreddine Bencherchali d32816f7a2 Iscsicpl UAC Bypass + Generic Rule 2022-07-18 11:50:55 +01:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Florian Roth c2c25acbb6 docs: rules adjusted 2022-06-21 17:21:55 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Florian Roth fda9c753e2 Update image_load_msdt_sdiageng.yml 2022-06-17 18:46:14 +02:00
Florian Roth 725cadc902 Update image_load_msdt_sdiageng.yml 2022-06-17 08:49:17 +02:00
eiger 764dbc4e3c Fix: Sigma title error 2022-06-17 14:40:01 +08:00
eiger e4ab54d60f Rule: Follina and DogWalk exploit msdt.exe loading sdiageng.dll 2022-06-17 09:41:08 +08:00
eiger 7444869de3 Rule: Follina and DogWalk exploit msdt.exe loading sdiageng.dll 2022-06-17 09:29:20 +08:00
eiger 21edcafa36 Rule: Follina or DogWalk exploit sdiageng.dll 2022-06-17 09:21:57 +08:00
Nasreddine Bencherchali 97856b562a Add "\" to "Image|endswith" modifier
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default Windows binaries to avoid changing the logic of other rules.
2022-06-02 13:39:07 +01:00
phantinuss 465886d6e3 fix: FP found in testing 2022-05-27 15:16:30 +02:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
frack113 196aa6d83d move deprecated rules 2022-05-14 09:42:32 +02:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries to the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Tobias Michalski cf608cf730 fix: false positive fix 2022-05-06 14:24:04 +02:00
Florian Roth 892025474d fix: FPs noticed with Aurora 2022-05-02 16:25:33 +02:00
phantinuss 13e31e8383 fix: FPs found in win2022 domain controller baseline 2022-04-21 10:48:59 +02:00
Max Altgelt 026490921c fix: Add FP exclusion for vss_ps.dll load
The scheduled task that creates restore points apparently runs
rundll32.exe and loads this DLL.
2022-04-07 10:49:10 +02:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
frack113 7fb8272f94 Name Normalization
2022-02-27 10:58:14 +01:00
Tobias Michalski 15c61b42bf fix: Set rule to medium due to too many filters 2022-02-23 11:03:23 +01:00
Florian Roth 921d46ca79 fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00
Florian Roth 2500c16aea fix: FPs noticed with Aurora 2022-02-16 17:00:27 +01:00
Florian Roth 98dbfe1ff6 fix: too many matches on many programs
... running from every other location
2022-02-12 00:44:42 +01:00
phantinuss 97f4b8a1e9 fix: mandatory escaping of \* 2022-02-10 16:16:42 +01:00
phantinuss 6ad44598ee fix: several FPs against a freshly installed Windows with example applications and basic user interaction 2 2022-02-10 16:12:17 +01:00
phantinuss 43bae23f23 fix: several FPs against a freshly installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
frack113 54c2dcdafb Add CVE-2022-22718 2022-02-09 08:40:04 +01:00
Florian Roth 8aad83a737 fix: far too many FPs with new Advapi31.dll rule 2022-02-04 14:03:14 +01:00
frack113 d56261cd70 aurora OneDrive FP 2022-02-04 09:32:29 +01:00