Commit Graph

65 Commits

Author SHA1 Message Date
Nasreddine Bencherchali f23780de6f feat: update and fixes 2023-03-09 22:10:42 +01:00
phantinuss b61ec0d515 restrict System process using PID
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-02-28 12:16:55 +01:00
phantinuss 8cf0de3776 fix: FP found in testing environment 2023-02-28 10:22:47 +01:00
frack113 d7e8407d0d Update detection 2023-02-26 16:28:46 +01:00
Nasreddine Bencherchali a19a75b0b0 fix: resolves #4015 2023-02-07 14:33:56 +01:00
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag 2023-02-01 11:14:59 +01:00
frack113 7060db3d47 Promotion rules (#3821)
* Promotion rules

* fix missing null

* fix: modified date

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali 03cc78e916 feat: filename test enhancements (#3812) 2022-12-23 09:25:16 +01:00
Nasreddine Bencherchali 7c46e4c3c0 fix: fix #2479 2022-12-21 00:11:04 +01:00
frack113 646351808e Refactor (#3794)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-18 21:00:14 +01:00
Florian Roth 643a06766e fix: FP with NVIDIA driver installation 2022-12-14 13:21:54 +01:00
frack113 dfdaecc52c Order yaml field 2022-10-25 12:00:56 +02:00
Florian Roth f84cdd3b74 fix: filter definition 2022-09-29 14:07:38 +02:00
Florian Roth 5b5c261c98 Merge branch 'master' into aurora-false-positive-fixing 2022-09-29 13:41:25 +02:00
Florian Roth c31fe50f4d fix: FPs noticed in THOR testing 2022-09-29 13:41:20 +02:00
nasreddine.bencherchali@nextron-systems.com d262ea2df8 New rules 2022-09-28 09:51:13 +02:00
nasreddine.bencherchali@nextron-systems.com 43d12249a0 Renamed create remote thread rules 2022-09-27 12:13:16 +02:00
phantinuss 5367e74eef fix: FP found in testing environment 2022-08-29 16:58:12 +02:00
Florian Roth 33cd3e9fd9 Merge branch 'master' into rule-devel 2022-08-26 22:49:54 +02:00
Florian Roth 3c363f6bf4 refactor: sliver service rule, fix: FP 2022-08-26 18:09:11 +02:00
Florian Roth bb1d30b79d refactor: renamed rule 2022-08-26 17:48:14 +02:00
Florian Roth c374703ff5 rules: more sliver rules 2022-08-26 17:48:02 +02:00
phantinuss e80116e704 fix: FPs found in testing environment 2022-08-26 17:29:49 +02:00
Florian Roth 31faadf5ce Merge pull request #3391 from SigmaHQ/rule-devel
Rule updates
2022-08-17 16:11:40 +02:00
Florian Roth f154f7a091 Merge branch 'master' into aurora-false-positive-fixing 2022-08-17 09:20:22 +02:00
Florian Roth 068d312cfd Update create_remote_thread_win_susp_targets.yml 2022-08-17 09:19:15 +02:00
Florian Roth eeeae44db5 Merge branch 'master' into rule-devel 2022-08-17 09:14:47 +02:00
Florian Roth 96276dc36e Rule Updates / New Rules 2022-08-17 09:14:13 +02:00
Nasreddine Bencherchali d7bc975c71 Update meta 2022-08-12 13:42:52 +01:00
Florian Roth 3870fd81a1 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-07-31 13:23:11 +02:00
Florian Roth 9795bf6f57 fix: FPs with git.exe 2022-07-31 13:22:39 +02:00
Florian Roth 9ca043863e fix: FPs noticed with Aurora 2022-07-28 16:58:24 +02:00
Florian Roth 3286d16f3a Merge branch 'master' into aurora-false-positive-fixing 2022-07-20 13:03:56 +02:00
Florian Roth 634722c786 fix: FPs noticed with Aurora 2022-07-20 13:02:49 +02:00
Nasreddine Bencherchali 16b2945027 New Rules + Update 2022-07-14 17:35:50 +01:00
Nasreddine Bencherchali 8b9307de30 Update selections 2022-07-07 20:55:19 +01:00
Nasreddine Bencherchali aec95b6d65 Update selections and indentation 2022-07-07 20:13:45 +01:00
Florian Roth 3754075ae6 fix: FP with git.exe 2022-06-30 18:25:31 +02:00
Florian Roth fd7b8d1c4f fix: FPs 2022-06-29 13:20:57 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Nasreddine Bencherchali 97856b562a Add "\" to "Image|endswith" modifier
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default Windows binaries to avoid changing the logic of other rules.
2022-06-02 13:39:07 +01:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
Florian Roth 69afab9b9a Update create_remote_thread_win_ttdinjec.yml 2022-05-16 16:52:27 +02:00
frack113 c240824bd0 ttdinject lolbin 2022-05-16 09:10:28 +02:00
Timon Hackenjos 649d2b2a22 rule: KeePass password dumping 2022-04-23 18:25:11 +02:00
phantinuss f5ca5c0579 fix: FPs from fresh Windows 2022 install 2022-04-07 14:15:44 +02:00
phantinuss 9376859b06 fix: remove duplicate list entry 2022-04-06 17:14:34 +02:00
phantinuss 4780447102 fix: FPs from fresh Win7 install 2022-04-06 17:07:00 +02:00
phantinuss 7cbfc7f16a fix: remove . from title 2022-04-06 17:04:10 +02:00
frack113 becf3baeb4 Merge pull request #2813 from phantinuss/master
Changes to falsepositives metadata
2022-03-17 14:31:27 +01:00