Commit Graph

87 Commits

Author SHA1 Message Date
Nasreddine Bencherchali ea183cae13 Updates+New Rules 2022-08-31 09:39:16 +02:00
Wagga f73e1c9b36 Update win_system_application_sysmon_crash.yml 2022-08-29 07:37:40 +02:00
Wagga 560bd7848e Update win_service_install_pdqdeploy_runner.yml 2022-08-29 07:31:18 +02:00
Florian Roth 33cd3e9fd9 Merge branch 'master' into rule-devel 2022-08-26 22:49:54 +02:00
Florian Roth 7c486fcf83 refactor: removed unfitting tags 2022-08-26 20:53:54 +02:00
Florian Roth dcec3280fc merge: Nasreddine's Sliver rules 2022-08-26 20:51:39 +02:00
Florian Roth d74558c31d fix: uuid 2022-08-26 20:46:23 +02:00
Florian Roth c374703ff5 rules: more sliver rules 2022-08-26 17:48:02 +02:00
Nasreddine Bencherchali afff53b812 Add '/k' option to CMD rules 2022-08-24 12:48:23 +01:00
frack113 1cb8e91487 Update win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml 2022-08-18 18:17:30 +02:00
sorchaa 12f3307747 Update win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
test_rules.py passed
2022-08-18 09:17:05 +02:00
sorchaa 95eeb3cebd Update win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml 2022-08-18 08:55:23 +02:00
sorchaa 4a9da4907a Update win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml 2022-08-17 11:11:37 +02:00
sorchaa 1bc4e9f430 Create win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml 2022-08-16 17:49:53 +02:00
Nasreddine Bencherchali cf2a817801 New Rules 2022-08-12 13:44:16 +01:00
Nasreddine Bencherchali 8d615c9d78 Update rules 2022-08-01 16:02:07 +01:00
Nasreddine Bencherchali 075906dbc2 PDQDeploy Rules 2022-07-22 23:52:34 +01:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Florian Roth e366cc15b5 rule: new services with two ampersands 2022-07-05 16:02:06 +02:00
Florian Roth b40a3e2aba refactor: reduced mshta service rule 2022-07-05 16:01:46 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
Florian Roth bea6f18d35 Merge pull request #3024 from redsand/win_system_susp_eventlog_cleared
Making a derived detection for system/application/security event logs…
2022-05-20 20:56:00 +02:00
Tim Shelton 600a7cd0e8 Re-adding accidentally removed entry 2022-05-19 17:16:39 +00:00
Tim Shelton 60e6a147b4 merging remote change 2022-05-19 16:11:58 +00:00
Tim Shelton 3f6cabcae8 Updating to include match on Channel 2022-05-19 16:08:34 +00:00
Florian Roth 28e0e157fe Update win_system_susp_eventlog_cleared.yml 2022-05-17 21:32:00 +02:00
Tim Shelton 60a38a95ef removing duplicate keywords entry 2022-05-17 18:54:01 +00:00
Tim Shelton b5b7adcb9c Making a derived detection for system/application/security event logs being cleared, vs. any in general. FP due to custom applications clearing their event log. 2022-05-17 18:49:54 +00:00
Tim Shelton 4bafd1317b User meant to use service vs. category. Currently no category assignment for "system". We need a unit test to detect new sections here, vs. backends. This was untested in the field. 2022-05-16 22:18:35 +00:00
Florian Roth ee3aba2541 Merge pull request #3005 from BlackB0lt/patch-27
Create win_security_krbrelayup_service_installation.yml
2022-05-12 13:01:44 +02:00
Florian Roth fe312319d3 Update win_security_krbrelayup_service_installation.yml 2022-05-12 13:01:24 +02:00
Sittikorn S 800669d90c Update win_security_krbrelayup_service_installation.yml 2022-05-11 18:59:37 +07:00
Sittikorn S df8c6c118f Create win_security_krbrelayup_service_installation.yml
Detects service creation from KrbRelayUp tool
2022-05-11 18:59:14 +07:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries in the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Florian Roth 17a1a035c5 doc: change titles to avoid duplicates 2022-05-04 11:30:30 +02:00
Florian Roth 5a619f5bab Merge pull request #2977 from phantinuss/master
fix: FPs in prod environment
2022-05-02 16:51:38 +02:00
phantinuss 97de80a9e1 fix: FPs in prod environment 2022-05-02 16:44:15 +02:00
Florian Roth b19c3e154c fix: FPs with new NTLMv1 rule 2022-05-02 16:32:18 +02:00
Florian Roth 1254fbd8d0 Merge pull request #2948 from redsand/sysmon_crash
Sysmon crash
2022-04-27 10:44:49 +02:00
Florian Roth f5c39d5cd2 Update win_lsasrv_ntlmv1.yml 2022-04-27 09:40:56 +02:00
Florian Roth 3c21c8ab00 Update win_system_application_sysmon_crash.yml 2022-04-27 09:39:56 +02:00
Tim Shelton 613d49bd56 Detect sysmon crash 2022-04-26 19:27:47 +00:00
Tim Shelton 12ac0f7de1 updating level 2022-04-26 18:41:58 +00:00
Tim Shelton 62b0b2fcf7 Detect the presence of NTLMv1 in use on boot or first time 2022-04-26 18:38:57 +00:00
Florian Roth 1724c6378c Merge pull request #2945 from SigmaHQ/rule-devel
Refactoring and KrbRelayUp rule
2022-04-26 16:55:30 +02:00
Florian Roth cd069c2cbe Merge branch 'master' into rule-devel 2022-04-26 15:34:33 +02:00
Florian Roth f0253eb67d some fixes and refactoring 2022-04-26 15:32:56 +02:00
Hendrik Baecker d0bc498d9b String 2 Int for EventIDs 2022-04-26 15:12:42 +02:00
frack113 468e51af3b Add a ref 2022-04-23 10:05:27 +02:00
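The event-log-cleared thread above (commits b5b7adcb9c, 3f6cabcae8 and bea6f18d35) describes narrowing a broad "any log cleared" rule to a derived rule that only fires when the cleared log is System, Application or Security, because custom applications clearing their own event log were producing false positives; commit d0bc498d9b separately notes that EventIDs must be compared as integers, not strings. The following is an added Python example, not code from the SigmaHQ repository and not the content of win_system_susp_eventlog_cleared.yml. It assumes (not stated on the page) that Windows writes a System-log record with EventID 104 whenever a log is cleared and that the record names the cleared log in a Channel field; the field layout and the sample records are constructed for the example.

```python
"""Added example: generic vs. derived 'event log cleared' detection.

Not SigmaHQ code. Assumptions (not from the page): a log clear produces a
System-log record with EventID 104 whose Channel field names the cleared
log; a flattened field layout with LogName = the log the record lives in.
"""
from typing import Callable, Iterable, List, Optional

# Cleared logs the derived rule alerts on (per commit b5b7adcb9c).
WATCHED_CHANNELS = {"System", "Application", "Security"}
EVENTLOG_CLEARED_ID = 104  # assumed: System-log event emitted on any log clear


def event_id(event: dict) -> Optional[int]:
    """Normalise EventID to int (commit d0bc498d9b: IDs arrive as "104" or 104)."""
    try:
        return int(event.get("EventID"))
    except (TypeError, ValueError):
        return None


def generic_rule(event: dict) -> bool:
    """Original, broad form: any 104 in the System log, whatever was cleared."""
    return event.get("LogName") == "System" and event_id(event) == EVENTLOG_CLEARED_ID


def derived_rule(event: dict) -> bool:
    """Derived form: additionally require the cleared log (Channel) to be watched."""
    return generic_rule(event) and event.get("Channel") in WATCHED_CHANNELS


def run(events: Iterable[dict], rule: Callable[[dict], bool]) -> List[str]:
    """Return the Channel of every event the given rule matches, in input order."""
    return [e.get("Channel", "?") for e in events if rule(e)]


# Constructed sample records, not captured logs.
SAMPLE_EVENTS = [
    {"LogName": "System", "EventID": "104", "Channel": "Security"},           # Security log wiped
    {"LogName": "System", "EventID": 104, "Channel": "Application"},          # Application log wiped
    {"LogName": "System", "EventID": 104, "Channel": "ContosoBackupAgent"},   # app clears its own log (FP)
    {"LogName": "System", "EventID": 7036, "Channel": "System"},              # service state change, not a clear
    {"LogName": "Application", "EventID": 104, "Channel": "Security"},        # wrong log for a clear event
]

if __name__ == "__main__":
    print("generic:", run(SAMPLE_EVENTS, generic_rule))   # includes the vendor-app FP
    print("derived:", run(SAMPLE_EVENTS, derived_rule))   # Security and Application only
```

The string "104" in the first record is the case commit d0bc498d9b addresses: without the int normalisation a comparison against the integer 104 silently misses the real Security-log clear while still matching the records that happen to carry an int.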