Florian Roth
e07b2f115b
Merge pull request #3173 from nasbench/master
Update + New Rules
2022-06-29 17:22:02 +02:00
Nasreddine Bencherchali
80346a82b6
Changes From Meeting
2022-06-29 15:25:50 +01:00
Nasreddine Bencherchali
c99a48437d
Update proc_creation_win_susp_regsvr32_no_dll.yml
2022-06-29 12:52:04 +01:00
Florian Roth
3607cf878c
fix: FP with explorer.exe
2022-06-29 13:22:35 +02:00
Nasreddine Bencherchali
08981a4a41
Add more options to "where" command
2022-06-29 12:22:00 +01:00
Nasreddine Bencherchali
13488e0ad6
Update proc_creation_win_attrib_system_susp_paths.yml
2022-06-29 12:19:33 +01:00
Nasreddine Bencherchali
9d511b75f8
Update proc_creation_win_susp_regsvr32_no_dll.yml
2022-06-29 12:17:59 +01:00
frack113
afc3625791
Merge pull request #3161 from alexmcdonald1124/msra-injection
Msra.exe process injection rule
2022-06-29 06:30:00 +02:00
Nasreddine Bencherchali
a39f140255
Update proc_creation_win_change_default_file_assoc_susp.yml
2022-06-28 22:48:46 +01:00
Nasreddine Bencherchali
3818c77b03
Fix Error
2022-06-28 22:40:42 +01:00
Nasreddine Bencherchali
467b120259
Update proc_creation_win_susp_dllhost_no_cli.yml
2022-06-28 22:32:54 +01:00
Nasreddine Bencherchali
3756925dcd
Update ETW Rule
2022-06-28 22:22:23 +01:00
Nasreddine Bencherchali
f57b35e992
New Rules
2022-06-28 22:22:12 +01:00
Nasreddine Bencherchali
875233ca43
Update rules syntax
2022-06-28 22:21:46 +01:00
Nasreddine Bencherchali
fb46b97f46
Rename + Delete Duplicate Rule
2022-06-28 22:18:02 +01:00
Florian Roth
2da48f5052
Merge pull request #3167 from SigmaHQ/rule-devel
Rules: Bitsadmin coverage and minor improvements
2022-06-28 17:25:03 +02:00
Florian Roth
991ff677c3
rule: bitsadmin coverage
2022-06-28 15:34:19 +02:00
Florian Roth
6f26e26846
rules: bitsadmin coverage
2022-06-28 15:16:52 +02:00
Florian Roth
f54f660efb
Merge pull request #3164 from pH-T/master
rule cleanup and new rules
2022-06-27 23:58:05 +02:00
Paul Hager
d7f983340b
rule cleanup and new rules
2022-06-27 16:35:22 +02:00
phantinuss
ab5d2ed711
fix: FPs in testing environment
2022-06-27 08:47:27 +02:00
Florian Roth
1b08ee7916
Update proc_creation_win_msra_process_injection.yml
2022-06-25 08:47:36 +02:00
Alexander McDonald
e740cbcaa3
Including id number per the error reported in testing
2022-06-24 16:55:10 -04:00
Alexander McDonald
fd1be59f55
New experimental rule designed to find process injection
2022-06-24 16:44:40 -04:00
Florian Roth
d78818e27d
Merge pull request #3157 from d4rk-d4nph3/master
To account for SyncAppvPublishingServer bypass
2022-06-22 21:28:38 +02:00
Florian Roth
cdfd908627
Merge branch 'master' into rule-devel
2022-06-22 21:16:29 +02:00
Florian Roth
940e4149f7
fix: wrong rule title
2022-06-22 21:15:00 +02:00
Bhabesh
7afe938d49
Fixed the missing all modifier
2022-06-22 15:14:39 +05:45
Bhabesh
d9836d9fe4
Fixed my rule bug
2022-06-22 15:13:51 +05:45
Bhabesh
f55e3451cf
Removed bypass for SyncAppvPublishingServer
2022-06-22 15:12:17 +05:45
Florian Roth
a601ce4098
Merge pull request #3145 from frack113/chromeloader
Add proc_creation_win_chrome_load_extension
2022-06-22 10:26:07 +02:00
Florian Roth
fedc465b00
Merge pull request #3155 from SigmaHQ/rule-devel
Linux - suspicious command lines
2022-06-22 10:25:42 +02:00
Bhabesh
023306e09f
Added alternative cmd format
2022-06-22 10:16:39 +05:45
Nasreddine Bencherchali
efbfc7fe67
New Rule ( https://twitter.com/nas_bench/status/1537919885031772161 )
2022-06-21 19:13:53 +01:00
Nasreddine Bencherchali
e25ad42b5b
Reverted Rule + New Rule
2022-06-21 19:03:47 +01:00
Nasreddine Bencherchali
0c2f1bfce5
Fix review comments
2022-06-21 17:22:39 +01:00
Florian Roth
c2c25acbb6
docs: rules adjusted
2022-06-21 17:21:55 +02:00
Nasreddine Bencherchali
f12f6e3646
Update ID's
2022-06-21 15:46:00 +01:00
Florian Roth
7ecf771cb5
fix: rule that covers unrelated activity
2022-06-21 16:38:30 +02:00
Nasreddine Bencherchali
27e73278e7
Update proc_creation_win_lolbin_findstr.yml
2022-06-21 15:37:39 +01:00
Nasreddine Bencherchali
b2ce10ea2a
Update proc_creation_win_lolbin_findstr.yml
2022-06-21 15:36:21 +01:00
Florian Roth
9fdf396314
Update proc_creation_win_chrome_load_extension.yml
2022-06-21 16:30:38 +02:00
Nasreddine Bencherchali
e3bfb18f64
New Rules
2022-06-21 11:47:18 +01:00
Nasreddine Bencherchali
62a7d755cc
Update proc_creation_win_service_stop.yml
Refactored the rule and added originalfilename
2022-06-21 11:46:32 +01:00
Nasreddine Bencherchali
f2bc1be460
Update proc_creation_win_service_execution.yml
2022-06-21 11:46:06 +01:00
Nasreddine Bencherchali
40ccd91a94
Update proc_creation_win_msdt_diagcab.yml
In my testing I found that the ".diagcab" extension is not required. You can use .txt with the /cab flag and it'll spawn an msdt process.
Also I added the "-" (dash) version of the flag
2022-06-21 11:45:53 +01:00
Nasreddine Bencherchali
d2ef62a49d
Update proc_creation_win_enumeration_for_credentials_in_registry.yml
2022-06-21 11:45:01 +01:00
Nasreddine Bencherchali
4eb6b3509e
Update proc_creation_win_accesschk_usage_after_priv_escalation.yml
Changed the rule as the original was flagging on every usage of "accessChk" which was not the intended behaviour as described.
The modification takes into consideration usage of the tool as seen in the referenced presentation and adds some more.
2022-06-21 11:44:51 +01:00
Nasreddine Bencherchali
0a39827674
Renamed + Refactor "findstr" rule
2022-06-21 11:42:14 +01:00
phantinuss
9475153292
fix: FPs found in testing environment
2022-06-20 16:17:54 +02:00