security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,659 Commits 1 Branch 57 Tags
9b47c868bcdd42dca8a3935ca9517d3fa3ece90f
Commit Graph

8901 Commits

Author SHA1 Message Date
Florian Roth 9b47c868bc fix: list and add base64 encoded Mozilla keyword 2022-07-08 10:50:52 +02:00
Florian Roth 6fc782958a rule: Proxy UA Base64 value 2022-07-08 10:40:35 +02:00
Florian Roth e366cc15b5 rule: new services with two ampersands 2022-07-05 16:02:06 +02:00
Florian Roth 280d416e16 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-07-05 16:01:49 +02:00
Florian Roth b40a3e2aba refactor: reduced mshta service rule 2022-07-05 16:01:46 +02:00
Nasreddine Bencherchali 22a17fbf64 Merge branch 'SigmaHQ:master' into master 2022-07-04 18:47:53 +01:00
Florian Roth dc16208fe3 Merge branch 'master' into rule-devel 2022-07-04 19:07:35 +02:00
Florian Roth 1694101893 fix: indentation 2022-07-04 17:09:53 +02:00
Florian Roth 86c3062b34 refactor: curl changes 2022-07-04 17:08:23 +02:00
Nasreddine Bencherchali 485bbd52a9 Update proc_creation_win_system_exe_anomaly.yml 2022-07-04 14:31:54 +01:00
Nasreddine Bencherchali 145ec908ca Update file_event_win_uac_bypass_idiagnostic_profile.yml 2022-07-04 14:03:26 +01:00
Florian Roth 6238c6fd2c refactor: curl refactoring 2022-07-04 14:50:44 +02:00
Nasreddine Bencherchali f2cc5c8ce7 Add more processes 2022-07-04 13:38:18 +01:00
Nasreddine Bencherchali 8afa3ed1b6 Renamed + Update 2022-07-04 13:38:08 +01:00
frack113 c43b958ac1 Merge pull request #3168 from mepples21/miepping-dev 
Added device registration w/o MFA sigma rule
 2022-07-04 13:29:58 +02:00
frack113 fa4af14545 Merge pull request #3174 from mepples21/miepping-dev6 
Create azure_ad_users_added_to_device_admin_roles.yml
 2022-07-04 13:28:57 +02:00
Florian Roth 5b2c38d05b refactor: curl rules refactored 2022-07-04 13:24:56 +02:00
Florian Roth de15afbbf7 refactor: improved old rule 2022-07-04 13:20:40 +02:00
Florian Roth 2781e2e5c7 rule: Disabled Windows Defender Eventlog 2022-07-04 13:20:20 +02:00
Florian Roth 6fb1a22e77 regsvr rule extended 2022-07-04 12:39:31 +02:00
Nasreddine Bencherchali 75117927f0 Fix field name 2022-07-03 20:24:10 +01:00
Nasreddine Bencherchali 6eaafa7b92 Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 20:16:43 +01:00
Nasreddine Bencherchali 30baccb49c Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:54:11 +01:00
Nasreddine Bencherchali ab4242b8f5 Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:47:11 +01:00
Nasreddine Bencherchali 78f039311a Fix error 2022-07-03 19:45:18 +01:00
Nasreddine Bencherchali 5770b3190c Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:43:24 +01:00
Nasreddine Bencherchali f9d6f468c3 Update 2022-07-03 19:43:03 +01:00
Nasreddine Bencherchali da370f8ce3 Update proc_creation_win_cmstp_com_object_access.yml 2022-07-03 19:26:47 +01:00
Florian Roth c4021267ec Merge pull request #3193 from SigmaHQ/rule-devel 
Multiple changes, new rule, some docs
 2022-07-03 16:30:36 +02:00
Florian Roth 881890177b rule: suspicious network connections no cmdline 2022-07-03 15:58:54 +02:00
Florian Roth a75a8ce526 docs: add reference 2022-07-03 15:58:44 +02:00
Florian Roth b4751520c5 refactor: more domains 2022-07-03 15:58:36 +02:00
Nasreddine Bencherchali 8b876bb737 Update proc_creation_win_lolbin_presentationhost.yml 2022-07-01 20:18:15 +01:00
frack113 f5668cd223 fix id 2022-07-01 21:04:56 +02:00
Nasreddine Bencherchali 5c17ff1d0c Update proc_creation_win_lolbin_presentationhost.yml 2022-07-01 16:59:48 +01:00
Nasreddine Bencherchali c95df56222 New Rules 2022-07-01 16:56:45 +01:00
frack113 8109af3ea3 Merge pull request #3170 from mepples21/miepping-dev3 
Create azure_ad_device_registration_policy_changes.yml
 2022-07-01 15:49:02 +02:00
frack113 2f19daed62 Merge pull request #3163 from d4rk-d4nph3/master 
Rule for HandleKatz
 2022-07-01 14:29:45 +02:00
frack113 d12293d3c1 Update azure_ad_device_registration_or_join_without_mfa.yml 2022-07-01 14:25:20 +02:00
frack113 d4c9e5640f Update azure_ad_sign_ins_from_noncompliant_devices.yml 2022-07-01 14:24:38 +02:00
frack113 fa1eb1669c Update azure_ad_users_added_to_device_admin_roles.yml 2022-07-01 14:18:26 +02:00
frack113 a2c10bcade Update azure_ad_device_registration_policy_changes.yml 2022-07-01 14:17:21 +02:00
Florian Roth f29c01e1d9 fix: wrong field selection 2022-07-01 12:29:23 +02:00
phantinuss 15cd71403a fix: FP found in testing 2022-07-01 11:11:08 +02:00
Florian Roth 21ab44acbf Merge pull request #3188 from redsand/fp_powershell_long_entries_not_high_indicator_cite_devops_behavior 
Reducing level due to it being a minor indicator and not strong enoug…
 2022-07-01 08:25:07 +02:00
Tim Shelton 98227206e0 Reducing level due to it being a minor indicator and not strong enough to warrant an investigation on its own. 2022-07-01 01:43:42 +00:00
Florian Roth e1fc02e7d2 Merge pull request #3186 from redsand/fp_scm_db_mgmt_by_services.exe 
False positive filtering out of behavior by services.exe which is exp…
 2022-06-30 23:29:07 +02:00
Florian Roth 952d244a19 Merge pull request #3187 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-06-30 22:15:23 +02:00
Florian Roth d059d34fab fix: wrong field selection 
don't use PE header field, but the source image
 2022-06-30 21:33:23 +02:00
Florian Roth 3754075ae6 fix: FP with git.exe 2022-06-30 18:25:31 +02:00