Commit Graph

9477 Commits

Author SHA1 Message Date
Feathers 9f2ab4e047 Update net_connection_win_dead_drop_resolvers.yml
added a few more apps which are triggering false positives, and comments to identify the process with the application
2022-08-17 18:43:47 +02:00
Feathers 41c3ea16b1 Update net_connection_win_dead_drop_resolvers.yml
corrected the MITRE tags
2022-08-17 18:14:43 +02:00
Feathers 60ac757cf2 Create net_connection_win_dead_drop_resolvers.yml
This detection is an attempt to spot dead drop resolvers for those who don't have packet inspection. Most often, dead drop resolvers are initiated from the malware itself, which makes them easy to detect, since users most often access social media websites from internet browsers.
2022-08-17 16:09:11 +02:00
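The detection idea stated in that commit message, as an added example that is not the Sigma project's own rule or code: connections to dead-drop hosts are alerted on only when the initiating process is neither a browser nor a known false-positive application. The host list, browser image names and the allowlisted apps (slack.exe, teams.exe, discord.exe) are assumptions chosen for illustration, not the contents of net_connection_win_dead_drop_resolvers.yml, and the Sysmon Event ID 3 records are constructed.

```python
"""Added example (not the Sigma project's own rule code): the dead drop
resolver detection idea, run over constructed Sysmon Event ID 3 records.
Host list, browser list and allowlisted apps are illustrative assumptions."""
from dataclasses import dataclass

# Assumed hosts that malware commonly uses as dead drop resolvers.
DEAD_DROP_HOSTS = ("twitter.com", "facebook.com", "reddit.com", "pastebin.com")

# Assumed browser image names: users reach the hosts above through these,
# so connections from them are filtered out.
BROWSER_IMAGES = ("\\chrome.exe", "\\firefox.exe", "\\msedge.exe", "\\iexplore.exe", "\\brave.exe")

# Hypothetical non-browser apps that legitimately talk to those hosts; this is
# the kind of false-positive allowlist the commit above extends.
ALLOWLISTED_IMAGES = ("\\slack.exe", "\\teams.exe", "\\discord.exe")


@dataclass(frozen=True)
class NetConn:
    image: str
    dest_host: str
    dest_port: int


def parse_sysmon_line(line: str) -> NetConn:
    """Parse a constructed 'Key: value|Key: value' flattening of a Sysmon EID 3 event."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    return NetConn(
        image=fields["Image"],
        dest_host=fields["DestinationHostname"],
        dest_port=int(fields["DestinationPort"]),
    )


def is_dead_drop_candidate(ev: NetConn) -> bool:
    """True when a process that is neither a browser nor allowlisted connects to a
    dead-drop host. Matching is case-insensitive, as Sigma string matching is."""
    host = ev.dest_host.lower()
    image = ev.image.lower()
    if not any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS):
        return False          # not a host used as a resolver
    if any(image.endswith(b) for b in BROWSER_IMAGES):
        return False          # browsers are expected to reach social media
    if any(image.endswith(a) for a in ALLOWLISTED_IMAGES):
        return False          # known false positives
    return True


def detect(lines):
    """Return the parsed events that should raise an alert."""
    events = [parse_sysmon_line(line) for line in lines]
    return [ev for ev in events if is_dead_drop_candidate(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|DestinationHostname: twitter.com|DestinationPort: 443",
    "Image: C:\\Users\\Public\\svchost.exe|DestinationHostname: api.twitter.com|DestinationPort: 443",
    "Image: C:\\Users\\alice\\AppData\\Local\\slack\\slack.exe|DestinationHostname: www.reddit.com|DestinationPort: 443",
    "Image: C:\\Windows\\System32\\rundll32.exe|DestinationHostname: pastebin.com|DestinationPort: 443",
    "Image: C:\\Windows\\System32\\svchost.exe|DestinationHostname: update.microsoft.com|DestinationPort: 443",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"ALERT {hit.image} -> {hit.dest_host}:{hit.dest_port}")
```

Only the svchost.exe copy running from C:\Users\Public and the rundll32.exe connection fire; the browser and the allowlisted chat client are filtered, which is why every allowlist entry should carry a comment naming the application it stands for.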
Florian Roth fbc7519b94 Merge pull request #3385 from nasbench/nasbench-rule-devel
Update Sysmon Config
2022-08-17 09:29:54 +02:00
Florian Roth f154f7a091 Merge branch 'master' into aurora-false-positive-fixing 2022-08-17 09:20:22 +02:00
Florian Roth 068d312cfd Update create_remote_thread_win_susp_targets.yml 2022-08-17 09:19:15 +02:00
Florian Roth 9e730d0a62 Merge pull request #3383 from phantinuss/master
fix: FP in testing from localhost to localhost from BITS service
2022-08-17 08:52:37 +02:00
frack113 b02b964956 Merge pull request #3386 from redsand/fp_spelling_mistake
Fixes spelling mistake of success (missing a c)
2022-08-16 21:37:33 +02:00
Tim Shelton cfd3e17bc7 Fixes spelling mistake of success (missing a c) 2022-08-16 19:27:06 +00:00
frack113 1fde506c8b Merge pull request #3381 from Tomasuh/proxy-dev
proxy_ua_bitsadmin_susp_tld.yml fp filter
2022-08-16 20:48:58 +02:00
frack113 07004f0252 Merge pull request #3380 from redsand/fp_landesk_adsi_cache_usage
Filter out FP for LANDesk app
2022-08-16 20:48:05 +02:00
Nasreddine Bencherchali d5133bcdd7 Update Sysmon 2022-08-16 19:47:44 +01:00
phantinuss 48f8f788e8 fix: FP in testing from localhost to localhost from BITS service 2022-08-16 17:02:49 +02:00
phantinuss bc2188c72b Merge pull request #3375 from nasbench/nasbench-rule-devel
Rule Dev [New Rules+Updates]
2022-08-16 16:46:27 +02:00
Tomasuh 2964506834 proxy_ua_bitsadmin_susp_tld.yml fp filter 2022-08-16 16:14:08 +02:00
Tim Shelton b6c5967443 Filter out FP for LANDesk app 2022-08-16 13:45:20 +00:00
Florian Roth 588e863bc2 Merge pull request #3366 from Tomasuh/master
Escape wildcard character ? repetitively unescaped in proxy rules
2022-08-16 14:06:33 +02:00
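Why an unescaped `?` in a proxy URL value is a bug, as an added example that is not part of the Sigma project or of PR #3366 (it also applies to the "Fix ? char" and "Update backslash" commits further down): in Sigma values `*` matches any run of characters and `?` exactly one, so `/gate.php?id=` also matches `/gate.phpXid=`, while `/gate.php\?id=` matches only the literal query string. The translation below follows the Sigma escaping convention as I read it (`\*`, `\?` and `\\` are literal; a backslash before any other character stays a plain backslash) and is my own code, not pySigma's; the URLs are constructed.

```python
"""Added example (not the Sigma project's own tooling): Sigma wildcard semantics
for '?' and the backslash escapes, applied to constructed proxy URL values."""
import re

FLAGS = re.IGNORECASE | re.DOTALL


def sigma_to_regex(value: str) -> str:
    """Translate one Sigma string value into a regex body (no anchors).
    Assumed convention: '*' any run, '?' one char, '\\*' '\\?' '\\\\' literal,
    backslash before any other character is a plain backslash."""
    out = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            out.append(re.escape(value[i + 1]))   # escaped wildcard or backslash: literal
            i += 2
        elif c == "*":
            out.append(".*")                      # any run of characters
            i += 1
        elif c == "?":
            out.append(".")                       # exactly one character
            i += 1
        else:
            out.append(re.escape(c))              # plain character, or lone backslash
            i += 1
    return "".join(out)


def sigma_equals(value: str, text: str) -> bool:
    """Plain Sigma value match: the whole field must match."""
    return re.fullmatch(sigma_to_regex(value), text, FLAGS) is not None


def sigma_contains(value: str, text: str) -> bool:
    """Sigma '|contains' modifier: the value may occur anywhere in the field."""
    return re.search(sigma_to_regex(value), text, FLAGS) is not None


# Constructed proxy log values (not from any real rule or telemetry).
URL_REAL = "http://c2.example/gate.php?id=1234"
URL_LOOKALIKE = "http://c2.example/gate.phpXid=1234"

UNESCAPED = "/gate.php?id="     # '?' is a single-character wildcard here
ESCAPED = "/gate.php\\?id="     # '\?' is the literal question mark


def compare():
    """Return which sample URLs each form of the value matches."""
    return {
        "unescaped": [u for u in (URL_REAL, URL_LOOKALIKE) if sigma_contains(UNESCAPED, u)],
        "escaped": [u for u in (URL_REAL, URL_LOOKALIKE) if sigma_contains(ESCAPED, u)],
    }


if __name__ == "__main__":
    print(compare())
```

The backslash rule has the same trap in the other direction: `C:\Windows\*` reads as a literal `*` after `C:\Windows`, so a path prefix followed by a wildcard has to be written `C:\Windows\\*`.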
Ben4FH bebeedb623 Update EID 5156 field names
Update to keep field names consistent for all rules using EID 5156
2022-08-15 18:28:15 +01:00
frack113 80632dc4d0 Update proxy_ios_implant.yml 2022-08-15 17:33:39 +02:00
frack113 91dbc5e721 Update proxy_ursnif_malware_download_url.yml 2022-08-15 17:33:17 +02:00
frack113 9d914ac240 Update proxy_cobalt_onedrive.yml 2022-08-15 17:33:00 +02:00
frack113 2ea7fc0c51 Update proxy_turla_comrat.yml 2022-08-15 17:32:34 +02:00
frack113 f50de1d4e1 Update proxy_chafer_malware.yml 2022-08-15 17:32:20 +02:00
frack113 29901228fd Update proxy_baby_shark.yml 2022-08-15 17:32:07 +02:00
Nasreddine Bencherchali a0f8e508b5 Update image_load_side_load_from_non_system_location.yml 2022-08-15 12:49:46 +01:00
Nasreddine Bencherchali 306fc8aba0 Fix typo 2022-08-15 12:46:59 +01:00
Nasreddine Bencherchali 6407089a40 Change service to diagnosis scripted 2022-08-15 12:45:12 +01:00
frack113 eded7e479d Merge pull request #3374 from frack113/netsh
Netsh Delete
2022-08-15 11:53:27 +02:00
Florian Roth 3bce90d9e8 Merge pull request #3373 from frack113/backslash
Update backslash
2022-08-15 11:39:44 +02:00
Florian Roth 643f77aaff Update proc_creation_win_netsh_fw_delete.yml 2022-08-15 11:38:50 +02:00
Nasreddine Bencherchali 44d8f5bc9a Update win_esent_ntdsutil_abuse.yml 2022-08-15 00:51:19 +01:00
Nasreddine Bencherchali 1bb24879fe Update image_load_side_load_from_non_system_location.yml 2022-08-15 00:42:46 +01:00
Nasreddine Bencherchali 2879329818 Update image_load_side_load_from_non_system_location.yml 2022-08-15 00:34:58 +01:00
Nasreddine Bencherchali 11b4b46258 Update win_shell_core_susp_packages_installed.yml 2022-08-15 00:32:18 +01:00
Nasreddine Bencherchali e092872e87 Update proc_creation_win_susp_mshtml_runhtmlapplication.yml 2022-08-15 00:26:15 +01:00
Nasreddine Bencherchali 8869bc6cff New rules 2022-08-15 00:22:16 +01:00
Nasreddine Bencherchali 6798d69d00 Update 2022-08-15 00:22:08 +01:00
frack113 bd3502148f Filter dropbax 2022-08-14 20:22:25 +02:00
frack113 db137c4855 Add proc_creation_win_netsh_fw_delete 2022-08-14 19:16:58 +02:00
frack113 6749532ae5 Update ref 2022-08-13 13:31:52 +02:00
frack113 0f760a6822 Fix ? char 2022-08-13 13:02:33 +02:00
frack113 c8ab532955 Search ? char 2022-08-13 12:11:32 +02:00
frack113 fecd7e2fbd Update backslash 2022-08-13 11:56:57 +02:00
frack113 823cf26633 Merge pull request #3356 from Zandmann/patch-3
Create BPF_Door_port_redirect.yml
2022-08-13 10:34:38 +02:00
frack113 8952aaf4e3 Merge pull request #3355 from Zandmann/patch-2
Create BPFDoor_abnormal_process_id_or_lock_file_accessed.yml
2022-08-13 10:34:23 +02:00
frack113 3426dfb6e9 Update backslash 2022-08-13 09:59:31 +02:00
frack113 bd7f0fdf5d Merge pull request #3369 from frack113/temas
Cyble blog
2022-08-13 08:00:47 +02:00
frack113 7bebb9929b Merge pull request #3370 from redsand/fp_missing_contains_all
False positive fix, needs to match ALL of selectioN_delete, not 1 of …
2022-08-13 07:47:34 +02:00
frack113 15f94c4685 Merge pull request #3368 from nasbench/nasbench-rule-devel
New Rules + Update (Rule Dev)
2022-08-13 07:47:13 +02:00
frack113 7a1b32b0a4 Merge pull request #3365 from frack113/timestomping
Timestomping file_change rule
2022-08-13 07:38:06 +02:00