security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,615 Commits 1 Branch 57 Tags
a036fcc2dde2c399c0d87c5401dc374b64c8a855
Commit Graph

3211 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 8b876bb737 Update proc_creation_win_lolbin_presentationhost.yml 2022-07-01 20:18:15 +01:00
Nasreddine Bencherchali 5c17ff1d0c Update proc_creation_win_lolbin_presentationhost.yml 2022-07-01 16:59:48 +01:00
Nasreddine Bencherchali c95df56222 New Rules 2022-07-01 16:56:45 +01:00
Florian Roth 21ab44acbf Merge pull request #3188 from redsand/fp_powershell_long_entries_not_high_indicator_cite_devops_behavior 
Reducing level due to it being a minor indicator and not strong enoug…
 2022-07-01 08:25:07 +02:00
Tim Shelton 98227206e0 Reducing level due to it being a minor indicator and not strong enough to warrant an investigation on its own. 2022-07-01 01:43:42 +00:00
Florian Roth cb33e5cc8a Merge pull request #3185 from frack113/fix_issue_2579 
fix issue 2579
 2022-06-30 18:17:51 +02:00
phantinuss 58dc1da663 fix: FPs found in testing environment 2022-06-30 16:40:05 +02:00
frack113 38761cbdb0 fix issue 2022-06-30 08:48:31 +02:00
Florian Roth e07b2f115b Merge pull request #3173 from nasbench/master 
Update + New Rules
 2022-06-29 17:22:02 +02:00
Nasreddine Bencherchali 80346a82b6 Changes From Meeting 2022-06-29 15:25:50 +01:00
Nasreddine Bencherchali c99a48437d Update proc_creation_win_susp_regsvr32_no_dll.yml 2022-06-29 12:52:04 +01:00
Florian Roth 3607cf878c fix: FP with explorer.exe 2022-06-29 13:22:35 +02:00
Nasreddine Bencherchali 08981a4a41 Add more options to "where" command 2022-06-29 12:22:00 +01:00
Nasreddine Bencherchali 13488e0ad6 Update proc_creation_win_attrib_system_susp_paths.yml 2022-06-29 12:19:33 +01:00
Nasreddine Bencherchali 9d511b75f8 Update proc_creation_win_susp_regsvr32_no_dll.yml 2022-06-29 12:17:59 +01:00
frack113 afc3625791 Merge pull request #3161 from alexmcdonald1124/msra-injection 
Msra.exe process injection rule
 2022-06-29 06:30:00 +02:00
Nasreddine Bencherchali a39f140255 Update proc_creation_win_change_default_file_assoc_susp.yml 2022-06-28 22:48:46 +01:00
Nasreddine Bencherchali 3818c77b03 Fix Error 2022-06-28 22:40:42 +01:00
Nasreddine Bencherchali 467b120259 Update proc_creation_win_susp_dllhost_no_cli.yml 2022-06-28 22:32:54 +01:00
Nasreddine Bencherchali 3756925dcd Update ETW Rule 2022-06-28 22:22:23 +01:00
Nasreddine Bencherchali f57b35e992 New Rules 2022-06-28 22:22:12 +01:00
Nasreddine Bencherchali 875233ca43 Update rules syntax 2022-06-28 22:21:46 +01:00
Nasreddine Bencherchali fb46b97f46 Rename + Delete Duplicate Rule 2022-06-28 22:18:02 +01:00
Florian Roth 2da48f5052 Merge pull request #3167 from SigmaHQ/rule-devel 
Rules: Bitsadmin coverage and minor improvements
 2022-06-28 17:25:03 +02:00
Florian Roth 991ff677c3 rule: bitsadmin coverage 2022-06-28 15:34:19 +02:00
Florian Roth 6f26e26846 rules: bitsadmin coverage 2022-06-28 15:16:52 +02:00
Florian Roth f54f660efb Merge pull request #3164 from pH-T/master 
rule cleanup and new rules
 2022-06-27 23:58:05 +02:00
Paul Hager d7f983340b rule cleanup and new rules 2022-06-27 16:35:22 +02:00
phantinuss ab5d2ed711 fix: FPs in testing environment 2022-06-27 08:47:27 +02:00
Florian Roth 1b08ee7916 Update proc_creation_win_msra_process_injection.yml 2022-06-25 08:47:36 +02:00
Alexander McDonald e740cbcaa3 Including id number per the error reported in testing 2022-06-24 16:55:10 -04:00
Alexander McDonald fd1be59f55 New experimental rule designed to find process injection 2022-06-24 16:44:40 -04:00
Florian Roth d78818e27d Merge pull request #3157 from d4rk-d4nph3/master 
To account for SyncAppvPublishingServer bypass
 2022-06-22 21:28:38 +02:00
Florian Roth cdfd908627 Merge branch 'master' into rule-devel 2022-06-22 21:16:29 +02:00
Florian Roth 940e4149f7 fix: wrong rule title 2022-06-22 21:15:00 +02:00
Bhabesh 7afe938d49 Fixed the missing all modifier 2022-06-22 15:14:39 +05:45
Bhabesh d9836d9fe4 Fixed my rule bug 2022-06-22 15:13:51 +05:45
Bhabesh f55e3451cf Removed bypass for SyncAppvPublishingServer 2022-06-22 15:12:17 +05:45
Florian Roth a601ce4098 Merge pull request #3145 from frack113/chromeloader 
Add proc_creation_win_chrome_load_extension
 2022-06-22 10:26:07 +02:00
Florian Roth fedc465b00 Merge pull request #3155 from SigmaHQ/rule-devel 
Linux - suspicious command lines
 2022-06-22 10:25:42 +02:00
Bhabesh 023306e09f Added alternative cmd format 2022-06-22 10:16:39 +05:45
Nasreddine Bencherchali efbfc7fe67 New Rule (https://twitter.com/nas_bench/status/1537919885031772161) 2022-06-21 19:13:53 +01:00
Nasreddine Bencherchali e25ad42b5b Reverted Rule + New Rule 2022-06-21 19:03:47 +01:00
Nasreddine Bencherchali 0c2f1bfce5 Fix review comments 2022-06-21 17:22:39 +01:00
Florian Roth c2c25acbb6 docs: rules adjusted 2022-06-21 17:21:55 +02:00
Nasreddine Bencherchali f12f6e3646 Update ID's 2022-06-21 15:46:00 +01:00
Florian Roth 7ecf771cb5 fix: rule that covers unrelated activity 2022-06-21 16:38:30 +02:00
Nasreddine Bencherchali 27e73278e7 Update proc_creation_win_lolbin_findstr.yml 2022-06-21 15:37:39 +01:00
Nasreddine Bencherchali b2ce10ea2a Update proc_creation_win_lolbin_findstr.yml 2022-06-21 15:36:21 +01:00
Florian Roth 9fdf396314 Update proc_creation_win_chrome_load_extension.yml 2022-06-21 16:30:38 +02:00