Florian Roth
a75f443033
Delete win_sliver_c2_default_service.yml
2022-08-26 20:52:19 +02:00
Florian Roth
bc46de2685
Delete proc_creation_win_sliver_default_shell_command.yml
2022-08-26 20:52:05 +02:00
Nasreddine Bencherchali
40ce21f3e8
Update proc_creation_win_schtasks_system.yml
2022-08-26 19:03:50 +01:00
Nasreddine Bencherchali
fcd9236bae
Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel
2022-08-26 19:02:04 +01:00
frack113
bdbce73c9d
Merge pull request #3434 from nasbench/revert-3433-patch-1
Revert "Fixing selection_user to match NT AUTHORITY\SYSTEM"
2022-08-26 19:56:59 +02:00
phantinuss
e80116e704
fix: FPs found in testing environment
2022-08-26 17:29:49 +02:00
Nasreddine Bencherchali
11a322f4f0
New + Update
2022-08-26 15:38:43 +01:00
Nasreddine Bencherchali
060fbcda31
Revert "Fixing selection_user to match NT AUTHORITY\SYSTEM"
2022-08-26 11:25:41 +01:00
Florian Roth
112d83fa36
Merge pull request #3430 from r00tik/master
Add new rules for detecting msdt.exe creating a file in autorun
2022-08-26 08:21:29 +02:00
jkb
f316469cd7
Fixing selection_user to match NT AUTHORITY\SYSTEM
This should be 'SYSTEM' not ' SYSTEM ' - these leading/trailing spaces are making this detection invalid since the /RU parameter value will be "NT AUTHORITY\SYSTEM".
2022-08-26 00:25:04 +02:00
Florian Roth
83a384e1c7
Merge pull request #3413 from alwashali/Disable-powershell-psreadline-history
posh_ps_disable_psreadline_command_history
2022-08-25 21:18:56 +02:00
Vadim Varganov
27b282da04
Merge branch 'SigmaHQ:master' into master
2022-08-25 15:25:37 +03:00
Florian Roth
c5e183cf2e
Merge pull request #3432 from SigmaHQ/rule-devel
Create Stream Hash Rules
2022-08-25 14:17:50 +02:00
Vadim Varganov
732fae435b
Merge branch 'SigmaHQ:master' into master
2022-08-25 10:27:21 +03:00
Florian Roth
3c5852b5f5
fix: line endings, level, description, fp
2022-08-25 08:45:39 +02:00
Florian Roth
38ede6dd08
Merge pull request #3426 from Tomasuh/proxy-dev
proxy_ua_bitsadmin_susp_ip.yml false positive fix
2022-08-25 08:42:14 +02:00
Florian Roth
0b0dc5a65e
Merge pull request #3429 from frack113/clean_reg
registry_event Clean up
2022-08-25 08:39:37 +02:00
Florian Roth
61657f50e6
Update file_event_win_msdt_autorun.yml
2022-08-25 08:38:43 +02:00
Vadim Varganov
4a8d4041ee
Update file_event_win_msdt_autorun.yml
2022-08-25 09:25:30 +03:00
Florian Roth
02d7e8f2a4
fix: duplicate UUIDs
2022-08-25 08:23:48 +02:00
frack113
5cf940c0a8
Merge pull request #3425 from YamatoSecurity/fix-backend-bool-conversion-error
fix backend bool conversion errors
2022-08-25 06:41:43 +02:00
frack113
b637cd7304
Merge pull request #3423 from benmontour/azureOperationNameField
Azure Activity Logs - operationName Field
2022-08-25 06:41:20 +02:00
vadim
1c536e0698
Add new rules for detecting msdt.exe creating a file in autorun
2022-08-24 22:18:13 +03:00
frack113
f324148291
Merge pull request #3424 from nasbench/nasbench-rule-devel
Rule Dev - Update + New Rules
2022-08-24 19:59:08 +02:00
Nasreddine Bencherchali
728a7ccb66
Fix after review
2022-08-24 18:35:23 +01:00
frack113
583155df30
Order
2022-08-24 18:42:56 +02:00
frack113
057bdd3f0c
Merge pull request #3427 from phantinuss/master
fix: many FPs in testing environment
2022-08-24 18:26:19 +02:00
frack113
483693f7e4
Merge pull request #3428 from redsand/fp_sentinel_one
FP: SentinelOne performs this
2022-08-24 18:25:20 +02:00
Tim Shelton
e310bda6ad
FP: SentinelOne performs this
2022-08-24 15:34:36 +00:00
Florian Roth
6a81603d28
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2022-08-24 16:51:27 +02:00
Florian Roth
4baa18bd33
refactor: added transfer.sh domain
2022-08-24 16:51:26 +02:00
Florian Roth
2b776cdfbb
refactor: renamed old sysmon_ file names w/ new prefix
2022-08-24 16:51:12 +02:00
Florian Roth
d18fced5dd
rules: create stream hash rules
2022-08-24 16:50:40 +02:00
Ali Alwashali
9dccb4830e
Update posh_ps_disable_psreadline_command_history.yml
2022-08-24 16:16:38 +03:00
Nasreddine Bencherchali
afff53b812
Add '/k' option to CMD rules
2022-08-24 12:48:23 +01:00
Nasreddine Bencherchali
be2ec96dc2
Update file_event_win_susp_vscode_powershell_profile.yml
2022-08-24 12:29:54 +01:00
Nasreddine Bencherchali
918cf94c1b
Add + Rename
2022-08-24 12:29:35 +01:00
Nasreddine Bencherchali
10c5b51c5f
Update file_event_win_susp_powershell_profile_create.yml
2022-08-24 12:23:20 +01:00
Nasreddine Bencherchali
9f02e37dfa
Update
2022-08-24 12:23:00 +01:00
phantinuss
706a4bd0fa
fix: many FPs in testing environment
2022-08-24 10:09:48 +02:00
Tomasuh
b5d5a648b5
proxy_ua_bitsadmin_susp_ip.yml false positive fix
Change to endswith instead of startswith to avoid matching subdomains that start with digits, for example: 3.au.download.windowsupdate.com
2022-08-24 08:19:51 +02:00
Yamato Security
1faef2fa97
fix backend bool conversion errors
2022-08-24 09:23:35 +09:00
Nasreddine Bencherchali
781c69e04c
Fix FP
2022-08-24 01:17:53 +01:00
Nasreddine Bencherchali
920c196f5b
Update registry_set_new_network_provider.yml
2022-08-24 01:10:37 +01:00
Nasreddine Bencherchali
f9c39c3c1e
Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel
2022-08-24 01:06:02 +01:00
Nasreddine Bencherchali
88295a305c
Rule Dev
2022-08-24 01:05:40 +01:00
Ben Montour
59394d2309
bad sort on subfields startswith/endswith
2022-08-23 14:35:48 -05:00
Ben Montour
6aabfaba4f
added modified field with current date
2022-08-23 14:32:10 -05:00
Ben Montour
f733105daa
renamed properties.message to operationName
2022-08-23 14:20:26 -05:00
Florian Roth
cdf5b371f1
refactor: extending the rule with /k param
2022-08-23 20:44:11 +02:00