Commit Graph

7542 Commits

Author SHA1 Message Date
Florian Roth a75f443033 Delete win_sliver_c2_default_service.yml 2022-08-26 20:52:19 +02:00
Florian Roth bc46de2685 Delete proc_creation_win_sliver_default_shell_command.yml 2022-08-26 20:52:05 +02:00
Nasreddine Bencherchali 40ce21f3e8 Update proc_creation_win_schtasks_system.yml 2022-08-26 19:03:50 +01:00
Nasreddine Bencherchali fcd9236bae Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel 2022-08-26 19:02:04 +01:00
frack113 bdbce73c9d Merge pull request #3434 from nasbench/revert-3433-patch-1
Revert "Fixing selection_user to match NT AUTHORITY\SYSTEM"
2022-08-26 19:56:59 +02:00
phantinuss e80116e704 fix: FPs found in testing environment 2022-08-26 17:29:49 +02:00
Nasreddine Bencherchali 11a322f4f0 New + Update 2022-08-26 15:38:43 +01:00
Nasreddine Bencherchali 060fbcda31 Revert "Fixing selection_user to match NT AUTHORITY\SYSTEM" 2022-08-26 11:25:41 +01:00
Florian Roth 112d83fa36 Merge pull request #3430 from r00tik/master
Add new rules for detecting msdt.exe creating a file in autorun
2022-08-26 08:21:29 +02:00
jkb f316469cd7 Fixing selection_user to match NT AUTHORITY\SYSTEM
This should be 'SYSTEM' not ' SYSTEM ' - these leading/trailing spaces are making this detection invalid since the /RU parameter value will be "NT AUTHORITY\SYSTEM".
2022-08-26 00:25:04 +02:00
Florian Roth 83a384e1c7 Merge pull request #3413 from alwashali/Disable-powershell-psreadline-history
posh_ps_disable_psreadline_command_history
2022-08-25 21:18:56 +02:00
Vadim Varganov 27b282da04 Merge branch 'SigmaHQ:master' into master 2022-08-25 15:25:37 +03:00
Florian Roth c5e183cf2e Merge pull request #3432 from SigmaHQ/rule-devel
Create Stream Hash Rules
2022-08-25 14:17:50 +02:00
Vadim Varganov 732fae435b Merge branch 'SigmaHQ:master' into master 2022-08-25 10:27:21 +03:00
Florian Roth 3c5852b5f5 fix: line endings, level, description, fp 2022-08-25 08:45:39 +02:00
Florian Roth 0b0dc5a65e Merge pull request #3429 from frack113/clean_reg
registry_event Clean up
2022-08-25 08:39:37 +02:00
Florian Roth 61657f50e6 Update file_event_win_msdt_autorun.yml 2022-08-25 08:38:43 +02:00
Vadim Varganov 4a8d4041ee Update file_event_win_msdt_autorun.yml 2022-08-25 09:25:30 +03:00
Florian Roth 02d7e8f2a4 fix: duplicate UUIDs 2022-08-25 08:23:48 +02:00
frack113 5cf940c0a8 Merge pull request #3425 from YamatoSecurity/fix-backend-bool-conversion-error
fix backend bool conversion errors
2022-08-25 06:41:43 +02:00
vadim 1c536e0698 Add new rules for detecting msdt.exe creating a file in autorun 2022-08-24 22:18:13 +03:00
frack113 f324148291 Merge pull request #3424 from nasbench/nasbench-rule-devel
Rule Dev - Update + New Rules
2022-08-24 19:59:08 +02:00
Nasreddine Bencherchali 728a7ccb66 Fix after review 2022-08-24 18:35:23 +01:00
frack113 583155df30 Order 2022-08-24 18:42:56 +02:00
frack113 057bdd3f0c Merge pull request #3427 from phantinuss/master
fix: many FPs in testing environment
2022-08-24 18:26:19 +02:00
frack113 483693f7e4 Merge pull request #3428 from redsand/fp_sentinel_one
FP: sentinel one performs this
2022-08-24 18:25:20 +02:00
Tim Shelton e310bda6ad FP: sentinel one performs this 2022-08-24 15:34:36 +00:00
Florian Roth 6a81603d28 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-08-24 16:51:27 +02:00
Florian Roth 4baa18bd33 refactor: added transfer.sh domain 2022-08-24 16:51:26 +02:00
Florian Roth 2b776cdfbb refactor: renamed old sysmon_ file names w/ new prefix 2022-08-24 16:51:12 +02:00
Florian Roth d18fced5dd rules: create stream hash rules 2022-08-24 16:50:40 +02:00
Ali Alwashali 9dccb4830e Update posh_ps_disable_psreadline_command_history.yml 2022-08-24 16:16:38 +03:00
Nasreddine Bencherchali afff53b812 Add '/k' option to CMD rules 2022-08-24 12:48:23 +01:00
Nasreddine Bencherchali be2ec96dc2 Update file_event_win_susp_vscode_powershell_profile.yml 2022-08-24 12:29:54 +01:00
Nasreddine Bencherchali 918cf94c1b Add + Rename 2022-08-24 12:29:35 +01:00
Nasreddine Bencherchali 10c5b51c5f Update file_event_win_susp_powershell_profile_create.yml 2022-08-24 12:23:20 +01:00
Nasreddine Bencherchali 9f02e37dfa Update 2022-08-24 12:23:00 +01:00
phantinuss 706a4bd0fa fix: many FPs in testing environment 2022-08-24 10:09:48 +02:00
Yamato Security 1faef2fa97 fix backend bool conversion errors 2022-08-24 09:23:35 +09:00
Nasreddine Bencherchali 781c69e04c Fix FP 2022-08-24 01:17:53 +01:00
Nasreddine Bencherchali 920c196f5b Update registry_set_new_network_provider.yml 2022-08-24 01:10:37 +01:00
Nasreddine Bencherchali f9c39c3c1e Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel 2022-08-24 01:06:02 +01:00
Nasreddine Bencherchali 88295a305c Rule Dev 2022-08-24 01:05:40 +01:00
Florian Roth cdf5b371f1 refactor: extending the rule with /k param 2022-08-23 20:44:11 +02:00
Florian Roth f7a216f081 Merge branch 'master' into rule-devel 2022-08-23 20:41:40 +02:00
frack113 2a55d4fcee Clean up 2022-08-23 19:43:38 +02:00
Florian Roth f68d50e8be Update proc_creation_win_susp_missing_spaces.yml 2022-08-23 18:07:32 +02:00
Florian Roth 303c0ed260 rule: missing space characters 2022-08-23 17:24:44 +02:00
Florian Roth 4e3fc80ee8 Merge pull request #3421 from secDre4mer/master
feat: new rule for sysnative process creation
2022-08-23 16:30:26 +02:00
Florian Roth a3c493f8de Merge pull request #3420 from phantinuss/master
FPs found in Testing
2022-08-23 16:30:04 +02:00