Florian Roth
bc46de2685
Delete proc_creation_win_sliver_default_shell_command.yml
2022-08-26 20:52:05 +02:00
Nasreddine Bencherchali
40ce21f3e8
Update proc_creation_win_schtasks_system.yml
2022-08-26 19:03:50 +01:00
Nasreddine Bencherchali
fcd9236bae
Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel
2022-08-26 19:02:04 +01:00
frack113
bdbce73c9d
Merge pull request #3434 from nasbench/revert-3433-patch-1
Revert "Fixing selection_user to match NT AUTHORITY\SYSTEM"
2022-08-26 19:56:59 +02:00
phantinuss
e80116e704
fix: FPs found in testing environment
2022-08-26 17:29:49 +02:00
Nasreddine Bencherchali
11a322f4f0
New + Update
2022-08-26 15:38:43 +01:00
Nasreddine Bencherchali
060fbcda31
Revert "Fixing selection_user to match NT AUTHORITY\SYSTEM"
2022-08-26 11:25:41 +01:00
jkb
f316469cd7
Fixing selection_user to match NT AUTHORITY\SYSTEM
This should be 'SYSTEM' not ' SYSTEM ' - these leading/trailing spaces are making this detection invalid since the /RU parameter value will be "NT AUTHORITY\SYSTEM".
2022-08-26 00:25:04 +02:00
Florian Roth
c5e183cf2e
Merge pull request #3432 from SigmaHQ/rule-devel
Create Stream Hash Rules
2022-08-25 14:17:50 +02:00
frack113
f324148291
Merge pull request #3424 from nasbench/nasbench-rule-devel
Rule Dev - Update + New Rules
2022-08-24 19:59:08 +02:00
Nasreddine Bencherchali
728a7ccb66
Fix after review
2022-08-24 18:35:23 +01:00
Florian Roth
6a81603d28
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2022-08-24 16:51:27 +02:00
Florian Roth
4baa18bd33
refactor: added transfer.sh domain
2022-08-24 16:51:26 +02:00
Nasreddine Bencherchali
afff53b812
Add '/k' option to CMD rules
2022-08-24 12:48:23 +01:00
Nasreddine Bencherchali
f9c39c3c1e
Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel
2022-08-24 01:06:02 +01:00
Nasreddine Bencherchali
88295a305c
Rule Dev
2022-08-24 01:05:40 +01:00
Florian Roth
cdf5b371f1
refactor: extending the rule with /k param
2022-08-23 20:44:11 +02:00
Florian Roth
f7a216f081
Merge branch 'master' into rule-devel
2022-08-23 20:41:40 +02:00
Florian Roth
f68d50e8be
Update proc_creation_win_susp_missing_spaces.yml
2022-08-23 18:07:32 +02:00
Florian Roth
303c0ed260
rule: missing space characters
2022-08-23 17:24:44 +02:00
Florian Roth
4e3fc80ee8
Merge pull request #3421 from secDre4mer/master
feat: new rule for sysnative process creation
2022-08-23 16:30:26 +02:00
Florian Roth
a3c493f8de
Merge pull request #3420 from phantinuss/master
FPs found in Testing
2022-08-23 16:30:04 +02:00
Florian Roth
e5aa5896cd
Merge pull request #3418 from SigmaHQ/rule-devel
rule: Renamed Adfind, rule: CsExec
2022-08-23 16:29:45 +02:00
Max Altgelt
74f9e77339
fix: title casing
2022-08-23 14:50:02 +02:00
Max Altgelt
6711a3e2ed
feat: new rule for sysnative process creation
2022-08-23 14:38:24 +02:00
phantinuss
1d45c98f0f
fix: FP with teams
2022-08-23 14:26:27 +02:00
Nasreddine Bencherchali
e550080e1c
Update proc_creation_win_net_recon.yml
2022-08-22 21:43:06 +01:00
Florian Roth
dba875e977
Update proc_creation_win_susp_service_modification.yml
2022-08-22 21:34:23 +02:00
Nasreddine Bencherchali
c9e81f1cf0
Update proc_creation_win_lolbin_sideload_link_binary.yml
2022-08-22 20:17:22 +01:00
Nasreddine Bencherchali
6aa4c56b3b
Update proc_creation_win_net_recon.yml
2022-08-22 20:07:53 +01:00
Nasreddine Bencherchali
a769377070
Update proc_creation_win_persistence_typed_paths.yml
2022-08-22 20:05:02 +01:00
Nasreddine Bencherchali
ae9785eb47
TypedPaths
2022-08-22 20:04:43 +01:00
Florian Roth
66f829c371
rule: CsExec
2022-08-22 17:43:49 +02:00
Nasreddine Bencherchali
1ef7208897
Create proc_creation_win_lolbin_sideload_link_binary.yml
2022-08-22 15:31:35 +01:00
Nasreddine Bencherchali
9f61d51408
Rename
2022-08-22 14:52:59 +01:00
Nasreddine Bencherchali
17aa5fec6d
Update
2022-08-22 14:52:41 +01:00
Nasreddine Bencherchali
60154a963f
Update proc_creation_win_ntfs_short_name_path_use_image.yml
2022-08-22 11:15:15 +01:00
Nasreddine Bencherchali
bb51bb4bd4
Fix #3407
2022-08-22 11:14:08 +01:00
Florian Roth
00383708ce
Merge pull request #3412 from aaronherman/add-dumpert-hacktools-implashes
add Dumpert and other Imphashes to Windows Hacktools rule
2022-08-21 11:00:51 +02:00
Florian Roth
091f26ecd4
docs: adfind website url
2022-08-21 09:38:30 +02:00
Florian Roth
e379d6b224
rule: renamed adfind
2022-08-21 09:38:18 +02:00
Florian Roth
a4656f9cb7
Merge pull request #3408 from frack113/redcannary_20220820
Redcannary 20220820
2022-08-21 09:30:13 +02:00
Florian Roth
f0bdb36b18
add more imphashes from Sysmon config
2022-08-21 09:17:23 +02:00
Florian Roth
c99d94766e
revert: remove dumpert rule
2022-08-21 09:08:19 +02:00
Florian Roth
79cd099ff0
Merge pull request #3404 from frack113/hotfix
update 20220820
2022-08-21 09:04:28 +02:00
AaronHerman
2a22cb76d7
remove dumpert rule, add to Windows Hacktools Imphash
2022-08-20 20:23:15 -05:00
frack113
9f89d4c8c7
Redcannary 20220820
2022-08-20 17:12:31 +02:00
Florian Roth
268b0a8038
Merge pull request #3402 from nasbench/lolbin-update
LOLBIN Updates
2022-08-20 13:25:24 +02:00
frack113
df8df38414
Add proc_creation_win_susp_pester_parent
2022-08-20 12:18:49 +02:00
frack113
8333671025
Fix test error
2022-08-20 12:07:01 +02:00