security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,806 Commits 1 Branch 57 Tags
aa79f4a5ee080388ce5fe578cc87802df8c5abc3
Commit Graph

3284 Commits

Author SHA1 Message Date
Florian Roth 96f7750cb8 Merge pull request #3242 from nasbench/wpbbin-persistence 
UEFI Persistence - wpbbin
 2022-07-18 15:47:34 +02:00
Nasreddine Bencherchali 492f754f29 UEFI Persistence - wpbbin 2022-07-18 12:45:44 +01:00
Florian Roth a62fb4d501 Merge branch 'master' into rule-devel 2022-07-18 13:16:26 +02:00
frack113 f161f6d051 Fix modified 2022-07-16 20:56:13 +02:00
frack113 79f6b200cc Add csrstub.exe 2022-07-16 19:54:16 +02:00
frack113 00886a2b33 Add proc_creation_win_susp_16bit_application 2022-07-16 17:36:53 +02:00
Florian Roth 749a7b4df5 Merge branch 'master' into rule-devel 2022-07-16 08:15:20 +02:00
Florian Roth b52b279f30 Merge pull request #3225 from nasbench/master 
New Rules + Update
 2022-07-14 21:58:01 +02:00
Tim Shelton 6187cfdfd6 False positive when amazon workspaces is running and doing its weird little things 2022-07-14 19:41:52 +00:00
Nasreddine Bencherchali e4f964879e Fix after review 2022-07-14 19:34:59 +01:00
Nasreddine Bencherchali 92b0239f27 Update proc_creation_win_powershell_susp_parameter_variation.yml 2022-07-14 17:43:04 +01:00
Nasreddine Bencherchali 16b2945027 New Rules + Update 2022-07-14 17:35:50 +01:00
Florian Roth 98a7d2f76e Merge pull request #3216 from nasbench/master 
DFIR Report - SELECT XMRig FROM SQLServer (New Rules)
 2022-07-12 17:40:44 +02:00
Florian Roth 739a54289e Update proc_creation_win_inline_base64_mz_header.yml 2022-07-12 17:33:04 +02:00
Florian Roth 730ee2cc9b Merge pull request #3217 from phantinuss/master 
Fix FPs
 2022-07-12 17:16:04 +02:00
Florian Roth 31ee9b7104 Merge branch 'master' into aurora-false-positive-fixing 2022-07-12 16:54:10 +02:00
phantinuss b6025adaa8 fix: found on several systems in prod environment 2022-07-12 16:41:10 +02:00
Florian Roth e79e4d6c3b fix: FPs wtih csc.exe as child of sdiagnhost 2022-07-12 14:32:22 +02:00
Nasreddine Bencherchali a41a73d721 DFIR Report - SELECT XMRig FROM SQLServer 2022-07-12 01:27:51 +01:00
Nasreddine Bencherchali 614fe69363 Update proc_creation_win_susp_use_of_sqltoolsps_bin.yml 2022-07-11 18:27:06 +01:00
Nasreddine Bencherchali 3aab1cc54c Update proc_creation_win_susp_service_path_modification.yml 2022-07-11 18:25:54 +01:00
Nasreddine Bencherchali 987b694223 Update proc_creation_win_susp_runscripthelper.yml 2022-07-11 18:24:17 +01:00
Nasreddine Bencherchali 093aff99b0 Update proc_creation_win_lsass_dump.yml 2022-07-11 18:22:50 +01:00
Nasreddine Bencherchali f2d9299703 Update proc_creation_win_susp_runonce_execution.yml 2022-07-11 18:21:46 +01:00
Nasreddine Bencherchali 9feec535f6 Update proc_creation_win_base64_listing_shadowcopy.yml 2022-07-11 18:19:46 +01:00
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali 12d187bc91 Update Ref+Selection 2 2022-07-11 17:48:40 +01:00
Florian Roth b78a1f3267 rule: suspicious PS encoded & obfuscated 2022-07-11 18:23:34 +02:00
Nasreddine Bencherchali fb73dfca88 Merge branch 'master' of https://github.com/nasbench/sigma 2022-07-11 14:11:59 +01:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Florian Roth e7f5b07f2d Merge pull request #3213 from SigmaHQ/rule-devel 
refactor: another Follina process pattern observed ITW
 2022-07-11 13:00:51 +02:00
Florian Roth 5b8f7d977f Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-07-11 12:52:08 +02:00
Florian Roth a17364104b refactor: Follina patterns 2022-07-11 12:52:06 +02:00
Florian Roth 9daef055ae Merge pull request #3211 from SigmaHQ/rule-devel 
fix: FPs with notepad as parent
 2022-07-08 20:40:49 +02:00
Florian Roth 0640695258 fix: FPs with notepad.exe as parent 
Closing https://github.com/SigmaHQ/sigma/issues/3208
 2022-07-08 19:28:43 +02:00
frack113 4f21febbb4 Fix detection 2022-07-08 18:20:37 +02:00
Florian Roth 578c838277 Merge pull request #3203 from nasbench/master 
Reference Update [Batch 1]
 2022-07-08 10:47:50 +02:00
Nasreddine Bencherchali 8b9307de30 Update selections 2022-07-07 20:55:19 +01:00
Nasreddine Bencherchali 68c27b56d4 Update proc_creation_win_exploit_cve_2020_1048.yml 2022-07-07 20:16:30 +01:00
Nasreddine Bencherchali aec95b6d65 Update selections and indentation 2022-07-07 20:13:45 +01:00
Florian Roth c7eb123bc3 Merge branch 'master' into aurora-false-positive-fixing 2022-07-07 18:21:16 +02:00
Florian Roth b58c797c61 fix: FPs with Visual Studio 2022-07-07 18:20:10 +02:00
Nasreddine Bencherchali 851d55a41f Update 2022-07-07 15:37:28 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
Florian Roth beec664249 Merge pull request #3189 from redsand/fp_encoded_powershell_minor_indicator_due_to_devops 
reducing level due to low indicator, per devops processes
 2022-07-06 18:34:27 +02:00
Florian Roth d4781fa63c refactor: split up rule into one low & one medium 2022-07-06 18:24:59 +02:00
phantinuss ce1710a031 fix: FPs found in testing 2022-07-06 15:38:31 +02:00
frack113 88a6ec96e7 Update proc_creation_win_powershell_cmdline_specific_comb_methods.yml 2022-07-05 16:04:00 +02:00
frack113 b3595c2605 Update proc_creation_win_powershell_cmdline_specific_comb_methods.yml 2022-07-05 16:01:57 +02:00
frack113 44e45362d4 Update proc_creation_win_powershell_cmdline_specific_comb_methods.yml 2022-07-05 15:59:45 +02:00