Commit Graph

11651 Commits

Author SHA1 Message Date
Nasreddine Bencherchali aa8c18c0a5 Merge pull request #4066 from nasbench/nasbench-rule-devel
feat: multiple updates and fixes
2023-02-22 17:20:58 +01:00
frack113 ae45af68ab Update proc_creation_win_hktl_jlaive_batch_execution.yml 2023-02-22 17:13:48 +01:00
frack113 f2c3954e74 Update proc_creation_win_hktl_crackmapexec_execution_patterns.yml 2023-02-22 17:13:02 +01:00
Nasreddine Bencherchali 69c28fedbc fix: typo
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-22 12:16:49 +01:00
Nasreddine Bencherchali 02d6d571cb fix: apply suggestions from 2nd code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-22 12:15:49 +01:00
Nasreddine Bencherchali fc3c6ef4c7 fix: apply suggestions from code review
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-02-22 11:05:50 +01:00
phantinuss db4fb9ff8e Merge pull request #4056 from D4rkCiph3r/installer-child
Create proc_creation_macos_susp_installer_child_process.yml
2023-02-22 09:04:58 +01:00
phantinuss 3fc4a344f2 Merge pull request #4062 from qasimqlf/patch-34
fix: One value of imagePath was wrong
2023-02-22 09:03:39 +01:00
frack113 1a14cd58db Update proc_creation_win_msiexec_dll.yml 2023-02-22 06:34:02 +01:00
frack113 bc5ec4fc88 Update proc_creation_win_auditpol_susp_execution.yml 2023-02-22 06:26:30 +01:00
Nasreddine Bencherchali 275748b671 fix: add missing space + rename file 2023-02-21 23:29:47 +01:00
Nasreddine Bencherchali 8220d9b5b2 fix: add slash to image field
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-21 23:17:09 +01:00
Nasreddine Bencherchali 5f1231b5f2 fix: unused selection 2023-02-21 22:25:34 +01:00
Nasreddine Bencherchali dbf4e05309 Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2023-02-21 22:16:07 +01:00
Nasreddine Bencherchali 63888f7a53 feat: multiple fixes and updates 2023-02-21 22:15:30 +01:00
phantinuss ecc41ad20b fix: FP with chocolatey 2023-02-21 16:38:05 +01:00
Florian Roth 0a734bde8c Merge pull request #4061 from wagga40/master
Typo correction
2023-02-20 17:29:48 +01:00
Nasreddine Bencherchali 41e844e0cc fix: add missing modified 2023-02-20 17:08:48 +01:00
Qasim Qlf 908b25bccb fix: One value of imagePath was wrong
it was "clip", which is already covered by "clipboard]::".

Real value is "&&".

Reference: 
Sigma Rule Id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
Link: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml
2023-02-20 20:49:52 +05:00
D4rkCiph3r 848a64fa69 Create proc_creation_macos_persistence_via_plistbuddy.yml (#4057) 2023-02-20 14:15:31 +01:00
D4rkCiph3r d0af939108 Create proc_creation_macos_enable_guest_account.yml (#4054) 2023-02-20 14:13:52 +01:00
Wagga 7387648bb1 Update proc_creation_win_mstsc_remote_connection.yml 2023-02-20 14:13:26 +01:00
D4rkCiph3r f9a73c7a79 Update proc_creation_macos_create_account.yml (#4052) 2023-02-20 14:13:06 +01:00
Wagga e7492c0f75 Update proc_creation_win_apt_cozy_bear_phishing_campaign_indicators.yml 2023-02-20 14:12:51 +01:00
Wagga fae6d7066a Update and rename proc_creation_win_apt_cozy_bear_phishing_campaing_indicators.yml to proc_creation_win_apt_cozy_bear_phishing_campaign_indicators.yml 2023-02-20 14:12:32 +01:00
Wagga 71b849146c Update proc_creation_win_certutil_export_pfx.yml 2023-02-20 14:11:48 +01:00
Wagga ffc9044b07 Update registry_add_persistence_amsi_providers.yml 2023-02-20 14:11:11 +01:00
Wagga 2d283ff885 Update and rename file_event_win_apt_cozy_bear_phishing_campaing_indicators.yml to file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml 2023-02-20 14:10:03 +01:00
Wagga cbc9a10eba Update java_xxe_exploitation_attempt.yml 2023-02-20 14:08:28 +01:00
D4rkCiph3r 97e2717343 Update proc_creation_macos_susp_installer_child_process.yml
Updated the selection syntax
2023-02-20 18:19:43 +05:30
Nasreddine Bencherchali b1866adb07 Merge pull request #4049 from nasbench/nasbench-rule-devel
feat: new rules, updates and fixes
2023-02-20 13:44:04 +01:00
Qasim Qlf 2ec65de9a2 fix: taskName property 2023-02-20 16:08:53 +05:00
m4nbat ae469ddefe New rules added for LockBit and Reddit used for C2. (#4045) 2023-02-20 12:07:02 +01:00
Nasreddine Bencherchali f0afc4cce6 fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-20 12:06:37 +01:00
frack113 cd16dff85d Update rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml 2023-02-20 06:32:47 +01:00
D4rkCiph3r c016748316 Update proc_creation_macos_susp_installer_child_process.yml 2023-02-18 19:10:01 +05:30
D4rkCiph3r cc5bce2035 Create proc_creation_macos_susp_installer_child_process.yml
Summary of the Pull Request:
The pull request adds a new rule for macOS (T1059, T1059.007, T1071, T1071.001)

Detailed Description of the Pull Request / Additional comments:
The rule helps detect the execution of suspicious child processes from the macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters. Legitimate software also uses scripts (preinstall and postinstall). Baselining or application allow-listing monitoring helps reduce the false positives.

Example Log Event (In Case of FP Fixes)
NA

Relevant Issues (In Case of Issue Fixes)
NA
2023-02-18 19:04:22 +05:30
frack113 e327427f13 Merge pull request #4048 from YamatoSecurity/update-powershell-usage-of-base64-IEX
added other potential IEX strings
2023-02-18 07:13:14 +01:00
Nasreddine Bencherchali 1d4a6dee3d fix: more fp 2023-02-17 23:23:31 +01:00
Nasreddine Bencherchali 6a0b38291f fix: fp found in baseline 2023-02-17 23:16:42 +01:00
Nasreddine Bencherchali 1dba328ddc fix: add missing modified 2023-02-17 22:52:09 +01:00
Yamato Security 9c673bbb15 added other potential IEX strings 2023-02-18 05:51:40 +09:00
Nasreddine Bencherchali 2ae212f5ab fix: remove unnecessary filter 2023-02-17 21:36:54 +01:00
Nasreddine Bencherchali ee7d1d9890 feat: add reference 2023-02-17 19:58:26 +01:00
Nasreddine Bencherchali 787ea00ff7 feat: new rule for events.asp technique 2023-02-17 19:41:14 +01:00
D4rkCiph3r c965a8dca0 Update proc_creation_macos_binary_padding.yml
Updated the modified field
The reference link is the same; I have a PR in the ART repo for the same, which is yet to be verified. Maybe, if it's allowed, the man pages of "truncate" and "dd" can be referenced.
Discarding the filter, there should either be "of=" (output file) or a redirection or append symbol.
2023-02-17 23:16:28 +05:30
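As an added example (not code from the SigmaHQ repository or from any of the commits listed here), the following Python models the two detection ideas described in the commit messages above: suspicious interpreters spawned by the macOS installer parent process (commit cc5bce2035) and dd/truncate padding that writes through `of=` or a shell redirection (commit c965a8dca0). The rule bodies, the condition grammar subset, and the sample process_creation events are assumptions constructed for this example; they approximate the published rules' intent but are not their text.

```python
"""Minimal Sigma-style matcher run over constructed macOS process_creation events.

Supports the string modifiers contains/startswith/endswith (case-insensitive, as
Sigma defines them), OR over value lists, AND over fields in a selection, and a
condition grammar of 'and', 'or', 'not' and selection names.
"""

# Rule approximations written for this example (assumptions, not SigmaHQ rule text).
RULES = [
    {
        "title": "Suspicious child process of the macOS installer (assumed approximation)",
        "detection": {
            "selection": {
                "ParentImage|endswith": "/installer",
                "Image|endswith": ["/osascript", "/curl", "/wget", "/sh", "/bash", "/zsh", "/python"],
            },
            "condition": "selection",
        },
    },
    {
        "title": "Binary padding via dd/truncate (assumed approximation)",
        "detection": {
            "selection_img": {"Image|endswith": ["/dd", "/truncate"]},
            "selection_out": {"CommandLine|contains": ["of=", ">>", ">"]},
            "condition": "selection_img and selection_out",
        },
    },
]

# Constructed sample events (not real telemetry); field names follow Sigma's process_creation fields.
EVENTS = [
    {"id": 1, "ParentImage": "/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer",
     "Image": "/usr/bin/osascript", "CommandLine": "osascript -l JavaScript /tmp/postinstall.js"},
    {"id": 2, "ParentImage": "/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer",
     "Image": "/usr/bin/env", "CommandLine": "env"},  # installer parent, but not a listed interpreter
    {"id": 3, "ParentImage": "/bin/zsh", "Image": "/bin/dd",
     "CommandLine": "dd if=/dev/zero bs=1m count=50 of=/tmp/payload.bin conv=notrunc"},
    {"id": 4, "ParentImage": "/bin/zsh", "Image": "/bin/dd",
     "CommandLine": "dd if=/dev/disk1 bs=512 count=1"},  # reads only: no of= and no redirection
    {"id": 5, "ParentImage": "/usr/sbin/installer", "Image": "/usr/bin/curl",
     "CommandLine": "curl -s https://example.invalid/stage2 -o /tmp/s2"},
]


def _field_matches(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier; Sigma string matching is case-insensitive."""
    v, p = value.lower(), pattern.lower()
    if modifier == "":
        return v == p
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    raise ValueError(f"unsupported modifier {modifier!r}")


def match_selection(event: dict, selection: dict) -> bool:
    """Every field spec in a selection must match (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_field_matches(str(value), modifier, str(p)) for p in patterns):
            return False
    return True


def evaluate_condition(condition: str, results: dict) -> bool:
    """Evaluate 'a and not b or c' style conditions; precedence is not > and > or."""
    tokens = condition.split()
    pos = 0

    def parse_or() -> bool:
        nonlocal pos
        left = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            right = parse_and()
            left = left or right
        return left

    def parse_and() -> bool:
        nonlocal pos
        left = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            right = parse_not()
            left = left and right
        return left

    def parse_not() -> bool:
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        name = tokens[pos]
        pos += 1
        return results[name]  # unknown selection names raise KeyError on purpose

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return result


def rule_matches(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    results = {name: match_selection(event, sel) for name, sel in det.items() if name != "condition"}
    return evaluate_condition(det["condition"], results)


def run(rules: list, events: list) -> list:
    """Return (event id, rule title) pairs for every rule that fires on every event."""
    return [(ev["id"], rule["title"]) for ev in events for rule in rules if rule_matches(rule, ev)]


if __name__ == "__main__":
    for event_id, title in run(RULES, EVENTS):
        print(f"event {event_id}: {title}")
```

One caveat the padding rule's two branches carry: process-creation telemetry records the argv of the `dd` process, and the shell consumes `>` or `>>` before exec. The redirection branch therefore only fires when the logged command line is the shell's own (for example `sh -c "dd ... > out"`), while the `of=` branch fires on the `dd` event itself, so the two branches match different events of the same activity.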
Nasreddine Bencherchali 68c052aab7 feat: updates and fixes 2023-02-17 17:51:44 +01:00
D4rkCiph3r 45ff572bd2 Update proc_creation_macos_binary_padding.yml
Minor changes
2023-02-17 18:22:26 +05:30
D4rkCiph3r afc6198da8 Update proc_creation_macos_binary_padding.yml
Few minor changes, increasing the precision of the rule and reducing the possible false positives.
2023-02-17 18:05:55 +05:30
Nasreddine Bencherchali 164b3a36b6 Merge pull request #4043 from nasbench/certutil-other-updates
feat: certutil rules updates + other fixes
2023-02-16 11:45:08 +01:00