security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
13,792 Commits 1 Branch 57 Tags
af3857b42f319ca4820100a2f7f681436b791df7
Commit Graph

4119 Commits

Author SHA1 Message Date
securepeacock af3857b42f Update proc_creation_win_susp_runonce_execution.yml 2022-12-13 10:27:21 -05:00
securepeacock ad55efd25f Update proc_creation_win_susp_runonce_execution.yml 
Added coverage for a new procedure identified here: https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
 2022-12-13 09:50:43 -05:00
frack113 24d983a6a9 Merge pull request #3775 from danielgottt/patch-9 
Create proc_creation_win_lolbin_setres.yml
 2022-12-13 06:45:39 +01:00
Nasreddine Bencherchali aca5dccd7f fix: change title 2022-12-13 00:01:46 +01:00
Gott 120bff21f8 Update proc_creation_win_lolbin_setres.yml 2022-12-12 17:09:26 -05:00
Gott a7662a7350 Update rules/windows/process_creation/proc_creation_win_lolbin_setres.yml 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-12-12 17:07:05 -05:00
Nasreddine Bencherchali 14a2bf3b59 fix: error in selection 2022-12-12 22:16:38 +01:00
Nasreddine Bencherchali 622fb687b7 fix: update logic and other information 2022-12-12 21:58:17 +01:00
Micah Babinski 52997da9b2 Modified level (reduce severity) 2022-12-12 07:33:47 -08:00
Micah Babinski e8a980161c Fixed rule description and title. 2022-12-12 07:32:26 -08:00
Micah Babinski da2d06fa37 Added suspicious rcedit rule. 2022-12-12 07:28:57 -08:00
frack113 0328946e69 Merge pull request #3774 from frack113/redcanary_20221211 
Redcannary rules
 2022-12-12 13:30:20 +01:00
frack113 d797bf0eb1 Apply suggestions from code review 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-12-12 13:23:59 +01:00
Gott 063aac1b4d Update proc_creation_win_lolbin_setres.yml 2022-12-11 11:57:22 -05:00
Gott 3a1fe16570 Update proc_creation_win_lolbin_setres.yml 
selection correction and detection logic correction
 2022-12-11 11:25:12 -05:00
Gott ff14120ee5 Update proc_creation_win_lolbin_setres.yml 
corrected duplicate tags
 2022-12-11 10:17:53 -05:00
Gott fec7756b8b Create proc_creation_win_lolbin_setres.yml 2022-12-11 10:00:05 -05:00
frack113 646d861471 Redcannary 2022-12-11 10:57:28 +01:00
Florian Roth 62347bcc80 Merge pull request #3772 from nasbench/nasbench-rule-devel 
feat: updates and enhancements
 2022-12-10 17:02:14 +01:00
Veramine 9662897442 Update proc_creation_win_susp_conhost_option.yml (#3763) 2022-12-09 21:13:58 +01:00
Nasreddine Bencherchali 76fca5aa4b fix: update title to reflect logic 2022-12-09 19:37:53 +01:00
Nasreddine Bencherchali bacd8078c5 feat: update detection section 2022-12-09 19:18:09 +01:00
Nasreddine Bencherchali 89e44d46cb feat: update .net etw tamper rules 2022-12-09 18:06:20 +01:00
Nasreddine Bencherchali 1143ec85b4 feat: enhance pssnapin rule 2022-12-09 16:38:32 +01:00
Nasreddine Bencherchali 0783d6df22 feat: update Lsass-Shtinkering rules 2022-12-09 12:22:50 +01:00
Nasreddine Bencherchali 7cd15d0bc1 fix: update metadata 2022-12-09 10:34:06 +01:00
Qasim Qlf fb8e0894b0 fix: condition 2022-12-09 13:42:49 +05:00
Florian Roth 4013ee645e Merge pull request #3767 from qasimqlf/patch-14 
Added more FPs
 2022-12-09 09:07:17 +01:00
Florian Roth 9afbf6d530 Merge pull request #3769 from qasimqlf/patch-15 
Fix the filter
 2022-12-09 09:07:04 +01:00
Qasim Qlf 868be248dd Fix the filter 2022-12-09 11:27:28 +05:00
Nasreddine Bencherchali fa318243c2 Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2022-12-08 19:22:11 +01:00
Florian Roth e78cb13cfd Merge pull request #3764 from pbssubhash/master 
Detection for LSASS Shtinkering
 2022-12-08 17:36:18 +01:00
Florian Roth ece1d01038 fix: syntax error, additional comma 2022-12-08 17:34:56 +01:00
Qasim Qlf c18f634c02 Added more FPs 2022-12-08 21:08:01 +05:00
Nasreddine Bencherchali 80ef3b70dc fix: broken single item lists 2022-12-08 16:23:58 +01:00
Nasreddine Bencherchali edc99c92a2 fix: enhance rules related to Lsass-Shtinkering 2022-12-08 11:02:56 +01:00
pbssubhash 4bb1df9f6e Update to remove FP 2022-12-08 12:03:02 +05:30
pbssubhash 9ea5fac51c Update proc_creation_lsass_shtinkering.yml 2022-12-08 11:56:40 +05:30
pbssubhash d393b57c36 Detection for LSASS Shtinkering 2022-12-08 11:49:53 +05:30
Nasreddine Bencherchali b59566ad0f fix: fix FP found in testing 2022-12-07 11:52:38 +01:00
Nasreddine Bencherchali a425ef65e5 feat: update metadata and add more cases for rules 2022-12-07 02:26:21 +01:00
BlueTeamOps 8fa8a73551 Updated proc_creation_win_iis_service_account_password_dumped.yml (#3682) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-12-06 13:10:58 +01:00
Nasreddine Bencherchali 42b99b165d feat: new rules and fixes (#3759) 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2022-12-06 12:13:20 +01:00
frack113 4b82b00ae9 Sysmoneop CMd shell (#3760) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-12-06 12:12:43 +01:00
frack113 32160be8bf Merge pull request #3755 from frack113/fix_sigma_warning 
Fix workflow warning
 2022-12-04 18:08:24 +01:00
Florian Roth 9375fe95b4 Merge pull request #3748 from SigmaHQ/rule-devel 
Rule refactoring, improvements
 2022-12-04 17:55:14 +01:00
Florian Roth d7a9fa9e1b Merge pull request #3754 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs
 2022-12-04 17:54:28 +01:00
frack113 54739006a9 Fix workflow warning 2022-12-04 15:29:08 +01:00
Florian Roth 6390915eb0 fix: FPs 2022-12-04 14:36:22 +01:00
Florian Roth 0db7f7f7cc rule: SysmonEOP 2022-12-04 14:36:04 +01:00