security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15,670 Commits 1 Branch 57 Tags
b24e863a1ca78d00eccee2076b2ee671b8a3f2ff
Commit Graph

4769 Commits

Author SHA1 Message Date
Nasreddine Bencherchali b24e863a1c feat: add VMwareToolBoxCmd persistence 2023-07-27 14:44:37 +02:00
Nasreddine Bencherchali 1d10fd8d52 feat: update curl & wget rules 2023-07-27 13:58:57 +02:00
Nasreddine Bencherchali b20e7b449c feat: rules update 2023-07-26 10:56:18 +02:00
phantinuss 250d6c0dd0 fix: selection to use all strings 2023-07-25 10:17:54 +02:00
phantinuss 9f9f2321de fix: FP found with missing commandlines 2023-07-25 10:17:54 +02:00
Nasreddine Bencherchali ad0d3f58ac fix: apply suggestions from code review 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2023-07-24 12:35:11 +02:00
Nasreddine Bencherchali 72b658b4c2 Update proc_creation_win_susp_ntfs_short_name_use_image.yml 2023-07-24 11:44:59 +02:00
Nasreddine Bencherchali a97c96aacc fix: fp 2023-07-24 11:01:02 +02:00
Nasreddine Bencherchali db9214e8d2 fix: typos 2023-07-20 14:13:13 +02:00
Nasreddine Bencherchali 1ed5629eb2 feat: update filter 2023-07-20 14:01:35 +02:00
Nasreddine Bencherchali f7acf07882 Merge branch 'SigmaHQ:master' into new-rules-13-07-23 2023-07-20 13:51:48 +02:00
Nasreddine Bencherchali 73f44e61d1 feat: add more rules 2023-07-20 13:47:30 +02:00
frack113 9acc4e1823 feat: add rules related to pwsh set-acl cmdlet usage (#4352) 2023-07-20 11:08:44 +02:00
Florian Roth 764963c2c7 refactor: increased level 2023-07-18 14:09:12 +02:00
Nasreddine Bencherchali 08e0a297f3 feat: new rules and updates 2023-07-13 17:31:13 +02:00
Nasreddine Bencherchali ccec820a01 feat: new rules & updates (#4328) 2023-07-13 10:01:05 +02:00
frack113 1586e30f19 Merge pull request #4343 from frack113/redcannary_t1057 
Add proc_creation_win_findstr_susp_parent
 2023-07-12 20:52:17 +02:00
frack113 c97c3bc54c Add httpd filter 
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
 2023-07-06 20:19:03 +02:00
frack113 f9dbb1f413 Add proc_creation_win_findstr_susp_parent 
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
 2023-07-06 19:51:47 +02:00
phantinuss 835dda9484 fix: FPs found in testing env 2023-07-05 10:37:17 +02:00
securepeacock a527ff3a1a Update proc_creation_win_nltest_recon.yml 2023-06-26 09:55:01 -04:00
Ryan Plas cda0fbff62 fix:F multiple 404 links in references (#4332) 2023-06-26 10:10:04 +01:00
Nasreddine Bencherchali 96b2219686 Merge pull request #4329 from securepeacock/patch-51 
feat: add new reference to curl download rule
 2023-06-23 09:58:50 +02:00
securepeacock 01d3701982 Update proc_creation_win_pua_adfind_susp_usage.yml 2023-06-22 17:11:08 -04:00
securepeacock f8d399f054 Update proc_creation_win_curl_susp_download.yml 2023-06-22 11:53:22 -04:00
securepeacock 2b30b96f12 Update proc_creation_win_lolbin_rundll32_installscreensaver.yml 2023-06-21 13:11:09 -04:00
phantinuss 6c4408ddff chore: fix typo of lowercase Windows in description 2023-06-21 09:52:43 +02:00
phantinuss 6b2bf871c2 fix: false positives with missing Image field 2023-06-21 09:52:43 +02:00
securepeacock fcaa435517 Update proc_creation_win_renamed_binary.yml 2023-06-20 14:30:05 -04:00
Nasreddine Bencherchali 22628faaf0 feat: add rules related to Barracuda ESG exploitation 2023-06-18 22:14:57 +02:00
securepeacock 6312dd1d44 feat: update reference proc_creation_win_wmic_process_creation.yml (#4315) 2023-06-16 10:24:50 +02:00
Nasreddine Bencherchali 917e5bee68 fix: update filter name 2023-06-14 15:35:33 +02:00
frack113 9ad36c796b Fix svchost FP 
Signed-off-by: frack113 <magicfrancois@gmail.com>
 2023-06-14 11:33:58 +02:00
Nasreddine Bencherchali 9c3e652693 Merge pull request #4301 from tr0mb1r/master 
feat: add new rules related to ClickOnce abuse
 2023-06-13 11:29:25 +02:00
Nasreddine Bencherchali 7ecbf44bf6 feat: update clickonce rules 2023-06-12 23:52:40 +02:00
Nasreddine Bencherchali 2b520f9415 chore: update description 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2023-06-12 10:15:23 +02:00
Nasreddine Bencherchali d634acec1a feat: update legit child 2023-06-12 00:23:04 +02:00
Mohamed Ashraf (X__Junior) 2b2c5c42ca Create proc_creation_win_sndvol_susp_child_processes.yml 2023-06-09 20:43:13 +03:00
Nasreddine Bencherchali b02e3b698a Merge pull request #4289 from branchnetconsulting/patch-1 
feat: update logonscript rules
 2023-06-09 12:23:14 +02:00
phantinuss f3567b72f7 fix: wording 2023-06-09 12:14:16 +02:00
Nasreddine Bencherchali 9be8e2296a feat: update logon script rules 2023-06-09 12:09:35 +02:00
Paul Hager 695e0bd5e3 fix: typo in 'related' field 2023-06-07 12:02:43 +02:00
phantinuss 630e1a4734 fix: exclude files that are marked for deletion 2023-06-07 10:24:51 +02:00
Kevin Branch b478f24985 Update proc_creation_win_persistence_userinitmprlogonscript.yml 
When logging into Windows Core, userinit.exe normalls calls PowerShell.exe without parameters to bring up a PowerShell window.
 2023-06-05 12:57:52 -04:00
Nasreddine Bencherchali 715cc0589c Merge pull request #4232 from swachchhanda000/master 
feat: extended coverage of existing defender tampering rules
 2023-06-05 13:26:03 +02:00
phantinuss e407cfa1d6 fix: wording 2023-06-05 13:09:30 +02:00
Nasreddine Bencherchali 899c2ff23a chore: update defender rules 2023-06-05 11:50:43 +02:00
Nasreddine Bencherchali c5c61ac040 Merge pull request #4280 from nasbench/rules-update-31-05-23 
feat: rule updates and issue fixes
 2023-06-05 11:38:16 +02:00
Nasreddine Bencherchali 8a06af1364 feat: apply suggestions from code review 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2023-06-05 10:54:18 +02:00
Florian Roth 382355c728 feat: add new rule "Renamed AutoIt Execution" (#4286) 2023-06-05 10:53:42 +02:00