Djordje Lukic
1df3c34391
Merge PR #5144 from @djlukic - Fix multiple FPs
fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the `HTool` string to avoid unintended matches.
fix: Uncommon AppX Package Locations - Add `https://installer.teams.static.microsoft/`
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add `dn.onenote.net/` and `cdn.office.net/`
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for `Kaspersky` and `mDNS Responder`
2024-12-27 16:38:02 +01:00
Djordje Lukic
509120a735
Merge PR #4986 from @djlukic - Multiple FP fixes
fix: A Rule Has Been Deleted From The Windows Firewall Exception List - Exclude WinSxS
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Exclude "amsiprovider_x64"
fix: Uncommon AppX Package Locations - Exclude additional MS cdn domain
fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Enhance filters and exclude empty path
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-29 20:41:50 +02:00
Omar A.
9b3c363cd0
Merge PR #4954 from @omaramin17 - Update multiple rules with additional sharing domains
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Remote AppX Package Locations - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Unusual File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-23 11:16:06 +02:00
Nasreddine Bencherchali
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
Nasreddine Bencherchali
2acebc90f2
Merge PR #4702 from @nasbench - Rule tuning and updates
fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter
fix: Outbound RDP Connections Over Non-Standard Tools - Update filters
fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic
remove: Suspicious Non-Browser Network Communication With Reddit API
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains
update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports
update: HH.EXE Initiated HTTP Network Connection - Update list of ports
update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters
update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports
update: Network Connection Initiated To Mega.nz - Update domains
update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports
update: Office Application Initiated Network Connection To Non-Local IP - update list of filters
update: Potential Dead Drop Resolvers - Update domains and filters
update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains
update: Suspicious File Download From File Sharing Websites - Add additional domains
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains
update: Suspicious Remote AppX Package Locations - Add additional domains
update: Unusual File Download From File Sharing Websites - Add additional domains
2024-02-12 12:29:36 +01:00
github-actions[bot]
ae960f0881
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-12-01 12:50:36 +01:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
Nasreddine Bencherchali
c39581217a
feat: update rules using file sharing domains
2023-08-17 13:39:59 +02:00
Nasreddine Bencherchali
b20e7b449c
feat: rules update
2023-07-26 10:56:18 +02:00
Wagga
273fdb9985
fix: typos in multiple rules (#4011)
2023-02-06 13:53:23 +01:00
Nasreddine Bencherchali
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
Nasreddine Bencherchali
0909b65bff
feat: update sharing websites
2023-01-19 22:07:31 +01:00
frack113
4708bc61c6
Update win_appxdeployment_server_applocker_block.yml
2023-01-12 18:47:14 +01:00
frack113
b85d87ddf3
Apply suggestions from code review
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-01-12 18:39:46 +01:00
frack113
6d85fcb2b3
Add rule by eventid
2023-01-12 17:56:14 +01:00
Nasreddine Bencherchali
a5df41cf39
fix: update title and description
2023-01-12 15:49:40 +01:00
Nasreddine Bencherchali
9a671e25d9
fix: add missing eid 400
2023-01-12 15:12:20 +01:00
Nasreddine Bencherchali
e7a2e1c169
fix: remove version from name
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-01-12 10:37:34 +01:00
Nasreddine Bencherchali
0470f45246
fix: apply suggestions from code review
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-01-12 10:36:13 +01:00
Nasreddine Bencherchali
67ea98a6db
feat: more updates and fixes
2023-01-12 01:05:48 +01:00
Nasreddine Bencherchali
d0b2e2cbba
fix: more fp and duplicate id
2023-01-11 23:47:12 +01:00
Nasreddine Bencherchali
b6b1eba014
fix: fp and add related fields
2023-01-11 23:39:15 +01:00
Nasreddine Bencherchali
debd658aac
feat: new rules related to appx packages
2023-01-11 23:04:37 +01:00