Djordje Lukic
1df3c34391
Merge PR #5144 from @djlukic - Fix multiple FPs
fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the `HTool` string to avoid unintended matches.
fix: Uncommon AppX Package Locations - Add `https://installer.teams.static.microsoft/`
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add `dn.onenote.net/` and `cdn.office.net/`
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for `Kaspersky` and `mDNS Responder`
2024-12-27 16:38:02 +01:00
Mohamed Ashraf
7e4748ec0e
feat: update multiple rules (#5055)
* Update multiple rules
* updates
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-25 16:32:03 +02:00
Omar A.
9b3c363cd0
Merge PR #4954 from @omaramin17 - Update multiple rules with additional sharing domains
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Remote AppX Package Locations - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Unusual File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-23 11:16:06 +02:00
Nasreddine Bencherchali
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
Nasreddine Bencherchali
2acebc90f2
Merge PR #4702 from @nasbench - Rule tuning and updates
fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter
fix: Outbound RDP Connections Over Non-Standard Tools - Update filters
fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic
remove: Suspicious Non-Browser Network Communication With Reddit API
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains
update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports
update: HH.EXE Initiated HTTP Network Connection - Update list of ports
update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters
update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports
update: Network Connection Initiated To Mega.nz - Update domains
update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports
update: Office Application Initiated Network Connection To Non-Local IP - update list of filters
update: Potential Dead Drop Resolvers - Update domains and filters
update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains
update: Suspicious File Download From File Sharing Websites - Add additional domains
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains
update: Suspicious Remote AppX Package Locations - Add additional domains
update: Unusual File Download From File Sharing Websites - Add additional domains
2024-02-12 12:29:36 +01:00
github-actions[bot]
367ebd9395
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
Nasreddine Bencherchali
c39581217a
feat: update rules using file sharing domains
2023-08-17 13:39:59 +02:00
Nasreddine Bencherchali
b20e7b449c
feat: rules update
2023-07-26 10:56:18 +02:00
Nasreddine Bencherchali
3d9372bef3
feat: new rules, updates and fp fixes (#4136)
2023-04-03 12:06:14 +02:00
Nasreddine Bencherchali
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
frack113
1033b3f404
change status to test
2023-01-27 06:48:34 +01:00
Nasreddine Bencherchali
0909b65bff
feat: update sharing websites
2023-01-19 22:07:31 +01:00
Nasreddine Bencherchali
28a3413aa7
feat: updates and enhancements
2023-01-11 01:03:52 +01:00
Nasreddine Bencherchali
b6492e731b
feat: general updates and fixes
2022-12-02 23:16:03 +01:00
frack113
c820216541
Update Title (#3733)
2022-11-28 06:43:17 +01:00
frack113
8b749fb126
Order yaml field
2022-10-25 11:08:51 +02:00
Florian Roth
4baa18bd33
refactor: added transfer.sh domain
2022-08-24 16:51:26 +02:00
Nasreddine Bencherchali
b905df6bc7
Updates + New Rules
2022-08-09 18:35:45 +01:00
Nasreddine Bencherchali
16b2945027
New Rules + Update
2022-07-14 17:35:50 +01:00
Nasreddine Bencherchali
238e0ecd7d
Update Ref+Selection
2022-07-11 14:11:53 +01:00
Florian Roth
991ff677c3
rule: bitsadmin coverage
2022-06-28 15:34:19 +02:00
Tim Shelton
6ae85eb557
Adding support for mozilla download via bits
2022-06-21 12:38:06 +00:00
Florian Roth
49f37684dc
fix: FPs with BITS rule
2022-06-12 17:30:17 +02:00
Florian Roth
ed2ab816be
refactor: BITS rules new and reworked
2022-06-10 13:16:40 +02:00
frack113
53651cdd2f
Add Bits-Client rules
2022-03-03 06:27:00 +01:00