Commit Graph

3179 Commits

Author SHA1 Message Date
Florian Roth d78818e27d Merge pull request #3157 from d4rk-d4nph3/master
To account for SyncAppvPublishingServer bypass
2022-06-22 21:28:38 +02:00
Florian Roth cdfd908627 Merge branch 'master' into rule-devel 2022-06-22 21:16:29 +02:00
Florian Roth 940e4149f7 fix: wrong rule title 2022-06-22 21:15:00 +02:00
Bhabesh 7afe938d49 Fixed the missing all modifier 2022-06-22 15:14:39 +05:45
Bhabesh d9836d9fe4 Fixed my rule bug 2022-06-22 15:13:51 +05:45
Bhabesh f55e3451cf Removed bypass for SyncAppvPublishingServer 2022-06-22 15:12:17 +05:45
Florian Roth a601ce4098 Merge pull request #3145 from frack113/chromeloader
Add proc_creation_win_chrome_load_extension
2022-06-22 10:26:07 +02:00
Florian Roth fedc465b00 Merge pull request #3155 from SigmaHQ/rule-devel
Linux - suspicious command lines
2022-06-22 10:25:42 +02:00
Bhabesh 023306e09f Added alternative cmd format 2022-06-22 10:16:39 +05:45
Nasreddine Bencherchali efbfc7fe67 New Rule (https://twitter.com/nas_bench/status/1537919885031772161) 2022-06-21 19:13:53 +01:00
Nasreddine Bencherchali e25ad42b5b Reverted Rule + New Rule 2022-06-21 19:03:47 +01:00
Nasreddine Bencherchali 0c2f1bfce5 Fix review comments 2022-06-21 17:22:39 +01:00
Florian Roth c2c25acbb6 docs: rules adjusted 2022-06-21 17:21:55 +02:00
Nasreddine Bencherchali f12f6e3646 Update IDs 2022-06-21 15:46:00 +01:00
Florian Roth 7ecf771cb5 fix: rule that covers unrelated activity 2022-06-21 16:38:30 +02:00
Nasreddine Bencherchali 27e73278e7 Update proc_creation_win_lolbin_findstr.yml 2022-06-21 15:37:39 +01:00
Nasreddine Bencherchali b2ce10ea2a Update proc_creation_win_lolbin_findstr.yml 2022-06-21 15:36:21 +01:00
Florian Roth 9fdf396314 Update proc_creation_win_chrome_load_extension.yml 2022-06-21 16:30:38 +02:00
Nasreddine Bencherchali e3bfb18f64 New Rules 2022-06-21 11:47:18 +01:00
Nasreddine Bencherchali 62a7d755cc Update proc_creation_win_service_stop.yml
Refactored the rule and added originalfilename
2022-06-21 11:46:32 +01:00
Nasreddine Bencherchali f2bc1be460 Update proc_creation_win_service_execution.yml 2022-06-21 11:46:06 +01:00
Nasreddine Bencherchali 40ccd91a94 Update proc_creation_win_msdt_diagcab.yml
In my testing I found that the ".diagcab" extension is not required. You can use .txt with the /cab flag and it'll spawn an msdt process.

Also I added the "-" (dash) version of the flag
2022-06-21 11:45:53 +01:00
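The commit message above makes a concrete detection point: msdt.exe will process a file passed with /cab (or the dash form, -cab) even when that file does not carry the .diagcab extension, so a rule keyed on the extension misses it. The following is an added Python example, written for this page and not a SigmaHQ rule or any code from the repository, that runs flag-based detection logic over a handful of constructed process-creation events. The Sysmon-style field names (Image, CommandLine) and every sample command line are assumptions made for the example.

```python
import re

# Constructed Sysmon EventID 1 style process-creation events for the example.
# These are hand-written, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe /cab C:\Users\bob\Downloads\update.diagcab"},
    # Same flag, dash form, and a .txt payload: the extension-based check misses this one.
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe -cab C:\Users\bob\AppData\Local\Temp\notes.txt"},
    # Ordinary troubleshooter launch: no cab flag, should not match.
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe /id NetworkDiagnosticsWeb"},
    # Flag text present, but the image is not msdt.exe: should not match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo /cab"},
    # Mixed case to confirm the matching is case-insensitive, as Windows is.
    {"Image": r"C:\WINDOWS\SYSTEM32\MSDT.EXE",
     "CommandLine": r"MSDT.EXE /CAB C:\staging\x.bin"},
]

# Match the flag as a whole argument, accepting either "/" or "-" as the switch character.
CAB_FLAG_RE = re.compile(r"^[/-]cab$", re.IGNORECASE)


def is_msdt_cab_launch(event):
    """Return True when msdt.exe is started with a /cab or -cab argument.

    The file extension that follows the flag is deliberately ignored: the
    commit above reports that msdt accepts non-.diagcab files here, so the
    flag, not the extension, is the stable indicator.
    """
    image = event.get("Image", "").lower()
    if not image.endswith("\\msdt.exe"):
        return False
    # Whitespace tokenisation is enough for the flag token itself; a quoted path
    # with spaces only affects the argument after the flag, which we do not parse.
    args = event.get("CommandLine", "").split()
    return any(CAB_FLAG_RE.match(arg) for arg in args)


def scan_events(events):
    """Return the indices of events that match the msdt /cab logic."""
    return [i for i, ev in enumerate(events) if is_msdt_cab_launch(ev)]


if __name__ == "__main__":
    for idx in scan_events(SAMPLE_EVENTS):
        print("match:", SAMPLE_EVENTS[idx]["CommandLine"])
```

Anchoring on the image name and the whole flag token, rather than on a substring like "cab", keeps the cmd.exe event out and avoids matching unrelated arguments that merely contain those letters; the trade-off is that the logic says nothing about what msdt does with the referenced file, so it is a trigger for investigation, not proof of exploitation.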
Nasreddine Bencherchali d2ef62a49d Update proc_creation_win_enumeration_for_credentials_in_registry.yml 2022-06-21 11:45:01 +01:00
Nasreddine Bencherchali 4eb6b3509e Update proc_creation_win_accesschk_usage_after_priv_escalation.yml
Changed the rule as the original was flagging on every usage of "accessChk" which was not the intended behaviour as described.

The modification takes into consideration usage of the tool as seen in the referenced presentation and adds some more.
2022-06-21 11:44:51 +01:00
Nasreddine Bencherchali 0a39827674 Renamed + Refactor "findstr" rule 2022-06-21 11:42:14 +01:00
phantinuss 9475153292 fix: FPs found in testing environment 2022-06-20 16:17:54 +02:00
Florian Roth 50b2fad091 Merge branch 'master' into aurora-false-positive-fixing 2022-06-20 13:43:36 +02:00
Florian Roth 72de90d2aa fix: FPs 2022-06-20 12:52:23 +02:00
Florian Roth 10e39e41f7 Merge pull request #3143 from SigmaHQ/rule-devel
Rule level refactoring: critical > high
2022-06-19 15:04:46 +02:00
frack113 87bad74ab1 Add proc_creation_win_chrome_load_extension 2022-06-19 09:34:07 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Nasreddine Bencherchali f84c1436a3 Add missing "contains" modifier 2022-06-17 14:06:14 +01:00
Nasreddine Bencherchali 32c772d0df Update proc_creation_win_lolbin_openconsole.yml 2022-06-16 23:41:57 +01:00
Nasreddine Bencherchali 2ab106ddee Small Update and New Rule 2022-06-16 23:37:50 +01:00
G Y 1eb02a0025 Update proc_creation_win_sysinternals_eula_accepted.yml
Description changed (original description was taken from registry_add_sysinternals_eula_accepted.yml).
2022-06-16 14:49:17 +08:00
Nasreddine Bencherchali bc94d575b7 Update proc_creation_win_susp_explorer_break_proctree.yml 2022-06-14 19:31:25 +01:00
Nasreddine Bencherchali 3b7a405492 Update proc_creation_win_lolbin_forfiles.yml 2022-06-14 18:18:14 +01:00
Nasreddine Bencherchali 7f75aceaf7 Update proc_creation_win_lolbin_pcalua.yml 2022-06-14 17:41:09 +01:00
Nasreddine Bencherchali f9bbe7e423 Update proc_creation_win_susp_explorer_break_proctree.yml 2022-06-14 17:40:01 +01:00
Nasreddine Bencherchali f065928dc0 Create proc_creation_win_lolbin_pcalua.yml 2022-06-14 17:39:58 +01:00
Nasreddine Bencherchali f34bc22537 Create proc_creation_win_lolbin_forfiles.yml 2022-06-14 17:39:55 +01:00
Nasreddine Bencherchali 6476152624 Create proc_creation_win_conhost_path_traversal.yml 2022-06-14 17:39:52 +01:00
Florian Roth afce3ffcae Merge branch 'master' into msdt-rules 2022-06-13 22:55:40 +02:00
Florian Roth 2a4e6d8ebe Merge pull request #3123 from phantinuss/master
fix FP and add Follina reference to description
2022-06-13 22:54:54 +02:00
Florian Roth 037bf0f6bb Update proc_creation_win_lolbin_susp_certreq_download.yml 2022-06-13 18:27:56 +02:00
Nasreddine Bencherchali 0e0f44fc0c Update proc_creation_win_msdt.yml 2022-06-13 16:36:19 +01:00
Nasreddine Bencherchali 8ca55de64c Update proc_creation_win_msdt.yml 2022-06-13 14:33:12 +01:00
Nasreddine Bencherchali ffd236158c Update MSDT Rules 2022-06-13 14:30:35 +01:00
phantinuss 92c2976793 docs: add Follina reference in description 2022-06-13 13:30:21 +02:00
Nasreddine Bencherchali e96532344f Removed "modified" date 2022-06-13 11:31:47 +01:00