Commit Graph

7303 Commits

Author SHA1 Message Date
phantinuss bde259619e Merge pull request #3333 from frack113/short_path
Use short name path
2022-08-09 16:49:23 +02:00
phantinuss 84e234575e Merge pull request #3341 from phantinuss/master
fix: use wildcard * instead of plaintext *
2022-08-09 11:10:03 +02:00
phantinuss 7ff91656ed fix: remove duplicate filter 2022-08-09 10:56:58 +02:00
phantinuss 43ac43c70d fix: FP found in testing 2022-08-09 10:56:00 +02:00
phantinuss a90ba27a1c fix: do not use wildcard, where not needed 2022-08-09 10:55:05 +02:00
frack113 dcfc0b4095 Merge pull request #3336 from frack113/DbgManagedDebugger
Add registry_set_dbgmanageddebugger_persistence.yml
2022-08-08 18:49:47 +02:00
phantinuss ef1f2b13ec fix: use wildcard * instead of plaintext *
the changed files seem like they used an escaped * by mistake
2022-08-08 17:54:46 +02:00
phantinuss eaa0f339ac fix: remove TargetObject, too many occurrences in testing 2022-08-08 13:57:32 +02:00
frack113 39fa020092 Add registry_set_dbgmanageddebugger_persistence.yml 2022-08-07 10:30:30 +02:00
frack113 f1eba85780 Add short name path 2022-08-07 08:37:58 +02:00
frack113 c38bfe86da Add short path and Image 2022-08-06 11:25:44 +02:00
frack113 7553a98be0 Merge pull request #3328 from frack113/legacy_short_name
Add proc_creation_win_shortname_use.yml
2022-08-06 07:41:12 +02:00
Florian Roth 8041ab5130 Merge pull request #3325 from nasbench/nasbench-rule-devel
Update+New Rules
2022-08-05 23:42:09 +02:00
Nasreddine Bencherchali b6bac087ef Update posh_ps_tamper_defender_remove_mppreference.yml 2022-08-05 18:45:44 +01:00
Nasreddine Bencherchali b4472132a4 Fix after review 2022-08-05 18:40:12 +01:00
Nasreddine Bencherchali a5c277d06c Update and new rule 2022-08-05 17:48:35 +01:00
Nasreddine Bencherchali 95e0e51e11 Update registry_delete_exploit_guard_protected_folders.yml 2022-08-05 17:22:23 +01:00
Nasreddine Bencherchali dfb725171a Update registry_delete_exploit_guard_protected_folders.yml 2022-08-05 17:14:19 +01:00
Nasreddine Bencherchali 01c1472897 Update registry_set_exploit_guard_susp_allowed_apps.yml 2022-08-05 17:13:15 +01:00
Nasreddine Bencherchali f704feaf69 New Rules 2022-08-05 17:11:42 +01:00
Nasreddine Bencherchali 9ef9103368 Update PowerShell + other rules 2022-08-05 17:10:41 +01:00
Florian Roth a5427a6a33 Merge pull request #3329 from RomaissaAdjailia/master
Update win_applocker_file_was_not_allowed_to_run.yml
2022-08-05 17:07:01 +02:00
RomaissaAdjailia 1af9219b8b Update win_applocker_file_was_not_allowed_to_run.yml 2022-08-05 15:34:41 +01:00
RomaissaAdjailia 461348c88b Update win_applocker_file_was_not_allowed_to_run.yml 2022-08-05 15:23:52 +01:00
Nasreddine Bencherchali 5cf67492b7 fix fp 2022-08-05 12:34:48 +01:00
Nasreddine Bencherchali a50b35cdfa Update reg 2022-08-05 12:29:36 +01:00
frack113 cb5c245a3a Add proc_creation_win_shortname_use.yml 2022-08-05 12:04:00 +02:00
Nasreddine Bencherchali d259f9400e Update 2022-08-05 10:18:07 +01:00
Florian Roth d5f7de1314 Merge pull request #3324 from SigmaHQ/rule-devel
Suspicious IIS Registration, Plink refactoring, remove Github compromise rules
2022-08-05 09:39:41 +02:00
Nasreddine Bencherchali 07e55593c3 Update some registry rules 2022-08-05 00:39:32 +01:00
Nasreddine Bencherchali f2bec5c6af Update provider + rules 2022-08-04 21:58:07 +01:00
Nasreddine Bencherchali 23052b8b19 Update proc_creation_win_susp_copy_system32.yml 2022-08-04 19:43:36 +01:00
Nasreddine Bencherchali 751fbd7a2e Update proc_creation_win_susp_calc.yml 2022-08-04 19:36:07 +01:00
Nasreddine Bencherchali be40827c9b Update proc_creation_win_susp_calc.yml 2022-08-04 19:28:28 +01:00
Nasreddine Bencherchali fb1deb7fb2 Update pipe_created_psexec_default_pipe_from_susp_location.yml 2022-08-04 19:18:42 +01:00
Nasreddine Bencherchali 307f9c6a35 New rules 2022-08-04 19:11:16 +01:00
Florian Roth 664ec8b43e refactor: remove rules for false alarm
https://twitter.com/cyb3rops/status/1555242921850544131
2022-08-04 20:05:16 +02:00
Nasreddine Bencherchali d6a2c13738 Update rules (desc, selection, logic) 2022-08-04 18:08:08 +01:00
Florian Roth 7b6e92afca fix: attack tag 2022-08-04 18:51:44 +02:00
Nasreddine Bencherchali fe2e279cfa Add more comsvcs variations
Based on this https://twitter.com/Wietze/status/1542107456507203586
2022-08-04 16:18:51 +01:00
Nasreddine Bencherchali 2d46263054 Renamed rule filename for conformity 2022-08-04 15:57:43 +01:00
Nasreddine Bencherchali 6d66ed6267 Update description + Missing related field 2022-08-04 15:57:18 +01:00
Nasreddine Bencherchali df74e42243 Add missing definition for named pipe rules 2022-08-04 15:56:47 +01:00
Florian Roth 14dba5ba8b refactor: plink usage / tunneling 2022-08-04 16:54:15 +02:00
Florian Roth d535ff34b9 rule: Suspicious IIS module installation 2022-08-04 15:27:47 +02:00
Nasreddine Bencherchali 34bb346b5c Renamed because name too long 2022-08-04 13:45:35 +01:00
Florian Roth d46d89e403 Merge pull request #3315 from nasbench/nasbench-rule-devel
New Rules + Update
2022-08-04 13:34:26 +02:00
Florian Roth 8396f87533 Update win_security_mitigations_unsigned_dll_from_susp_location.yml 2022-08-04 13:17:36 +02:00
Nasreddine Bencherchali 0e133f7d58 Additional updates 2022-08-04 11:53:09 +01:00
Nasreddine Bencherchali 58e82da488 Rename because too long 2022-08-04 11:20:28 +01:00