Commit Graph

10790 Commits

Author SHA1 Message Date
frack113 bfa5e4ecf5 Update rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-16 08:28:45 +01:00
Veramine 3b6403fc8a Update proc_creation_win_rundll32_parent_explorer.yml
Remove the false positive of explorer.exe launching rundll32.exe to load a DLL already present on the system. The specific false positive case we encountered was "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" C:\\Windows\\System32\\LogiLDA.dll,LogiFetch". The BumbleBee case loaded a DLL from the ISO so that should still be detected.
2022-12-15 14:54:46 -08:00
frack113 4253d5a4be Merge pull request #3788 from frack113/japan
Add image_load_side_load_jsschhlp
2022-12-15 06:31:47 +01:00
frack113 18132ed085 Merge pull request #3787 from nasbench/nasbench-rule-devel
feat: add type lolbin rule and update ldap etw rule
2022-12-15 06:30:43 +01:00
Nasreddine Bencherchali cc658743e6 fix: add additional reference 2022-12-14 23:25:13 +01:00
Nasreddine Bencherchali ec63adb32f fix: update title 2022-12-14 23:12:23 +01:00
frack113 c7e772eff9 Add image_load_side_load_jsschhlp 2022-12-14 19:24:32 +01:00
Nasreddine Bencherchali 79e83766eb feat: update ldap rule with additional strings 2022-12-14 16:52:04 +01:00
frack113 a2e818ddca Merge pull request #3785 from veramine/patch-4
Add System to list of built-in Windows processes with no extension
2022-12-14 16:06:48 +01:00
Nasreddine Bencherchali d6d41c12d1 feat: new rule related to using type as lolbin 2022-12-14 15:37:46 +01:00
Nasreddine Bencherchali b41ba894e5 fix: rename rule to follow convention 2022-12-14 15:37:28 +01:00
Florian Roth 6a7ae2fb19 Merge pull request #3786 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-12-14 15:27:13 +01:00
Florian Roth c98e9ec3cc fix: list with one element issue 2022-12-14 13:23:28 +01:00
Florian Roth 643a06766e fix: FP with NVIDIA driver installation 2022-12-14 13:21:54 +01:00
frack113 be8338774c Merge pull request #3784 from veramine/patch-3
Add System to list of built-in Windows processes
2022-12-14 13:21:12 +01:00
frack113 9af4c20912 Merge pull request #3783 from nasbench/nasbench-rule-devel
feat: updates and enhancements
2022-12-14 13:19:46 +01:00
frack113 c3863afdc3 Merge pull request #3782 from securepeacock/patch-36
Update proc_creation_win_susp_runonce_execution.yml
2022-12-14 13:19:07 +01:00
Florian Roth 7365e12478 docs: explanation for filter 2022-12-14 13:08:10 +01:00
Florian Roth 232d7f840a fix: FPs noticed with Aurora 2022-12-14 13:05:58 +01:00
Veramine a6a41eae8f Removed System from CommandLine 2022-12-14 02:25:21 -08:00
Veramine 6540ca0ed9 Update modified date 2022-12-14 02:13:53 -08:00
Nasreddine Bencherchali d8e29c80fa fix: remove filter 2022-12-14 11:09:46 +01:00
Nasreddine Bencherchali a848537bac fix: update commandline selection 2022-12-14 11:09:35 +01:00
Veramine 8a529a14c0 Add System to list of built-in Windows processes with no extension 2022-12-14 02:08:30 -08:00
Veramine 41fcd73fad Add System to list of built-in Windows processes 2022-12-14 02:06:40 -08:00
Nasreddine Bencherchali 287916fa8b fix: update logic 2022-12-13 23:49:58 +01:00
Nasreddine Bencherchali d8b69e7a02 Merge pull request #3779 from frack113/dll_classicexplorer
Add image_load_side_load_classicexplorer32
2022-12-13 18:41:01 +01:00
frack113 fd76082c14 Apply suggestions from code review
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-13 18:26:42 +01:00
securepeacock fea413849b Update proc_creation_win_susp_runonce_execution.yml 2022-12-13 11:12:55 -05:00
securepeacock af3857b42f Update proc_creation_win_susp_runonce_execution.yml 2022-12-13 10:27:21 -05:00
securepeacock ad55efd25f Update proc_creation_win_susp_runonce_execution.yml
Added coverage for a new procedure identified here: https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
2022-12-13 09:50:43 -05:00
Nasreddine Bencherchali 5232094c71 fix: more fp found in testing and enhance fp metadata 2022-12-13 11:25:23 +01:00
frack113 3b88cab510 Add image_load_side_load_classicexplorer32 2022-12-13 10:26:21 +01:00
frack113 24d983a6a9 Merge pull request #3775 from danielgottt/patch-9
Create proc_creation_win_lolbin_setres.yml
2022-12-13 06:45:39 +01:00
frack113 ad75051c40 Merge pull request #3776 from danielgottt/patch-10
Create web_apache_solr_lfi_exploit.yml
2022-12-13 06:45:03 +01:00
Nasreddine Bencherchali 078fcaab28 fix: update description 2022-12-13 00:17:04 +01:00
Nasreddine Bencherchali 8011ef23a3 fix: enhance logic, description and title 2022-12-13 00:15:49 +01:00
Nasreddine Bencherchali aca5dccd7f fix: change title 2022-12-13 00:01:46 +01:00
Gott 796db1479f Update web_cve_2021_27905_apache_solr_lfi_exploit.yml 2022-12-12 17:31:32 -05:00
Nasreddine Bencherchali 14ccb7b00e fix: broken tag 2022-12-12 23:26:19 +01:00
Gott 11351b78dd Rename web_cve_2021-27905_apache_solr_lfi_exploit.yml to web_cve_2021_27905_apache_solr_lfi_exploit.yml 2022-12-12 17:17:11 -05:00
Gott c91c775f58 Rename web_apache_solr_lfi_exploit.yml to web_cve_2021-27905_apache_solr_lfi_exploit.yml 2022-12-12 17:16:52 -05:00
Gott b9b88b1382 Update web_apache_solr_lfi_exploit.yml 2022-12-12 17:16:03 -05:00
Gott 120bff21f8 Update proc_creation_win_lolbin_setres.yml 2022-12-12 17:09:26 -05:00
Gott a7662a7350 Update rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-12 17:07:05 -05:00
Nasreddine Bencherchali 681c720509 fix: fp in user_driver_loaded rule 2022-12-12 22:30:08 +01:00
Nasreddine Bencherchali 14a2bf3b59 fix: error in selection 2022-12-12 22:16:38 +01:00
Nasreddine Bencherchali 622fb687b7 fix: update logic and other information 2022-12-12 21:58:17 +01:00
Micah Babinski 52997da9b2 Modified level (reduce severity) 2022-12-12 07:33:47 -08:00
Micah Babinski e8a980161c Fixed rule description and title. 2022-12-12 07:32:26 -08:00