frack113
bfa5e4ecf5
Update rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-16 08:28:45 +01:00
Veramine
3b6403fc8a
Update proc_creation_win_rundll32_parent_explorer.yml
Remove the false positive of explorer.exe launching rundll32.exe to load a DLL already present on the system. The specific false positive case we encountered was "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" C:\\Windows\\System32\\LogiLDA.dll,LogiFetch". The BumbleBee case loaded a DLL from the ISO so that should still be detected.
2022-12-15 14:54:46 -08:00
frack113
18132ed085
Merge pull request #3787 from nasbench/nasbench-rule-devel
feat: add type lolbin rule and update ldap etw rule
2022-12-15 06:30:43 +01:00
frack113
a2e818ddca
Merge pull request #3785 from veramine/patch-4
Add System to list of built-in Windows processes with no extension
2022-12-14 16:06:48 +01:00
Nasreddine Bencherchali
d6d41c12d1
feat: new rule related to using type as lolbin
2022-12-14 15:37:46 +01:00
Nasreddine Bencherchali
b41ba894e5
fix: rename rule to follow convention
2022-12-14 15:37:28 +01:00
frack113
be8338774c
Merge pull request #3784 from veramine/patch-3
Add System to list of built-in Windows processes
2022-12-14 13:21:12 +01:00
frack113
9af4c20912
Merge pull request #3783 from nasbench/nasbench-rule-devel
feat: updates and enhancements
2022-12-14 13:19:46 +01:00
Veramine
a6a41eae8f
Removed System from CommandLine
2022-12-14 02:25:21 -08:00
Veramine
6540ca0ed9
Update modified date
2022-12-14 02:13:53 -08:00
Nasreddine Bencherchali
d8e29c80fa
fix: remove filter
2022-12-14 11:09:46 +01:00
Nasreddine Bencherchali
a848537bac
fix: update commandline selection
2022-12-14 11:09:35 +01:00
Veramine
8a529a14c0
Add System to list of built-in Windows processes with no extension
2022-12-14 02:08:30 -08:00
Veramine
41fcd73fad
Add System to list of built-in Windows processes
2022-12-14 02:06:40 -08:00
Nasreddine Bencherchali
287916fa8b
fix: update logic
2022-12-13 23:49:58 +01:00
securepeacock
fea413849b
Update proc_creation_win_susp_runonce_execution.yml
2022-12-13 11:12:55 -05:00
securepeacock
af3857b42f
Update proc_creation_win_susp_runonce_execution.yml
2022-12-13 10:27:21 -05:00
securepeacock
ad55efd25f
Update proc_creation_win_susp_runonce_execution.yml
Added coverage for a new procedure identified here: https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
2022-12-13 09:50:43 -05:00
Nasreddine Bencherchali
5232094c71
fix: more fp found in testing and enhance fp metadata
2022-12-13 11:25:23 +01:00
frack113
24d983a6a9
Merge pull request #3775 from danielgottt/patch-9
Create proc_creation_win_lolbin_setres.yml
2022-12-13 06:45:39 +01:00
Nasreddine Bencherchali
aca5dccd7f
fix: change title
2022-12-13 00:01:46 +01:00
Gott
120bff21f8
Update proc_creation_win_lolbin_setres.yml
2022-12-12 17:09:26 -05:00
Gott
a7662a7350
Update rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-12 17:07:05 -05:00
Nasreddine Bencherchali
14a2bf3b59
fix: error in selection
2022-12-12 22:16:38 +01:00
Nasreddine Bencherchali
622fb687b7
fix: update logic and other information
2022-12-12 21:58:17 +01:00
Micah Babinski
52997da9b2
Modified level (reduce severity)
2022-12-12 07:33:47 -08:00
Micah Babinski
e8a980161c
Fixed rule description and title.
2022-12-12 07:32:26 -08:00
Micah Babinski
da2d06fa37
Added suspicious rcedit rule.
2022-12-12 07:28:57 -08:00
Nasreddine Bencherchali
1b63d9b413
Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel
2022-12-12 13:41:42 +01:00
Nasreddine Bencherchali
1cfd7794d2
fix: fix FP found in testing
2022-12-12 13:40:55 +01:00
frack113
0328946e69
Merge pull request #3774 from frack113/redcanary_20221211
Red Canary rules
2022-12-12 13:30:20 +01:00
frack113
d797bf0eb1
Apply suggestions from code review
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-12 13:23:59 +01:00
Nasreddine Bencherchali
d1e47d836a
feat: add related id
2022-12-12 10:44:11 +01:00
Nasreddine Bencherchali
f4cebfe7ac
fix: update title and description to reflect logic
2022-12-12 10:42:34 +01:00
Nasreddine Bencherchali
04b3d8885f
fix: deprecate 72671447-4352-4413-bb91-b85569687135
2022-12-12 10:41:52 +01:00
Gott
063aac1b4d
Update proc_creation_win_lolbin_setres.yml
2022-12-11 11:57:22 -05:00
Gott
3a1fe16570
Update proc_creation_win_lolbin_setres.yml
selection correction and detection logic correction
2022-12-11 11:25:12 -05:00
Gott
ff14120ee5
Update proc_creation_win_lolbin_setres.yml
corrected duplicate tags
2022-12-11 10:17:53 -05:00
Gott
fec7756b8b
Create proc_creation_win_lolbin_setres.yml
2022-12-11 10:00:05 -05:00
frack113
646d861471
Red Canary
2022-12-11 10:57:28 +01:00
Florian Roth
62347bcc80
Merge pull request #3772 from nasbench/nasbench-rule-devel
feat: updates and enhancements
2022-12-10 17:02:14 +01:00
Veramine
9662897442
Update proc_creation_win_susp_conhost_option.yml (#3763)
2022-12-09 21:13:58 +01:00
Nasreddine Bencherchali
76fca5aa4b
fix: update title to reflect logic
2022-12-09 19:37:53 +01:00
Nasreddine Bencherchali
bacd8078c5
feat: update detection section
2022-12-09 19:18:09 +01:00
Nasreddine Bencherchali
89e44d46cb
feat: update .net etw tamper rules
2022-12-09 18:06:20 +01:00
Nasreddine Bencherchali
1143ec85b4
feat: enhance pssnapin rule
2022-12-09 16:38:32 +01:00
Nasreddine Bencherchali
0783d6df22
feat: update Lsass-Shtinkering rules
2022-12-09 12:22:50 +01:00
Nasreddine Bencherchali
7cd15d0bc1
fix: update metadata
2022-12-09 10:34:06 +01:00
Qasim Qlf
fb8e0894b0
fix: condition
2022-12-09 13:42:49 +05:00
Florian Roth
4013ee645e
Merge pull request #3767 from qasimqlf/patch-14
Added more FPs
2022-12-09 09:07:17 +01:00