security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
13,341 Commits 1 Branch 57 Tags
c2045d6a9155bc5df706dca520156fc4ea448144
Commit Graph

3909 Commits

Author SHA1 Message Date
Nasreddine Bencherchali efe0cf5871 Add/Update Exchange/Mailbox Rules 2022-10-26 23:17:54 +02:00
Nasreddine Bencherchali 388624e279 Update PsExec Rules 2022-10-26 23:15:01 +02:00
Nasreddine Bencherchali aa75e084e8 Fix Issue #3593 2022-10-26 18:22:26 +02:00
Nasreddine Bencherchali bb84e503fa Merge branch 'master' into nasbench-rule-devel 2022-10-26 10:39:55 +02:00
Nasreddine Bencherchali c495a61692 Update proc_creation_win_susp_office_token_search.yml 2022-10-26 10:37:23 +02:00
Nasreddine Bencherchali 37af110aa2 Update proc_creation_win_susp_office_token_search.yml 2022-10-25 23:48:08 +02:00
Nasreddine Bencherchali 29661b98af Apply suggestions from code review 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2022-10-25 15:17:50 +02:00
Nasreddine Bencherchali c4a89b3b44 Update proc_creation_win_susp_squirrel_lolbin.yml 2022-10-25 13:41:49 +02:00
Nasreddine Bencherchali 214ba4b2e2 Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2022-10-25 12:27:43 +02:00
Nasreddine Bencherchali b07f843a5a Update proc_creation_win_susp_squirrel_lolbin.yml 2022-10-25 11:18:38 +02:00
Nasreddine Bencherchali ada1121447 Add Office Token Stealing Rules 2022-10-25 01:14:27 +02:00
Nasreddine Bencherchali 34e9f0530b Add Inveigh Rules 2022-10-24 22:57:48 +02:00
schatzimangou 612f66e8a0 Msiexec update in sigma rules 2022-10-24 08:18:25 +02:00
nasreddine.bencherchali@nextron-systems.com c6bd6ec489 Create proc_creation_win_susp_electron_app_children.yml 2022-10-24 01:04:43 +02:00
Florian Roth e9d7c3fdfc Merge pull request #3611 from nasbench/fix-false-positives 
Fix FP In Testing
 2022-10-21 18:11:27 +02:00
Max Altgelt c21904620d fix: FP with conhost / csrss 2022-10-21 13:26:59 +02:00
Florian Roth 7bb2832e0f Merge pull request #3613 from nasbench/nasbench-rule-devel 
Rule Dev
 2022-10-21 08:57:43 +02:00
Florian Roth bdddb3945c Update proc_creation_win_lolbin_susp_wsl.yml 2022-10-21 08:55:51 +02:00
Nasreddine Bencherchali 2b78d921c4 Update proc_creation_win_hack_rubeus.yml 2022-10-20 12:41:23 +02:00
Nasreddine Bencherchali b4cbd6b2ee Rework Rule Condition 2022-10-20 12:25:52 +02:00
Nasreddine Bencherchali 21f8477e43 Add missing OriginalFileName 
Add missing OriginalFileName for some rules
 2022-10-20 12:25:32 +02:00
Nasreddine Bencherchali aabd6efbc1 Create proc_creation_win_susp_service_dacl_modification_set_service.yml 
Add variation of the technique described in the rule 99cf1e02-00fb-4c0d-8375-563f978dfd37 using the "set-service" cmdlet
 2022-10-20 11:57:24 +02:00
Nasreddine Bencherchali 3cdd105355 Add SafetyKatz+Seatbelt Rules 2022-10-20 11:56:19 +02:00
Nasreddine Bencherchali 1ee657b1fc Update Hacktool Rules 2022-10-20 11:55:59 +02:00
Nasreddine Bencherchali 1512c50b4d Update proc_creation_win_lolbin_susp_wsl.yml 2022-10-20 11:19:54 +02:00
phantinuss 09b94e2081 fix: FP on test system 2022-10-20 11:08:41 +02:00
phantinuss f976ad48c1 Merge pull request #3602 from nasbench/nasbench-rule-devel 
Rule Dev
 2022-10-20 10:28:56 +02:00
phantinuss 7a6bb720d9 fix: FPs on test system 2022-10-19 15:44:00 +02:00
Nasreddine Bencherchali 676578d2c4 Add PowerShell version of the rule + Fix rule 2022-10-18 16:03:26 +02:00
Nasreddine Bencherchali 0fc2e75c0d Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2022-10-18 14:12:39 +02:00
Nasreddine Bencherchali a72aedb1cc Small Update To FP 2022-10-18 11:51:37 +02:00
securepeacock cef6ea0b6b Update proc_creation_win_renamed_binary.yml 
Added InstallUtil
https://twitter.com/424f424f/status/1582048291294162946?s=20&t=5uYGiwA_fJP8-7pnK2yViQ
 2022-10-17 12:58:29 -04:00
Nasreddine Bencherchali b5500687fa Add Hide Service Via SDDL Rule 
Ref:  https://twitter.com/Alh4zr3d/status/1580925761996828672
 2022-10-17 14:26:29 +02:00
Florian Roth 450229537e Merge pull request #3595 from SigmaHQ/rule-devel 
rule: extended susp adfind rule, rule: susp wermgr process patterns
 2022-10-15 10:49:50 +02:00
Florian Roth 404a1b4c6a Merge pull request #3590 from dmuensterer/patch-1 
Filter Dell Update Utility: proc_creation_win_susp_non_exe_image.yml
 2022-10-14 18:04:59 +02:00
Florian Roth 77a61facd2 fix: wrong selector in condition 2022-10-14 17:27:20 +02:00
Florian Roth cc8a1a5441 rule: suspicious wermgr process trees 2022-10-14 15:43:02 +02:00
phantinuss cca32d824a fix: FP on testing system 2022-10-14 14:08:45 +02:00
Florian Roth c4ea037717 Merge pull request #3549 from aaronherman/add-susp-lolbin-non-c 
Add rule for suspicious lolbin executing in non-c drive
 2022-10-14 13:23:35 +02:00
Florian Roth d4ed33b84b fix: typo in filter 2022-10-14 12:42:49 +02:00
Florian Roth b4e1bd1659 Update proc_creation_win_susp_non_exe_image.yml 2022-10-14 12:25:48 +02:00
Florian Roth 6706a67bb8 refactor: move few apt rules to categories, del 'apt' folder 2022-10-14 11:44:49 +02:00
Florian Roth 7c44a58e5d refactor: extended renamed adfind detection 2022-10-14 11:40:49 +02:00
frack113 329e0f33d0 Merge pull request #3586 from nasbench/nasbench-rule-devel 
Rule Dev - New+Updated Rules
 2022-10-14 10:57:44 +02:00
dmuensterer 84daaa0c76 Update proc_creation_win_susp_non_exe_image.yml 
Added false positive filter for Dell Dockingstation Update Utility.

The Image has a value similar to: C:\Windows\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE
ParentImage will always be: C:\Windows\Temp\*\TBT_Dock_Firmware\GetDockVer32W.exe
SHA256: cd2688a74a151b03282388dadb8b6aaca309f2535c8b2b21d1243846d2b259dc
MD5:
 2022-10-14 10:36:08 +02:00
Florian Roth 0d5dba2d94 Merge pull request #3587 from nasbench/fix-false-positives 
Fix False Positives
 2022-10-14 10:22:24 +02:00
Nasreddine Bencherchali 64ade5eb3c Update proc_creation_win_get_localgroup_member_recon.yml 2022-10-14 01:01:43 +02:00
Nasreddine Bencherchali 48e7f9e302 Merge branch 'master' into nasbench-rule-devel 2022-10-14 00:49:20 +02:00
Nasreddine Bencherchali 992538ce09 Update proc_creation_win_system_exe_anomaly.yml 2022-10-14 00:39:12 +02:00
Nasreddine Bencherchali 48af508541 Create proc_creation_win_office_svchost_child.yml 2022-10-13 13:20:58 +02:00