security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
13,286 Commits 1 Branch 57 Tags
c4a89b3b44ec21d323ecabf296e779b2e2a135d3
Commit Graph

10326 Commits

Author SHA1 Message Date
Nasreddine Bencherchali c4a89b3b44 Update proc_creation_win_susp_squirrel_lolbin.yml 2022-10-25 13:41:49 +02:00
Nasreddine Bencherchali b07f843a5a Update proc_creation_win_susp_squirrel_lolbin.yml 2022-10-25 11:18:38 +02:00
Nasreddine Bencherchali 3c9dd2a959 Update image_load_uipromptforcreds_dlls.yml 2022-10-24 13:45:10 +02:00
schatzimangou 612f66e8a0 Msiexec update in sigma rules 2022-10-24 08:18:25 +02:00
frack113 90aeea92bf Merge pull request #3615 from YamatoSecurity/update-win_audit_cve-rule 
update win_audit_cve rule
 2022-10-22 09:50:26 +02:00
Yamato Security 544da5aabd update modified date 2022-10-22 09:34:49 +09:00
frack113 0865182271 Merge pull request #3619 from phantinuss/master 
Fix Testing/Rules
 2022-10-21 18:30:48 +02:00
Florian Roth e9d7c3fdfc Merge pull request #3611 from nasbench/fix-false-positives 
Fix FP In Testing
 2022-10-21 18:11:27 +02:00
frack113 af6c1ab3dd Update registry_set_taskcache_entry.yml 2022-10-21 18:05:06 +02:00
phantinuss f642bff744 fix: fix typos found by new check 2022-10-21 17:29:34 +02:00
phantinuss 5bf0c43984 fix: FPs in testing in connection to Aurora 2022-10-21 17:29:34 +02:00
phantinuss e52e5ebf03 add new malicious user agent strings 2022-10-21 17:29:34 +02:00
Max Altgelt c21904620d fix: FP with conhost / csrss 2022-10-21 13:26:59 +02:00
Yamato Security ed37137b7d update win_audit_cve rule 2022-10-21 19:51:33 +09:00
Florian Roth 7bb2832e0f Merge pull request #3613 from nasbench/nasbench-rule-devel 
Rule Dev
 2022-10-21 08:57:43 +02:00
Florian Roth bdddb3945c Update proc_creation_win_lolbin_susp_wsl.yml 2022-10-21 08:55:51 +02:00
Florian Roth 0d9879506a Update registry_delete_removal_com_hijacking_registry_key.yml 2022-10-21 08:55:34 +02:00
Florian Roth 41ae5444c5 Update registry_set_asep_reg_keys_modification_currentversion.yml 2022-10-21 08:55:10 +02:00
frack113 c3f41918db Update registry_set_asep_reg_keys_modification_currentversion.yml 2022-10-21 07:00:25 +02:00
frack113 fd40c8ddce Merge pull request #3612 from qasimqlf/patch-8 
Update and rename posh_ps_copy_item_system32.yml
 2022-10-21 06:48:10 +02:00
phantinuss f4420ca3c3 fix: FPs found in testing environment 2022-10-20 17:25:23 +02:00
Nasreddine Bencherchali 43f6b7fd54 Update registry_set_asep_reg_keys_modification_currentversion.yml 2022-10-20 15:58:27 +02:00
Nasreddine Bencherchali 2b78d921c4 Update proc_creation_win_hack_rubeus.yml 2022-10-20 12:41:23 +02:00
Nasreddine Bencherchali b4cbd6b2ee Rework Rule Condition 2022-10-20 12:25:52 +02:00
Nasreddine Bencherchali 21f8477e43 Add missing OriginalFileName 
Add missing OriginalFileName for some rules
 2022-10-20 12:25:32 +02:00
Nasreddine Bencherchali aabd6efbc1 Create proc_creation_win_susp_service_dacl_modification_set_service.yml 
Add variation of the technique described in the rule 99cf1e02-00fb-4c0d-8375-563f978dfd37 using the "set-service" cmdlet
 2022-10-20 11:57:24 +02:00
Nasreddine Bencherchali 3cdd105355 Add SafetyKatz+Seatbelt Rules 2022-10-20 11:56:19 +02:00
Nasreddine Bencherchali 1ee657b1fc Update Hacktool Rules 2022-10-20 11:55:59 +02:00
Nasreddine Bencherchali 7621ce8899 Add New Vuln Driver 
Add new vuln driver related to CVE-2022-37969
 2022-10-20 11:55:36 +02:00
Nasreddine Bencherchali a13a5efd47 More FP tuning 2022-10-20 11:51:06 +02:00
Qasim Qlf 2c4ea3761a Update and rename posh_ps_copy_item_system32.yml to posh_ps_copy_item_system_directory.yml 2022-10-20 14:31:48 +05:00
Nasreddine Bencherchali 1512c50b4d Update proc_creation_win_lolbin_susp_wsl.yml 2022-10-20 11:19:54 +02:00
phantinuss 09b94e2081 fix: FP on test system 2022-10-20 11:08:41 +02:00
phantinuss f976ad48c1 Merge pull request #3602 from nasbench/nasbench-rule-devel 
Rule Dev
 2022-10-20 10:28:56 +02:00
frack113 27ad27c3c0 Merge pull request #3608 from unamuno/patch-mitreid 
changed mitre id from process to user discovery
 2022-10-19 22:31:37 +02:00
Nasreddine Bencherchali 4a61f56c5f Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-19 19:06:00 +02:00
Nasreddine Bencherchali 87c0788fca Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-19 19:04:53 +02:00
Merlin 575f36d8f8 changed mitre id from process to user discovery 2022-10-19 16:10:47 +02:00
phantinuss 7a6bb720d9 fix: FPs on test system 2022-10-19 15:44:00 +02:00
Nasreddine Bencherchali 21040fc106 Update posh_ps_using_set_service_to_hide_services.yml 2022-10-18 20:13:45 +02:00
Florian Roth e93b7bf571 Merge pull request #3601 from blueteam0ps/patch-9 
proxy_ua_rclone.yml
 2022-10-18 19:07:08 +02:00
Nasreddine Bencherchali a6edfd6c21 Add more details to the definition section 
Add more details to the definition section for events from the "Audit Directory Service Changes"
 2022-10-18 17:35:02 +02:00
Florian Roth eada6ed589 Update proxy_ua_rclone.yml 2022-10-18 17:21:54 +02:00
Nasreddine Bencherchali 2758e67185 Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-18 17:08:09 +02:00
Nasreddine Bencherchali 18ed0ce02a Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-18 17:07:36 +02:00
phantinuss a5b08d5b9c fix: FPs on test machine 2022-10-18 16:39:04 +02:00
Nasreddine Bencherchali 676578d2c4 Add PowerShell version of the rule + Fix rule 2022-10-18 16:03:26 +02:00
Nasreddine Bencherchali ce567a4d8d Fix wording in definition + Add FP description 2022-10-18 16:02:41 +02:00
Nasreddine Bencherchali 2a86dd3d71 Reduce to medium level due to FP 2022-10-18 14:13:43 +02:00
Nasreddine Bencherchali 0fc2e75c0d Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2022-10-18 14:12:39 +02:00