Commit Graph

186 Commits

Author SHA1 Message Date
Nasreddine Bencherchali b6dce4b6a5 feat: general fixes 2022-11-22 01:22:36 +01:00
Florian Roth 9bf023ceba Merge pull request #3670 from nasbench/fix-false-positives
Aurora - Fix FP Found In Testing
2022-11-04 17:56:32 +01:00
Florian Roth d254c7a514 Update rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-11-04 10:49:17 +01:00
Florian Roth 4fcac3089d Rule: Ngrok tunnel LNX 2022-11-03 17:41:23 +01:00
Florian Roth e6278f839b Rule: Ngrok Tunnel Target 2022-11-03 17:38:53 +01:00
Nasreddine Bencherchali 5ee9428e59 Fix 2022-11-03 09:39:48 +01:00
frack113 a3eed2b760 Order yaml field 2022-10-26 09:42:26 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Florian Roth b634e1a3f9 Merge pull request #3562 from nasbench/pysigma-fix
PySigma Issues Fix
2022-10-07 09:21:15 +02:00
frack113 7539d29e8b Merge pull request #3559 from nasbench/nasbench-rule-devel
Rule Dev
2022-10-07 06:07:43 +02:00
Nasreddine Bencherchali 2c26614ce4 Update Wildcard + Int to Str fields 2022-10-05 23:15:20 +02:00
Nasreddine Bencherchali 40dcb9a4c9 Update + Rename 2022-10-05 10:42:29 +02:00
Nasreddine Bencherchali 2ecf9ec7e1 Updates 2022-10-04 20:57:11 +02:00
Florian Roth 50b9a3e073 fix: FPs with MS IPs 2022-10-04 19:21:41 +02:00
Nasreddine Bencherchali 7dd2af08e7 Update net_connection_win_python.yml 2022-09-21 12:16:15 +02:00
Nasreddine Bencherchali a0c3449079 Fix typo 2022-09-21 11:59:12 +02:00
Nasreddine Bencherchali 59530f49d4 Fix more FP in testing 2022-09-21 11:53:39 +02:00
nasreddine.bencherchali@nextron-systems.com 0caeaaa122 Update rules 2022-09-13 10:02:32 +02:00
Florian Roth efe4d62a54 Merge pull request #3459 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-09-06 08:41:02 +02:00
Florian Roth cab6ccc18a Merge branch 'master' into aurora-false-positive-fixing 2022-09-05 16:57:10 +02:00
Florian Roth 468b303660 Update net_connection_win_certutil.yml 2022-09-05 11:59:15 +02:00
frack113 5e5f3c803e Fix tag 2022-09-02 17:32:50 +02:00
frack113 8f0ade9ad9 Fix name 2022-09-02 17:28:36 +02:00
frack113 693b7761c1 Add net_connection_win_certutil 2022-09-02 17:23:23 +02:00
Florian Roth 3ee77e1446 fix: FPs noticed with Aurora 2022-09-02 16:57:23 +02:00
Nasreddine Bencherchali 343b0ef199 Update net_connection_win_susp_cmstp.yml 2022-08-31 09:46:18 +02:00
Nasreddine Bencherchali 77c5640839 Update net_connection_win_susp_cmstp.yml 2022-08-31 09:42:25 +02:00
Nasreddine Bencherchali 399a18b762 Update net_connection_win_susp_cmstp.yml 2022-08-31 09:41:25 +02:00
Nasreddine Bencherchali ea183cae13 Updates+New Rules 2022-08-31 09:39:16 +02:00
frack113 45a87dd22d Update net_connection_win_dead_drop_resolvers.yml 2022-08-30 08:22:10 +02:00
Feathers 4d3d9b10ea Update net_connection_win_dead_drop_resolvers.yml
Added the domain cdn.discordapp.com since it is commonly used by malware families
2022-08-29 12:41:57 +02:00
Wagga 8f84d10855 Update net_connection_win_excel_outbound_network_connection.yml 2022-08-29 07:21:47 +02:00
Florian Roth a49e2fe1ee refactor: add IPv6 addresses 2022-08-28 19:31:14 +02:00
Florian Roth 6fc281d1d6 some more 2022-08-28 18:59:34 +02:00
frack113 600500d963 fix space 2022-08-28 12:17:36 +02:00
frack113 9408b0a8ca Add net_connection_win_script_wan 2022-08-28 12:15:33 +02:00
Florian Roth 2e334cb7f1 Update net_connection_win_script.yml 2022-08-28 11:35:03 +02:00
frack113 b9a2c720a8 Redcannary 20220828 2022-08-28 11:16:24 +02:00
Florian Roth c5e183cf2e Merge pull request #3432 from SigmaHQ/rule-devel
Create Stream Hash Rules
2022-08-25 14:17:50 +02:00
Florian Roth 6a81603d28 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-08-24 16:51:27 +02:00
Florian Roth 4baa18bd33 refactor: added transfer.sh domain 2022-08-24 16:51:26 +02:00
Yamato Security 1faef2fa97 fix backend bool conversion errors 2022-08-24 09:23:35 +09:00
frack113 991560a746 Merge pull request #3392 from ionsor/patch-5
Create net_connection_win_dead_drop_resolvers.yml
2022-08-18 18:29:45 +02:00
Feathers 9f2ab4e047 Update net_connection_win_dead_drop_resolvers.yml
added a few more apps which are triggering false positives, and comments to identify the process with the application
2022-08-17 18:43:47 +02:00
Feathers 41c3ea16b1 Update net_connection_win_dead_drop_resolvers.yml
corrected the MITRE tags
2022-08-17 18:14:43 +02:00
Feathers 60ac757cf2 Create net_connection_win_dead_drop_resolvers.yml
This detection is an attempt to spot dead drop resolvers for those who don't have packet inspection. Most often dead drop resolvers are initiated from the malware itself, which makes them easy to detect since most often users access social media websites from internet browsers.
2022-08-17 16:09:11 +02:00
Florian Roth eeeae44db5 Merge branch 'master' into rule-devel 2022-08-17 09:14:47 +02:00
Florian Roth 96276dc36e Rule Updates / New Rules 2022-08-17 09:14:13 +02:00
phantinuss 48f8f788e8 fix: FP in testing from localhost to localhost from BITS service 2022-08-16 17:02:49 +02:00
frack113 3426dfb6e9 Update backslash 2022-08-13 09:59:31 +02:00