Nasreddine Bencherchali
751fbd7a2e
Update proc_creation_win_susp_calc.yml
2022-08-04 19:36:07 +01:00
Nasreddine Bencherchali
be40827c9b
Update proc_creation_win_susp_calc.yml
2022-08-04 19:28:28 +01:00
Nasreddine Bencherchali
307f9c6a35
New rules
2022-08-04 19:11:16 +01:00
Nasreddine Bencherchali
d6a2c13738
Update rules (desc, selection, logic)
2022-08-04 18:08:08 +01:00
Florian Roth
7b6e92afca
fix: attack tag
2022-08-04 18:51:44 +02:00
Nasreddine Bencherchali
fe2e279cfa
Add more comsvcs variations
...
Based on this https://twitter.com/Wietze/status/1542107456507203586
2022-08-04 16:18:51 +01:00
Nasreddine Bencherchali
6d66ed6267
Update description + Missing related field
2022-08-04 15:57:18 +01:00
Florian Roth
14dba5ba8b
refactor: plink usage / tunneling
2022-08-04 16:54:15 +02:00
Florian Roth
d535ff34b9
rule: Suspicious IIS module installation
2022-08-04 15:27:47 +02:00
Florian Roth
d46d89e403
Merge pull request #3315 from nasbench/nasbench-rule-devel
...
New Rules + Update
2022-08-04 13:34:26 +02:00
Florian Roth
f9b9af87ff
fix: FP with MpCmdRun rule
2022-08-04 13:12:53 +02:00
Nasreddine Bencherchali
0e133f7d58
Additional updates
2022-08-04 11:53:09 +01:00
Nasreddine Bencherchali
83451b3e6d
Update proc_creation_win_exfil_data_via_cli.yml
2022-08-04 10:58:56 +01:00
Nasreddine Bencherchali
8e08ff3060
Fix
2022-08-04 10:58:34 +01:00
Florian Roth
636602cf7c
rule: additional rule using the obfuscated IPs
2022-08-04 08:59:04 +02:00
Nasreddine Bencherchali
521987eaa6
Create proc_creation_win_obfuscated_ip_via_cli.yml
2022-08-03 12:16:50 +01:00
Nasreddine Bencherchali
716ece8b4c
Update proc_creation_win_exfil_data_via_cli.yml
2022-08-02 21:12:24 +01:00
Nasreddine Bencherchali
d7d8a8fbc0
Fix typo
2022-08-02 21:06:52 +01:00
Nasreddine Bencherchali
37b97c4e66
New Rules
2022-08-02 21:05:07 +01:00
Nasreddine Bencherchali
845b5c1b5d
Update
2022-08-02 21:04:03 +01:00
Florian Roth
87a0c9e1b9
Merge branch 'master' into master
2022-08-02 18:10:24 +02:00
isstabb
baac2bd1f7
chore: fix case on author for consistency
2022-08-02 08:39:57 -04:00
frack113
b897015300
Merge pull request #3312 from nasbench/nasbench-rule-devel
...
Update proc_creation_win_file_permission_modifications.yml
2022-08-02 12:50:54 +02:00
Florian Roth
ff6e50bc43
Merge pull request #3306 from nasbench/nasbench-rule-devel
...
Update + New Rules
2022-08-02 12:18:47 +02:00
Nasreddine Bencherchali
87ab157844
Update proc_creation_win_file_permission_modifications.yml
2022-08-02 11:17:27 +01:00
frack113
4ce8600749
Merge pull request #3310 from frack113/issue_3309
...
Update option
2022-08-02 09:46:46 +02:00
Florian Roth
46147bb4af
Merge pull request #3303 from danielgottt/patch-3
...
Create proc_creation_win_dnscmd_discovery.yml
2022-08-02 09:35:53 +02:00
Florian Roth
abc9aeb829
Update proc_creation_win_reg_delete_services.yml
2022-08-02 09:21:56 +02:00
Florian Roth
8399760902
Merge pull request #3307 from nasbench/webshell-children
...
Update Children Of Web Shell Rules
2022-08-02 09:12:00 +02:00
frack113
211bb6a760
Update option
2022-08-02 09:06:10 +02:00
G Y
ebb753814b
Update proc_creation_win_false_sysinternalsuite.yml
...
Typo + grammatical correction in description field
2022-08-02 11:19:14 +08:00
Nasreddine Bencherchali
7f1207957c
Update proc_creation_win_sc_delete_av_services.yml
2022-08-01 23:39:08 +01:00
Nasreddine Bencherchali
b984ee65b3
Update proc_creation_win_webshell_spawn.yml
2022-08-01 23:28:53 +01:00
Nasreddine Bencherchali
921af82587
Update proc_creation_win_reg_import_from_suspicious_paths.yml
2022-08-01 20:25:29 +01:00
Nasreddine Bencherchali
7a326e9b32
Create proc_creation_win_reg_import_from_suspicious_paths.yml
2022-08-01 20:12:40 +01:00
Nasreddine Bencherchali
d62d3cc4e0
Update proc_creation_win_sc_delete_av_services.yml
2022-08-01 19:39:58 +01:00
Nasreddine Bencherchali
cd7539d7e6
Create proc_creation_win_sc_delete_av_services.yml
2022-08-01 17:52:09 +01:00
Nasreddine Bencherchali
1764b51c0b
Update + New Rules
2022-08-01 17:37:16 +01:00
Nasreddine Bencherchali
8d615c9d78
Update rules
2022-08-01 16:02:07 +01:00
Daniel Gott
a645371e8b
Update proc_creation_win_dnscmd_discovery.yml
...
implemented suggestions from frack113
2022-08-01 09:02:04 -04:00
Bhabesh
89a54bcab9
Added rule for Defender DLL sideloading
2022-08-01 16:03:58 +05:45
wikijm
7a67564dfd
Update proc_creation_win_powershell_susp_parameter_variation.yml
2022-08-01 06:45:53 +02:00
Daniel Gott
f6f1175413
Update proc_creation_win_dnscmd_discovery.yml
...
update to selection name
2022-07-31 19:03:38 -04:00
Daniel Gott
78ca0d324c
Update proc_creation_win_dnscmd_discovery.yml
...
Modified selection name
2022-07-31 18:54:34 -04:00
Daniel Gott
7155eb999b
Create proc_creation_win_dnscmd_discovery.yml
2022-07-31 18:19:49 -04:00
memory-shards
16fe47a8fa
Update proc_creation_win_lolbin_agentexecutor.yml
2022-07-31 15:00:07 -04:00
memory-shards
5646756587
Update proc_creation_win_lolbin_agentexecutor.yml
2022-07-31 13:32:31 -04:00
memory-shards
562d29c432
Create proc_creation_win_lolbin_agentexecutor.yml
...
Proposed rule for lolbin AgentExecutor that doesn't have much coverage. Rule created as the final project for the Detection Engineering with Sigma course.
2022-07-31 12:46:52 -04:00
Florian Roth
e98d86dd6d
Merge pull request #3300 from SigmaHQ/aurora-false-positive-fixing
...
Aurora false positive fixing
2022-07-31 13:35:57 +02:00
Nasreddine Bencherchali
43f9522691
New Rules
2022-07-29 14:07:14 +02:00