Wagga
f5a0c0e012
Update proc_creation_win_lolbin_winword.yml
2022-08-29 07:26:44 +02:00
Wagga
c8a5414412
Update proc_creation_win_dll_sideload_defender.yml
2022-08-29 07:26:03 +02:00
Wagga
f85cd9040d
Update win_security_mitigations_defender_load_unsigned_dll.yml
2022-08-29 07:24:32 +02:00
Wagga
8f84d10855
Update net_connection_win_excel_outbound_network_connection.yml
2022-08-29 07:21:47 +02:00
Florian Roth
00305d6727
Merge pull request #3438 from frack113/redcannary_20220828
Redcannary 20220828
2022-08-28 19:53:08 +02:00
Florian Roth
ff88a7e177
fix: FP with VSCode extensions
2022-08-28 19:33:49 +02:00
Florian Roth
a49e2fe1ee
refactor: add IPv6 addresses
2022-08-28 19:31:14 +02:00
Florian Roth
6fc281d1d6
some more
2022-08-28 18:59:34 +02:00
frack113
600500d963
fix space
2022-08-28 12:17:36 +02:00
frack113
9408b0a8ca
Add net_connection_win_script_wan
2022-08-28 12:15:33 +02:00
Florian Roth
d452591331
Update registry_set_treatas_persistence.yml
2022-08-28 11:42:08 +02:00
Florian Roth
155c829d39
Update registry_set_treatas_persistence.yml
2022-08-28 11:41:56 +02:00
Florian Roth
bd03d86695
Update proc_creation_win_nimgrab.yml
2022-08-28 11:40:05 +02:00
Florian Roth
2e334cb7f1
Update net_connection_win_script.yml
2022-08-28 11:35:03 +02:00
frack113
b9a2c720a8
Redcannary 20220828
2022-08-28 11:16:24 +02:00
Florian Roth
46d917f2ca
Merge pull request #3435 from nasbench/nasbench-rule-devel
Rule Dev (New + Update)
2022-08-27 08:56:23 +02:00
Florian Roth
33cd3e9fd9
Merge branch 'master' into rule-devel
2022-08-26 22:49:54 +02:00
Florian Roth
7c486fcf83
refactor: removed unfitting tags
2022-08-26 20:53:54 +02:00
Florian Roth
a75f443033
Delete win_sliver_c2_default_service.yml
2022-08-26 20:52:19 +02:00
Florian Roth
bc46de2685
Delete proc_creation_win_sliver_default_shell_command.yml
2022-08-26 20:52:05 +02:00
Florian Roth
dcec3280fc
merge: Nasreddine's Sliver rules
2022-08-26 20:51:39 +02:00
Florian Roth
d74558c31d
fix: uuid
2022-08-26 20:46:23 +02:00
Nasreddine Bencherchali
40ce21f3e8
Update proc_creation_win_schtasks_system.yml
2022-08-26 19:03:50 +01:00
Nasreddine Bencherchali
fcd9236bae
Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel
2022-08-26 19:02:04 +01:00
frack113
bdbce73c9d
Merge pull request #3434 from nasbench/revert-3433-patch-1
Revert "Fixing selection_user to match NT AUTHORITY\SYSTEM"
2022-08-26 19:56:59 +02:00
Florian Roth
3c363f6bf4
refactor: sliver service rule, fix: FP
2022-08-26 18:09:11 +02:00
Florian Roth
3424c191fc
revert: deleted rule
2022-08-26 18:04:02 +02:00
Florian Roth
bee8468f6c
rule: sysaidserver child
2022-08-26 18:03:14 +02:00
Florian Roth
0dddfab086
rule: MuddyWater rules
2022-08-26 17:49:58 +02:00
Florian Roth
bb1d30b79d
refactor: renamed rule
2022-08-26 17:48:14 +02:00
Florian Roth
c374703ff5
rules: more sliver rules
2022-08-26 17:48:02 +02:00
phantinuss
e80116e704
fix: FPs found in testing environment
2022-08-26 17:29:49 +02:00
Nasreddine Bencherchali
11a322f4f0
New + Update
2022-08-26 15:38:43 +01:00
Nasreddine Bencherchali
060fbcda31
Revert "Fixing selection_user to match NT AUTHORITY\SYSTEM"
2022-08-26 11:25:41 +01:00
Florian Roth
112d83fa36
Merge pull request #3430 from r00tik/master
Add new rules for detecting msdt.exe creating a file in autorun
2022-08-26 08:21:29 +02:00
jkb
f316469cd7
Fixing selection_user to match NT AUTHORITY\SYSTEM
This should be 'SYSTEM' not ' SYSTEM ' - these leading/trailing spaces are making this detection invalid since the /RU parameter value will be "NT AUTHORITY\SYSTEM".
2022-08-26 00:25:04 +02:00
Florian Roth
83a384e1c7
Merge pull request #3413 from alwashali/Disable-powershell-psreadline-history
posh_ps_disable_psreadline_command_history
2022-08-25 21:18:56 +02:00
Florian Roth
a40cce9a63
rule: Sliver implant shell activity pattern
2022-08-25 17:50:47 +02:00
Vadim Varganov
27b282da04
Merge branch 'SigmaHQ:master' into master
2022-08-25 15:25:37 +03:00
Florian Roth
c5e183cf2e
Merge pull request #3432 from SigmaHQ/rule-devel
Create Stream Hash Rules
2022-08-25 14:17:50 +02:00
Vadim Varganov
732fae435b
Merge branch 'SigmaHQ:master' into master
2022-08-25 10:27:21 +03:00
Florian Roth
3c5852b5f5
fix: line endings, level, description, fp
2022-08-25 08:45:39 +02:00
Florian Roth
38ede6dd08
Merge pull request #3426 from Tomasuh/proxy-dev
proxy_ua_bitsadmin_susp_ip.yml false positive fix
2022-08-25 08:42:14 +02:00
Florian Roth
0b0dc5a65e
Merge pull request #3429 from frack113/clean_reg
registry_event clean up
2022-08-25 08:39:37 +02:00
Florian Roth
61657f50e6
Update file_event_win_msdt_autorun.yml
2022-08-25 08:38:43 +02:00
Vadim Varganov
4a8d4041ee
Update file_event_win_msdt_autorun.yml
2022-08-25 09:25:30 +03:00
Florian Roth
02d7e8f2a4
fix: duplicate UUIDs
2022-08-25 08:23:48 +02:00
frack113
5cf940c0a8
Merge pull request #3425 from YamatoSecurity/fix-backend-bool-conversion-error
fix backend bool conversion errors
2022-08-25 06:41:43 +02:00
frack113
b637cd7304
Merge pull request #3423 from benmontour/azureOperationNameField
Azure Activity Logs - operationName Field
2022-08-25 06:41:20 +02:00
vadim
1c536e0698
Add new rules for detecting msdt.exe creating a file in autorun
2022-08-24 22:18:13 +03:00