security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15,089 Commits 1 Branch 57 Tags
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
Commit Graph

11789 Commits

Author SHA1 Message Date
Nasreddine Bencherchali f51547fe96 Update proc_creation_win_rundll32_unc_path.yml 2022-08-10 21:15:12 +01:00
Mark Morowczynski 8a750770cf Create azure_guest_invite_failure.yml 
Detection when a user without proper permissions attempts to invite a guest account.
 2022-08-10 11:01:40 -07:00
Nasreddine Bencherchali 3201b68004 Final update 2022-08-10 18:33:17 +01:00
Zandmann 327a2b7e7b Create BPF_Door_port_redirect.yml 
BPFDoor ports redirect for evasion
 2022-08-10 19:14:14 +02:00
Zandmann a1b9065a19 Create BPFDoor_abnormal_process_id_or_lock_file_accessed.yml 
detection for BPFDoor IoC files run from temporary file storage
 2022-08-10 19:12:35 +02:00
Nasreddine Bencherchali 0f8ad22b9a Update proc_creation_win_susp_wmic_proc_create.yml 2022-08-10 17:53:09 +01:00
Nasreddine Bencherchali 021c297e96 Update title and description 2022-08-10 17:48:48 +01:00
Nasreddine Bencherchali 80ee1192e6 Update file_event_win_error_handler_cmd_persistence.yml 2022-08-10 17:45:25 +01:00
frack113 004409ff87 Merge pull request #3352 from MarkMorow/markmorow 
Create azure_tap_added.yml
 2022-08-10 18:40:42 +02:00
phantinuss 6d1dad51fe fix: typo in filter name 2022-08-10 18:09:55 +02:00
phantinuss b0f07faa85 fix: FP with poqexec.exe 2022-08-10 17:28:03 +02:00
phantinuss 7b9cd0e74c fix: remove TargetObject restriction bc of too many FPs 2022-08-10 17:28:02 +02:00
phantinuss 5cde4a2d7e fix: FP with Avast 2022-08-10 17:28:02 +02:00
Nasreddine Bencherchali babdecc642 Update proc_creation_win_ntfs_short_name_use_image.yml 2022-08-10 15:25:10 +01:00
Nasreddine Bencherchali 14277c5b6d Fix FP 2022-08-10 15:15:49 +01:00
Mark Morowczynski d1c5153103 Create azure_tap_added.yml 
Detection for temporary access pass (TAP) added to an account.
 2022-08-10 07:09:09 -07:00
Florian Roth c2b415601e Merge pull request #3344 from phantinuss/master 
fix: FP found in testing
 2022-08-10 14:04:37 +02:00
Nasreddine Bencherchali 405ed7e6d2 Update file_event_win_error_handler_cmd_persistence.yml 2022-08-10 13:02:08 +01:00
phantinuss 8e63a4b2e1 fix: another Win7 i386 path 2022-08-10 13:54:19 +02:00
Nasreddine Bencherchali b5c15c5137 More additions and updates 2022-08-10 12:52:49 +01:00
phantinuss 342ec1c9cc fix: FP with wrongly matching folders 2022-08-10 11:23:42 +02:00
frack113 d666a18615 Fix issue 3342 2022-08-10 07:52:50 +02:00
frack113 519e4a8f47 Fix issue 3339 2022-08-10 07:44:56 +02:00
C.J. May d1b123c16a removed slashes from strings 2022-08-09 17:56:28 -05:00
C.J. May 402882c764 Create file_event_bloodhound_collection.yml 2022-08-09 17:49:06 -05:00
Mark Morowczynski 5591d965ce Create azure_pim_change_settings.yml 
Detect when changes are made to PIM settings
 2022-08-09 12:42:29 -07:00
Nasreddine Bencherchali b7e5e128c7 Update proc_creation_win_disable_service.yml 2022-08-09 18:42:39 +01:00
Nasreddine Bencherchali b905df6bc7 Updates + New Rules 2022-08-09 18:35:45 +01:00
Mark Morowczynski 0c0afaa45c Create azure_pim_activation_approve_deny.yml 
Detection for PIM elevation
 2022-08-09 10:01:01 -07:00
phantinuss df4b8eadbf fix: FP in testing 2022-08-09 18:34:53 +02:00
frack113 4a1eb1f333 Merge pull request #3343 from MarkMorow/markmorow 
Create azure_pim_alerts_disabled.yml
 2022-08-09 18:26:56 +02:00
phantinuss bfeb23e622 fix: FP found in testing 2022-08-09 17:53:48 +02:00
phantinuss 68a768f829 Merge pull request #3335 from nasbench/nasbench-rule-devel 
Update Ntfs Short Name rule
 2022-08-09 17:53:05 +02:00
Mark Morowczynski cdbaa27b9e Update azure_pim_alerts_disabled.yml 
fixing MITRE tag
 2022-08-09 08:39:45 -07:00
Nasreddine Bencherchali f5d0753167 Add extensions 2022-08-09 16:05:36 +01:00
Mark Morowczynski c455b6bafc Create azure_pim_alerts_disabled.yml 
Detect when PIM alert settings changed to disabled
 2022-08-09 08:00:48 -07:00
phantinuss bde259619e Merge pull request #3333 from frack113/short_path 
Use short name path
 2022-08-09 16:49:23 +02:00
phantinuss 84e234575e Merge pull request #3341 from phantinuss/master 
fix: use wildcard * instead of plaintext *
 2022-08-09 11:10:03 +02:00
phantinuss 7ff91656ed fix: remove duplicate filter 2022-08-09 10:56:58 +02:00
phantinuss 43ac43c70d fix: FP found in testing 2022-08-09 10:56:00 +02:00
phantinuss a90ba27a1c fix: do not use wildcard, where not needed 2022-08-09 10:55:05 +02:00
frack113 b58307f355 Merge pull request #3334 from MarkMorow/markmorow 
Create azure_priviledged_role_assignment_add.yml
 2022-08-09 06:18:27 +02:00
frack113 dcfc0b4095 Merge pull request #3336 from frack113/DbgManagedDebugger 
Add registry_set_dbgmanageddebugger_persistence.yml
 2022-08-08 18:49:47 +02:00
phantinuss ef1f2b13ec fix: use wildcard * instead of plaintext * 
the changed files seem like they used an esacped * by mistake
 2022-08-08 17:54:46 +02:00
Tomasuh a15044bc1c Avoid Adobe related false-positives 
Avoid Adobe related false-positives such as Adobe Synchronizer
 2022-08-08 14:03:34 +02:00
phantinuss eaa0f339ac fix: remove TargetObject, too many occurences in testing 2022-08-08 13:57:32 +02:00
Tomasuh 946b0205a2 Revert to correct rule id 2022-08-08 08:54:50 +02:00
Tomasuh 9f347bc322 Restore title from previous mistake edit 2022-08-08 08:53:38 +02:00
Tomasuh 9f8c4a4d44 Update proxy_susp_flash_download_loc.yml 2022-08-08 08:43:35 +02:00
Tomasuh 58c6068484 uri inst. of uri-query, r-dns inst of uri-stem 2022-08-08 08:41:41 +02:00