Commit Graph

15089 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 2e224baa94 Update file_event_win_creation_system_file.yml 2022-11-08 12:49:53 +01:00
Nasreddine Bencherchali f9d54c722f Update file_event_win_susp_dropper.yml 2022-11-08 12:42:47 +01:00
Nasreddine Bencherchali 33bd200a89 Fix FP 2022-11-08 12:32:44 +01:00
BlueTeamOps 23220c3b03 Updated to include list apppool and /config
https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA indicates two additional ways to retrieve the IIS service account credentials. Existing detection was updated to include them.
2022-11-08 22:30:04 +11:00
Nasreddine Bencherchali 024d76d5e5 Fix typo in conditions 2022-11-08 12:10:20 +01:00
Nasreddine Bencherchali 220e9c2c90 Fix FP 2022-11-08 12:05:38 +01:00
BlueTeamOps 10b9835e60 Merge branch 'SigmaHQ:master' into master 2022-11-08 21:46:31 +11:00
Thomas Patzke 6199a70322 Merge pull request #3677 from tr0mb1r/patch-1
Update elasticsearch.py
2022-11-08 07:29:38 +01:00
tr0mb1r 95d7be37c0 Merge branch 'SigmaHQ:master' into patch-1 2022-11-08 09:54:51 +04:00
Florian Roth 7a36b5b0b0 Merge pull request #3680 from SigmaHQ/aurora-false-positive-fixing
fix: dysfunctional rules
2022-11-07 19:29:16 +01:00
Florian Roth 344741477b Merge pull request #3678 from nasbench/fix-false-positives
Aurora - Fix FP Found In Testing
2022-11-07 19:28:26 +01:00
Florian Roth e9da05869d Merge pull request #3679 from phantinuss/master
FP fixes / Tuning
2022-11-07 19:28:06 +01:00
Florian Roth 0d86ec83b5 fix: calc rule logic 2022-11-07 15:31:38 +01:00
Florian Roth 74834a6db0 fix: FPs with mshta execution 2022-11-07 15:22:21 +01:00
phantinuss af2dc36699 new rule for lnk files with lower score 2022-11-07 14:14:04 +01:00
phantinuss 496d1b6a2a fix: add bcedit filter and sort selection 2022-11-07 13:37:11 +01:00
Nasreddine Bencherchali fc8eeb7b1e Fix FP 2022-11-07 12:11:30 +01:00
Nasreddine Bencherchali 841b311dd0 Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel 2022-11-07 11:57:18 +01:00
tr0mb1r 27b8b85230 Update elasticsearch.py
Example:

    'threshold': {
        'field': [
            'host.name',
        ],
        'value': 10,
        'cardinality': [
            {
                'field': 'process.parent.name',
                'value': 1,
            },
        ],
    }
2022-11-07 12:46:09 +04:00
Florian Roth 9bf023ceba Merge pull request #3670 from nasbench/fix-false-positives
Aurora - Fix FP Found In Testing
2022-11-04 17:56:32 +01:00
Florian Roth be9bda1d54 Merge pull request #3673 from SigmaHQ/rule-devel
fix: Adfind rule, rework: Racoon stealer UA, rule: ngrok tunneling
2022-11-04 17:55:21 +01:00
Nasreddine Bencherchali 753772a177 Rename+Metadata Update 2022-11-04 11:59:11 +01:00
Florian Roth d254c7a514 Update rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-11-04 10:49:17 +01:00
Florian Roth ffbaee0c56 Update rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-11-04 10:49:12 +01:00
Florian Roth f27466ef2b Update rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-11-04 10:49:01 +01:00
Florian Roth 4fcac3089d Rule: Ngrok tunnel LNX 2022-11-03 17:41:23 +01:00
Florian Roth e6278f839b Rule: Ngrok Tunnel Target 2022-11-03 17:38:53 +01:00
unknown 0b1a0beff8 Update PR 2022-11-03 10:57:56 -04:00
unknown 6196cb4236 Merge branch 'master' of https://github.com/SigmaHQ/sigma into cobalt-pipenames-redcanary 2022-11-03 10:53:26 -04:00
Nasreddine Bencherchali 117d400c49 Deprecate 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719 2022-11-03 13:42:45 +01:00
Nasreddine Bencherchali d86c05643b Deprecate dca91cfd-d7ab-4c66-8da7-ee57d487b35b 2022-11-03 13:41:40 +01:00
Nasreddine Bencherchali bd30f75335 Update proc_access_win_in_memory_assembly_execution.yml 2022-11-03 11:19:09 +01:00
Nasreddine Bencherchali 3b4f41d588 Update proc_creation_win_susp_run_folder.yml 2022-11-03 11:16:03 +01:00
Nasreddine Bencherchali 5ee9428e59 Fix 2022-11-03 09:39:48 +01:00
Florian Roth 1d37ec5f74 Merge pull request #3667 from nasbench/kes-rules
KES Rule
2022-11-02 08:17:47 +01:00
Nasreddine Bencherchali e423c92d3f Update proc_creation_win_lolbin_kavremover.yml 2022-11-01 19:01:40 +01:00
Florian Roth cc9ab8d1fd Merge pull request #3662 from securepeacock/patch-32
Update lnx_shell_priv_esc_prep.yml
2022-11-01 18:57:48 +01:00
Florian Roth 5e9083261a Merge pull request #3665 from nasbench/nasbench-rule-devel
Rule Dev
2022-11-01 18:57:31 +01:00
phantinuss 29a5c62784 Merge pull request #3669 from phantinuss/master
fix: new FPs found in testing environment
2022-11-01 16:34:00 +01:00
phantinuss c8a4638c15 Merge pull request #3663 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-11-01 16:23:48 +01:00
phantinuss 97d5255c2e fix: new FPs found in testing environment 2022-11-01 16:19:14 +01:00
Florian Roth b00966d79d fix: dysfunctional renamed adfind rule 2022-11-01 14:58:02 +01:00
phantinuss 8c209f0ed1 Update lnx_shell_priv_esc_prep.yml 2022-11-01 12:32:46 +01:00
phantinuss 0165f9b05b Merge pull request #3664 from frack113/DeleteShadowCopies
Add image_load_susp_vss_dll_load
2022-11-01 12:32:04 +01:00
phantinuss 0db8a8b54d Merge pull request #3666 from nasbench/fix-false-positives
Aurora - Fix FP Found In Testing
2022-11-01 12:30:20 +01:00
Nasreddine Bencherchali 0fbbd96c41 Create proc_creation_win_lolbin_kavremover.yml 2022-11-01 11:23:57 +01:00
Nasreddine Bencherchali 4bdc286a02 Update rules/windows/image_load/image_load_susp_python_image_load.yml
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2022-11-01 11:10:07 +01:00
phantinuss b04f8c3db0 fix: description 2022-11-01 10:53:37 +01:00
Nasreddine Bencherchali 7dbc88385c Update rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2022-11-01 10:31:50 +01:00
Nasreddine Bencherchali 137608773b Update proc_creation_win_susp_guid_task_name.yml 2022-11-01 10:22:26 +01:00