Commit Graph

15089 Commits

Author SHA1 Message Date
gs3cl d8e806cf93 Update falsepositives and format 2022-09-19 21:17:32 +02:00
gs3cl 44a4991419 Update and rename proc_creation_detect_execution_of_winPEAS.yml to proc_creation_win_winpeas_tool.yml 2022-09-19 21:00:59 +02:00
gs3cl 52eae2c92b new rule for winpeas tool 2022-09-19 20:25:18 +02:00
phantinuss a36724ffdf fix: FP found in testing environment 2022-09-19 15:28:05 +02:00
Feathers 633037e3cc Create microsoft365_pst_export_alert.yml (#2665) 2022-09-19 13:19:55 +02:00
Florian Roth 959585fe33 Merge pull request #3511 from SigmaHQ/aurora-false-positive-fixing 2022-09-19 09:57:23 +02:00
    fix: FP with VBScript in registry key rule
Florian Roth 2a94527714 fix: FP with VBScript in registry key rule 2022-09-19 09:23:15 +02:00
Florian Roth cab32f2be4 Merge pull request #3510 from SigmaHQ/aurora-false-positive-fixing 2022-09-18 16:50:34 +02:00
    Windows 2022 false positive fixing
Florian Roth 6161fb91b3 fix: typo in modifier 2022-09-18 16:33:49 +02:00
Florian Roth b052302ac0 fix: syntax error 2022-09-18 16:24:07 +02:00
Florian Roth b6e595a8eb Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-09-18 16:21:49 +02:00
Florian Roth bf660b2de2 fix: FPs (testing, and Windows 2022 test system) 2022-09-18 16:21:05 +02:00
Arturo 17e9b5ee31 Update win_impacket_psexec.yml 2022-09-18 15:38:54 +02:00
    Based on recent tests, the original RelativeTargetName values in this rule are not accurate. The last "t" from each selection must be deleted in order to detect the predefined impacket psexec behavior.
Florian Roth 968f0ae11f Merge pull request #3508 from SigmaHQ/aurora-false-positive-fixing 2022-09-18 13:24:07 +02:00
    fix: FPs noticed with Aurora
Florian Roth 1c4a73f123 fix: FP with PS ISE 2022-09-18 12:56:52 +02:00
Florian Roth 34d7ad03f7 fix: FPs noticed with Aurora 2022-09-18 12:54:37 +02:00
Florian Roth e6d2faf25f Merge pull request #3507 from SigmaHQ/aurora-false-positive-fixing 2022-09-18 11:47:16 +02:00
    Aurora false positive fixing
Florian Roth 34957a784b fix: modified date update 2022-09-18 10:42:19 +02:00
Florian Roth 2e8717d603 fix: taskhostw FPs with lsass access 2022-09-18 10:39:56 +02:00
Florian Roth eb87ed8f40 Merge pull request #3506 from SigmaHQ/aurora-false-positive-fixing 2022-09-18 10:05:31 +02:00
    Aurora false positive fixing
Florian Roth 2da0554bed fix: temporarily disable Kernel-Audit-API-Calls 2022-09-18 09:57:04 +02:00
Florian Roth 9f6604cf81 fix: aurora match calltrace msedeg.exe 2022-09-18 09:41:51 +02:00
tr0mb1r 8b60317e2e Microsoft Teams Suspicious ObjectAccess events (#3500) 2022-09-17 08:47:35 +02:00
Yamato Security 8afb971e20 update application uninstalled rule 2022-09-17 07:46:31 +09:00
Florian Roth 1264429681 Merge pull request #3499 from nasbench/linux-rules-update 2022-09-16 21:13:19 +02:00
    Linux Rules Update
Florian Roth cb4dcded1e Merge pull request #3452 from FabFaeb/master 2022-09-16 21:12:09 +02:00
    Add rule: Repeated failed mounting of administrative share
Florian Roth a5cdd0dfeb Merge pull request #3501 from phantinuss/master 2022-09-16 21:11:53 +02:00
    FP Tuning / Local Test Script / Rule Refactor
frack113 e0c37c6961 Merge pull request #3502 from bornatalebi/master 2022-09-16 20:10:06 +02:00
    Update reference
frack113 2cd376c70c fix pass 2022-09-16 20:04:55 +02:00
frack113 c78b332ba7 Add posh_ps_sensitive_file_discovery 2022-09-16 19:37:26 +02:00
Borna Talebi 4ede1b413f Update reference 2022-09-16 21:46:45 +04:30
phantinuss bbc4aa3298 improve detection rate 2022-09-16 16:40:41 +02:00
phantinuss bde1335005 fix: FP with .NET ngen on test system 2022-09-16 16:40:40 +02:00
phantinuss 68a80844ea fix: new FPs in testing environment 2022-09-16 16:40:40 +02:00
phantinuss 914aa4ee31 chore: add more checks 2022-09-16 16:40:38 +02:00
nasreddine.bencherchali@nextron-systems.com 9d5652c4c2 Update proc_creation_lnx_services_stop_and_disable.yml 2022-09-16 13:43:01 +02:00
nasreddine.bencherchali@nextron-systems.com 7f3158d09e Fix after review 2022-09-16 11:47:19 +02:00
Florian Roth cb55ed9f93 Merge pull request #3496 from krestinichev/add-new-rule 2022-09-16 10:37:02 +02:00
    Add new rule: proc_creation_disable_SEP
Florian Roth c2256845b2 refactor: renamed and changed title 2022-09-16 09:45:56 +02:00
nasreddine.bencherchali@nextron-systems.com 5dfa871cef Update proc_creation_lnx_base64_shebang_cli.yml 2022-09-16 09:38:00 +02:00
nasreddine.bencherchali@nextron-systems.com 33271e9034 Quick update 2022-09-16 09:29:45 +02:00
nasreddine.bencherchali@nextron-systems.com 7a5017696f Add more flags to curl windows rule 2022-09-16 09:23:15 +02:00
nasreddine.bencherchali@nextron-systems.com 4fc62dee7c Linux rules update 2022-09-16 09:22:57 +02:00
Florian Roth b4376ea580 refactor: CRLF to LF 2022-09-16 09:22:21 +02:00
Florian Roth 6d9d08e1de Update proc_creation_disable_SEP.yml 2022-09-16 09:18:27 +02:00
Florian Roth 67072ecc91 Merge pull request #3488 from frack113/redcannary_20220910 2022-09-16 09:13:16 +02:00
    Add posh_ps_disable_windowsoptionalfeature
Florian Roth 92b6ba95e6 reduce the timeframe to 1min 2022-09-16 09:12:08 +02:00
frack113 c4d2ed0478 Merge pull request #3497 from bornatalebi/master 2022-09-16 06:33:41 +02:00
    New Rule: Windows DNS Client Rule command
frack113 c1293c3365 Merge pull request #3495 from nasbench/nasbench-rule-devel 2022-09-16 06:32:53 +02:00
    Rule Dev (Updates)
Borna Talebi 2af0431efa Change Title 2022-09-16 00:53:55 +04:30