Commit Graph

15089 Commits

Author SHA1 Message Date
Ali Alwashali 9dccb4830e Update posh_ps_disable_psreadline_command_history.yml 2022-08-24 16:16:38 +03:00
Nasreddine Bencherchali afff53b812 Add '/k' option to CMD rules 2022-08-24 12:48:23 +01:00
Nasreddine Bencherchali be2ec96dc2 Update file_event_win_susp_vscode_powershell_profile.yml 2022-08-24 12:29:54 +01:00
Nasreddine Bencherchali 918cf94c1b Add + Rename 2022-08-24 12:29:35 +01:00
Nasreddine Bencherchali 10c5b51c5f Update file_event_win_susp_powershell_profile_create.yml 2022-08-24 12:23:20 +01:00
Nasreddine Bencherchali 9f02e37dfa Update 2022-08-24 12:23:00 +01:00
phantinuss 706a4bd0fa fix: many FPs in testing environment 2022-08-24 10:09:48 +02:00
Tomasuh b5d5a648b5 proxy_ua_bitsadmin_susp_ip.yml false positive fix
Change to endswith instead of startswith to avoid matching subdomains which start with digits, example: 3.au.download.windowsupdate.com
2022-08-24 08:19:51 +02:00
Florian Roth 23f6f85ed3 Merge pull request #3422 from SigmaHQ/rule-devel
rule: missing space characters
2022-08-24 07:57:25 +02:00
Yamato Security 1faef2fa97 fix backend bool conversion errors 2022-08-24 09:23:35 +09:00
Nasreddine Bencherchali 781c69e04c Fix FP 2022-08-24 01:17:53 +01:00
Nasreddine Bencherchali 920c196f5b Update registry_set_new_network_provider.yml 2022-08-24 01:10:37 +01:00
Nasreddine Bencherchali f9c39c3c1e Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel 2022-08-24 01:06:02 +01:00
Nasreddine Bencherchali 88295a305c Rule Dev 2022-08-24 01:05:40 +01:00
Ben Montour 59394d2309 bad sort on subfields startswith/endswith 2022-08-23 14:35:48 -05:00
Ben Montour 6aabfaba4f added modified field with current date 2022-08-23 14:32:10 -05:00
Ben Montour f733105daa renamed properties.message to operationName 2022-08-23 14:20:26 -05:00
Florian Roth cdf5b371f1 refactor: extending the rule with /k param 2022-08-23 20:44:11 +02:00
Florian Roth f7a216f081 Merge branch 'master' into rule-devel 2022-08-23 20:41:40 +02:00
frack113 2a55d4fcee Clean up 2022-08-23 19:43:38 +02:00
Florian Roth f68d50e8be Update proc_creation_win_susp_missing_spaces.yml 2022-08-23 18:07:32 +02:00
Florian Roth 303c0ed260 rule: missing space characters 2022-08-23 17:24:44 +02:00
Florian Roth 4e3fc80ee8 Merge pull request #3421 from secDre4mer/master
feat: new rule for sysnative process creation
2022-08-23 16:30:26 +02:00
Florian Roth a3c493f8de Merge pull request #3420 from phantinuss/master
FPs found in Testing
2022-08-23 16:30:04 +02:00
Florian Roth e5aa5896cd Merge pull request #3418 from SigmaHQ/rule-devel
rule: Renamed Adfind, rule: CsExec
2022-08-23 16:29:45 +02:00
phantinuss e9ecf8d83d fix: remove space from copy paste 2022-08-23 16:02:51 +02:00
Max Altgelt 74f9e77339 fix: title casing 2022-08-23 14:50:02 +02:00
Max Altgelt 6711a3e2ed feat: new rule for sysnative process creation 2022-08-23 14:38:24 +02:00
phantinuss e2cbcd3199 fix: FP with AVG 2022-08-23 14:26:45 +02:00
phantinuss 1d45c98f0f fix: FP with teams 2022-08-23 14:26:27 +02:00
phantinuss c7cb961277 Merge pull request #3417 from SigmaHQ/aurora-false-positive-fixing
fix: FPs with CurrentVersion reg set rule
2022-08-23 13:33:12 +02:00
Florian Roth 848185cec1 fix: FPs with CurrentVersion reg set rule 2022-08-23 12:57:36 +02:00
Florian Roth c1b44dfddb Merge pull request #3416 from phantinuss/master
fix: missing WinEventLog prefix for splunk/thor logsources
2022-08-23 11:59:00 +02:00
phantinuss 119cfe9558 fix: missing WinEventLog prefix for splunk/thor logsources 2022-08-23 11:50:15 +02:00
frack113 7248c4e6b7 Merge pull request #3415 from nasbench/nasbench-rule-devel
Rule Dev (Update + New Rules)
2022-08-23 06:28:51 +02:00
frack113 63afa0af8d Merge pull request #3414 from frack113/sysmon14
Add file_event_proxy_dropping_executable
2022-08-23 06:28:35 +02:00
Nasreddine Bencherchali e550080e1c Update proc_creation_win_net_recon.yml 2022-08-22 21:43:06 +01:00
Florian Roth dba875e977 Update proc_creation_win_susp_service_modification.yml 2022-08-22 21:34:23 +02:00
Nasreddine Bencherchali c9e81f1cf0 Update proc_creation_win_lolbin_sideload_link_binary.yml 2022-08-22 20:17:22 +01:00
Nasreddine Bencherchali 6aa4c56b3b Update proc_creation_win_net_recon.yml 2022-08-22 20:07:53 +01:00
Nasreddine Bencherchali a769377070 Update proc_creation_win_persistence_typed_paths.yml 2022-08-22 20:05:02 +01:00
Nasreddine Bencherchali ae9785eb47 TypedPaths 2022-08-22 20:04:43 +01:00
Florian Roth 4f815501fd fix: UUIDs 2022-08-22 20:30:15 +02:00
Florian Roth 40a802889b fix: typo 2022-08-22 20:22:31 +02:00
Florian Roth 9f38bce2ca refactor: refactored to 3 rules 2022-08-22 20:20:57 +02:00
Florian Roth 60512d7749 Update file_event_proxy_dropping_executable.yml 2022-08-22 20:13:37 +02:00
Florian Roth 848162172a Update file_event_proxy_dropping_executable.yml 2022-08-22 19:49:17 +02:00
Florian Roth bb7539ea56 Update file_event_proxy_dropping_executable.yml 2022-08-22 19:48:52 +02:00
Florian Roth 69f6993ed7 Update file_event_proxy_dropping_executable.yml 2022-08-22 19:48:14 +02:00
frack113 911d0fa158 Add dll and ocx 2022-08-22 19:31:17 +02:00