Commit Graph

15089 Commits

Author SHA1 Message Date
Florian Roth 3f189e52c1 fix: typo in status 2022-06-21 17:21:44 +02:00
Nasreddine Bencherchali 11dca18b5b Merge branch 'SigmaHQ:master' into master 2022-06-21 15:57:06 +01:00
Nasreddine Bencherchali f12f6e3646 Update IDs 2022-06-21 15:46:00 +01:00
Florian Roth a179697c36 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-06-21 16:38:32 +02:00
Florian Roth 7ecf771cb5 fix: rule that covers unrelated activity 2022-06-21 16:38:30 +02:00
Nasreddine Bencherchali 27e73278e7 Update proc_creation_win_lolbin_findstr.yml 2022-06-21 15:37:39 +01:00
Florian Roth 4a88a5147b Merge pull request #3153 from redsand/fp_bits_client_mozilla
Adding support for Mozilla download via BITS
2022-06-21 16:37:11 +02:00
Nasreddine Bencherchali b2ce10ea2a Update proc_creation_win_lolbin_findstr.yml 2022-06-21 15:36:21 +01:00
Florian Roth aee4ebb01a Update registry_set_timeproviders_dllname.yml 2022-06-21 16:32:21 +02:00
Florian Roth 9fdf396314 Update proc_creation_win_chrome_load_extension.yml 2022-06-21 16:30:38 +02:00
Tim Shelton 6ae85eb557 Adding support for Mozilla download via BITS 2022-06-21 12:38:06 +00:00
Nasreddine Bencherchali e3bfb18f64 New Rules 2022-06-21 11:47:18 +01:00
Nasreddine Bencherchali 62a7d755cc Update proc_creation_win_service_stop.yml
Refactored the rule and added originalfilename
2022-06-21 11:46:32 +01:00
Nasreddine Bencherchali f2bc1be460 Update proc_creation_win_service_execution.yml 2022-06-21 11:46:06 +01:00
Nasreddine Bencherchali 40ccd91a94 Update proc_creation_win_msdt_diagcab.yml
In my testing I found that the ".diagcab" extension is not required. You can use .txt with the /cab flag and it'll spawn an msdt process.

Also I added the "-" (dash) version of the flag
2022-06-21 11:45:53 +01:00
Nasreddine Bencherchali d2ef62a49d Update proc_creation_win_enumeration_for_credentials_in_registry.yml 2022-06-21 11:45:01 +01:00
Nasreddine Bencherchali 4eb6b3509e Update proc_creation_win_accesschk_usage_after_priv_escalation.yml
Changed the rule, as the original was flagging on every usage of "accessChk", which was not the intended behaviour as described.

The modification takes into consideration usage of the tool as seen in the referenced presentation and adds some more.
2022-06-21 11:44:51 +01:00
Nasreddine Bencherchali 71d895c17b Update file_event_win_notepad_plus_plus_persistence.yml
Reduce level to account for FP found in testing env
2022-06-21 11:43:42 +01:00
Nasreddine Bencherchali ce8ce2a91d Removed related field
The rule referenced in the field doesn't exist
2022-06-21 11:43:18 +01:00
Nasreddine Bencherchali 0a39827674 Renamed + Refactor "findstr" rule 2022-06-21 11:42:14 +01:00
Nasreddine Bencherchali 78dfcd6299 Renamed "Ps_Recon_Rule" 2022-06-21 11:41:43 +01:00
Florian Roth d2e86f9001 rule: Linux cmdline rules 2022-06-21 08:26:23 +02:00
Florian Roth 7853f93862 Merge pull request #3151 from phantinuss/master
fix: FPs found in testing environment
2022-06-20 16:59:45 +02:00
phantinuss 9475153292 fix: FPs found in testing environment 2022-06-20 16:17:54 +02:00
Florian Roth f392335e19 Merge pull request #3150 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-06-20 15:56:03 +02:00
Florian Roth 50b2fad091 Merge branch 'master' into aurora-false-positive-fixing 2022-06-20 13:43:36 +02:00
Florian Roth accf27b771 fix: FPs 2022-06-20 13:39:47 +02:00
Florian Roth ccd6fc5a7b fix: FPs 2022-06-20 13:04:49 +02:00
Florian Roth 72de90d2aa fix: FPs 2022-06-20 12:52:23 +02:00
Florian Roth fef851a918 fix: FPs with Aurora 2022-06-20 12:01:25 +02:00
frack113 477e8fc180 Merge pull request #3149 from redsand/fp_sentinel_one
False positive from SentinelOne Ranger Agent
2022-06-19 22:25:19 +02:00
Tim Shelton 80ee980b1d False positive from SentinelOne Ranger Agent 2022-06-19 14:31:10 +00:00
Florian Roth 10e39e41f7 Merge pull request #3143 from SigmaHQ/rule-devel
Rule level refactoring: critical > high
2022-06-19 15:04:46 +02:00
Florian Roth f4ef4fcdc4 Merge pull request #3147 from frack113/fix_issue_3067
Fix ServiceName
2022-06-19 15:03:43 +02:00
frack113 55f1f6dd1e Fix ServiceName 2022-06-19 11:59:48 +02:00
frack113 2219910c43 Add registry_set_timeproviders_dllname 2022-06-19 11:20:35 +02:00
frack113 87bad74ab1 Add proc_creation_win_chrome_load_extension 2022-06-19 09:34:07 +02:00
frack113 5b38168340 Merge pull request #3144 from alexmcdonald1124/mdatp-escape
Adding a mapping check to escape slashes in KQL
2022-06-19 08:37:51 +02:00
frack113 272c29caea Merge pull request #3138 from Yochana-H/Yochana-H
create azure_blocked_account_attempt.yml
2022-06-19 08:36:30 +02:00
Florian Roth 37ed5f4bc5 Update azure_blocked_account_attempt.yml 2022-06-18 18:22:43 +02:00
Florian Roth 6caeb2fff6 docs: added link 2022-06-18 18:19:55 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Alexander McDonald 1249675bcd Adding a mapping check to escape slashes in KQL 2022-06-18 09:02:21 -04:00
Florian Roth 7425a73203 Merge pull request #3142 from SigmaHQ/aurora-false-positive-fixing
fix: FPs with Browser Credential Store Access
2022-06-18 09:45:51 +02:00
Florian Roth 2105b8ecf6 fix: FPs with Browser Credential Store Access 2022-06-18 09:10:17 +02:00
Florian Roth f3a08b5691 Merge pull request #3141 from SigmaHQ/rule-devel
Rule adjustments based on hayabusa noisy rules
2022-06-18 08:45:08 +02:00
Florian Roth c9f45cf528 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-06-18 08:39:04 +02:00
Florian Roth db55be82b6 refactor: rule adjustments based on hayabusa
https://github.com/Yamato-Security/hayabusa-rules/blob/deb6026fcf452600829c52852f6283d2c808bc69/config/noisy_rules.txt
2022-06-18 08:39:02 +02:00
frack113 e3ea9f7b42 Update azure_blocked_account_attempt.yml 2022-06-17 20:43:07 +02:00
frack113 5b2fac3739 Merge pull request #3135 from nasbench/master
Small Updates and New Rules
2022-06-17 20:41:10 +02:00