Commit Graph

15089 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 7267e547df Update proc_creation_win_susp_cdb.yml 2022-06-09 19:16:38 +01:00
Nasreddine Bencherchali 929d264529 Update proc_creation_win_susp_cdb.yml 2022-06-09 19:14:24 +01:00
Nasreddine Bencherchali 4e1423ba74 Update proc_creation_win_susp_cdb.yml 2022-06-09 19:13:22 +01:00
Nasreddine Bencherchali 639a6dd550 Update proc_creation_win_lolbin_mftrace.yml 2022-06-09 18:52:32 +01:00
Nasreddine Bencherchali fc44b0999b Update proc_creation_win_lolbin_mftrace.yml 2022-06-09 18:47:53 +01:00
Nasreddine Bencherchali a934f587d4 Update proc_creation_win_lolbin_mftrace.yml 2022-06-09 18:04:35 +01:00
Nasreddine Bencherchali 78bdfa85a9 Fix 2022-06-09 18:00:24 +01:00
Florian Roth 7c837334b1 Update file_event_win_susp_diagcab.yml 2022-06-09 18:27:50 +02:00
Nasreddine Bencherchali f4b0dd69f1 Update proc_creation_win_lolbin_adplus.yml 2022-06-09 16:15:28 +01:00
Nasreddine Bencherchali 0a0e976ccf Update proc_creation_win_susp_dxcap.yml 2022-06-09 15:58:52 +01:00
Nasreddine Bencherchali 87e813a649 Update proc_creation_win_lolbin_squirrel.yml 2022-06-09 15:58:22 +01:00
Nasreddine Bencherchali 4561d86d81 New/Update LOLBIN Rules 2022-06-09 15:56:33 +01:00
frack113 40adb0339e Merge pull request #3113 from svch0stz/patch-2
Update proc_creation_win_susp_recon_activity.yml
2022-06-09 13:44:27 +02:00
frack113 e6cf3d34d1 Update modified 2022-06-09 13:27:07 +02:00
svch0stz ffcf5872c5 Update proc_creation_win_susp_recon_activity.yml 2022-06-09 20:34:25 +10:00
frack113 54b1baa188 Add proc_creation_win_msdt_diagcab 2022-06-09 08:57:51 +02:00
frack113 6bd09ec054 Merge pull request #3114 from hazedav/self-join-filter
feat(backend): support for parent process filters
2022-06-09 08:16:13 +02:00
David Hazekamp c1b5551486 feat(backend): bump lacework config version 2022-06-08 23:41:54 -05:00
David Hazekamp fea9602210 feat(backend): support for parent process filters 2022-06-08 23:39:32 -05:00
svch0stz c1a601fef8 Update proc_creation_win_susp_recon_activity.yml
Using "/do" is still a valid argument. Looking for /dom will exclude this.

Other option is to remove the "/do" argument and just look for cmdline contains:
- net group "domain admins"

https://twitter.com/TheDFIRReport/status/1534227586225684481
2022-06-09 10:14:57 +10:00
frack113 63400139bd Merge pull request #3110 from FlorianBracq/patch-1
Updating azure federation modified rule
2022-06-08 22:19:17 +02:00
frack113 dbc4b53999 Merge pull request #3112 from redsand/backend_hawk_update
backend - updating hawk backend with additional translations
2022-06-08 22:18:38 +02:00
frack113 7fbfa45d74 Merge pull request #3111 from redsand/fp_posh_ps_malicious_commandlets
False positive - another amazon module filter
2022-06-08 22:17:43 +02:00
Tim Shelton 4d7d0b3235 backend - updating hawk backend with additional translations 2022-06-08 19:04:37 +00:00
Tim Shelton d3ef79018c False positive - another amazon module filter 2022-06-08 19:00:12 +00:00
frack113 98e218722c Merge pull request #3107 from dacelbot/master
Submit a rule for ECS Backdoor Task Definition
2022-06-08 19:46:55 +02:00
FlorianBracq f5211710d6 Update modification date 2022-06-08 18:54:03 +02:00
Darin Smith d29eb1e48c Change to all selection elements rather than a filter and a selection 2022-06-08 09:13:48 -07:00
Florian Roth 7f61789082 rule: renamed rundll32.exe 2022-06-08 17:23:29 +02:00
FlorianBracq 9647183716 Updating azure federation modified
* Set logsource service to auditlogs instead of signinlogs
* Add reference to Microsoft documentation
* Set field name in selection to ActivityDisplayName instead of properties.message
2022-06-08 17:17:26 +02:00
Florian Roth 1abfc46f6f fix: casing of OriginalFileName 2022-06-08 17:14:49 +02:00
Florian Roth c9a5747fc4 rule: archiver > iso/img phishing indicator 2022-06-08 16:30:17 +02:00
Darin Smith 04bcbcdb44 Minor change, filter param should not be a list 2022-06-08 06:58:19 -07:00
Darin Smith 61df0b9218 Update with suggested changes 2022-06-08 06:47:30 -07:00
frack113 879ea39b6d Add file_event_win_susp_diagcab 2022-06-08 13:39:49 +02:00
Darin Smith 09e31d2045 update with command field 2022-06-07 10:45:05 -07:00
Darin Smith 8a59eb594e Add rule for ECS backdoors 2022-06-07 10:36:31 -07:00
Florian Roth 47ddf23b66 Merge pull request #3104 from rachelrice/ec2_startup_script
Update selection_source for AWS ec2 startup script rule
2022-06-07 18:30:17 +02:00
Florian Roth 8026797113 Merge pull request #3106 from nasbench/master
Update proc_creation_win_tool_nsudo_as_system.yml
2022-06-07 18:24:53 +02:00
Florian Roth ba91bb42e5 Merge pull request #3105 from secDre4mer/master
feat: new rule for persistence using Office startup
2022-06-07 18:13:12 +02:00
Nasreddine Bencherchali 7b8c4e2a78 Update proc_creation_win_tool_nsudo_execution.yml 2022-06-07 17:00:35 +01:00
Florian Roth 61ad8ddb62 docs: reworked id, author, links 2022-06-07 17:09:06 +02:00
Nasreddine Bencherchali e4fb5d6fb9 Update proc_creation_win_tool_nsudo_execution.yml 2022-06-07 14:51:25 +01:00
Nasreddine Bencherchali 452bf6424e Renamed file to reflect broader meaning 2022-06-07 14:46:38 +01:00
Nasreddine Bencherchali 093f738d41 Update proc_creation_win_tool_nsudo_as_system.yml 2022-06-07 14:39:29 +01:00
Max Altgelt c32e0b27a5 feat: new rule for persistence using Office startup 2022-06-07 14:25:52 +01:00
Rachel Rice db58345bc6 Update selection_source for AWS ec2 startup script rule
The JSON payload for `ModifyInstanceAttribute` event currently looks like:
```
"requestParameters": {
  "attribute": "userData",
  ...
},
```

Updating the selection_source from `requestParameters.userData: "*"` to `requestParameters.attribute: "userData"` accordingly.

Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
2022-06-07 13:20:08 +01:00
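The two field-matching points raised in the commit messages above (svch0stz on `/do` versus `/dom` in `net group "domain admins"` command lines, and Rachel Rice on `requestParameters.attribute: "userData"` versus `requestParameters.userData: "*"` in the CloudTrail `ModifyInstanceAttribute` record) both come down to how a Sigma selection resolves a field and compares its value. The Python below is an added example written for this page; it is not SigmaHQ code, not a Sigma backend, and not the text of either rule. It implements a simplified subset of Sigma selection semantics and runs it over constructed sample events. The sample events, the rule fragments, and the assumption that the earlier recon rule keyed on the substring `/dom` are mine, not taken from the repository.

```python
"""Minimal Sigma-style selection evaluator (example code, not SigmaHQ's).

Simplified Sigma semantics implemented here: every key in a selection must
match (AND); a list of patterns matches if any pattern does (OR), or only if
all do when the `all` modifier is present; `contains` is a case-insensitive
substring test; a bare value is compared case-insensitively with `*`/`?`
wildcards; an absent field never matches.  Real Sigma has more modifiers.
"""
from fnmatch import fnmatchcase
from typing import Any


def get_field(event: dict, path: str) -> Any:
    """Resolve a dotted field name such as 'requestParameters.attribute'
    against nested JSON; return None when any path component is missing."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def value_matches(value: Any, pattern: str, modifiers: list[str]) -> bool:
    """Compare one scalar field value against one pattern (scalars only)."""
    if value is None or isinstance(value, (dict, list)):
        return False
    haystack, needle = str(value).lower(), pattern.lower()
    if "contains" in modifiers:
        return needle in haystack
    return fnmatchcase(haystack, needle)  # plain value: * and ? wildcards


def match_selection(event: dict, selection: dict) -> bool:
    """Evaluate a Sigma-like selection (dict of 'field|mods': pattern(s))."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        value = get_field(event, field)
        hits = [value_matches(value, p, modifiers) for p in patterns]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def run_rule(selection: dict, events: list[dict]) -> list[int]:
    """Return the indices of the events the selection matches."""
    return [i for i, e in enumerate(events) if match_selection(e, selection)]


# Constructed process-creation events (Sysmon-style field names), not real telemetry.
WIN_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": 'net group "domain admins" /do'},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": 'net group "Domain Admins" /domain'},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user alice /domain"},
]

# Assumed earlier form: keys on the abbreviation "/dom", so the equally valid "/do" is missed.
RECON_STRICT = {"CommandLine|contains|all": ['net group "domain admins"', "/dom"]}
# The alternative the commit message suggests: drop the switch, match the group query itself.
RECON_LOOSE = {"CommandLine|contains": 'net group "domain admins"'}

# Constructed CloudTrail records; only the keys the commit message shows are assumed present.
CLOUDTRAIL_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "userData"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "instanceType"}},
]

# Old selection: 'requestParameters.userData' is not a key in the record, so "*" never matches.
EC2_USERDATA_OLD = {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
                    "requestParameters.userData": "*"}
# New selection: the attribute being modified is named in 'requestParameters.attribute'.
EC2_USERDATA_NEW = {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
                    "requestParameters.attribute": "userData"}

if __name__ == "__main__":
    print("recon, strict /dom   :", run_rule(RECON_STRICT, WIN_EVENTS))       # [1]
    print("recon, loose         :", run_rule(RECON_LOOSE, WIN_EVENTS))        # [0, 1]
    print("ec2 userData, old    :", run_rule(EC2_USERDATA_OLD, CLOUDTRAIL_EVENTS))  # []
    print("ec2 userData, new    :", run_rule(EC2_USERDATA_NEW, CLOUDTRAIL_EVENTS))  # [0]
```

The strict recon selection misses the `/do` event because `contains|all` requires every listed substring; the loose one matches both `/do` and `/domain` at the cost of relying on the group name alone. For the CloudTrail case, the old field path resolves to nothing, and in Sigma a missing field is never a match, which is why switching the selection to the `attribute` key is what makes the rule fire.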
Florian Roth d57b32c99c Merge pull request #3103 from SigmaHQ/rule-devel
Network rules refactoring, 1 new DNS rule
2022-06-07 12:48:34 +02:00
frack113 f16dc71e2a Merge pull request #3101 from nasbench/master
New/Update Rules
2022-06-07 11:11:10 +02:00
Florian Roth 21c363cec9 Merge pull request #3102 from securepeacock/patch-25
Create proc_creation_lnx_nohup.yml
2022-06-07 10:47:34 +02:00