security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,727 Commits 1 Branch 57 Tags
e7084eee04abe34469b7955675076ee1da910a44
Commit Graph

193 Commits

Author SHA1 Message Date
Florian Roth e7084eee04 Merge pull request #3487 from SigmaHQ/aurora-false-positive-fixing 
fix: fixing multiple FPs with the use of VSCode
 2022-09-10 12:07:01 +02:00
Florian Roth 7dbdd4d1c6 fix: fixing multiple FPs with the use of VSCode 2022-09-10 11:42:44 +02:00
nasreddine.bencherchali@nextron-systems.com 1e2a894c2e Update posh_ps_adrecon_execution.yml 2022-09-06 17:19:46 +02:00
Wagga cb4f834845 Update posh_ps_nishang_malicious_commandlets.yml 
Typo in detection : https://github.com/samratashok/nishang/blob/master/Utility/Add-Persistence.ps1
 2022-08-29 18:53:22 +02:00
Wagga 57fcc2864f Update posh_ps_invoke_dnsexfiltration.yml 2022-08-29 07:44:46 +02:00
Wagga ef0aae28be Update posh_ps_set_policies_to_unsecure_level.yml 2022-08-29 07:43:02 +02:00
Wagga 8235eec297 Update posh_ps_susp_write_eventlog.yml 2022-08-29 07:39:53 +02:00
Florian Roth 3c5852b5f5 fix: line endings, level, description, fp 2022-08-25 08:45:39 +02:00
Ali Alwashali 9dccb4830e Update posh_ps_disable_psreadline_command_history.yml 2022-08-24 16:16:38 +03:00
Ali Alwashali 3890f6b431 posh_ps_disable_psreadline_command_history 2022-08-21 14:49:51 +03:00
Florian Roth a82c533d30 Merge pull request #3395 from nasbench/nasbench-rule-devel 
Update + New Rules
 2022-08-20 09:46:40 +02:00
frack113 3dcb4c195b Add t1484.001 2022-08-19 19:12:40 +02:00
Nasreddine Bencherchali 52f26a14a2 Rule Update 2022-08-17 20:27:55 +01:00
frack113 3426dfb6e9 Update backslash 2022-08-13 09:59:31 +02:00
Nasreddine Bencherchali b6bac087ef Update posh_ps_tamper_defender_remove_mppreference.yml 2022-08-05 18:45:44 +01:00
Nasreddine Bencherchali b4472132a4 Fix after review 2022-08-05 18:40:12 +01:00
Nasreddine Bencherchali f704feaf69 New Rules 2022-08-05 17:11:42 +01:00
Nasreddine Bencherchali 9ef9103368 Update PowerShell + other rules 2022-08-05 17:10:41 +01:00
Florian Roth 6dde3012cc refactor: some changes 2022-07-11 19:55:54 +02:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Nasreddine Bencherchali d2f08cca5d New Rules 2022-07-11 10:22:45 +01:00
Nasreddine Bencherchali aec95b6d65 Update selections and indentation 2022-07-07 20:13:45 +01:00
Nasreddine Bencherchali 49e389db5c Add More paths 2022-07-07 19:13:22 +01:00
Nasreddine Bencherchali b26c28972d Add missing definition fields and references 2022-07-07 19:13:01 +01:00
Nasreddine Bencherchali 3818c77b03 Fix Error 2022-06-28 22:40:42 +01:00
Nasreddine Bencherchali f57b35e992 New Rules 2022-06-28 22:22:12 +01:00
Nasreddine Bencherchali 5e42c4086a Add new PowerShell Function and Scripts 2022-06-28 22:18:44 +01:00
Nasreddine Bencherchali efbfc7fe67 New Rule (https://twitter.com/nas_bench/status/1537919885031772161) 2022-06-21 19:13:53 +01:00
Nasreddine Bencherchali f12f6e3646 Update ID's 2022-06-21 15:46:00 +01:00
Nasreddine Bencherchali e3bfb18f64 New Rules 2022-06-21 11:47:18 +01:00
Nasreddine Bencherchali 78dfcd6299 Renamed "Ps_Recon_Rule" 2022-06-21 11:41:43 +01:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Tim Shelton d3ef79018c False positive - another amazon module filter 2022-06-08 19:00:12 +00:00
frack113 79d284ab51 Add posh_ps_get_gpo 2022-06-04 11:08:22 +02:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
Nasreddine Bencherchali 6aad923023 Fix typo and Update Rule 
- Fixed typo in PowerShell definition to "enabled"
- Removed leading space from "/af" flag in "msdt" rule as it can be used without leading space.
 2022-06-01 15:54:40 +01:00
Tim Shelton c1ef20761a Fixing condition 2022-05-26 16:14:37 +00:00
Tim Shelton 9086efa5cd Updating meta 2022-05-26 16:13:22 +00:00
Tim Shelton 295a984d89 Fixing order of items in yaml 2022-05-26 16:12:31 +00:00
Tim Shelton 879fccd266 merging locally 2022-05-26 15:27:13 +00:00
Tim Shelton b78386d372 FP: ignore Amazon aws powershell 2022-05-26 14:45:00 +00:00
Nasreddine Bencherchali c3d807f53a Add More Malicious PowerShell Script/Cmdlet Names 2022-05-24 22:02:08 +01:00
Tim Shelton 0fb943dc2c FP: fixing modifier 2022-05-23 21:43:43 +00:00
Tim Shelton c807191ab7 FP: filtering out Amaazon AWS header 2022-05-23 21:41:13 +00:00
Florian Roth e86d007d35 Merge pull request #3027 from elhoim/rename_suspicious 
Renamed suspicious in filenames to susp
 2022-05-20 19:28:24 +02:00
MatilJ 10f0a82b94 Fix detection 2022-05-19 21:09:47 +03:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
Florian Roth a55e8f2ac1 refactor: PoSh Defender Tampering 2022-05-18 17:29:38 +02:00
frack113 196aa6d83d move deprecated rules 2022-05-14 09:42:32 +02:00
phantinuss 6f92a11c02 chore: test rules: check for all modifier with single item 2022-05-11 11:06:09 +02:00