Commit Graph

2788 Commits

Author SHA1 Message Date
Jonhnathan 5d7131bbf2 Update win_susp_compression_params.yml 2020-11-20 02:29:41 -03:00
Jonhnathan 32ed588adb Update detection Logic 2020-11-20 02:27:58 -03:00
Jonhnathan b274be8d4e Update detection Logic 2020-11-20 02:25:32 -03:00
Jonhnathan c31c0d981a Update detection logic 2020-11-20 02:23:18 -03:00
Jonhnathan 23edcc6dc6 Update win_susp_certutil_command.yml 2020-11-20 02:21:55 -03:00
Jonhnathan 8af17dda5b Update win_spn_enum.yml 2020-11-20 02:17:31 -03:00
Jonhnathan d5cb4246c2 Remove additional backslash 2020-11-20 02:16:51 -03:00
stvetro 19eb8306d3 Removed unnecessary anti-false-positive 2020-11-14 09:50:29 +04:00
Florian Roth af4d546408 Merge pull request #1282 from Neo23x0/rule-devel
fix: FPs with notepad++ GUP rule
2020-11-10 13:39:28 +01:00
Florian Roth 2e9d7951a6 Merge pull request #1272 from bczyz1/patch-2
Fix typo in win_apt_lazarus_session_hijack.yml
2020-11-10 13:35:08 +01:00
Florian Roth f6c0fb2d33 fix: FPs with notepad++ GUP rule 2020-11-09 16:34:12 +01:00
Florian Roth c3785d6dc7 rule: FPs with WmiPrvSE rule 2020-11-05 16:44:33 +01:00
bczyz1 c554aaea8f update win_apt_slingshot.yml
- optimized rule
- added detection of task modification (flag /change + /disable as described here https://stackoverflow.com/questions/26169582/does-anyone-know-of-a-way-to-turn-off-windows-defragmenters-default-schedule-us)
2020-11-05 15:51:22 +01:00
yugoslavskiy 2f789c45dc change the syntax a bit to re-run the tests 2020-11-04 22:30:27 +01:00
bczyz1 4a5b2d642e Fix typo in win_apt_lazarus_session_hijack.yml 2020-11-03 14:46:29 +01:00
feedb e93dd7fe61 fix 2020-11-01 15:25:12 +03:00
yugoslavskiy ea71828d34 change the syntax a bit to re-run the test 2020-10-31 23:57:13 +01:00
stvetro 8dc8fdc44b Added anti-false-positive condition
4688 always has a non-empty cmd
2020-10-31 12:46:30 +04:00
omkargudhate22 f1bb9726ca updated MITRE tag 2020-10-30 13:35:40 +05:30
omkar72 86a849728d ryuk changes 2020-10-30 13:15:11 +05:30
Roberto Rodriguez 25b92d4a2e Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-10-29 21:04:45 -04:00
Semanur Guneysu 46c52b4347 Update sysmon_abusing_debug_privilege.yml 2020-10-28 20:11:29 +03:00
Jonhnathan 28febe5dd2 Update win_apt_chafer_mar18.yml 2020-10-27 23:28:04 -03:00
Jonhnathan 0860978412 Update win_apt_bear_activity_gtr19.yml 2020-10-27 23:26:34 -03:00
Jonhnathan e24e6da3b5 Update win_apt_apt29_thinktanks.yml 2020-10-27 23:24:04 -03:00
Semanur Guneysu 27dbf73c0d Update sysmon_abusing_debug_privilege.yml
comment added
2020-10-26 19:25:36 +03:00
invrep-de 8a9db12d30 Enhanced to improve specificity
Enhanced to improve specificity per feedback received;
2020-10-26 12:05:16 -04:00
invrep-de dc41f64023 [OSCD] Bad Opsec Defaults Sacrificial Processes
Incorporate feedback from @yugoslavskiy;
2020-10-26 11:52:16 -04:00
Semanur Guneysu 1b3cb8a64b Delete .DS_Store 2020-10-26 18:15:57 +03:00
Semanur Guneysu db49c436a3 Update sysmon_abusing_debug_privilege.yml 2020-10-26 18:08:05 +03:00
Semanur Guneysu bc5e9b57e9 Update sysmon_abusing_debug_privilege.yml 2020-10-26 17:45:13 +03:00
Semanur Guneysu 2dab2d420c Update sysmon_abusing_debug_privilege.yml 2020-10-26 15:24:00 +03:00
Semanur Guneysu 4e1143502e Create .DS_Store 2020-10-26 15:18:20 +03:00
Semanur Guneysu cb5a541a5e Update sysmon_abusing_debug_privilege.yml
NT AUTHORITY\SYSTEM
2020-10-26 14:56:25 +03:00
Semanur Guneysu 3ff10b160f Update sysmon_abusing_debug_privilege.yml 2020-10-26 14:44:27 +03:00
Semanur Guneysu e65b8249d7 Update sysmon_abusing_debug_privilege.yml 2020-10-26 14:39:43 +03:00
Semanur Guneysu 70beef515d Update sysmon_abusing_debug_privilege.yml
MITRE tag added. Checked.
2020-10-26 14:01:46 +03:00
omkargudhate22 06890ba28b update title 2020-10-25 15:10:12 +05:30
omkar72 42de51cadc conhost executions 2020-10-25 12:33:59 +05:30
invrep-de e5567631eb Minor changes to incorporate feedback
Incorporated feedback from @yugoslavskiy. Thank you!
2020-10-24 07:27:59 -04:00
Florian Roth 75637324e0 feat: cover newest emotet campaigns 2020-10-23 23:44:48 +02:00
invrep-de d623685c2c [OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy 2020-10-23 23:27:52 +02:00
stvetro f27a7832ad Small fix
Added "\" at file path end
Optimised exclusion of empty cmds
2020-10-23 13:25:32 +04:00
stvetro ca6a4beb65 Small fix
Added "\" at file path end
2020-10-23 12:50:27 +04:00
stvetro d7709d2236 Small fix
Add "\" to file path end
2020-10-23 12:44:46 +04:00
stvetro f7a110e107 Small fix
Removed extra line;
Added "\" to file path end
2020-10-23 12:41:39 +04:00
yugoslavskiy f050cedf92 update syntax to re-run the test once more... 2020-10-20 21:17:59 +02:00
yugoslavskiy ca4a0f7a72 shorten the title to pass the test 2020-10-20 20:37:49 +02:00
yugoslavskiy a96408b20a add an empty line to re-run the test 2020-10-20 20:11:13 +02:00
yugoslavskiy 27baf472b8 add an empty line to re-run the test 2020-10-20 18:59:25 +02:00