blue-team-tools

Author	SHA1	Message	Date
$frack113$ frack113	010a988fe5	Merge pull request #2318 from austinsonger/clearing_windows_console_history.yml clearing_windows_console_history.yml	2021-11-27 07:43:52 +01:00
Florian Roth	46f0e32118	Update process_creation_win_lolbas_dump64.yml	2021-11-27 01:18:56 +01:00
Austin Songer	248dcbe735	Update process_creation_win_lolbas_dump64.yml	2021-11-26 14:34:32 -06:00
Florian Roth	1b8a6b901b	docs: change title and description	2021-11-26 21:24:54 +01:00
Florian Roth	83e4236edf	fix: tag, changed rule to avoid FP with VS binary there is a legitimate binary used in Visual Studio named dump64.exe, we can exclude the original location and only report when we see it in a different location or used with procdump command line flags https://www.advanceduninstaller.com/Visual-Studio-Professional-2019-dc240beb51a0e41e029278d4ad2a2e87-application.htm	2021-11-26 21:23:21 +01:00
Austin Songer	18bab18dd9	Update process_creation_win_lolbas_dump64.yml	2021-11-26 14:19:10 -06:00
Austin Songer	d485fa9b93	Create process_creation_win_lolbas_dump64.yml	2021-11-26 14:03:10 -06:00
Florian Roth	11b8ccfe8f	Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel	2021-11-26 20:47:22 +01:00
Florian Roth	eae38d08f0	fix: FPs	2021-11-26 20:46:52 +01:00
Austin Songer	98084e857c	Update azure_subscription_permissions_elevation_via_auditlogs.yml	2021-11-26 13:42:48 -06:00
Austin Songer	7e0634e43c	Update azure_subscription_permissions_elevation_via_activitylogs.yml	2021-11-26 13:42:39 -06:00
Florian Roth	1702c057c6	Merge branch 'master' into rule-devel	2021-11-26 20:02:40 +01:00
Florian Roth	ed73510b48	Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel	2021-11-26 20:00:56 +01:00
Florian Roth	03cddbba29	fix: FPs	2021-11-26 20:00:55 +01:00
Austin Songer	92f3705bd9	Update and rename activitylogs_azure_subscription_permissions_elevation.yml to azure_subscription_permissions_elevation_via_activitylogs.yml	2021-11-26 12:08:43 -06:00
Austin Songer	5508462029	Rename auditlogs_azure_subscription_permissions_elevation.yml to azure_subscription_permissions_elevation_via_auditlogs.yml	2021-11-26 12:08:13 -06:00
Austin Songer	8e78578892	Update activitylogs_azure_subscription_permissions_elevation.yml	2021-11-26 12:07:21 -06:00
Austin Songer	05c6e3dd12	Update azure_unusual_authentication_interruption.yml	2021-11-26 12:05:36 -06:00
$frack113$ frack113	5e57e476c2	fix remote	2021-11-26 19:01:45 +01:00
$frack113$ frack113	0f33cbc85b	add lolbas rule	2021-11-26 18:50:19 +01:00
Austin Songer	cd5edd4b65	Merge branch 'SigmaHQ:master' into admission_controllers	2021-11-26 11:44:37 -06:00
Austin Songer	d78bbb9333	Update activitylogs_azure_subscription_permissions_elevation.yml	2021-11-26 11:42:32 -06:00
Austin Songer	0a18b42445	Update azure_unusual_authentication_interruption.yml	2021-11-26 11:41:33 -06:00
Florian Roth	91f0e03481	Merge pull request #2319 from SigmaHQ/aurora-false-positive-fixing fix: FP with suspicious svchost.exe rule	2021-11-26 18:40:05 +01:00
Austin Songer	5e42b73a92	activitylogs_azure_subscription_permissions_elevation.yml	2021-11-26 11:33:37 -06:00
Austin Songer	26ae440bd0	auditlogs_azure_subscription_permissions_elevation.yml	2021-11-26 11:32:57 -06:00
Austin Songer	b260f25cc0	Create azure_unusual_authentication_interruption.yml	2021-11-26 11:07:53 -06:00
Austin Songer	2f42753b6c	Update gcp_kubernetes_admission_controller.yml	2021-11-26 10:35:04 -06:00
Austin Songer	d6f1edf5ab	Update azure_kubernetes_admission_controller.yml	2021-11-26 10:34:50 -06:00
Austin Songer	caf14e3fa0	Update azure_kubernetes_admission_controller.yml	2021-11-26 10:32:23 -06:00
Austin Songer	2c271f5be8	Update gcp_kubernetes_admission_controller.yml	2021-11-26 10:32:11 -06:00
Austin Songer	64179e3512	Update azure_kubernetes_admission_controller.yml	2021-11-26 10:31:36 -06:00
Austin Songer	60743f75da	Update gcp_kubernetes_admission_controller.yml	2021-11-26 10:31:33 -06:00
Florian Roth	9c8a649e6c	fix: FP with suspicious svchost.exe rule	2021-11-26 17:12:33 +01:00
Florian Roth	8228c77f4e	Merge pull request #2317 from SigmaHQ/aurora-false-positive-fixing fix: FPs with rules	2021-11-26 16:18:52 +01:00
Austin Songer	48d9aec318	Update powershell_clearing_windows_console_history.yml	2021-11-26 09:18:37 -06:00
Florian Roth	d91b925873	fix: FPs	2021-11-26 14:42:21 +01:00
$frack113$ frack113	06d0fd02cc	Merge pull request #2310 from austinsonger/kubernetes_cronjobs Updating azure_kubernetes_cronjob.yml	2021-11-26 06:51:48 +01:00
$frack113$ frack113	1e85356f4f	Merge pull request #2309 from austinsonger/admission-controllers Kubernetes Admission Controllers	2021-11-26 06:51:23 +01:00
Austin Songer	25df58702a	Update powershell_clearing_windows_console_history.yml	2021-11-25 19:08:55 -06:00
Austin Songer	a9ab7f4e13	Update powershell_clearing_windows_console_history.yml	2021-11-25 19:08:27 -06:00
Austin Songer	f8fd44d92a	Update powershell_clearing_windows_console_history.yml	2021-11-25 19:06:18 -06:00
Austin Songer	c3d5d1c231	clearing_windows_console_history.yml	2021-11-25 19:04:30 -06:00
Florian Roth	a6c9a8772c	Merge branch 'master' into aurora-false-positive-fixing	2021-11-26 00:09:09 +01:00
Florian Roth	11fc576103	fix: FPs with rules	2021-11-25 19:04:27 +01:00
phantinuss	979a00c2f4	fix: FPs found with Aurora	2021-11-25 15:36:08 +01:00
$frack113$ frack113	a507848834	Update azure_kubernetes_cronjob.yml	2021-11-25 10:21:39 +01:00
phantinuss	271e8291a5	fix: remove unneeded escape	2021-11-25 09:24:04 +01:00
$frack113$ frack113	34626e41de	Update gcp_kubernetes_admission_controller.yml	2021-11-25 09:11:09 +01:00
Austin Songer	0873483e25	Update gcp_kubernetes_admission_controller.yml	2021-11-25 00:14:52 -06:00

... 24 25 26 27 28 ...

7964 Commits