Commit Graph

10275 Commits

Author SHA1 Message Date
Florian Roth e93b7bf571 Merge pull request #3601 from blueteam0ps/patch-9
proxy_ua_rclone.yml
2022-10-18 19:07:08 +02:00
Florian Roth eada6ed589 Update proxy_ua_rclone.yml 2022-10-18 17:21:54 +02:00
phantinuss a5b08d5b9c fix: FPs on test machine 2022-10-18 16:39:04 +02:00
phantinuss a1f4ef4d34 fix: FP on many systems 2022-10-18 12:49:24 +02:00
Florian Roth 458428bf5f Update proxy_ua_rclone.yml 2022-10-18 10:15:33 +02:00
BlueTeamOps f34c32882a proxy_ua_rclone.yml
Adding this rule after reading https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone. It is more relevant to O365 but it may help via proxy too if this off O365.
2022-10-18 17:32:38 +11:00
frack113 0b84ffa517 Merge pull request #3600 from securepeacock/patch-30
Update proc_creation_win_renamed_binary.yml
2022-10-18 06:24:16 +02:00
securepeacock cef6ea0b6b Update proc_creation_win_renamed_binary.yml
Added InstallUtil
https://twitter.com/424f424f/status/1582048291294162946?s=20&t=5uYGiwA_fJP8-7pnK2yViQ
2022-10-17 12:58:29 -04:00
Kawa 6960178d56 Update driver_load_vuln_drivers_names.yml 2022-10-17 15:23:14 +02:00
frack113 2247e87945 Order file rule 2022-10-16 09:25:51 +02:00
Florian Roth a6bfd33d81 Merge branch 'master' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-10-15 11:30:58 +02:00
Florian Roth 7279e67b86 fix: several FPs with legitimate programs 2022-10-15 11:23:41 +02:00
Florian Roth b123f71e02 fix: FPs with no OriginalFilename 2022-10-15 11:14:48 +02:00
Florian Roth 450229537e Merge pull request #3595 from SigmaHQ/rule-devel
rule: extended susp adfind rule, rule: susp wermgr process patterns
2022-10-15 10:49:50 +02:00
Florian Roth e344b1f10f Merge pull request #3591 from frack113/yamato_security
Windows builtin security rules
2022-10-15 10:49:37 +02:00
Florian Roth 404a1b4c6a Merge pull request #3590 from dmuensterer/patch-1
Filter Dell Update Utility: proc_creation_win_susp_non_exe_image.yml
2022-10-14 18:04:59 +02:00
Florian Roth a6e54ab023 Update win_security_user_logoff.yml 2022-10-14 18:03:40 +02:00
Florian Roth 9e7e252397 Merge pull request #3594 from SigmaHQ/aurora-false-positive-fixing
fix: DropBox FP
2022-10-14 18:02:05 +02:00
Florian Roth 77a61facd2 fix: wrong selector in condition 2022-10-14 17:27:20 +02:00
Florian Roth 8205af46f7 fix: DropBox FP 2022-10-14 15:43:32 +02:00
Florian Roth cc8a1a5441 rule: suspicious wermgr process trees 2022-10-14 15:43:02 +02:00
phantinuss cca32d824a fix: FP on testing system 2022-10-14 14:08:45 +02:00
Florian Roth c4ea037717 Merge pull request #3549 from aaronherman/add-susp-lolbin-non-c
Add rule for suspicious lolbin executing in non-c drive
2022-10-14 13:23:35 +02:00
Florian Roth d4ed33b84b fix: typo in filter 2022-10-14 12:42:49 +02:00
frack113 81ec573424 Update rules/windows/builtin/security/win_security_user_logoff.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:51 +02:00
frack113 d010fedb2c Update rules/windows/builtin/security/win_security_replay_attack_detected.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:41 +02:00
frack113 2e14174911 Update rules/windows/builtin/security/win_security_device_installation_blocked.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:27 +02:00
frack113 0042e2c8f0 Update rules/windows/builtin/security/win_security_add_remove_computer.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:20 +02:00
Florian Roth b4e1bd1659 Update proc_creation_win_susp_non_exe_image.yml 2022-10-14 12:25:48 +02:00
Florian Roth 3a2079b02b Merge pull request #3588 from frack113/rename_builtin
Rename builtin rule
2022-10-14 11:52:39 +02:00
Florian Roth 15fc7f4711 Merge pull request #3585 from frack113/file_order
Move file category rules
2022-10-14 11:52:03 +02:00
Florian Roth 6706a67bb8 refactor: move few apt rules to categories, del 'apt' folder 2022-10-14 11:44:49 +02:00
Florian Roth 7c44a58e5d refactor: extended renamed adfind detection 2022-10-14 11:40:49 +02:00
frack113 7b9ab691a3 Rename rule 2022-10-14 11:25:25 +02:00
frack113 329e0f33d0 Merge pull request #3586 from nasbench/nasbench-rule-devel
Rule Dev - New+Updated Rules
2022-10-14 10:57:44 +02:00
dmuensterer 84daaa0c76 Update proc_creation_win_susp_non_exe_image.yml
Added false positive filter for Dell Dockingstation Update Utility.

The Image has a value similar to: C:\Windows\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE
ParentImage will always be: C:\Windows\Temp\*\TBT_Dock_Firmware\GetDockVer32W.exe
SHA256: cd2688a74a151b03282388dadb8b6aaca309f2535c8b2b21d1243846d2b259dc
MD5:
2022-10-14 10:36:08 +02:00
frack113 0eda26397f Set to low 2022-10-14 10:33:34 +02:00
frack113 35e1660479 Fix LF 2022-10-14 10:22:58 +02:00
Florian Roth 0d5dba2d94 Merge pull request #3587 from nasbench/fix-false-positives
Fix False Positives
2022-10-14 10:22:24 +02:00
frack113 6a69608b44 Add security rules 2022-10-14 10:13:32 +02:00
frack113 8b7280e8fa Fix file name length 2022-10-14 09:11:19 +02:00
frack113 ecebb2d573 Rename system rules 2022-10-14 09:04:45 +02:00
frack113 05d9ee85ed Rename security rules 2022-10-14 08:53:50 +02:00
Nasreddine Bencherchali 64ade5eb3c Update proc_creation_win_get_localgroup_member_recon.yml 2022-10-14 01:01:43 +02:00
Nasreddine Bencherchali f4257c33b1 Update posh_ps_wmi_unquoted_service_search.yml 2022-10-14 00:51:21 +02:00
Nasreddine Bencherchali 48e7f9e302 Merge branch 'master' into nasbench-rule-devel 2022-10-14 00:49:20 +02:00
Nasreddine Bencherchali 992538ce09 Update proc_creation_win_system_exe_anomaly.yml 2022-10-14 00:39:12 +02:00
frack113 3cc42cfe61 Move file category rules 2022-10-13 13:25:05 +02:00
Nasreddine Bencherchali 48af508541 Create proc_creation_win_office_svchost_child.yml 2022-10-13 13:20:58 +02:00
Nasreddine Bencherchali bf9bfa9a97 Add more FP filters 2022-10-13 12:36:25 +02:00