security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
13,574 Commits 1 Branch 57 Tags
eb41e8cd4a660e95f2f88d6acce39b07d617ff3c
Commit Graph

13574 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Nasreddine Bencherchali eb41e8cd4a Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2022-11-18 11:34:25 +01:00
frack113 59ccb74bc6 Add proc_creation_win_susp_powercfg 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-11-18 11:26:04 +01:00
Nasreddine Bencherchali 6603ca9202 fix: update rules to not use regex 2022-11-18 11:16:13 +01:00
Nasreddine Bencherchali 7804decd2d feat: add more clarification to the test (#3710) 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2022-11-18 11:15:50 +01:00
Nasreddine Bencherchali 20b0a6bad8 Rule Dev 2022-11-18 11:15:28 +01:00
nikitah4x 0f496be1e5 Add new rule to detect PST export when eDiscovery alert policy is disabled (M365) 2022-11-18 08:40:39 +01:00
frack113 cd3082c3f2 Add proc_creation_win_susp_msbuild (#3708) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-11-18 08:29:50 +01:00
frack113 71690c8618 Update posh_ps_get_adcomputer.yml 2022-11-18 08:07:09 +01:00
frack113 59b7294f05 Update dns_query_win_susp_ipify.yml 2022-11-18 08:05:07 +01:00
frack113 359393aec0 Merge pull request #3707 from sysradwin/master 
Update proc_creation_win_base64_reflective_assembly_load.yml
 2022-11-17 19:25:02 +01:00
Nasreddine Bencherchali 607f3c6f63 feat: add new value 
Co-Authored-By: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com>
 2022-11-17 19:13:07 +01:00
Nasreddine Bencherchali 6b6a0f95d2 fix: update metadata of the rule 2022-11-17 19:05:03 +01:00
sysradwin b851fe17b9 Update proc_creation_win_base64_reflective_assembly_load.yml 2022-11-17 13:03:32 -05:00
Nasreddine Bencherchali c9fb23ab04 feat: add PowerShell variants of rules 
Posh variants of the Get-AdComputer and Get-AdUser rules
 2022-11-17 16:00:24 +01:00
Nasreddine Bencherchali e4a580f9bf fix: update selection 2022-11-17 15:59:29 +01:00
Nasreddine Bencherchali 1e82c0eb61 fix: fix #3706 2022-11-17 15:50:02 +01:00
Nasreddine Bencherchali 7ef5f9b76e fix: rename rule to remove susp from rule name 
The rule are with a low score and do not represent suspiciousness at this state
 2022-11-17 15:48:56 +01:00
Nasreddine Bencherchali 8ff90e589b feat: add another domain 2022-11-17 15:47:22 +01:00
Nasreddine Bencherchali 278808f166 feat: add another case to the selection 2022-11-17 15:47:13 +01:00
Nasreddine Bencherchali c4719bdba7 fix: add missing definition 2022-11-17 15:46:49 +01:00
Nasreddine Bencherchali b7b6c12631 fix: update rule title 2022-11-17 15:46:13 +01:00
Florian Roth 18a44625fc Merge pull request #3702 from nasbench/nasbench-rule-devel 
fix: fix issues and deprecate rule
 2022-11-17 14:49:43 +01:00
Florian Roth f6d9b26ed3 Merge pull request #3703 from nasbench/update-invoke-obfusc-rules 
fix: update invoke-obfuscation rules
 2022-11-17 14:49:27 +01:00
Nasreddine Bencherchali 54a94f6f1c fix: add more cases 2022-11-17 10:26:00 +01:00
Nasreddine Bencherchali ef91852c44 fix: update modified date 2022-11-17 10:15:58 +01:00
Nasreddine Bencherchali 6674ed0554 fix: add removed comments 2022-11-17 00:57:24 +01:00
Nasreddine Bencherchali ae149345b5 fix: fix #1972 2022-11-17 00:53:00 +01:00
Nasreddine Bencherchali 061f93364e fix: update invoke-obfuscation rules 2022-11-17 00:25:04 +01:00
Nasreddine Bencherchali b03ccf6844 fix: fix #3699 2022-11-16 23:41:16 +01:00
Florian Roth 890c2496d1 Merge pull request #3695 from nasbench/add-missing-originalfilename 
feat: add missing `OriginalFileName` field
 2022-11-16 10:44:54 +01:00
Florian Roth eefa2da8b4 Merge pull request #3700 from jstnk9/master 
Update rpc_firewall_eventlog_recon.yml
 2022-11-16 08:55:49 +01:00
Nasreddine Bencherchali 569d1d757a fix: remove non existent eid and fix #2744 2022-11-15 22:58:19 +01:00
Nasreddine Bencherchali 11ce8a1e5b fix: deprecate 5f113a8f-8b61-41ca-b90f-d374fa7e4a39 2022-11-15 22:56:51 +01:00
jstnk9 9ec8d40b42 Update rpc_firewall_eventlog_recon.yml 
removed duplicated ref
 2022-11-15 21:58:53 +01:00
Florian Roth ec66833765 Merge pull request #3696 from nasbench/fix-ldap-debug-provider 
feat: add missing `Microsoft-Windows-LDAP-Client/Debug` ETW provider
 2022-11-15 13:18:08 +01:00
Nasreddine Bencherchali a67ab607a1 feat: add Microsoft-Windows-LDAP-Client/Debug provider 2022-11-15 11:39:42 +01:00
Nasreddine Bencherchali a605380279 fix: fix broken mapping 2022-11-15 11:39:28 +01:00
Nasreddine Bencherchali 38688b6e68 fix: fix remarks after review 2022-11-15 10:01:11 +01:00
Florian Roth 187cb6b47e Merge pull request #3694 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-11-15 09:35:45 +01:00
Nasreddine Bencherchali f0f660100a fix: fixed broken condition 2022-11-15 00:02:19 +01:00
Nasreddine Bencherchali 7f736b7443 feat: add missing OriginalFileName field 
First batch
 2022-11-14 23:08:19 +01:00
Florian Roth d8704daf79 fix: change modified date 2022-11-14 17:21:08 +01:00
Florian Roth d43517078b fix: modifier 2022-11-14 17:08:08 +01:00
Florian Roth 75f246a1f0 Merge pull request #3693 from phantinuss/master 
fix: FPs in testing environment
 2022-11-14 09:59:19 +01:00
phantinuss 64d10f845a fix: FPs in testing environment 2022-11-14 08:54:47 +01:00
Florian Roth 0fb1295157 fix: FPs noticed with Aurora 2022-11-13 20:26:03 +01:00
Florian Roth 91acad69a8 fix: field value 2022-11-12 09:39:25 +01:00
Florian Roth b0d47b303e Merge branch 'master' into aurora-false-positive-fixing 2022-11-12 08:34:48 +01:00
Florian Roth f94f0727c4 fix: FPs noticed with Aurora and VStudio 2022-11-12 08:33:04 +01:00
Florian Roth 4a814e1428 Merge pull request #3692 from nasbench/fix-regex-in-test 
feat: enhance mitre tag regex in sigma test
 2022-11-11 18:42:27 +01:00