security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,503 Commits 1 Branch 57 Tags
efbfc7fe67bab78a3c3a968b635f5f3533e34a16
Commit Graph

166 Commits

Author SHA1 Message Date
Nasreddine Bencherchali efbfc7fe67 New Rule (https://twitter.com/nas_bench/status/1537919885031772161) 2022-06-21 19:13:53 +01:00
Nasreddine Bencherchali f12f6e3646 Update ID's 2022-06-21 15:46:00 +01:00
Nasreddine Bencherchali e3bfb18f64 New Rules 2022-06-21 11:47:18 +01:00
Nasreddine Bencherchali 78dfcd6299 Renamed "Ps_Recon_Rule" 2022-06-21 11:41:43 +01:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Tim Shelton d3ef79018c False positive - another amazon module filter 2022-06-08 19:00:12 +00:00
frack113 79d284ab51 Add posh_ps_get_gpo 2022-06-04 11:08:22 +02:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
Nasreddine Bencherchali 6aad923023 Fix typo and Update Rule 
- Fixed typo in PowerShell definition to "enabled"
- Removed leading space from "/af" flag in "msdt" rule as it can be used without leading space.
 2022-06-01 15:54:40 +01:00
Tim Shelton c1ef20761a Fixing condition 2022-05-26 16:14:37 +00:00
Tim Shelton 9086efa5cd Updating meta 2022-05-26 16:13:22 +00:00
Tim Shelton 295a984d89 Fixing order of items in yaml 2022-05-26 16:12:31 +00:00
Tim Shelton 879fccd266 merging locally 2022-05-26 15:27:13 +00:00
Tim Shelton b78386d372 FP: ignore Amazon aws powershell 2022-05-26 14:45:00 +00:00
Nasreddine Bencherchali c3d807f53a Add More Malicious PowerShell Script/Cmdlet Names 2022-05-24 22:02:08 +01:00
Tim Shelton 0fb943dc2c FP: fixing modifier 2022-05-23 21:43:43 +00:00
Tim Shelton c807191ab7 FP: filtering out Amaazon AWS header 2022-05-23 21:41:13 +00:00
Florian Roth e86d007d35 Merge pull request #3027 from elhoim/rename_suspicious 
Renamed suspicious in filenames to susp
 2022-05-20 19:28:24 +02:00
MatilJ 10f0a82b94 Fix detection 2022-05-19 21:09:47 +03:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
Florian Roth a55e8f2ac1 refactor: PoSh Defender Tampering 2022-05-18 17:29:38 +02:00
frack113 196aa6d83d move deprecated rules 2022-05-14 09:42:32 +02:00
phantinuss 6f92a11c02 chore: test rules: check for all modifier with single item 2022-05-11 11:06:09 +02:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
phantinuss b991a5be52 chore: test rules: warn on errors or invalid FP reasons 
also adapted the existing rules to pass the tests
 2022-05-09 16:07:55 +02:00
David ANDRE 6c632b1ef0 Modified description 2022-05-05 17:27:35 +02:00
David ANDRE f3dc78b9da Added various disabling options of defender in posh_ps_tamper_defender.yml\nAdded match on default actions of defender to allow. 2022-05-05 17:25:37 +02:00
Florian Roth 0a55406444 fix: wording on two rules 2022-04-26 16:43:44 +02:00
frack113 eec8437dc2 Add posh_ps_win32_product_install_msi 2022-04-24 12:49:00 +02:00
frack113 89985b08c8 New Redcannary Windows Tests 2022-04-09 18:00:15 +02:00
frack113 0f4d61d04e Merge pull request #2872 from frack113/redcannay_20220404 
Windows Redcannary
 2022-04-04 13:23:47 +02:00
Florian Roth eaaabf2468 Update posh_ps_suspicious_get_current_user.yml 2022-04-04 12:19:47 +02:00
frack113 aaafef29b4 Redcannary 2022-04-04 10:57:23 +02:00
Florian Roth b394702748 Update posh_ps_suspicious_gettypefromclsid.yml 2022-04-04 09:28:56 +02:00
frack113 d2b2362ce7 Redcannary 2022-04-02 11:55:02 +02:00
Florian Roth 3f1b8ff727 Update posh_ps_susp_get_addefaultdomainpasswordpolicy.yml 2022-03-21 12:09:33 +01:00
Florian Roth 7ebdfda1b8 Update posh_ps_susp_get_addefaultdomainpasswordpolicy.yml 2022-03-21 11:54:45 +01:00
frack113 ab471b11ae Redcannary 2022-03-20 08:36:07 +01:00
frack113 45cfdab828 Revert "Redcannary" 2022-03-20 08:11:11 +01:00
frack113 1060009949 Redcannary 2022-03-18 11:15:05 +01:00
frack113 41fce11b76 Merge pull request #2820 from frack113/day_off 
Windows Redcannary
 2022-03-18 08:18:18 +01:00
Florian Roth 1118189032 Update posh_ps_susp_get_adgroup.yml 2022-03-17 20:23:14 +01:00
Florian Roth 8c69b3977f Update posh_ps_susp_directory_enum.yml 2022-03-17 20:22:51 +01:00
Florian Roth a5cfb87ee1 Update posh_ps_as_rep_roasting.yml 2022-03-17 20:22:11 +01:00
Florian Roth c855a38f98 Merge pull request #2819 from frack113/fp_test 
posh_ps_remove_item_path fix registry FP
 2022-03-17 18:44:53 +01:00
frack113 829409d29a Redcannary 2022-03-17 16:48:41 +01:00
frack113 6da13f19a6 fix registry FP 2022-03-17 14:26:12 +01:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00