Commit Graph

8874 Commits

Author SHA1 Message Date
Nasreddine Bencherchali f2cc5c8ce7 Add more processes 2022-07-04 13:38:18 +01:00
Nasreddine Bencherchali 8afa3ed1b6 Renamed + Update 2022-07-04 13:38:08 +01:00
Nasreddine Bencherchali 75117927f0 Fix field name 2022-07-03 20:24:10 +01:00
Nasreddine Bencherchali 6eaafa7b92 Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 20:16:43 +01:00
Nasreddine Bencherchali 30baccb49c Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:54:11 +01:00
Nasreddine Bencherchali ab4242b8f5 Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:47:11 +01:00
Nasreddine Bencherchali 78f039311a Fix error 2022-07-03 19:45:18 +01:00
Nasreddine Bencherchali 5770b3190c Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:43:24 +01:00
Nasreddine Bencherchali f9d6f468c3 Update 2022-07-03 19:43:03 +01:00
Nasreddine Bencherchali da370f8ce3 Update proc_creation_win_cmstp_com_object_access.yml 2022-07-03 19:26:47 +01:00
Florian Roth c4021267ec Merge pull request #3193 from SigmaHQ/rule-devel
Multiple changes, new rule, some docs
2022-07-03 16:30:36 +02:00
Florian Roth 881890177b rule: suspicious network connections no cmdline 2022-07-03 15:58:54 +02:00
Florian Roth a75a8ce526 docs: add reference 2022-07-03 15:58:44 +02:00
Florian Roth b4751520c5 refactor: more domains 2022-07-03 15:58:36 +02:00
Nasreddine Bencherchali 8b876bb737 Update proc_creation_win_lolbin_presentationhost.yml 2022-07-01 20:18:15 +01:00
Nasreddine Bencherchali 5c17ff1d0c Update proc_creation_win_lolbin_presentationhost.yml 2022-07-01 16:59:48 +01:00
Nasreddine Bencherchali c95df56222 New Rules 2022-07-01 16:56:45 +01:00
frack113 8109af3ea3 Merge pull request #3170 from mepples21/miepping-dev3
Create azure_ad_device_registration_policy_changes.yml
2022-07-01 15:49:02 +02:00
frack113 2f19daed62 Merge pull request #3163 from d4rk-d4nph3/master
Rule for HandleKatz
2022-07-01 14:29:45 +02:00
frack113 a2c10bcade Update azure_ad_device_registration_policy_changes.yml 2022-07-01 14:17:21 +02:00
Florian Roth f29c01e1d9 fix: wrong field selection 2022-07-01 12:29:23 +02:00
phantinuss 15cd71403a fix: FP found in testing 2022-07-01 11:11:08 +02:00
Florian Roth 21ab44acbf Merge pull request #3188 from redsand/fp_powershell_long_entries_not_high_indicator_cite_devops_behavior
Reducing level due to it being a minor indicator and not strong enoug…
2022-07-01 08:25:07 +02:00
Tim Shelton 98227206e0 Reducing level due to it being a minor indicator and not strong enough to warrant an investigation on its own. 2022-07-01 01:43:42 +00:00
Florian Roth e1fc02e7d2 Merge pull request #3186 from redsand/fp_scm_db_mgmt_by_services.exe
False positive filtering out of behavior by services.exe which is exp…
2022-06-30 23:29:07 +02:00
Florian Roth 952d244a19 Merge pull request #3187 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-06-30 22:15:23 +02:00
Florian Roth d059d34fab fix: wrong field selection
don't use PE header field, but the source image
2022-06-30 21:33:23 +02:00
Florian Roth 3754075ae6 fix: FP with git.exe 2022-06-30 18:25:31 +02:00
Tim Shelton 38335b6303 False positive filtering out of behavior by services.exe which is expected 2022-06-30 16:22:42 +00:00
Florian Roth 33afe1f6a2 Merge pull request #3183 from pH-T/master
fix: FP fix
2022-06-30 18:18:01 +02:00
Florian Roth cb33e5cc8a Merge pull request #3185 from frack113/fix_issue_2579
fix issue 2579
2022-06-30 18:17:51 +02:00
Florian Roth d09544c358 refactor: remove now unnecessary filters 2022-06-30 17:36:49 +02:00
phantinuss 58dc1da663 fix: FPs found in testing environment 2022-06-30 16:40:05 +02:00
Paul Hager 9044998428 fix: FP fix 2022-06-30 15:18:39 +02:00
frack113 38761cbdb0 fix issue 2022-06-30 08:48:31 +02:00
Florian Roth efd48e2bc2 Merge pull request #3180 from frack113/issue_2088
More generic registry_event_cve_2021_31979_cve_2021_33771_exploits
2022-06-29 20:18:34 +02:00
Florian Roth e516fd74cb Merge pull request #3172 from mepples21/miepping-dev5
Create azure_ad_bitlocker_key_retrieval.yml
2022-06-29 19:40:36 +02:00
Florian Roth 218e7f1491 Update azure_ad_device_registration_policy_changes.yml 2022-06-29 19:39:34 +02:00
Florian Roth 4fee43361c Merge pull request #3171 from mepples21/miepping-dev4
Create azure_ad_sign_ins_from_unknown_devices.yml
2022-06-29 19:37:13 +02:00
frack113 c64ece9f68 More generic 2022-06-29 19:33:50 +02:00
securepeacock ecdd32c462 Update lnx_auditd_hidden_files_directories.yml
Fixing typo.
2022-06-29 13:24:24 -04:00
Florian Roth 96e424bd4e Merge pull request #3178 from phantinuss/master
fix: technically filter THOR checking for BlueKeep vuln
2022-06-29 17:42:21 +02:00
Florian Roth e07b2f115b Merge pull request #3173 from nasbench/master
Update + New Rules
2022-06-29 17:22:02 +02:00
phantinuss b4bce46c65 fix: technically filter THOR checking for BlueKeep vuln 2022-06-29 17:07:04 +02:00
Florian Roth 6709a2dbaf Merge pull request #3177 from redsand/level_reduce_suspicious_failed_logins
Reducing the level of Account Tampering - Suspicious Failed Logon Reasons
2022-06-29 16:50:44 +02:00
Florian Roth 71edfa3550 Merge pull request #3176 from redsand/fp_reorder_system_ignore_all
False positive where system needs to be filtered first against any wri…
2022-06-29 16:50:25 +02:00
Nasreddine Bencherchali 80346a82b6 Changes From Meeting 2022-06-29 15:25:50 +01:00
Tim Shelton 78ff2fb70f Reducing the level of this item. This behavior happens too often in a normal environment, with day to day activity and no definitive threat. I believe a different rule, detecting a larger volume of this behavior would warrant a high level rating. 2022-06-29 13:32:19 +00:00
Tim Shelton ef4d3efa3a False positive where system needs to be filtered first against any writes, as it's related to drivers, especially backups 2022-06-29 13:25:24 +00:00
Nasreddine Bencherchali c99a48437d Update proc_creation_win_susp_regsvr32_no_dll.yml 2022-06-29 12:52:04 +01:00