security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,629 Commits 1 Branch 57 Tags
f2cc5c8ce7ddeb6727e0c76f3364735dfd6dfdce
Commit Graph

3222 Commits

Author SHA1 Message Date
Nasreddine Bencherchali f2cc5c8ce7 Add more processes 2022-07-04 13:38:18 +01:00
Nasreddine Bencherchali 75117927f0 Fix field name 2022-07-03 20:24:10 +01:00
Nasreddine Bencherchali 6eaafa7b92 Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 20:16:43 +01:00
Nasreddine Bencherchali 30baccb49c Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:54:11 +01:00
Nasreddine Bencherchali ab4242b8f5 Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:47:11 +01:00
Nasreddine Bencherchali 78f039311a Fix error 2022-07-03 19:45:18 +01:00
Nasreddine Bencherchali 5770b3190c Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:43:24 +01:00
Nasreddine Bencherchali f9d6f468c3 Update 2022-07-03 19:43:03 +01:00
Nasreddine Bencherchali da370f8ce3 Update proc_creation_win_cmstp_com_object_access.yml 2022-07-03 19:26:47 +01:00
Florian Roth c4021267ec Merge pull request #3193 from SigmaHQ/rule-devel 
Multiple changes, new rule, some docs
 2022-07-03 16:30:36 +02:00
Florian Roth a75a8ce526 docs: add reference 2022-07-03 15:58:44 +02:00
Nasreddine Bencherchali 8b876bb737 Update proc_creation_win_lolbin_presentationhost.yml 2022-07-01 20:18:15 +01:00
Nasreddine Bencherchali 5c17ff1d0c Update proc_creation_win_lolbin_presentationhost.yml 2022-07-01 16:59:48 +01:00
Nasreddine Bencherchali c95df56222 New Rules 2022-07-01 16:56:45 +01:00
Florian Roth 21ab44acbf Merge pull request #3188 from redsand/fp_powershell_long_entries_not_high_indicator_cite_devops_behavior 
Reducing level due to it being a minor indicator and not strong enoug…
 2022-07-01 08:25:07 +02:00
Tim Shelton 98227206e0 Reducing level due to it being a minor indicator and not strong enough to warrant an investigation on its own. 2022-07-01 01:43:42 +00:00
Florian Roth cb33e5cc8a Merge pull request #3185 from frack113/fix_issue_2579 
fix issue 2579
 2022-06-30 18:17:51 +02:00
phantinuss 58dc1da663 fix: FPs found in testing environment 2022-06-30 16:40:05 +02:00
frack113 38761cbdb0 fix issue 2022-06-30 08:48:31 +02:00
Florian Roth e07b2f115b Merge pull request #3173 from nasbench/master 
Update + New Rules
 2022-06-29 17:22:02 +02:00
Nasreddine Bencherchali 80346a82b6 Changes From Meeting 2022-06-29 15:25:50 +01:00
Nasreddine Bencherchali c99a48437d Update proc_creation_win_susp_regsvr32_no_dll.yml 2022-06-29 12:52:04 +01:00
Florian Roth 3607cf878c fix: FP with explorer.exe 2022-06-29 13:22:35 +02:00
Nasreddine Bencherchali 08981a4a41 Add more options to "where" command 2022-06-29 12:22:00 +01:00
Nasreddine Bencherchali 13488e0ad6 Update proc_creation_win_attrib_system_susp_paths.yml 2022-06-29 12:19:33 +01:00
Nasreddine Bencherchali 9d511b75f8 Update proc_creation_win_susp_regsvr32_no_dll.yml 2022-06-29 12:17:59 +01:00
frack113 afc3625791 Merge pull request #3161 from alexmcdonald1124/msra-injection 
Msra.exe process injection rule
 2022-06-29 06:30:00 +02:00
Nasreddine Bencherchali a39f140255 Update proc_creation_win_change_default_file_assoc_susp.yml 2022-06-28 22:48:46 +01:00
Nasreddine Bencherchali 3818c77b03 Fix Error 2022-06-28 22:40:42 +01:00
Nasreddine Bencherchali 467b120259 Update proc_creation_win_susp_dllhost_no_cli.yml 2022-06-28 22:32:54 +01:00
Nasreddine Bencherchali 3756925dcd Update ETW Rule 2022-06-28 22:22:23 +01:00
Nasreddine Bencherchali f57b35e992 New Rules 2022-06-28 22:22:12 +01:00
Nasreddine Bencherchali 875233ca43 Update rules syntax 2022-06-28 22:21:46 +01:00
Nasreddine Bencherchali fb46b97f46 Rename + Delete Duplicate Rule 2022-06-28 22:18:02 +01:00
Florian Roth 2da48f5052 Merge pull request #3167 from SigmaHQ/rule-devel 
Rules: Bitsadmin coverage and minor improvements
 2022-06-28 17:25:03 +02:00
Florian Roth 991ff677c3 rule: bitsadmin coverage 2022-06-28 15:34:19 +02:00
Florian Roth 6f26e26846 rules: bitsadmin coverage 2022-06-28 15:16:52 +02:00
Florian Roth f54f660efb Merge pull request #3164 from pH-T/master 
rule cleanup and new rules
 2022-06-27 23:58:05 +02:00
Paul Hager d7f983340b rule cleanup and new rules 2022-06-27 16:35:22 +02:00
phantinuss ab5d2ed711 fix: FPs in testing environment 2022-06-27 08:47:27 +02:00
Florian Roth 1b08ee7916 Update proc_creation_win_msra_process_injection.yml 2022-06-25 08:47:36 +02:00
Alexander McDonald e740cbcaa3 Including id number per the error reported in testing 2022-06-24 16:55:10 -04:00
Alexander McDonald fd1be59f55 New experimental rule designed to find process injection 2022-06-24 16:44:40 -04:00
Florian Roth d78818e27d Merge pull request #3157 from d4rk-d4nph3/master 
To account for SyncAppvPublishingServer bypass
 2022-06-22 21:28:38 +02:00
Florian Roth cdfd908627 Merge branch 'master' into rule-devel 2022-06-22 21:16:29 +02:00
Florian Roth 940e4149f7 fix: wrong rule title 2022-06-22 21:15:00 +02:00
Bhabesh 7afe938d49 Fixed the missing all modifier 2022-06-22 15:14:39 +05:45
Bhabesh d9836d9fe4 Fixed my rule bug 2022-06-22 15:13:51 +05:45
Bhabesh f55e3451cf Removed bypass for SyncAppvPublishingServer 2022-06-22 15:12:17 +05:45
Florian Roth a601ce4098 Merge pull request #3145 from frack113/chromeloader 
Add proc_creation_win_chrome_load_extension
 2022-06-22 10:26:07 +02:00