Commit Graph

11629 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 80346a82b6 Changes From Meeting 2022-06-29 15:25:50 +01:00
Tim Shelton 78ff2fb70f Reducing the level of this item. This behavior happens too often in a normal environment, with day to day activity and no definitive threat. I believe a different rule, detecting a larger volume of this behavior, would warrant a high level rating. 2022-06-29 13:32:19 +00:00
Tim Shelton ef4d3efa3a False positive where system needs to be filtered first against any writes, as it's related to drivers, especially backups 2022-06-29 13:25:24 +00:00
Nasreddine Bencherchali c99a48437d Update proc_creation_win_susp_regsvr32_no_dll.yml 2022-06-29 12:52:04 +01:00
Florian Roth a4929221aa Merge pull request #3175 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-06-29 13:47:47 +02:00
Florian Roth 3607cf878c fix: FP with explorer.exe 2022-06-29 13:22:35 +02:00
Nasreddine Bencherchali 08981a4a41 Add more options to "where" command 2022-06-29 12:22:00 +01:00
Florian Roth fd7b8d1c4f fix: FPs 2022-06-29 13:20:57 +02:00
Nasreddine Bencherchali 13488e0ad6 Update proc_creation_win_attrib_system_susp_paths.yml 2022-06-29 12:19:33 +01:00
Nasreddine Bencherchali 9d511b75f8 Update proc_creation_win_susp_regsvr32_no_dll.yml 2022-06-29 12:17:59 +01:00
frack113 ef47e7c8f2 Update azure_ad_bitlocker_key_retrieval.yml 2022-06-29 06:34:11 +02:00
frack113 0315f31cb0 Update azure_ad_sign_ins_from_unknown_devices.yml 2022-06-29 06:33:24 +02:00
frack113 afc3625791 Merge pull request #3161 from alexmcdonald1124/msra-injection
Msra.exe process injection rule
2022-06-29 06:30:00 +02:00
Nasreddine Bencherchali a39f140255 Update proc_creation_win_change_default_file_assoc_susp.yml 2022-06-28 22:48:46 +01:00
Nasreddine Bencherchali 3818c77b03 Fix Error 2022-06-28 22:40:42 +01:00
Nasreddine Bencherchali 467b120259 Update proc_creation_win_susp_dllhost_no_cli.yml 2022-06-28 22:32:54 +01:00
Michael Epping 7aadcff92c Create azure_ad_bitlocker_key_retrieval.yml 2022-06-28 14:23:36 -07:00
Nasreddine Bencherchali 3756925dcd Update ETW Rule 2022-06-28 22:22:23 +01:00
Nasreddine Bencherchali f57b35e992 New Rules 2022-06-28 22:22:12 +01:00
Nasreddine Bencherchali 875233ca43 Update rules syntax 2022-06-28 22:21:46 +01:00
Nasreddine Bencherchali 5e42c4086a Add new PowerShell Function and Scripts 2022-06-28 22:18:44 +01:00
Nasreddine Bencherchali fb46b97f46 Rename + Delete Duplicate Rule 2022-06-28 22:18:02 +01:00
Michael Epping e446a23818 Create azure_ad_sign_ins_from_unknown_devices.yml 2022-06-28 14:12:30 -07:00
Michael Epping 7c446f0d37 Create azure_ad_device_registration_policy_changes.yml
Rule from Azure AD SecOps guide
2022-06-28 13:11:45 -07:00
Michael Epping 495a4fb1f0 Create azure_ad_device_registration_policy_changes.ym; 2022-06-28 13:10:38 -07:00
Florian Roth 2da48f5052 Merge pull request #3167 from SigmaHQ/rule-devel
Rules: Bitsadmin coverage and minor improvements
2022-06-28 17:25:03 +02:00
Florian Roth 991ff677c3 rule: bitsadmin coverage 2022-06-28 15:34:19 +02:00
Florian Roth 6f26e26846 rules: bitsadmin coverage 2022-06-28 15:16:52 +02:00
Bhabesh 1f7e37d2a0 Fixed CallTrace 2022-06-28 10:56:18 +05:45
Florian Roth c9007cb3ed Merge pull request #3165 from redsand/fp_conflict_with_filter_and_selection
Comparison conflict found between selection and filter. In favor of …
2022-06-27 23:59:20 +02:00
Florian Roth f54f660efb Merge pull request #3164 from pH-T/master
rule cleanup and new rules
2022-06-27 23:58:05 +02:00
Florian Roth 3f6d0ca970 Merge pull request #3160 from phantinuss/master
fix: FPs in testing environment
2022-06-27 23:57:05 +02:00
Tim Shelton f20e196909 Comparison conflict found between selection and filter. In favor of selection 2022-06-27 21:03:36 +00:00
phantinuss 10dfd7d063 fix: FP found in webserver logs 2022-06-27 16:46:18 +02:00
Paul Hager d7f983340b rule cleanup and new rules 2022-06-27 16:35:22 +02:00
Florian Roth 46e22d6d73 rule: WerFault process memory dump 2022-06-27 15:53:06 +02:00
Florian Roth 19ef1c153f rule: werfault accessing lsass 2022-06-27 15:49:30 +02:00
Florian Roth be5ee96e6f refactor: lsass dump file, nano dump default 2022-06-27 15:49:15 +02:00
Bhabesh e0f8506c1b Rule for HandleKatz 2022-06-27 17:25:21 +05:45
phantinuss e2a719a312 fix: typo 2022-06-27 08:47:30 +02:00
phantinuss ab5d2ed711 fix: FPs in testing environment 2022-06-27 08:47:27 +02:00
Florian Roth bc316855f6 Merge pull request #3162 from frack113/registry_event
Add missing EventType
2022-06-26 20:33:41 +02:00
frack113 281a7c8149 Add missing EventType 2022-06-26 17:41:23 +02:00
Florian Roth 1b08ee7916 Update proc_creation_win_msra_process_injection.yml 2022-06-25 08:47:36 +02:00
Alexander McDonald e740cbcaa3 Including id number per the error reported in testing 2022-06-24 16:55:10 -04:00
Alexander McDonald fd1be59f55 New experimental rule designed to find process injection 2022-06-24 16:44:40 -04:00
Florian Roth d78818e27d Merge pull request #3157 from d4rk-d4nph3/master
To account for SyncAppvPublishingServer bypass
2022-06-22 21:28:38 +02:00
Florian Roth acc95b725c Merge pull request #3159 from SigmaHQ/rule-devel
fix: title and a false positive
2022-06-22 21:22:38 +02:00
Florian Roth cdfd908627 Merge branch 'master' into rule-devel 2022-06-22 21:16:29 +02:00
Florian Roth a876da1ad7 fix: FP with ProcessExpl 2022-06-22 21:15:21 +02:00