Commit Graph

11629 Commits

Author SHA1 Message Date
Florian Roth 940e4149f7 fix: wrong rule title 2022-06-22 21:15:00 +02:00
frack113 5cebc1ab88 Merge pull request #3158 from redsand/fp_printspooler_timeout
False positive when print dll times out when attempting to register
2022-06-22 21:08:40 +02:00
Tim Shelton ae50b42b2b False positive when print dll times out when attempting to register 2022-06-22 14:42:07 +00:00
Bhabesh 7afe938d49 Fixed the missing all modifier 2022-06-22 15:14:39 +05:45
Bhabesh d9836d9fe4 Fixed my rule bug 2022-06-22 15:13:51 +05:45
Bhabesh f55e3451cf Removed bypass for SyncAppvPublishingServer 2022-06-22 15:12:17 +05:45
Florian Roth 567d8e4e24 Merge pull request #3146 from frack113/redcanary_20220619
Add registry_set_timeproviders_dllname
2022-06-22 10:26:15 +02:00
Florian Roth a601ce4098 Merge pull request #3145 from frack113/chromeloader
Add proc_creation_win_chrome_load_extension
2022-06-22 10:26:07 +02:00
Florian Roth fedc465b00 Merge pull request #3155 from SigmaHQ/rule-devel
Linux - suspicious command lines
2022-06-22 10:25:42 +02:00
frack113 4ead3ea896 Merge pull request #3156 from d4rk-d4nph3/master
Added support for alternative cmd format
2022-06-22 08:19:56 +02:00
Florian Roth 926d72f7c2 fix: missing upper tick 2022-06-22 07:07:38 +02:00
Florian Roth e04003577f Update proc_creation_lnx_susp_history_recon.yml 2022-06-22 07:05:03 +02:00
Florian Roth fe72dbf62f Update proc_creation_lnx_susp_history_delete.yml 2022-06-22 07:04:30 +02:00
Bhabesh 023306e09f Added alternative cmd format 2022-06-22 10:16:39 +05:45
frack113 ecef60a4e3 Merge pull request #3154 from nasbench/master
Updates & New Rules
2022-06-22 06:19:40 +02:00
Nasreddine Bencherchali efbfc7fe67 New Rule (https://twitter.com/nas_bench/status/1537919885031772161) 2022-06-21 19:13:53 +01:00
Nasreddine Bencherchali e25ad42b5b Reverted Rule + New Rule 2022-06-21 19:03:47 +01:00
Nasreddine Bencherchali 0c2f1bfce5 Fix review comments 2022-06-21 17:22:39 +01:00
Florian Roth 8096f06c18 fix: condition 2022-06-21 17:55:49 +02:00
Florian Roth ffbe19404e fix: two rules 2022-06-21 17:45:50 +02:00
Florian Roth c2c25acbb6 docs: rules adjusted 2022-06-21 17:21:55 +02:00
Florian Roth 3f189e52c1 fix: typo in status 2022-06-21 17:21:44 +02:00
Nasreddine Bencherchali 11dca18b5b Merge branch 'SigmaHQ:master' into master 2022-06-21 15:57:06 +01:00
Nasreddine Bencherchali f12f6e3646 Update IDs 2022-06-21 15:46:00 +01:00
Florian Roth a179697c36 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-06-21 16:38:32 +02:00
Florian Roth 7ecf771cb5 fix: rule that covers unrelated activity 2022-06-21 16:38:30 +02:00
Nasreddine Bencherchali 27e73278e7 Update proc_creation_win_lolbin_findstr.yml 2022-06-21 15:37:39 +01:00
Florian Roth 4a88a5147b Merge pull request #3153 from redsand/fp_bits_client_mozilla
Adding support for Mozilla download via BITS
2022-06-21 16:37:11 +02:00
Nasreddine Bencherchali b2ce10ea2a Update proc_creation_win_lolbin_findstr.yml 2022-06-21 15:36:21 +01:00
Florian Roth aee4ebb01a Update registry_set_timeproviders_dllname.yml 2022-06-21 16:32:21 +02:00
Florian Roth 9fdf396314 Update proc_creation_win_chrome_load_extension.yml 2022-06-21 16:30:38 +02:00
Tim Shelton 6ae85eb557 Adding support for Mozilla download via BITS 2022-06-21 12:38:06 +00:00
Nasreddine Bencherchali e3bfb18f64 New Rules 2022-06-21 11:47:18 +01:00
Nasreddine Bencherchali 62a7d755cc Update proc_creation_win_service_stop.yml
Refactored the rule and added originalfilename
2022-06-21 11:46:32 +01:00
Nasreddine Bencherchali f2bc1be460 Update proc_creation_win_service_execution.yml 2022-06-21 11:46:06 +01:00
Nasreddine Bencherchali 40ccd91a94 Update proc_creation_win_msdt_diagcab.yml
In my testing I found that the ".diagcab" extension is not required. You can use .txt with the /cab flag and it'll spawn an msdt process.

Also I added the "-" (dash) version of the flag
2022-06-21 11:45:53 +01:00
Nasreddine Bencherchali d2ef62a49d Update proc_creation_win_enumeration_for_credentials_in_registry.yml 2022-06-21 11:45:01 +01:00
Nasreddine Bencherchali 4eb6b3509e Update proc_creation_win_accesschk_usage_after_priv_escalation.yml
Changed the rule as the original was flagging on every usage of "accessChk" which was not the intended behaviour as described.

The modification takes into consideration usage of the tool as seen in the referenced presentation and adds some more.
2022-06-21 11:44:51 +01:00
Nasreddine Bencherchali 71d895c17b Update file_event_win_notepad_plus_plus_persistence.yml
Reduce level to account for FP found in testing env
2022-06-21 11:43:42 +01:00
Nasreddine Bencherchali ce8ce2a91d Removed related field
The rule referenced in the field doesn't exist
2022-06-21 11:43:18 +01:00
Nasreddine Bencherchali 0a39827674 Renamed + Refactor "findstr" rule 2022-06-21 11:42:14 +01:00
Nasreddine Bencherchali 78dfcd6299 Renamed "Ps_Recon_Rule" 2022-06-21 11:41:43 +01:00
Florian Roth d2e86f9001 rule: Linux cmdline rules 2022-06-21 08:26:23 +02:00
Florian Roth 7853f93862 Merge pull request #3151 from phantinuss/master
fix: FPs found in testing environment
2022-06-20 16:59:45 +02:00
phantinuss 9475153292 fix: FPs found in testing environment 2022-06-20 16:17:54 +02:00
Florian Roth f392335e19 Merge pull request #3150 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-06-20 15:56:03 +02:00
Florian Roth 50b2fad091 Merge branch 'master' into aurora-false-positive-fixing 2022-06-20 13:43:36 +02:00
Florian Roth accf27b771 fix: FPs 2022-06-20 13:39:47 +02:00
Florian Roth ccd6fc5a7b fix: FPs 2022-06-20 13:04:49 +02:00
Florian Roth 72de90d2aa fix: FPs 2022-06-20 12:52:23 +02:00