Commit Graph

11629 Commits

Author SHA1 Message Date
Florian Roth 55c4112e1a Merge pull request #3048 from CD-R0M/master
Filter for Dell Display Manager Child Process
2022-06-12 10:45:48 +02:00
CD-R0M 335e97247e Update registry_set_custom_file_open_handler_powershell_execution.yml 2022-06-11 10:40:04 -04:00
CD-R0M e89811fa47 Merge branch 'master' of https://github.com/CD-R0M/sigma-1 2022-06-11 10:29:54 -04:00
CD-R0M 2a2c15a407 Create registry_set_custom_file_open_handler_powershell_execution.yml 2022-06-11 10:29:46 -04:00
CD-R0M 6786bd58ac Merge branch 'SigmaHQ:master' into master 2022-06-11 10:21:07 -04:00
frack113 fba0615d15 Merge pull request #3119 from nasbench/master
GUP LOLBIN Rules + Update AccCheckConsole Rule
2022-06-11 13:09:16 +02:00
frack113 6c211887a9 Remove unneeded star 2022-06-11 12:58:14 +02:00
Nasreddine Bencherchali de78f9f5b3 Update proc_creation_win_cmdkey_recon.yml 2022-06-11 11:18:33 +01:00
Nasreddine Bencherchali b8ab72c222 Update proc_creation_win_mstsc.yml 2022-06-11 02:23:38 +01:00
Nasreddine Bencherchali c610e4a749 Update proc_creation_win_cmdkey_recon.yml 2022-06-11 02:23:31 +01:00
Nasreddine Bencherchali 3aa1d3710a Update proc_creation_win_susp_curl_fileupload.yml 2022-06-11 02:23:14 +01:00
Nasreddine Bencherchali 0e68a801b1 Update proc_creation_win_susp_curl_download.yml 2022-06-11 02:22:56 +01:00
Nasreddine Bencherchali 50bb79d54e Update proc_creation_win_susp_wsl_lolbin.yml 2022-06-11 02:21:39 +01:00
Nasreddine Bencherchali 40564ac49f Update file_event_win_notepad_plus_plus_persistence.yml 2022-06-10 20:06:03 +01:00
Nasreddine Bencherchali 2d174ec4fc Update proc_creation_win_susp_gup_execution.yml 2022-06-10 19:08:30 +01:00
Nasreddine Bencherchali 41dd9246fd GUP LOLBIN Rules + Update AccCheckConsole Rule 2022-06-10 19:07:25 +01:00
Florian Roth a05e154869 fix: condition 2022-06-10 13:46:19 +02:00
Florian Roth 3ffe83bd70 fix: typo 2022-06-10 13:18:55 +02:00
Florian Roth ed2ab816be refactor: BITS rules new and reworked 2022-06-10 13:16:40 +02:00
Florian Roth d172b136bf Merge pull request #3109 from frack113/diagcab
Add file_event_win_susp_diagcab
2022-06-10 07:34:33 +02:00
frack113 2d51c7719e Merge pull request #3115 from nasbench/master
New/Update LOLBIN Rules
2022-06-10 06:21:48 +02:00
Nasreddine Bencherchali 7267e547df Update proc_creation_win_susp_cdb.yml 2022-06-09 19:16:38 +01:00
Nasreddine Bencherchali 929d264529 Update proc_creation_win_susp_cdb.yml 2022-06-09 19:14:24 +01:00
Nasreddine Bencherchali 4e1423ba74 Update proc_creation_win_susp_cdb.yml 2022-06-09 19:13:22 +01:00
Nasreddine Bencherchali 639a6dd550 Update proc_creation_win_lolbin_mftrace.yml 2022-06-09 18:52:32 +01:00
Nasreddine Bencherchali fc44b0999b Update proc_creation_win_lolbin_mftrace.yml 2022-06-09 18:47:53 +01:00
Nasreddine Bencherchali a934f587d4 Update proc_creation_win_lolbin_mftrace.yml 2022-06-09 18:04:35 +01:00
Nasreddine Bencherchali 78bdfa85a9 Fix 2022-06-09 18:00:24 +01:00
Florian Roth 7c837334b1 Update file_event_win_susp_diagcab.yml 2022-06-09 18:27:50 +02:00
Nasreddine Bencherchali f4b0dd69f1 Update proc_creation_win_lolbin_adplus.yml 2022-06-09 16:15:28 +01:00
Nasreddine Bencherchali 0a0e976ccf Update proc_creation_win_susp_dxcap.yml 2022-06-09 15:58:52 +01:00
Nasreddine Bencherchali 87e813a649 Update proc_creation_win_lolbin_squirrel.yml 2022-06-09 15:58:22 +01:00
Nasreddine Bencherchali 4561d86d81 New/Update LOLBIN Rules 2022-06-09 15:56:33 +01:00
frack113 40adb0339e Merge pull request #3113 from svch0stz/patch-2
Update proc_creation_win_susp_recon_activity.yml
2022-06-09 13:44:27 +02:00
frack113 e6cf3d34d1 Update modified 2022-06-09 13:27:07 +02:00
svch0stz ffcf5872c5 Update proc_creation_win_susp_recon_activity.yml 2022-06-09 20:34:25 +10:00
frack113 54b1baa188 Add proc_creation_win_msdt_diagcab 2022-06-09 08:57:51 +02:00
frack113 6bd09ec054 Merge pull request #3114 from hazedav/self-join-filter
feat(backend): support for parent process filters
2022-06-09 08:16:13 +02:00
David Hazekamp c1b5551486 feat(backend): bump lacework config version 2022-06-08 23:41:54 -05:00
David Hazekamp fea9602210 feat(backend): support for parent process filters 2022-06-08 23:39:32 -05:00
svch0stz c1a601fef8 Update proc_creation_win_susp_recon_activity.yml
Using "/do" is still a valid argument. Looking for /dom will exclude this.

The other option is to remove the "/do" argument and just look for cmdline contains:
- net group "domain admins"

https://twitter.com/TheDFIRReport/status/1534227586225684481
2022-06-09 10:14:57 +10:00
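The point of the commit above is that a substring check on "/dom" silently misses the abbreviated "/do" switch. The following is an added example, not code from the SigmaHQ rule or from the commit author: it runs two constructed matchers over a handful of constructed process command lines (not real telemetry) to show which lines the "/dom" check drops and the group-name-only check keeps. It assumes that net.exe accepts "/do" as an abbreviation of "/domain", as the commit message states; the function names and sample lines are illustrative.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    'net  group "domain admins" /do',       # abbreviated switch, still valid for net.exe
    'net group "Domain Admins" /dom',
    'net group "domain admins" /domain',
    'net1 group "Domain Admins" /do',       # net1.exe is the same tool with a different binary name
    'net user /domain',                     # not a group query; should not match
    'net group "Enterprise Admins" /do',    # other group, outside this particular check
]


def match_dom_switch(cmdline):
    """Filter in the style the commit replaces: require the group name AND the literal '/dom' switch."""
    low = cmdline.lower()
    return 'domain admins' in low and '/dom' in low


def match_group_only(cmdline):
    """Alternative from the commit message: match on the 'net group "domain admins"' part
    and ignore how (or whether) the /domain switch was abbreviated."""
    # Collapse runs of whitespace so 'net  group' (double space) still matches.
    low = re.sub(r'\s+', ' ', cmdline.lower())
    return 'group "domain admins"' in low


def missed_by_dom_filter(cmdlines):
    """Command lines the group-only check catches but the '/dom' check does not."""
    return [c for c in cmdlines if match_group_only(c) and not match_dom_switch(c)]


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(f"{c!r:45} /dom-filter={match_dom_switch(c)!s:5} group-only={match_group_only(c)}")
    print("missed by /dom filter:", missed_by_dom_filter(SAMPLE_CMDLINES))
```

Both abbreviated-switch lines are dropped by the "/dom" check and kept by the group-name check, which is the gap the commit describes. The group-name check is also case-insensitive and whitespace-normalised, since command lines from different event sources differ in both.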
frack113 63400139bd Merge pull request #3110 from FlorianBracq/patch-1
Updating azure federation modified rule
2022-06-08 22:19:17 +02:00
frack113 dbc4b53999 Merge pull request #3112 from redsand/backend_hawk_update
backend - updating hawk backend with additional translations
2022-06-08 22:18:38 +02:00
frack113 7fbfa45d74 Merge pull request #3111 from redsand/fp_posh_ps_malicious_commandlets
False positive - another amazon module filter
2022-06-08 22:17:43 +02:00
Tim Shelton 4d7d0b3235 backend - updating hawk backend with additional translations 2022-06-08 19:04:37 +00:00
Tim Shelton d3ef79018c False positive - another amazon module filter 2022-06-08 19:00:12 +00:00
frack113 98e218722c Merge pull request #3107 from dacelbot/master
Submit a rule for ECS Backdoor Task Definition
2022-06-08 19:46:55 +02:00
FlorianBracq f5211710d6 Update modification date 2022-06-08 18:54:03 +02:00
Darin Smith d29eb1e48c Change to all selection elements rather than a filter and a selection 2022-06-08 09:13:48 -07:00
Florian Roth 7f61789082 rule: renamed rundll32.exe 2022-06-08 17:23:29 +02:00