Fukusuke Takahashi
587da70c94
Merge PR #4519 from @fukusuket - Update PowerShell Classic Rule To Use Data Field
update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
update: Uncommon PowerShell Hosts
update: Delete Volume Shadow Copies Via WMI With PowerShell
update: PowerShell Downgrade Attack - PowerShell
update: PowerShell Called from an Executable Version Mismatch
update: Netcat The Powershell Version
update: Remote PowerShell Session (PS Classic)
update: Renamed Powershell Under Powershell Channel
update: Suspicious PowerShell Download
update: Use Get-NetTCPConnection
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell
update: Tamper Windows Defender - PSClassic
update: Suspicious Non PowerShell WSMAN COM Provider
update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-10-28 12:43:58 +02:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113
020fc8061f
Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
Nasreddine Bencherchali
ccec820a01
feat: new rules & updates ( #4328 )
2023-07-13 10:01:05 +02:00
Nasreddine Bencherchali
715cc0589c
Merge pull request #4232 from swachchhanda000/master
feat: extended coverage of existing defender tampering rules
2023-06-05 13:26:03 +02:00
phantinuss
e407cfa1d6
fix: wording
2023-06-05 13:09:30 +02:00
Nasreddine Bencherchali
899c2ff23a
chore: update defender rules
2023-06-05 11:50:43 +02:00
Nasreddine Bencherchali
0cb01970e7
feat: new rules, updates and goofy guineapig stuff ( #4229 )
2023-05-15 15:53:39 +02:00
frack113
6ee5218b17
Add Powershell FP
2023-04-12 07:46:36 +02:00
sai prashanth pulisetti
46ed735d4a
feat: add co-author to posh_pc_abuse_nslookup_with_dns_records.yml ( #4079 )
2023-02-27 12:16:55 +01:00
Nasreddine Bencherchali
a19a75b0b0
fix: resolves #4015
2023-02-07 14:33:56 +01:00
Nasreddine Bencherchali
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
Nasreddine Bencherchali
85fb255bc9
feat: new rules and updates
2023-01-17 01:00:44 +01:00
frack113
7060db3d47
Promotion rules ( #3821 )
* Promotion rules
* fix missing null
* fix: modified date
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali
025c1a4aae
fix: enhance logic and severity
2022-12-19 11:21:24 +01:00
frack113
9af4c20912
Merge pull request #3783 from nasbench/nasbench-rule-devel
feat: updates and enhancements
2022-12-14 13:19:46 +01:00
Nasreddine Bencherchali
5232094c71
fix: more fp found in testing and enhance fp metadata
2022-12-13 11:25:23 +01:00
sai prashanth pulisetti
5a46cd3efd
Create Abuse Nslookup with DNS Records ( #3773 )
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-12 13:24:46 +01:00
frack113
0f3eefdc9c
Update title ( #3746 )
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-02 18:10:43 +01:00
Nasreddine Bencherchali
5a70e402b3
Update rules
2022-11-09 16:13:17 +01:00
frack113
1e5ae09c4b
Order yaml field
2022-10-26 09:43:39 +02:00
frack113
cf7a348028
Fix related
2022-10-09 17:28:05 +02:00
frack113
931fb30853
old experimental rule promotion
2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali
2c26614ce4
Update Wildcard + Int to Str fields
2022-10-05 23:15:20 +02:00
Nasreddine Bencherchali
9ef9103368
Update PowerShell + other rules
2022-08-05 17:10:41 +01:00
Nasreddine Bencherchali
238e0ecd7d
Update Ref+Selection
2022-07-11 14:11:53 +01:00
Nasreddine Bencherchali
b26c28972d
Add missing definition fields and references
2022-07-07 19:13:01 +01:00
Florian Roth
50b2fad091
Merge branch 'master' into aurora-false-positive-fixing
2022-06-20 13:43:36 +02:00
Florian Roth
72de90d2aa
fix: FPs
2022-06-20 12:52:23 +02:00
Florian Roth
f728893364
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
David ANDRE
74b9f97b9c
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
phantinuss
84d0c472ba
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
phantinuss
b23eee6ebf
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
Florian Roth
8012efa9b5
refactor: some adjustments
2022-03-04 16:34:15 +01:00
Florian Roth
921d46ca79
fix: FPs noticed with Aurora
2022-02-21 18:43:18 +01:00
frack113
4631d0c482
remove invalid tag
2022-01-19 18:23:30 +01:00
frack113
5fd339858a
Rename powershell_classic
2022-01-15 10:30:03 +01:00
frack113
73f258e2d1
Change double quote to quote
2022-01-06 14:02:35 +01:00
frack113
ee67779811
Windows T1049 RedCannary
2021-12-11 09:38:20 +01:00
frack113
4149fa8632
change to category: ps_classic_*
2021-10-16 08:26:51 +02:00
frack113
0d04b469f7
order powershell_classic
2021-10-07 07:40:53 +02:00