Commit Graph

3256 Commits

Author SHA1 Message Date
Nasreddine Bencherchali fb73dfca88 Merge branch 'master' of https://github.com/nasbench/sigma 2022-07-11 14:11:59 +01:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Florian Roth e7f5b07f2d Merge pull request #3213 from SigmaHQ/rule-devel
refactor: another Follina process pattern observed ITW
2022-07-11 13:00:51 +02:00
Florian Roth 5b8f7d977f Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-07-11 12:52:08 +02:00
Florian Roth a17364104b refactor: Follina patterns 2022-07-11 12:52:06 +02:00
Florian Roth 9daef055ae Merge pull request #3211 from SigmaHQ/rule-devel
fix: FPs with notepad as parent
2022-07-08 20:40:49 +02:00
Florian Roth 0640695258 fix: FPs with notepad.exe as parent
Closing https://github.com/SigmaHQ/sigma/issues/3208
2022-07-08 19:28:43 +02:00
frack113 4f21febbb4 Fix detection 2022-07-08 18:20:37 +02:00
Florian Roth 578c838277 Merge pull request #3203 from nasbench/master
Reference Update [Batch 1]
2022-07-08 10:47:50 +02:00
Nasreddine Bencherchali 8b9307de30 Update selections 2022-07-07 20:55:19 +01:00
Nasreddine Bencherchali 68c27b56d4 Update proc_creation_win_exploit_cve_2020_1048.yml 2022-07-07 20:16:30 +01:00
Nasreddine Bencherchali aec95b6d65 Update selections and indentation 2022-07-07 20:13:45 +01:00
Florian Roth c7eb123bc3 Merge branch 'master' into aurora-false-positive-fixing 2022-07-07 18:21:16 +02:00
Florian Roth b58c797c61 fix: FPs with Visual Studio 2022-07-07 18:20:10 +02:00
Nasreddine Bencherchali 851d55a41f Update 2022-07-07 15:37:28 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
Florian Roth beec664249 Merge pull request #3189 from redsand/fp_encoded_powershell_minor_indicator_due_to_devops
reducing level due to low indicator, per devops processes
2022-07-06 18:34:27 +02:00
Florian Roth d4781fa63c refactor: split up rule into one low & one medium 2022-07-06 18:24:59 +02:00
phantinuss ce1710a031 fix: FPs found in testing 2022-07-06 15:38:31 +02:00
frack113 88a6ec96e7 Update proc_creation_win_powershell_cmdline_specific_comb_methods.yml 2022-07-05 16:04:00 +02:00
frack113 b3595c2605 Update proc_creation_win_powershell_cmdline_specific_comb_methods.yml 2022-07-05 16:01:57 +02:00
frack113 44e45362d4 Update proc_creation_win_powershell_cmdline_specific_comb_methods.yml 2022-07-05 15:59:45 +02:00
frack113 46ef9e0c55 refactor condition 2022-07-05 13:51:00 +02:00
Nasreddine Bencherchali 22a17fbf64 Merge branch 'SigmaHQ:master' into master 2022-07-04 18:47:53 +01:00
Florian Roth dc16208fe3 Merge branch 'master' into rule-devel 2022-07-04 19:07:35 +02:00
Florian Roth 1694101893 fix: indentation 2022-07-04 17:09:53 +02:00
Florian Roth 86c3062b34 refactor: curl changes 2022-07-04 17:08:23 +02:00
Nasreddine Bencherchali 485bbd52a9 Update proc_creation_win_system_exe_anomaly.yml 2022-07-04 14:31:54 +01:00
Florian Roth 6238c6fd2c refactor: curl refactoring 2022-07-04 14:50:44 +02:00
Nasreddine Bencherchali f2cc5c8ce7 Add more processes 2022-07-04 13:38:18 +01:00
Florian Roth 5b2c38d05b refactor: curl rules refactored 2022-07-04 13:24:56 +02:00
Florian Roth 6fb1a22e77 regsvr rule extended 2022-07-04 12:39:31 +02:00
Nasreddine Bencherchali 75117927f0 Fix field name 2022-07-03 20:24:10 +01:00
Nasreddine Bencherchali 6eaafa7b92 Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 20:16:43 +01:00
Nasreddine Bencherchali 30baccb49c Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:54:11 +01:00
Nasreddine Bencherchali ab4242b8f5 Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:47:11 +01:00
Nasreddine Bencherchali 78f039311a Fix error 2022-07-03 19:45:18 +01:00
Nasreddine Bencherchali 5770b3190c Update proc_creation_win_uac_bypass_idiagnostic_profile.yml 2022-07-03 19:43:24 +01:00
Nasreddine Bencherchali f9d6f468c3 Update 2022-07-03 19:43:03 +01:00
Nasreddine Bencherchali da370f8ce3 Update proc_creation_win_cmstp_com_object_access.yml 2022-07-03 19:26:47 +01:00
Florian Roth c4021267ec Merge pull request #3193 from SigmaHQ/rule-devel
Multiple changes, new rule, some docs
2022-07-03 16:30:36 +02:00
Florian Roth a75a8ce526 docs: add reference 2022-07-03 15:58:44 +02:00
Florian Roth af8206171b style: adjusted casing 2022-07-01 21:41:14 +02:00
Nasreddine Bencherchali 8b876bb737 Update proc_creation_win_lolbin_presentationhost.yml 2022-07-01 20:18:15 +01:00
Nasreddine Bencherchali 5c17ff1d0c Update proc_creation_win_lolbin_presentationhost.yml 2022-07-01 16:59:48 +01:00
Nasreddine Bencherchali c95df56222 New Rules 2022-07-01 16:56:45 +01:00
Tim Shelton ac5deb5865 Fixing error in selection condition 2022-07-01 15:08:24 +00:00
Tim Shelton 2689d1e0a1 Splitting rules out and prioritizing the detection of convertto-securestring 2022-07-01 15:06:06 +00:00
Florian Roth 21ab44acbf Merge pull request #3188 from redsand/fp_powershell_long_entries_not_high_indicator_cite_devops_behavior
Reducing level due to it being a minor indicator and not strong enoug…
2022-07-01 08:25:07 +02:00
Tim Shelton 98227206e0 Reducing level due to it being a minor indicator and not strong enough to warrant an investigation on its own. 2022-07-01 01:43:42 +00:00