Commit Graph

10297 Commits

Author SHA1 Message Date
frack113 fd40c8ddce Merge pull request #3612 from qasimqlf/patch-8
Update and rename posh_ps_copy_item_system32.yml
2022-10-21 06:48:10 +02:00
phantinuss f4420ca3c3 fix: FPs found in testing environment 2022-10-20 17:25:23 +02:00
Qasim Qlf 2c4ea3761a Update and rename posh_ps_copy_item_system32.yml to posh_ps_copy_item_system_directory.yml 2022-10-20 14:31:48 +05:00
phantinuss 09b94e2081 fix: FP on test system 2022-10-20 11:08:41 +02:00
phantinuss f976ad48c1 Merge pull request #3602 from nasbench/nasbench-rule-devel
Rule Dev
2022-10-20 10:28:56 +02:00
frack113 27ad27c3c0 Merge pull request #3608 from unamuno/patch-mitreid
changed mitre id from process to user discovery
2022-10-19 22:31:37 +02:00
Nasreddine Bencherchali 4a61f56c5f Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-19 19:06:00 +02:00
Nasreddine Bencherchali 87c0788fca Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-19 19:04:53 +02:00
Merlin 575f36d8f8 changed mitre id from process to user discovery 2022-10-19 16:10:47 +02:00
phantinuss 7a6bb720d9 fix: FPs on test system 2022-10-19 15:44:00 +02:00
Nasreddine Bencherchali 21040fc106 Update posh_ps_using_set_service_to_hide_services.yml 2022-10-18 20:13:45 +02:00
Florian Roth e93b7bf571 Merge pull request #3601 from blueteam0ps/patch-9
proxy_ua_rclone.yml
2022-10-18 19:07:08 +02:00
Nasreddine Bencherchali a6edfd6c21 Add more details to the definition section
Add more details to the definition section for events from the "Audit Directory Service Changes"
2022-10-18 17:35:02 +02:00
Florian Roth eada6ed589 Update proxy_ua_rclone.yml 2022-10-18 17:21:54 +02:00
Nasreddine Bencherchali 2758e67185 Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-18 17:08:09 +02:00
Nasreddine Bencherchali 18ed0ce02a Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-18 17:07:36 +02:00
phantinuss a5b08d5b9c fix: FPs on test machine 2022-10-18 16:39:04 +02:00
Nasreddine Bencherchali 676578d2c4 Add PowerShell version of the rule + Fix rule 2022-10-18 16:03:26 +02:00
Nasreddine Bencherchali ce567a4d8d Fix wording in definition + Add FP description 2022-10-18 16:02:41 +02:00
Nasreddine Bencherchali 2a86dd3d71 Reduce to medium level due to FP 2022-10-18 14:13:43 +02:00
Nasreddine Bencherchali 0fc2e75c0d Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2022-10-18 14:12:39 +02:00
phantinuss a1f4ef4d34 fix: FP on many systems 2022-10-18 12:49:24 +02:00
Nasreddine Bencherchali a72aedb1cc Small Update To FP 2022-10-18 11:51:37 +02:00
Nasreddine Bencherchali 01826d2a3b New File Access Rules
Added new files access rules related to windows dpapi files/keys
2022-10-18 11:51:24 +02:00
Florian Roth 458428bf5f Update proxy_ua_rclone.yml 2022-10-18 10:15:33 +02:00
BlueTeamOps f34c32882a proxy_ua_rclone.yml
Adding this rule after reading https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone. It is more relevant to O365, but it may help via proxy too if this is off O365.
2022-10-18 17:32:38 +11:00
frack113 0b84ffa517 Merge pull request #3600 from securepeacock/patch-30
Update proc_creation_win_renamed_binary.yml
2022-10-18 06:24:16 +02:00
securepeacock cef6ea0b6b Update proc_creation_win_renamed_binary.yml
Added InstallUtil
https://twitter.com/424f424f/status/1582048291294162946?s=20&t=5uYGiwA_fJP8-7pnK2yViQ
2022-10-17 12:58:29 -04:00
Kawa 6960178d56 Update driver_load_vuln_drivers_names.yml 2022-10-17 15:23:14 +02:00
Nasreddine Bencherchali b5500687fa Add Hide Service Via SDDL Rule
Ref: https://twitter.com/Alh4zr3d/status/1580925761996828672
2022-10-17 14:26:29 +02:00
Nasreddine Bencherchali e26a6e36db Add missing definitions
Add missing definitions for Audit Directory Services Changes events
2022-10-17 13:23:53 +02:00
frack113 2247e87945 Order file rule 2022-10-16 09:25:51 +02:00
Florian Roth a6bfd33d81 Merge branch 'master' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-10-15 11:30:58 +02:00
Florian Roth 7279e67b86 fix: several FPs with legitimate programs 2022-10-15 11:23:41 +02:00
Florian Roth b123f71e02 fix: FPs with no OriginalFilename 2022-10-15 11:14:48 +02:00
Florian Roth 450229537e Merge pull request #3595 from SigmaHQ/rule-devel
rule: extended susp adfind rule, rule: susp wermgr process patterns
2022-10-15 10:49:50 +02:00
Florian Roth e344b1f10f Merge pull request #3591 from frack113/yamato_security
Windows builtin security rules
2022-10-15 10:49:37 +02:00
Florian Roth 404a1b4c6a Merge pull request #3590 from dmuensterer/patch-1
Filter Dell Update Utility: proc_creation_win_susp_non_exe_image.yml
2022-10-14 18:04:59 +02:00
Florian Roth a6e54ab023 Update win_security_user_logoff.yml 2022-10-14 18:03:40 +02:00
Florian Roth 9e7e252397 Merge pull request #3594 from SigmaHQ/aurora-false-positive-fixing
fix: DropBox FP
2022-10-14 18:02:05 +02:00
Florian Roth 77a61facd2 fix: wrong selector in condition 2022-10-14 17:27:20 +02:00
Florian Roth 8205af46f7 fix: DropBox FP 2022-10-14 15:43:32 +02:00
Florian Roth cc8a1a5441 rule: suspicious wermgr process trees 2022-10-14 15:43:02 +02:00
phantinuss cca32d824a fix: FP on testing system 2022-10-14 14:08:45 +02:00
Florian Roth c4ea037717 Merge pull request #3549 from aaronherman/add-susp-lolbin-non-c
Add rule for suspicious lolbin executing in non-c drive
2022-10-14 13:23:35 +02:00
Florian Roth d4ed33b84b fix: typo in filter 2022-10-14 12:42:49 +02:00
frack113 81ec573424 Update rules/windows/builtin/security/win_security_user_logoff.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:51 +02:00
frack113 d010fedb2c Update rules/windows/builtin/security/win_security_replay_attack_detected.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:41 +02:00
frack113 2e14174911 Update rules/windows/builtin/security/win_security_device_installation_blocked.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:27 +02:00
frack113 0042e2c8f0 Update rules/windows/builtin/security/win_security_add_remove_computer.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-10-14 12:37:20 +02:00