Commit Graph

3884 Commits

Author SHA1 Message Date
phantinuss 09b94e2081 fix: FP on test system 2022-10-20 11:08:41 +02:00
phantinuss f976ad48c1 Merge pull request #3602 from nasbench/nasbench-rule-devel
Rule Dev
2022-10-20 10:28:56 +02:00
phantinuss 7a6bb720d9 fix: FPs on test system 2022-10-19 15:44:00 +02:00
Nasreddine Bencherchali 676578d2c4 Add PowerShell version of the rule + Fix rule 2022-10-18 16:03:26 +02:00
Nasreddine Bencherchali 0fc2e75c0d Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2022-10-18 14:12:39 +02:00
Nasreddine Bencherchali a72aedb1cc Small Update To FP 2022-10-18 11:51:37 +02:00
securepeacock cef6ea0b6b Update proc_creation_win_renamed_binary.yml
Added InstallUtil
https://twitter.com/424f424f/status/1582048291294162946?s=20&t=5uYGiwA_fJP8-7pnK2yViQ
2022-10-17 12:58:29 -04:00
Nasreddine Bencherchali b5500687fa Add Hide Service Via SDDL Rule
Ref: https://twitter.com/Alh4zr3d/status/1580925761996828672
2022-10-17 14:26:29 +02:00
Florian Roth 450229537e Merge pull request #3595 from SigmaHQ/rule-devel
rule: extended susp adfind rule, rule: susp wermgr process patterns
2022-10-15 10:49:50 +02:00
Florian Roth 404a1b4c6a Merge pull request #3590 from dmuensterer/patch-1
Filter Dell Update Utility: proc_creation_win_susp_non_exe_image.yml
2022-10-14 18:04:59 +02:00
Florian Roth 77a61facd2 fix: wrong selector in condition 2022-10-14 17:27:20 +02:00
Florian Roth cc8a1a5441 rule: suspicious wermgr process trees 2022-10-14 15:43:02 +02:00
phantinuss cca32d824a fix: FP on testing system 2022-10-14 14:08:45 +02:00
Florian Roth c4ea037717 Merge pull request #3549 from aaronherman/add-susp-lolbin-non-c
Add rule for suspicious lolbin executing in non-c drive
2022-10-14 13:23:35 +02:00
Florian Roth d4ed33b84b fix: typo in filter 2022-10-14 12:42:49 +02:00
Florian Roth b4e1bd1659 Update proc_creation_win_susp_non_exe_image.yml 2022-10-14 12:25:48 +02:00
Florian Roth 6706a67bb8 refactor: move few apt rules to categories, del 'apt' folder 2022-10-14 11:44:49 +02:00
Florian Roth 7c44a58e5d refactor: extended renamed adfind detection 2022-10-14 11:40:49 +02:00
frack113 329e0f33d0 Merge pull request #3586 from nasbench/nasbench-rule-devel
Rule Dev - New+Updated Rules
2022-10-14 10:57:44 +02:00
dmuensterer 84daaa0c76 Update proc_creation_win_susp_non_exe_image.yml
Added false positive filter for Dell Docking Station Update Utility.

The Image has a value similar to: C:\Windows\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE
ParentImage will always be: C:\Windows\Temp\*\TBT_Dock_Firmware\GetDockVer32W.exe
SHA256: cd2688a74a151b03282388dadb8b6aaca309f2535c8b2b21d1243846d2b259dc
MD5:
2022-10-14 10:36:08 +02:00
Florian Roth 0d5dba2d94 Merge pull request #3587 from nasbench/fix-false-positives
Fix False Positives
2022-10-14 10:22:24 +02:00
Nasreddine Bencherchali 64ade5eb3c Update proc_creation_win_get_localgroup_member_recon.yml 2022-10-14 01:01:43 +02:00
Nasreddine Bencherchali 48e7f9e302 Merge branch 'master' into nasbench-rule-devel 2022-10-14 00:49:20 +02:00
Nasreddine Bencherchali 992538ce09 Update proc_creation_win_system_exe_anomaly.yml 2022-10-14 00:39:12 +02:00
Nasreddine Bencherchali 48af508541 Create proc_creation_win_office_svchost_child.yml 2022-10-13 13:20:58 +02:00
Florian Roth 69b0b9bf93 Merge pull request #3541 from Gude5/master
Added some rules based on elastic rules
2022-10-12 18:01:39 +02:00
Florian Roth 677cf08bab Merge pull request #3583 from SigmaHQ/rule-devel
refactor: addition to Rubeus rule
2022-10-12 18:01:00 +02:00
Florian Roth 0a330250ea Merge pull request #3576 from phantinuss/master
FP fixes and minor QA
2022-10-12 18:00:11 +02:00
nasreddine.bencherchali@nextron-systems.com 3ac4ad7643 Rename+Update Browser Remote Debugging Rule 2022-10-12 15:58:34 +02:00
nasreddine.bencherchali@nextron-systems.com 626effcad4 Update proc_creation_win_susp_plink_usage.yml 2022-10-12 11:25:01 +02:00
nasreddine.bencherchali@nextron-systems.com d3ca351834 New SSH.EXE rules 2022-10-12 11:24:54 +02:00
nasreddine.bencherchali@nextron-systems.com faad0209de Rename Plink Port Forward Rule 2022-10-12 11:24:28 +02:00
Nasreddine Bencherchali f55f4ca2d6 Update Rules 2022-10-12 10:04:15 +02:00
Nasreddine Bencherchali d42e5b5435 New Rules 2022-10-12 10:04:04 +02:00
frack113 f2aa1cacf0 Add OriginalFileName 2022-10-12 06:36:32 +02:00
frack113 8eed237931 Update proc_creation_win_unusual_parent_for_cmd.yml 2022-10-12 06:28:58 +02:00
frack113 4acc692633 Update proc_creation_win_susp_certutil_command.yml 2022-10-12 06:28:34 +02:00
frack113 d5b6451f90 Fix modified 2022-10-11 20:30:31 +02:00
Gude5 2a1233c965 Updated some rules after review 2022-10-11 16:31:56 +02:00
phantinuss af9d04aa9c fix: FPs occurring when using winget upgrade 2022-10-11 16:25:03 +02:00
Nasreddine Bencherchali 0e40a65bef Fix FP caused by short atoms
Added spaces to avoid fp
2022-10-11 14:37:34 +02:00
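The two false-positive fixes above, dmuensterer's filter for the Dell docking-station updater (84daaa0c76) and Nasreddine Bencherchali's "short atoms" fix (0e40a65bef), both come down to how Sigma string matching behaves. The following is an added editorial example, not code from the SigmaHQ/sigma repository: it implements a minimal Sigma-style matcher (case-insensitive `contains`/`startswith`/`endswith` modifiers, `*` wildcards, and a `selection and not 1 of filter_*` condition) and runs two hypothetical rules over constructed process-creation events. The rule bodies, field values, command lines and event samples are assumptions made for illustration; they are not the actual contents of proc_creation_win_susp_non_exe_image.yml or of the rule touched in 0e40a65bef.

```python
import fnmatch


def match_value(value, pattern, modifier=""):
    """Sigma-style comparison: case-insensitive; 'contains', 'startswith' and
    'endswith' modifiers, otherwise an exact match where '*' is a wildcard."""
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    return fnmatch.fnmatchcase(v, p)


def match_selection(event, selection):
    """Every field in a selection map must match (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(match_value(event[field], p, modifier) for p in values):
            return False
    return True


def evaluate(rule, event):
    """Only one condition shape is modelled here: 'selection and not 1 of filter_*'."""
    detection = rule["detection"]
    if not match_selection(event, detection["selection"]):
        return False
    filters = [s for name, s in detection.items() if name.startswith("filter")]
    return not any(match_selection(event, f) for f in filters)


def alerts(rule, events):
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if evaluate(rule, e)]


# Hypothetical rule (assumption, not the project's own): any process whose image
# does not end in .exe, except the Dell docking-station updater described in
# commit 84daaa0c76 (image under C:\Windows\Temp\Helper\, parent
# C:\Windows\Temp\*\TBT_Dock_Firmware\GetDockVer32W.exe).
NON_EXE_IMAGE_RULE = {
    "title": "Illustrative non-EXE image rule",
    "detection": {
        "selection": {"Image|startswith": "C:\\"},
        "filter_exe": {"Image|endswith": [".exe", ".tmp"]},
        "filter_dell_dock": {
            "Image|startswith": "C:\\Windows\\Temp\\Helper\\",
            "ParentImage": "C:\\Windows\\Temp\\*\\TBT_Dock_Firmware\\GetDockVer32W.exe",
        },
    },
}


def short_atom_rule(atom):
    """Hypothetical rule keyed on one CommandLine atom, e.g. '-r' versus ' -r '.
    A two-character atom matches inside unrelated words ('--repair'); padding it
    with spaces, as in commit 0e40a65bef, pins it to a standalone switch."""
    return {
        "title": "Illustrative short-atom rule",
        "detection": {"selection": {"CommandLine|contains": atom}},
    }


# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": "dell-dock-updater",
     "Image": r"C:\Windows\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE",
     "ParentImage": r"C:\Windows\Temp\1B9E2A\TBT_Dock_Firmware\GetDockVer32W.exe",
     "CommandLine": r"C:\Windows\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE"},
    {"id": "renamed-payload",
     "Image": r"C:\Users\Public\update.dat",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\Public\update.dat"},
    {"id": "cmd",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"id": "plink-reverse-tunnel",
     "Image": r"C:\Tools\plink.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "plink.exe -R 8080:127.0.0.1:3389 user@203.0.113.5"},
    {"id": "installer-repair",
     "Image": r"C:\Temp\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "setup.exe --repair --quiet"},
]


if __name__ == "__main__":
    print("non-exe image:", alerts(NON_EXE_IMAGE_RULE, EVENTS))
    print("atom '-r':    ", alerts(short_atom_rule("-r"), EVENTS))
    print("atom ' -r ':  ", alerts(short_atom_rule(" -r "), EVENTS))
```

Running it shows the Dell updater dropping out of the non-EXE rule once the parent-image wildcard filter is in place, while the renamed `.dat` payload still alerts; the unpadded `-r` atom fires on both the plink reverse tunnel and a benign `--repair` invocation, and the space-padded form keeps only the tunnel.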
Nasreddine Bencherchali 563a3d5646 Reduce level to medium 2022-10-11 14:04:14 +02:00
Tim Rauch cd6ee66a38 Updated some rules 2022-10-11 13:48:42 +02:00
Tim Rauch d84e281e96 Updated cbb9e3d1-2386-4e59-912e-62f1484f7a89 2022-10-11 13:42:24 +02:00
Tim Rauch c4fec44e5b Updated some rules 2022-10-11 13:28:59 +02:00
Tim Rauch 4ab6fe537a Updated some rules 2022-10-11 12:38:23 +02:00
Florian Roth 8d9c11b26e Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-10-11 11:40:07 +02:00
Florian Roth 5ad51c4dea refactor: additional Rubeus indicators 2022-10-11 11:40:03 +02:00
Tim Rauch 3454738439 Merge branch 'master' 2022-10-11 11:32:20 +02:00
Gude5 2d5939e33b Merge branch 'SigmaHQ:master' into master 2022-10-11 11:29:48 +02:00