Veramine
fda2ca4308
Update proc_creation_win_commandline_path_traversal_evasion.yml
Fix FP with Citrix launcher
2022-09-20 17:20:19 -07:00
Nasreddine Bencherchali
2f7a54cc31
Fix FP
2022-09-20 11:20:33 +02:00
Florian Roth
cab32f2be4
Merge pull request #3510 from SigmaHQ/aurora-false-positive-fixing
Windows 2022 false positive fixing
2022-09-18 16:50:34 +02:00
Florian Roth
bf660b2de2
fix: FPs (testing, and Windows 2022 test system)
2022-09-18 16:21:05 +02:00
tr0mb1r
8b60317e2e
Microsoft Teams Suspicious ObjectAccess events (#3500)
2022-09-17 08:47:35 +02:00
Florian Roth
1264429681
Merge pull request #3499 from nasbench/linux-rules-update
Linux Rules Update
2022-09-16 21:13:19 +02:00
phantinuss
bbc4aa3298
improve detection rate
2022-09-16 16:40:41 +02:00
nasreddine.bencherchali@nextron-systems.com
7f3158d09e
Fix after review
2022-09-16 11:47:19 +02:00
Florian Roth
cb55ed9f93
Merge pull request #3496 from krestinichev/add-new-rule
Add new rule: proc_creation_disable_SEP
2022-09-16 10:37:02 +02:00
Florian Roth
c2256845b2
refactor: renamed and changed title
2022-09-16 09:45:56 +02:00
nasreddine.bencherchali@nextron-systems.com
7a5017696f
Add more flags to curl Windows rule
2022-09-16 09:23:15 +02:00
Florian Roth
b4376ea580
refactor: CRLF to LF
2022-09-16 09:22:21 +02:00
Florian Roth
6d9d08e1de
Update proc_creation_disable_SEP.yml
2022-09-16 09:18:27 +02:00
frack113
c1293c3365
Merge pull request #3495 from nasbench/nasbench-rule-devel
Rule Dev (Updates)
2022-09-16 06:32:53 +02:00
nasreddine.bencherchali@nextron-systems.com
eb4247fdb4
Add missing modified field
2022-09-14 15:03:50 +02:00
krestinichev
02cfd972ed
Add files via upload
2022-09-14 15:37:51 +03:00
nasreddine.bencherchali@nextron-systems.com
653ad66f21
Updates
2022-09-14 12:29:57 +02:00
Florian Roth
67bca96744
fix: wrong image selection
2022-09-13 13:13:16 +02:00
Qasim Qlf
3b4fc8c3fd
VS Code Filter Fix - Undo the last commit
Previous filter of Image was wrong. Image can't endsWith (Code.exe and attrib.exe) at the same time. Same condition with the other scenario.
CommandLine filter is good.
2022-09-13 16:02:17 +05:00
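The commit above describes a filter that can never match: the rule's selection already pins Image to attrib.exe, so a filter that also constrains Image to Code.exe is satisfied by no event and suppresses nothing. The following is an added example, not code from the SigmaHQ repository or from the commit author: a minimal evaluator for Sigma-style selections (list values OR-ed within a field, fields AND-ed within a map, `selection and not filter` as the condition) plus a static check that flags such dead `|endswith` filters. The selection, the two filters, the field names and the sample event are constructed for this illustration; the real rule and the exact fix applied in the commit are not reproduced here.

```python
# Added example, not code from the SigmaHQ repository. A minimal evaluator for
# Sigma-style selections, used to show the logic error the commit describes:
# when the rule's selection already requires Image to end with attrib.exe, a
# filter that requires Image to end with Code.exe can never match the same
# event, so it never suppresses the VS Code false positive. The rule fragments
# and the sample event below are constructed for this illustration.
from typing import Any


def _as_list(v: Any) -> list:
    return v if isinstance(v, list) else [v]


def field_matches(value: str, modifier: str, patterns: list) -> bool:
    """One field with a list of values: Sigma OR-s the values."""
    value = str(value).lower()
    for p in (str(x).lower() for x in patterns):
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "contains" and p in value:
            return True
        if modifier == "" and value == p:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """All field constraints inside one selection map are AND-ed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field, ""), modifier, _as_list(patterns)):
            return False
    return True


def rule_fires(event: dict, selection: dict, filters: list) -> bool:
    """Equivalent of the Sigma condition: selection and not 1 of filter_*"""
    return selection_matches(event, selection) and not any(
        selection_matches(event, f) for f in filters
    )


def dead_endswith_filter(selection: dict, flt: dict) -> bool:
    """Static lint: the filter and the selection both put |endswith on the same
    field, and no suffix on one side is a suffix of one on the other, so no
    single value can satisfy both. Such a filter never excludes anything."""
    for key, sel_vals in selection.items():
        if not key.endswith("|endswith") or key not in flt:
            continue
        a = [str(x).lower() for x in _as_list(sel_vals)]
        b = [str(x).lower() for x in _as_list(flt[key])]
        if not any(x.endswith(y) or y.endswith(x) for x in a for y in b):
            return True
    return False


# Hypothetical detection: attrib.exe hiding files. Not the actual SigmaHQ rule.
SELECTION = {"Image|endswith": "\\attrib.exe", "CommandLine|contains": "+h"}

# Wrong filter (the mistake described in the commit): it constrains Image,
# which the selection already pins to attrib.exe.
WRONG_FILTER = {"Image|endswith": "\\Code.exe"}

# One working alternative (an assumption, not the commit's exact change): put
# the VS Code constraint on the parent process instead of the image itself.
PARENT_FILTER = {"ParentImage|endswith": "\\Code.exe"}

# Constructed sample event: VS Code hiding a workspace folder via attrib.exe.
VSCODE_EVENT = {
    "Image": "C:\\Windows\\System32\\attrib.exe",
    "ParentImage": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
    "CommandLine": "attrib +h \\\\?\\C:\\Users\\dev\\project\\.vscode",
}


def demo() -> dict:
    """Run the sample event through both filter variants and the lint."""
    return {
        "wrong_filter_is_dead": dead_endswith_filter(SELECTION, WRONG_FILTER),
        "fires_with_wrong_filter": rule_fires(VSCODE_EVENT, SELECTION, [WRONG_FILTER]),
        "fires_with_parent_filter": rule_fires(VSCODE_EVENT, SELECTION, [PARENT_FILTER]),
    }


if __name__ == "__main__":
    print(demo())
```

The lint only catches the one shape of mistake the commit names (two incompatible `|endswith` suffixes on the same field); it is a cheap check to run over a rule set before shipping a false-positive fix, not a general satisfiability test.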
Nasreddine Bencherchali
8a504bee9e
Add %tmp% env variable
2022-09-13 10:49:14 +02:00
nasreddine.bencherchali@nextron-systems.com
0caeaaa122
Update rules
2022-09-13 10:02:32 +02:00
Florian Roth
d0286e210e
Merge pull request #3492 from SigmaHQ/rule-devel
Rule devel
2022-09-13 08:50:37 +02:00
Florian Roth
2d7e545cad
fix: list with one element
2022-09-13 08:38:57 +02:00
Florian Roth
c22974205f
Merge branch 'master' into rule-devel
2022-09-13 08:07:35 +02:00
Florian Roth
72aa55f1c7
Merge branch 'master' into aurora-false-positive-fixing
2022-09-13 08:07:26 +02:00
Florian Roth
61422ca237
rule: UAC Bypass via ICMLuaUtil
2022-09-13 08:07:15 +02:00
Florian Roth
072a9d73eb
fix: changes to existing rules
2022-09-13 08:07:03 +02:00
Florian Roth
5f164ebe12
style: indentation
2022-09-12 13:30:14 +02:00
Florian Roth
0bbb679e38
fix: FPs with Veeam backup shell
2022-09-12 13:29:51 +02:00
Qasim Qlf
1eaad811b6
tag added
2022-09-12 14:15:48 +05:00
David André
93da67b593
Update proc_creation_win_renamed_vmnat.yml
Added accidentally removed falsepositives
2022-09-11 13:13:58 +02:00
David André
5656a3a50b
Merge branch 'SigmaHQ:master' into add_renamed_vmnat
2022-09-11 13:06:21 +02:00
David ANDRE
d73aac41d3
Changes based on advice
2022-09-11 12:44:54 +02:00
frack113
21435629a0
Merge pull request #3482 from nasbench/nasbench-rule-devel
Rule Devel (New+Update)
2022-09-10 12:34:26 +02:00
Florian Roth
e7084eee04
Merge pull request #3487 from SigmaHQ/aurora-false-positive-fixing
fix: fixing multiple FPs with the use of VSCode
2022-09-10 12:07:01 +02:00
Florian Roth
0a5cfb93b3
fix: condition
2022-09-10 11:53:42 +02:00
Florian Roth
7dbdd4d1c6
fix: fixing multiple FPs with the use of VSCode
2022-09-10 11:42:44 +02:00
Florian Roth
a053be791c
Update proc_creation_win_user_discovery_get_aduser.yml
2022-09-10 09:49:14 +02:00
Florian Roth
a616647b08
lowered score of scheduled task + SYSTEM rule
2022-09-10 09:48:50 +02:00
Nasreddine Bencherchali
2552b75e72
Delete proc_creation_win_net_add_local_user.yml
2022-09-09 23:11:28 +02:00
David ANDRE
6182b43279
Add rule for renamed vmnat.exe
2022-09-09 16:40:17 +02:00
nasreddine.bencherchali@nextron-systems.com
14db9c9fb1
Update proc_creation_win_wmic_computersystem_recon.yml
2022-09-09 15:43:07 +02:00
nasreddine.bencherchali@nextron-systems.com
a71ce185d7
Fix
2022-09-09 15:32:03 +02:00
David ANDRE
b75fb5abf5
Renamed suspicious in rule file names to susp
2022-09-09 15:12:47 +02:00
nasreddine.bencherchali@nextron-systems.com
051397b533
Update proc_creation_win_susp_schtasks_delete_all.yml
2022-09-09 15:10:49 +02:00
nasreddine.bencherchali@nextron-systems.com
c8fc1cf21e
Update proc_creation_win_user_discovery_get_aduser.yml
2022-09-09 15:04:36 +02:00
nasreddine.bencherchali@nextron-systems.com
70f9ff61ca
Big Update
2022-09-09 15:02:31 +02:00
Nasreddine Bencherchali
fbc7733078
Update proc_creation_win_susp_reg_add.yml
2022-09-08 22:52:24 +02:00
Nasreddine Bencherchali
dd67c4fd73
Dev
2022-09-08 22:50:57 +02:00
Florian Roth
358e8a567e
Merge pull request #3474 from SigmaHQ/aurora-false-positive-fixing
fix: schtasks in suspicious parents rule
2022-09-08 09:09:26 +02:00