Commit Graph

7091 Commits

Author SHA1 Message Date
Florian Roth 8f36f332fc Merge pull request #3264 from nasbench/persistence-methods
New Persistence Rules
2022-07-22 10:01:46 +02:00
Florian Roth d31c47e79a exclude changes by legitimate programs 2022-07-22 08:15:42 +02:00
Florian Roth 5cd2eaff99 Merge pull request #3260 from greg-workspace/master
Detect RipZip attack
2022-07-22 08:12:41 +02:00
Nasreddine Bencherchali eaa8167052 Fix FP 2022-07-21 22:23:11 +01:00
Nasreddine Bencherchali 2d28590ec3 Update registry_set_sip_persistence.yml 2022-07-21 21:50:46 +01:00
Nasreddine Bencherchali 16bcfd1c8b Fix FP 2022-07-21 21:46:34 +01:00
Nasreddine Bencherchali 4fa86ca772 Update registry_set_mpnotify_persistence.yml 2022-07-21 21:25:14 +01:00
Nasreddine Bencherchali f1673d13a6 Update proc_creation_win_susp_psexex_paexec_escalate_system.yml 2022-07-21 21:24:16 +01:00
Nasreddine Bencherchali ee2dd212a7 Update registry_set_ifilter_persistence.yml 2022-07-21 21:22:53 +01:00
Nasreddine Bencherchali 4e9e5450eb Update proc_creation_win_susp_psexex_paexec_escalate_system.yml 2022-07-21 21:20:25 +01:00
Nasreddine Bencherchali a949fecb1c Persistence Rules 2022-07-21 21:13:10 +01:00
Florian Roth f71504fb3f Merge pull request #3261 from SigmaHQ/rule-devel
Some rule improvements
2022-07-21 21:34:09 +02:00
Florian Roth 7858d5e841 Merge pull request #3244 from frack113/icacls_deny
Add proc_creation_win_icacls_deny
2022-07-21 18:19:51 +02:00
Florian Roth a906dd89cb refactor: rewritten RipZip rule 2022-07-21 18:19:07 +02:00
Florian Roth 9fb737612f Merge branch 'master' into rule-devel 2022-07-21 18:16:34 +02:00
Florian Roth b3dd9f51f0 some rule improvements 2022-07-21 18:16:22 +02:00
eiger 4d981fded8 Detect RipZip attack 2022-07-21 16:05:52 +08:00
Florian Roth 4a709eeea0 Merge pull request #3258 from BlackB0lt/patch-29
Update proc_creation_win_lolbins_by_office_applications.yml
2022-07-20 23:22:02 +02:00
Tim Shelton 3f6bbd0df9 False positive when box app uses regsvr32 2022-07-20 18:47:26 +00:00
Sittikorn S cac84f2d29 Update proc_creation_win_lolbins_by_office_applications.yml
And control.exe reference from Splunk Detection
2022-07-20 19:53:53 +07:00
Florian Roth c107c27074 Update proc_creation_win_icacls_deny.yml 2022-07-20 14:05:06 +02:00
Florian Roth b3131a5a44 Merge pull request #3237 from frack113/fax
Fax service persistence
2022-07-20 14:03:56 +02:00
Florian Roth abe97c6ba8 Merge pull request #3245 from redsand/fp_epmap_from_amazon_ssm
False positive from amazon ssm agent updater connecting to local ip a…
2022-07-20 14:03:41 +02:00
Florian Roth 3286d16f3a Merge branch 'master' into aurora-false-positive-fixing 2022-07-20 13:03:56 +02:00
Florian Roth 634722c786 fix: FPs noticed with Aurora 2022-07-20 13:02:49 +02:00
Florian Roth 2bea984f0a fix: FPs with Rundll32 rule 2022-07-20 12:53:24 +02:00
Florian Roth fd30a06112 Merge pull request #3240 from nasbench/uac-bypass-image-load
Iscsicpl UAC Bypass + Generic Rule
2022-07-19 16:38:34 +02:00
Tim Shelton 785a31025c False positive from amazon ssm agent updater connecting to local ip address on this port 2022-07-18 19:51:00 +00:00
frack113 4ef0cc8c66 Add proc_creation_win_icacls_deny 2022-07-18 20:10:25 +02:00
Florian Roth 96f7750cb8 Merge pull request #3242 from nasbench/wpbbin-persistence
UEFI Persistence - wpbbin
2022-07-18 15:47:34 +02:00
Florian Roth 44b424e3cf refactor: WSMAN Provider Image Loads & empty cmdline 2022-07-18 13:55:14 +02:00
Nasreddine Bencherchali 492f754f29 UEFI Persistence - wpbbin 2022-07-18 12:45:44 +01:00
Florian Roth d8792692d7 fix: typo 2022-07-18 13:27:38 +02:00
Florian Roth fe6d57cf8d Merge branch 'master' into rule-devel 2022-07-18 13:16:52 +02:00
Florian Roth a62fb4d501 Merge branch 'master' into rule-devel 2022-07-18 13:16:26 +02:00
Florian Roth 4e1f453d06 Merge pull request #3236 from frack113/ransomware
Add file_rename_win_ransomware
2022-07-18 13:16:16 +02:00
Florian Roth a8dfe50048 fix: tag list 2022-07-18 13:03:56 +02:00
Florian Roth 56944de525 Update file_rename_win_ransomware.yml 2022-07-18 12:55:58 +02:00
Nasreddine Bencherchali d32816f7a2 Iscsicpl UAC Bypass + Generic Rule 2022-07-18 11:50:55 +01:00
Florian Roth dbdb721dde Update file_rename_win_ransomware.yml 2022-07-18 12:44:51 +02:00
Florian Roth 3291db17da Update file_rename_win_ransomware.yml 2022-07-18 12:43:54 +02:00
Florian Roth 5bfd9b78f1 Update file_rename_win_ransomware.yml 2022-07-18 12:23:23 +02:00
Florian Roth 8b1ffae8ee reordered fields 2022-07-18 12:17:53 +02:00
Florian Roth 5f968dec96 reordered fields 2022-07-18 12:17:13 +02:00
frack113 957f80ec4a Fax service persistence 2022-07-17 19:46:19 +02:00
frack113 f161f6d051 Fix modified 2022-07-16 20:56:13 +02:00
frack113 5364af737b Update file_rename_win_ransomware.yml 2022-07-16 20:53:11 +02:00
frack113 04594d5556 Add file_rename_win_ransomware 2022-07-16 20:43:24 +02:00
frack113 79f6b200cc Add csrstub.exe 2022-07-16 19:54:16 +02:00
Florian Roth b24e7ae984 Merge pull request #3233 from frack113/16bit
Add proc_creation_win_susp_16bit_application
2022-07-16 17:58:43 +02:00