security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,854 Commits 1 Branch 57 Tags
ff6384aabb2bf61410fcc335ff2edb3fa4a6e83a
Commit Graph

3300 Commits

Author SHA1 Message Date
Florian Roth 8f36f332fc Merge pull request #3264 from nasbench/persistence-methods 
New Persistence Rules
 2022-07-22 10:01:46 +02:00
Nasreddine Bencherchali f1673d13a6 Update proc_creation_win_susp_psexex_paexec_escalate_system.yml 2022-07-21 21:24:16 +01:00
Nasreddine Bencherchali 4e9e5450eb Update proc_creation_win_susp_psexex_paexec_escalate_system.yml 2022-07-21 21:20:25 +01:00
Nasreddine Bencherchali a949fecb1c Persistence Rules 2022-07-21 21:13:10 +01:00
Florian Roth f71504fb3f Merge pull request #3261 from SigmaHQ/rule-devel 
Some rule improvements
 2022-07-21 21:34:09 +02:00
Florian Roth 7858d5e841 Merge pull request #3244 from frack113/icacls_deny 
Add proc_creation_win_icacls_deny
 2022-07-21 18:19:51 +02:00
Florian Roth 9fb737612f Merge branch 'master' into rule-devel 2022-07-21 18:16:34 +02:00
Florian Roth b3dd9f51f0 some rule improvements 2022-07-21 18:16:22 +02:00
Florian Roth 4a709eeea0 Merge pull request #3258 from BlackB0lt/patch-29 
Update proc_creation_win_lolbins_by_office_applications.yml
 2022-07-20 23:22:02 +02:00
Tim Shelton 3f6bbd0df9 False positive when box app uses regsvr32 2022-07-20 18:47:26 +00:00
Sittikorn S cac84f2d29 Update proc_creation_win_lolbins_by_office_applications.yml 
And control.exe reference from Splunk Detection
 2022-07-20 19:53:53 +07:00
Florian Roth c107c27074 Update proc_creation_win_icacls_deny.yml 2022-07-20 14:05:06 +02:00
Florian Roth 3286d16f3a Merge branch 'master' into aurora-false-positive-fixing 2022-07-20 13:03:56 +02:00
Florian Roth 634722c786 fix: FPs noticed with Aurora 2022-07-20 13:02:49 +02:00
Florian Roth 2bea984f0a fix: FPs with Rundll32 rule 2022-07-20 12:53:24 +02:00
frack113 4ef0cc8c66 Add proc_creation_win_icacls_deny 2022-07-18 20:10:25 +02:00
Florian Roth 96f7750cb8 Merge pull request #3242 from nasbench/wpbbin-persistence 
UEFI Persistence - wpbbin
 2022-07-18 15:47:34 +02:00
Nasreddine Bencherchali 492f754f29 UEFI Persistence - wpbbin 2022-07-18 12:45:44 +01:00
Florian Roth a62fb4d501 Merge branch 'master' into rule-devel 2022-07-18 13:16:26 +02:00
frack113 f161f6d051 Fix modified 2022-07-16 20:56:13 +02:00
frack113 79f6b200cc Add csrstub.exe 2022-07-16 19:54:16 +02:00
frack113 00886a2b33 Add proc_creation_win_susp_16bit_application 2022-07-16 17:36:53 +02:00
Florian Roth 749a7b4df5 Merge branch 'master' into rule-devel 2022-07-16 08:15:20 +02:00
Florian Roth b52b279f30 Merge pull request #3225 from nasbench/master 
New Rules + Update
 2022-07-14 21:58:01 +02:00
Tim Shelton 6187cfdfd6 False positive when amazon workspaces is running and doing its weird little things 2022-07-14 19:41:52 +00:00
Nasreddine Bencherchali e4f964879e Fix after review 2022-07-14 19:34:59 +01:00
Nasreddine Bencherchali 92b0239f27 Update proc_creation_win_powershell_susp_parameter_variation.yml 2022-07-14 17:43:04 +01:00
Nasreddine Bencherchali 16b2945027 New Rules + Update 2022-07-14 17:35:50 +01:00
Florian Roth 98a7d2f76e Merge pull request #3216 from nasbench/master 
DFIR Report - SELECT XMRig FROM SQLServer (New Rules)
 2022-07-12 17:40:44 +02:00
Florian Roth 739a54289e Update proc_creation_win_inline_base64_mz_header.yml 2022-07-12 17:33:04 +02:00
Florian Roth 730ee2cc9b Merge pull request #3217 from phantinuss/master 
Fix FPs
 2022-07-12 17:16:04 +02:00
Florian Roth 31ee9b7104 Merge branch 'master' into aurora-false-positive-fixing 2022-07-12 16:54:10 +02:00
phantinuss b6025adaa8 fix: found on several systems in prod environment 2022-07-12 16:41:10 +02:00
Florian Roth e79e4d6c3b fix: FPs wtih csc.exe as child of sdiagnhost 2022-07-12 14:32:22 +02:00
Nasreddine Bencherchali a41a73d721 DFIR Report - SELECT XMRig FROM SQLServer 2022-07-12 01:27:51 +01:00
Nasreddine Bencherchali 614fe69363 Update proc_creation_win_susp_use_of_sqltoolsps_bin.yml 2022-07-11 18:27:06 +01:00
Nasreddine Bencherchali 3aab1cc54c Update proc_creation_win_susp_service_path_modification.yml 2022-07-11 18:25:54 +01:00
Nasreddine Bencherchali 987b694223 Update proc_creation_win_susp_runscripthelper.yml 2022-07-11 18:24:17 +01:00
Nasreddine Bencherchali 093aff99b0 Update proc_creation_win_lsass_dump.yml 2022-07-11 18:22:50 +01:00
Nasreddine Bencherchali f2d9299703 Update proc_creation_win_susp_runonce_execution.yml 2022-07-11 18:21:46 +01:00
Nasreddine Bencherchali 9feec535f6 Update proc_creation_win_base64_listing_shadowcopy.yml 2022-07-11 18:19:46 +01:00
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali 12d187bc91 Update Ref+Selection 2 2022-07-11 17:48:40 +01:00
Florian Roth b78a1f3267 rule: suspicious PS encoded & obfuscated 2022-07-11 18:23:34 +02:00
Nasreddine Bencherchali fb73dfca88 Merge branch 'master' of https://github.com/nasbench/sigma 2022-07-11 14:11:59 +01:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Florian Roth e7f5b07f2d Merge pull request #3213 from SigmaHQ/rule-devel 
refactor: another Follina process pattern observed ITW
 2022-07-11 13:00:51 +02:00
Florian Roth 5b8f7d977f Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-07-11 12:52:08 +02:00
Florian Roth a17364104b refactor: Follina patterns 2022-07-11 12:52:06 +02:00
Florian Roth 9daef055ae Merge pull request #3211 from SigmaHQ/rule-devel 
fix: FPs with notepad as parent
 2022-07-08 20:40:49 +02:00