blue-team-tools

Files

T

Nasreddine Bencherchali 04ad307e4e Update proc_creation_win_susp_advancedrun_priv_user.yml

Added cases for LocalService and NetworkService, which could be interesting to monitor:

RunAs=10 (Network Service)
RunAs=11 (Local Service)

2022-05-05 21:06:53 +01:00

builtin

Merge pull request #2979 from SigmaHQ/rule-devel

2022-05-05 18:57:08 +02:00

create_remote_thread

rule: KeePass password dumping

2022-04-23 18:25:11 +02:00

create_stream_hash

fix: unknown --> Unknown

2022-03-16 13:43:54 +01:00

dns_query

Redcannary

2022-04-04 10:57:23 +02:00

driver_load

fix: legitimate --> Legitimate

2022-03-16 14:35:19 +01:00

file_access

Redcannary test

2022-05-01 11:34:54 +02:00

file_delete

fix: unknown --> Unknown

2022-03-16 13:43:54 +01:00

file_event

Merge pull request #2961 from elhoim/suspicious_file_default_gpo

2022-04-29 08:41:40 +02:00

file_rename

refactor: folder refactoring

2022-04-11 11:35:19 +02:00

image_load

fix: FPs noticed with Aurora

2022-05-02 16:25:33 +02:00

network_connection

Merge pull request #2976 from SigmaHQ/aurora-false-positive-fixing

2022-05-02 16:38:01 +02:00

pipe_created

fix: FPs found in win2022 domain controller baseline

2022-04-21 10:48:59 +02:00

powershell

Modified description

2022-05-05 17:27:35 +02:00

process_access

fix: FPs noticed with Aurora

2022-05-02 16:25:33 +02:00

process_creation

Update proc_creation_win_susp_advancedrun_priv_user.yml

2022-05-05 21:06:53 +01:00

raw_access_thread

fix: FPs with THOR

2022-03-15 18:05:42 +01:00

registry

fix: FPs with Zoom

2022-05-05 07:54:16 +02:00

sysmon

fix: FPs from fresh Windows install

2022-04-06 16:09:53 +02:00

wmi_event

remove invalid tag

2022-01-19 18:23:30 +01:00