Commit Graph

97 Commits

Author SHA1 Message Date
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
Florian Roth 5e91d30e29 Merge pull request #2306 from SigmaHQ/rule-devel
refactor: change rule for CVE-2021-42321 exploitation
2021-11-24 13:42:17 +01:00
Florian Roth 236b69e6f7 Update win_exchange_cve_2021_42321.yml 2021-11-24 12:37:51 +01:00
frack113 b764153d4f Update detection 2021-11-23 08:16:10 +01:00
frack113 f47d0da3f7 add missing MITRE Techniques 2021-11-20 12:26:01 +01:00
frack113 1cfca93354 Missing status in rules (#2284)
* add missing status
2021-11-19 22:32:26 +01:00
Florian Roth 3834048363 docs: extended false positive comment 2021-11-19 12:15:11 +01:00
Florian Roth b91b43ad84 rule: Exchange CVE-2021-42321 2021-11-18 17:27:09 +01:00
frack113 f647571478 fix logsource 2021-11-13 09:59:14 +01:00
frack113 6c19303aa4 normalize logsource 2021-11-09 10:48:13 +01:00
frack113 8f39ef9ed1 normalize logsource 2021-11-09 10:41:09 +01:00
frack113 68d30293b5 Cleanup process_creation 2021-11-06 10:16:16 +01:00
phantinuss 7c8a735882 fix: change modified date 2021-10-13 14:22:48 +02:00
phantinuss 5c3cdbe845 fix: replace space with _ 2021-10-13 14:20:26 +02:00
frack113 bcf40fa4e4 Fix logsource not a string 2021-09-27 18:59:05 +02:00
frack113 6e6d57b019 fix filename 2021-09-22 18:45:08 +02:00
frack113 c0e24e9236 split global win_defender_disabled.yml 2021-09-21 10:24:52 +02:00
frack113 2b23118b0d split global win_defender_exclusions.yml 2021-09-21 10:16:25 +02:00
frack113 318f8b714e split global win_tool_psexec.yml 2021-09-21 10:10:48 +02:00
frack113 a96dd66b46 split global win_wmi_persistence.yml 2021-09-21 09:56:03 +02:00
Florian Roth 6b2bacd2cc Merge pull request #1979 from frack113/test_global
Change ID in global action rule
2021-09-06 08:44:14 +02:00
frack113 135d0a2c61 Update global id 2021-09-03 06:50:00 +02:00
frack113 f90c7558a7 update global id 2021-09-02 21:03:25 +02:00
frack113 1ba0a7c7a3 add missing tags 2021-09-01 19:38:35 +02:00
phantinuss 3155f7172d detection for proxyshell MSF module 2021-08-31 12:51:16 +02:00
mlp1515 cce7cfc79a Update win_tool_psexec.yml
French language settings
2021-08-26 12:51:45 +00:00
Max Altgelt 82dde594d1 feat: Add rule for malicious CSR export on Exchange 2021-08-23 11:20:30 +02:00
Austin Songer c9128687ee Spelling Errors on Rules 2021-08-18 18:58:20 +00:00
frack113 f69868b5aa Merge pull request #1834 from secDre4mer/master
Correct incorrect message / keyword usage
2021-08-16 09:16:33 +02:00
Max Altgelt ce326cb903 fix: Correct broken rules, add documentation 2021-08-13 15:46:30 +02:00
frack113 62e541ec7f Merge pull request #1784 from frack113/winlogbeat-modules-enabled
Update Mapping Winlogbeat modules enabled
2021-08-12 19:14:17 +02:00
Max Altgelt 6f05e33feb fix: Correct incorrect message / keyword usage
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
2021-08-12 16:28:07 +02:00
Florian Roth 08883c8e32 refactor: removed old rule that uses Message field
Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible.

We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details)
2021-08-12 09:27:50 +02:00
phantinuss a880663d51 fix: add missing 'all of' for 'and' conjunction of the assignment keywords 2021-08-11 17:46:10 +02:00
phantinuss 1c919c07c7 exchange mailbox export with generic keyword search (Message is not a real field) 2021-08-11 16:57:15 +02:00
frack113 f4bef0fc39 Add Microsoft-Windows-Windows Defender/Operational 2021-08-06 11:12:34 +02:00
frack113 cf8d8d3ed4 fix TargetFilename case error 2021-08-06 08:43:05 +02:00
frack113 c6cb7f1247 fix missing references and duplicate UUID 2021-07-15 11:06:54 +02:00
phantinuss bf9b82fc45 medium level rule for Windows Defender Exclusions 2021-07-13 13:16:25 +02:00
Bhabesh Rai 3bc6532049 Added and updated Defender's tamper related rules 2021-07-05 20:30:07 +05:45
Bhabesh Rai 206adbb2b6 Merging upstream updates 2021-07-01 12:18:30 +05:45
mat b3e36281b5 fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00
Florian Roth b31ed47ccf Merge branch 'master' into devel 2020-11-26 09:44:56 +01:00
Florian Roth 2cd9b794e6 Merge pull request #1007 from d4rk-d4nph3/master
Windows Defender AMSI Trigger Detected
2020-09-15 15:45:00 +02:00
Bhabesh Rai 03c7d751c0 Windows Defender AMSI Trigger Detected 2020-09-14 18:10:38 +05:45
Yugoslavskiy Daniil 1fc202fe5d fix typos, update tags 2020-09-13 15:46:45 +02:00
Florian Roth de5444a81e Merge pull request #989 from oscd-initiative/master
[OSCD Initiative][ATT&CK tags update]
2020-09-08 13:27:58 +02:00
Florian Roth 39dfcd40ec Merge pull request #921 from d4rk-d4nph3/master
Added support for Defender's PSExec and WMI ASR rules.
2020-09-07 09:40:46 +02:00
Yugoslavskiy Daniil 5026438524 fix modified field 2020-08-25 01:29:57 +02:00
Yugoslavskiy Daniil 42c4079ed8 att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00