Commit Graph

852 Commits

Author SHA1 Message Date
Florian Roth 0ab163b6ba fix: FP which happens more frequently under normal circumstances 2021-11-12 13:31:25 +01:00
frack113 ab5f5f95bc fix filename 2021-09-22 16:27:05 +02:00
frack113 92999468ee Merge pull request #2012 from frack113/upgrade_test
Upgrade test_rules.py
2021-09-11 15:29:19 +02:00
Austin Songer 1ea9aab455 Update Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:31 -05:00
Austin Songer 9d9a5088bb Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:24 -05:00
frack113 0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
frack113 ac9ea531ae Merge pull request #1956 from Cyb3rEng/master
Adding Various Rules To Monitor Process Creations in Sysmon, Event Logs & EDR
2021-09-10 10:47:23 +02:00
Cyb3rEng f4155010ff Duplicate Rule
Removed rule as it was duplicated
2021-09-09 23:09:20 -06:00
Cyb3rEng 4af244b135 Duplicate Rule
Removed rule as it was duplicated
2021-09-09 23:08:52 -06:00
Cyb3rEng 361121c402 changed title
title: Lolbins Process Created With WmiPrvSE
2021-09-09 21:51:49 -06:00
Cyb3rEng a3a12375b5 changed title
title: Lolbins Process Created With Office Application
2021-09-09 21:51:22 -06:00
Cyb3rEng 6cae20b9b8 Changed title
changed title
2021-09-09 21:38:42 -06:00
Cyb3rEng ca19f43a06 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:35:21 -06:00
Cyb3rEng d14c26f5f1 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:33:36 -06:00
Cyb3rEng ba995ef442 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:32:42 -06:00
Cyb3rEng f7b8fd571d Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:31:57 -06:00
Cyb3rEng 6a7ac098ed changed id uuid to v4
b45e1519-5de5-4dfe-bef6-73bc48c2b983
2021-09-09 21:31:20 -06:00
Cyb3rEng 7c9be6da32 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:24:05 -06:00
Cyb3rEng ff08de6d20 Completed Changes based on review
selection2:
     ParentPrcessName|endswith:
2021-09-09 21:02:11 -06:00
frack113 d9cd1652f2 Split global sysmon rules 2021-09-09 16:11:41 +02:00
frack113 312ffe69e2 Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 2021-09-09 06:28:48 +02:00
Cyb3rEng b2c44ebd6e Changed selection1
completed the following change to selection1 to keep inline with rule creation guideline
- CommandLine|contains: 'wmic '
2021-09-08 21:27:15 -06:00
Cyb3rEng fe9b91c504 Completed changes to selection1
changed to the following to follow rule creation guidelines:
    - Image|endswith: '\wbem\WMIC.exe'
    - ProcessCommandLine|contains: 'wmic '
2021-09-08 21:26:01 -06:00
Cyb3rEng 851dfeee46 Changed selection2 condition
changed from "\\wbem\\WmiPrvSE.exe" to "\wbem\WmiPrvSE.exe" to follow rule creation guidelines
2021-09-08 21:24:18 -06:00
Cyb3rEng 6ddc83901b Changed Category
Category Changed from process_creation to file_event
2021-09-08 20:38:07 -06:00
Cyb3rEng 5ac0fded26 Merge branch 'SigmaHQ:master' into master 2021-09-08 20:26:59 -06:00
frack113 e712d9696b Merge pull request #2000 from frack113/split_global
Split frack113 global rules
2021-09-08 06:26:35 +02:00
Cyb3rEng e3b376e945 Completed Changes Based on Comments
Removed: unnecessary event ID
2021-09-07 21:26:42 -06:00
Cyb3rEng 4130ceb208 Completed Changes Based on Comments
Removed: unnecessary event ID
2021-09-07 21:25:52 -06:00
Cyb3rEng 8d47f9531b Completed Changes Based on Comments
Removed: unnecessary event ID
2021-09-07 21:22:01 -06:00
Cyb3rEng 13e6262055 Completed Changes Based on Comments
Removed: unnecessary event ID
2021-09-07 21:20:51 -06:00
Cyb3rEng 8dc1b03fef Completed Changes Based on Comments
Removed: unnecessary event ID
2021-09-07 21:19:43 -06:00
Cyb3rEng 932b7cf2ba Merge branch 'SigmaHQ:master' into master 2021-09-07 19:58:09 -06:00
Thomas Patzke 143744bc12 Various fixes
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
2021-09-07 23:38:07 +02:00
frack113 0e5e4fa19d Split global rules 2021-09-07 13:30:32 +02:00
frack113 be442182fe convert to LF 2021-09-06 21:10:08 +02:00
frack113 9ef299c4f4 Change to LF 2021-09-06 21:07:49 +02:00
frack113 d02ee1eddd Update global ID 2021-09-02 21:16:55 +02:00
frack113 f90c7558a7 update global id 2021-09-02 21:03:25 +02:00
frack113 086a15fc45 Update global ID 2021-09-02 20:07:03 +02:00
Cyb3rEng c5507658c0 Updated Rule
updated title
2021-08-31 22:13:31 -06:00
Cyb3rEng 785fc98ee3 Updated Rule
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
2021-08-31 22:05:10 -06:00
Cyb3rEng d5f73a8910 Updated Rule
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
2021-08-31 22:03:31 -06:00
Cyb3rEng fa3b882fdc Updated Rule
Removed " " from falsepositives section
2021-08-31 21:58:50 -06:00
Cyb3rEng c7c49c55d2 Updated Rule
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
2021-08-31 21:58:09 -06:00
Cyb3rEng d5fa226180 Updated Rule
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
2021-08-31 21:54:32 -06:00
Cyb3rEng 900f71e6b2 Rule Update Review
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
2021-08-31 21:50:44 -06:00
Cyb3rEng 6c9b2a2f37 Add files via upload 2021-08-30 21:48:03 -06:00
frack113 a4021842de Fix invalid tags 2021-08-25 09:15:57 +02:00
frack113 c2302a15da fix cve tags 2021-08-24 10:10:45 +02:00