Commit Graph

2022 Commits

Author SHA1 Message Date
frack113 92999468ee Merge pull request #2012 from frack113/upgrade_test
Upgrade test_rules.py
2021-09-11 15:29:19 +02:00
frack113 d2e622f149 Merge pull request #2011 from d4rk-d4nph3/master
Added rule for Atlassian Confluence CVE-2021-26084
2021-09-11 07:24:58 +02:00
Austin Songer 57d349bfe5 Update process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:22 -05:00
Austin Songer 5aa5586c54 Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:11 -05:00
frack113 0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
frack113 ac9ea531ae Merge pull request #1956 from Cyb3rEng/master
Adding Various Rules To Monitor Process Creations in Sysmon, Event Logs & EDR
2021-09-10 10:47:23 +02:00
frack113 fe035388f0 Rename Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml to process_creation_office_application_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 10:02:19 +02:00
Florian Roth 3824a12323 style: fixed indentation level, order of fields 2021-09-10 09:33:52 +02:00
Florian Roth 59b9902502 style: fixed indentation level 2021-09-10 09:33:09 +02:00
frack113 3d147f528f Rename Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml to process_creation_command_execution_by_office_applications.yml 2021-09-10 09:23:00 +02:00
Bhabesh Rai 91081a7fbc Added rule for Atlassian Confluence CVE-2021-26084 2021-09-10 10:04:16 +05:45
Cyb3rEng bcd043dd01 Merge branch 'SigmaHQ:master' into master 2021-09-09 21:48:33 -06:00
Cyb3rEng 44e39ec3ac Changed title
changed title to stay within rule guideline
2021-09-09 21:43:35 -06:00
Cyb3rEng 5547d274a0 Changed Title
title: New LOLBin Process by Office Applications
2021-09-09 21:41:56 -06:00
Cyb3rEng 9a42b690bd changed id uuid to v4
8c6fd6fc-28fc-4597-a86a-fc1de20b039d
2021-09-09 21:30:02 -06:00
Cyb3rEng 8b9cf80be2 changed id uuid to v4
3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
2021-09-09 21:29:31 -06:00
Cyb3rEng d65881b752 changed id uuid to v4
04f5363a-6bca-42ff-be70-0d28bf629ead
2021-09-09 21:28:58 -06:00
Cyb3rEng a334ea167c changed id uuid to v4
c0e1c3d5-4381-4f18-8145-2583f06a1fe5
2021-09-09 21:28:17 -06:00
Cyb3rEng 2bc38a0ed4 changed id uuid to v4
8a582fe2-0882-4b89-a82a-da6b2dc32937
2021-09-09 21:27:48 -06:00
Cyb3rEng b0ad49d950 changed id to v4 uuid
23daeb52-e6eb-493c-8607-c4f0246cb7d8
2021-09-09 21:27:16 -06:00
Cyb3rEng e64bb1783e Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:20:16 -06:00
Cyb3rEng 3f71f7466d Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:19:17 -06:00
Cyb3rEng 250a307414 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:17:38 -06:00
Cyb3rEng 2be4c699fc Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:16:38 -06:00
Cyb3rEng 1102def1bf Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:14:08 -06:00
Cyb3rEng cfe11cdf17 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:13:02 -06:00
Cyb3rEng d3b4a6aa7a Changed title based on comments
title: File Creation by Office Applications
2021-09-09 21:09:24 -06:00
Cyb3rEng 918bcfbf8a Completed requested changes
selection2:
    Image|endswith:
2021-09-09 21:04:09 -06:00
Cyb3rEng 5470c40ca6 Resolving Comment
selection2:
   ParentImage:

removed - since there is only one attribute.
2021-09-09 20:56:11 -06:00
frack113 d9cd1652f2 Split global sysmon rules 2021-09-09 16:11:41 +02:00
frack113 217be6cd8a Merge pull request #2005 from frack113/tags_end
Add missing tags to rule
2021-09-09 15:04:26 +02:00
Florian Roth e8b633f54f Merge pull request #2006 from SigmaHQ/rule-devel
docs: changed level and reference in CVE-2021-40444 rule
2021-09-09 09:29:08 +02:00
Florian Roth 2777187fd9 docs: changed level and reference in CVE-2021-40444 rule 2021-09-09 08:46:34 +02:00
Florian Roth b1f5c22805 Merge pull request #2003 from SigmaHQ/rule-devel
CVE-2021-40444 process pattern
2021-09-09 08:44:52 +02:00
Florian Roth 36a5d7ec04 CVE-2021-40444 false positives 2021-09-09 08:12:36 +02:00
frack113 caa5c7af1a Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 2021-09-09 06:27:23 +02:00
Cyb3rEng 77ee51dd76 Changed the category
Changed category to file_event
2021-09-08 21:22:26 -06:00
Cyb3rEng 5bbe3dec9b Completed changes to selection1 and selection2
changes were completed to remove ( * ) and stay within rule creation guide:
    - Image|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\powerpnt.exe'

 WMIcommand|contains: 'Win32_Process\:\:Create'
2021-09-08 21:14:58 -06:00
Cyb3rEng 49df2358de Completed changes to selection1
completed changes to selection1 to comply with rule creation guide with no ( * ) or ( \\ ) 

  - Image|endswith: '\wbem\WMIC.exe'
  - ProcessCommandLine|contains: 'wmic '
2021-09-08 21:12:27 -06:00
Cyb3rEng a3236e62a2 Changed selection2 conditions
replaced *\wbem\WMIC.exe with Image|endswith: '\wbem\WMIC.exe' and ProcessCommandLine: *wmic * with ProcessCommandLine|contains: 'wmic '
2021-09-08 21:10:47 -06:00
Cyb3rEng 1f577174f9 Changed endswith condition
removed double // from "\wbem\WmiPrvSE.exe"
2021-09-08 21:06:41 -06:00
Cyb3rEng 5ac0fded26 Merge branch 'SigmaHQ:master' into master 2021-09-08 20:26:59 -06:00
frack113 8eb527d042 Update process_mailboxexport_share.yml 2021-09-08 20:21:02 +02:00
frack113 deb0ddfe09 fix duplicate tags 2021-09-08 20:16:53 +02:00
frack113 af8bf06b30 add missing tags 2021-09-08 20:14:49 +02:00
Florian Roth b1540d65b9 refactor: simplified rule 2021-09-08 17:35:50 +02:00
Florian Roth e388bc6bfa remove unsupported tag 2021-09-08 16:56:04 +02:00
Florian Roth c9b4f5d326 CVE-2021-40444 2021-09-08 16:49:49 +02:00
frack113 993112c7eb Merge pull request #2002 from frack113/missing_tag
Add missing Tags #1974
2021-09-08 06:26:55 +02:00
frack113 e712d9696b Merge pull request #2000 from frack113/split_global
Split frack113 global rules
2021-09-08 06:26:35 +02:00