Commit Graph

63 Commits

Author SHA1 Message Date
Florian Roth adbdb5b22f Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
Jonhnathan 627a83914a Update Threat Hunter Playbook Reference 2021-05-22 01:01:33 -03:00
Jonhnathan 3853d71c56 Update Threat Hunter Playbook Reference 2021-05-22 01:01:07 -03:00
frack113 168d5c9dff Fix falsepositives list 2021-05-21 12:32:24 +02:00
Florian Roth 30bee7204c Merge pull request #1475 from wagga40/master
Modified some field values for case sensitive backends (SQL)
2021-05-14 08:59:39 +02:00
wagga40 8944ccea04 Modified some field values for case sensitive backends (SQL) 2021-05-13 06:19:04 +02:00
frack113 0fd8606e00 image_load is a category 2021-05-12 09:02:04 +02:00
frack113 fa72242ff0 image_load is a category 2021-05-12 08:59:51 +02:00
Steven d263b937b4 Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 02:02:25 +02:00
Steven 7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
2021-04-15 01:40:31 +02:00
Thomas Patzke 3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
Thomas Patzke a10db2df89 Fixes & improvements 2021-04-08 01:06:40 +02:00
Thomas Patzke 90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
Anton Kutepov 3f45269296 Merge branch 'oscd'
B
B
B
B
A
2021-03-02 22:58:41 +03:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
yugoslavskiy 82e5d031b0 Merge pull request #1139 from omkar72/oscd-4
[OSCD] script applications loading .net dll
2021-01-05 23:17:25 +03:00
yugoslavskiy b5c78212ad Merge pull request #1076 from nsaddler/oscd5
[OSCD] Powershell without powershell.exe Rule Added
2021-01-05 23:06:37 +03:00
yugoslavskiy c7e9522f29 Merge pull request #1077 from uchakin/oscd
[OSCD] UAC bypass added
2021-01-05 23:06:24 +03:00
Daniel Masse fedda17231 Update the azure image_load rule to be a generic sysmon rule 2020-12-23 16:29:49 -05:00
Jonhnathan a9fde0117b Merge branch 'oscd' into oscd_rules_improvement 2020-11-28 14:52:31 -03:00
Jonhnathan 43ffb80d94 Remove additional backslash 2020-11-19 23:09:50 -03:00
Jonhnathan 44652c4ffd Remove additional backslash 2020-11-19 23:08:40 -03:00
Roberto Rodriguez 972326f761 A few more - 7 Rules 2020-10-29 21:11:41 -04:00
Jonhnathan bfb50a3d42 Update sysmon_susp_office_dsparse_dll_load.yml 2020-10-27 22:13:02 -03:00
nsaddler 8d1b863182 Update sysmon_in_memory_powershell.yml 2020-10-18 01:16:11 +03:00
yugoslavskiy fc3e7c37ab Update sysmon_uac_bypass_via_dism.yml
to execute the test
2020-10-17 21:35:44 +02:00
Roberto Rodriguez 7c9249f6ad Create sysmon_wmic_remote_xsl_scripting_dlls.yml
BSides Delhi Example
2020-10-17 11:17:48 -04:00
Jonhnathan 7adfd75c0a Update sysmon_svchost_dll_search_order_hijack.yml 2020-10-15 16:10:23 -03:00
Jonhnathan b6cf10fdd2 Update sysmon_susp_winword_wmidll_load.yml 2020-10-15 16:09:44 -03:00
Jonhnathan efe5ad92c3 Update sysmon_susp_winword_vbadll_load.yml 2020-10-15 16:09:21 -03:00
Jonhnathan 7c196aed22 Update sysmon_susp_office_kerberos_dll_load.yml 2020-10-15 16:09:03 -03:00
Jonhnathan 38ef5976dc Update sysmon_susp_office_dsparse_dll_load.yml 2020-10-15 16:08:55 -03:00
Jonhnathan 8aa2f8582b Update sysmon_susp_office_dsparse_dll_load.yml 2020-10-15 16:07:46 -03:00
Jonhnathan 4de241d44c Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-10-15 16:07:10 -03:00
Jonhnathan ecbec06709 Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-10-15 16:06:47 -03:00
Jonhnathan 0d4f372351 Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-10-15 16:06:21 -03:00
Jonhnathan 1136725728 Update sysmon_susp_image_load.yml 2020-10-15 16:05:50 -03:00
Jonhnathan 56594a5a06 Update sysmon_mimikatz_inmemory_detection.yml 2020-10-15 16:05:11 -03:00
omkargudhate22 ecdb0b4997 adding slashes 2020-10-15 17:51:21 +05:30
uchakin a7e5b0ac40 Some fixes for rules 2020-10-14 19:06:59 +03:00
omkargudhate22 2e2b2c2393 removed backslash 2020-10-14 19:44:31 +05:30
omkargudhate22 2e52cb7f86 Update sysmon_susp_script_dotnet_clr_dll_load.yml 2020-10-14 18:47:25 +05:30
omkargudhate22 8e792f95ab removed regex 2020-10-14 17:31:38 +05:30
omkargudhate22 5c65d07100 add reference & ends with condition 2020-10-13 17:44:39 +05:30
Roberto Rodriguez 2cb540f95e 13 Rules from THP - Backlog Rules (old) 2020-10-13 03:33:55 -04:00
nsaddler 28c8b56473 Update sysmon_in_memory_powershell.yml 2020-10-12 19:05:08 +03:00
omkar72 b32b6f0e09 script loading .net 2020-10-12 17:20:22 +05:30
Ensar Şamil d6aa0c31b9 Update sysmon_tttracer_mod_load.yml 2020-10-09 09:34:05 +03:00
uchakin a73dbd0a5d Fix titles 2020-10-07 22:27:48 +03:00
uchakin b568e14b03 Add 3 rules 2020-10-07 22:06:16 +03:00