Commit Graph

56 Commits

Author SHA1 Message Date
Nasreddine Bencherchali a67ab607a1 feat: add Microsoft-Windows-LDAP-Client/Debug provider 2022-11-15 11:39:42 +01:00
Nasreddine Bencherchali 2f5fe64099 Update service to openssh 2022-10-25 20:01:02 +02:00
Nasreddine Bencherchali 9b7af82e23 Add OpenSSH/Operational 2022-10-25 19:07:53 +02:00
Nasreddine Bencherchali 14c08635ef Add PowerShellCore Channel 2022-10-19 00:07:09 +02:00
Yamato Security 979502921f define security-mitigations service 2022-09-28 06:23:50 +09:00
frack113 dd1fed29a0 Add shell-core service 2022-09-27 06:36:01 +02:00
Yamato Security 048de3fc81 add diagnosis-scripted to windows services file 2022-09-27 10:43:38 +09:00
Nasreddine Bencherchali d5133bcdd7 Update Sysmon 2022-08-16 19:47:44 +01:00
tr0mb1r ab7d7dbed8 Update sysmon.yml
typo in config
2022-05-20 13:47:18 +04:00
Florian Roth 43f3a31d19 feat: new service definition - terminal services 2022-04-29 12:26:26 +02:00
DustInDark 1a7e03c96b changed windows-bits-client Channel
The windows-bits-client tag converted to `WinEventlog:Microsoft-Windows-Bits-Client/Operational`, but the other channels do not add `WinEventLog:`.

Removed "WinEventlog" to unify with other channel conversions.

ex: https://answers.microsoft.com/en-us/windows/forum/all/unknown-events-in-windowsbits-clientoperational/c0856f82-44a2-4998-9a3b-9d6eda328136
2022-04-10 21:18:53 +09:00
phantinuss 7f030b250e fix: wrong mapping of Windows Audit Log EventID 4688
reverts some changes introduced by commit c5fa73c328
    - removes the unnecessary/wrong field mapping
    - fixes the rules to apply to CommandLine instead of
      ParentCommandLine as the author probably intended
2022-03-30 11:24:24 +02:00
frack113 f1b8bc9479 Registry_add 2022-03-26 11:56:39 +01:00
frack113 6daaa252c1 Update registry category 2022-03-26 11:06:11 +01:00
frack113 e2fbbb319d Category registry_set 2022-03-26 10:55:05 +01:00
Florian Roth baaad50c65 Delete m365.yml 2022-03-23 08:31:36 +01:00
Florian Roth 66b74a9b76 fix: bugs in configs 2022-03-22 18:10:35 +01:00
Florian Roth e91fc4486e refactor: first bigger log source refactoring
see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
2022-03-22 17:58:29 +01:00
frack113 53651cdd2f Add Bits-Client rules 2022-03-03 06:27:00 +01:00
frack113 8cfab22acb Add firewall-as basic rules 2022-02-19 10:18:49 +01:00
frack113 5890c1bb20 Fix logsource 2022-01-16 08:56:51 +01:00
frack113 b7b1ebf772 Fix LogonId - SubjectLogonId 2021-11-10 19:12:51 +01:00
frack113 ee4082b50d Merge pull request #2242 from frack113/fix_ProcessCommandLine
Fix process command line
2021-11-10 08:09:06 +01:00
frack113 c5fa73c328 fix ProcessCommandLine to ParentCommandLine 2021-11-09 16:13:29 +01:00
frack113 3430943746 standardization 2021-11-09 07:27:25 +01:00
frack113 963f32063f Merge pull request #2148 from SigmaHQ/rule-devel
First Linux Process Creation and Network Connection rules (Sysmon for Linux)
2021-10-21 19:10:08 +02:00
Florian Roth 6660be9753 config: network connection linux 2021-10-16 14:22:48 +02:00
frack113 fc796df654 add references 2021-10-16 08:37:51 +02:00
frack113 690b26fb90 change order to chain sysmon 2021-10-16 08:19:25 +02:00
Florian Roth 5a144e1864 sysmon for linux - process_creation mapping 2021-10-15 14:46:13 +02:00
frack113 f1d5605f10 fix yml space 2021-10-11 07:44:48 +02:00
frack113 9810a9fe73 add powershell.yml 2021-10-11 07:42:04 +02:00
frack113 424b0263df add EventID 26 2021-09-29 08:53:22 +02:00
Austin Songer 579a80411d Update m365.yml 2021-08-21 15:03:31 -05:00
Austin Songer 645492cef5 Update m365.yml
just working on expanding this.
2021-08-21 14:57:38 -05:00
Austin Songer e6457531dd Create m365.yml 2021-08-20 00:29:29 -05:00
frack113 1d1b58d712 add sysmon mapping 2021-08-05 10:54:58 +02:00
frack113 1b4d4cfb82 Add missing sysmon EventID 2021-06-09 12:52:38 +02:00
Florian Roth d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Florian Roth 66d0f910dd feat: windows native events - registry_event 2021-04-25 22:35:23 +02:00
Steven 7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
2021-04-15 01:40:31 +02:00
Steven 8b74abe0bc - Created new categories for sysmon events
- Replaced the explicit EventIDs with the reference to the category
- Moved the rules to the corresponding directories
2020-09-30 20:44:14 +02:00
Thomas Patzke 939156fa6d Introduced dns_query log source category 2020-07-05 23:29:51 +02:00
Brad Kish 8b3b312c4e Proposed fix for https://github.com/Neo23x0/sigma/issues/889
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
2020-07-03 16:28:19 -04:00
Florian Roth 9c0f9f398f refactor: sysmon rule cleanup > generalization 2020-07-01 10:58:39 +02:00
Florian Roth 07c0a6558e fix: wording on sysmon mapping file 2020-06-24 17:49:42 +02:00
Florian Roth f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Steven Goossens 423baafa2a Added rules for different sysmon categories and added the category definition 2020-06-10 15:02:15 +02:00
Florian Roth a0beda240c fix: fixed wrong field mapping in windows-audit source config 2019-11-09 22:42:00 +01:00
Thomas Patzke 36aeb19721 Added title to all configurations 2019-05-16 23:33:51 +02:00