security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
945 Commits 1 Branch 57 Tags
21bee17ffdfd29ef4d1b5923df275ee7f0683dd8
Commit Graph

945 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Lurkkeli 21bee17ffd Update sysmon_uac_bypass_eventvwr.yml 2018-08-07 08:07:49 +02:00
Thomas Patzke f8246e9f49 Removed "not implemented" hints for available options in sigmac 2018-08-04 23:31:29 +02:00
Thomas Patzke 0e986cae4d Fixed log source and field names 2018-08-04 22:58:19 +02:00
Thomas Patzke e6c3313168 Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-08-02 22:45:25 +02:00
Thomas Patzke af9f636199 Removal of backend output classes 
Breaking change: Instead of feeding the output class with the results,
they are now returned as strings (*Backend.generate()) or list
(SigmaCollectionParser.generate()). Users of the library must now take
care of the output to the terminal, files or wherever Sigma rules should
be pushed to.
 2018-08-02 22:41:32 +02:00
Florian Roth acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth 1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Thomas Patzke 1c9d0a176e Moved const_start into class definition 2018-07-28 23:51:33 +02:00
Thomas Patzke 8ceebba0d2 Merging split of config 2018-07-27 23:56:18 +02:00
Thomas Patzke df74460629 Fixed imports after config split 2018-07-27 23:54:18 +02:00
Thomas Patzke e02af9aa37 Merge config split branches 2018-07-27 23:16:50 +02:00
Thomas Patzke eb440b3357 Split config - code removal from configuration 2018-07-27 23:02:35 +02:00
Thomas Patzke 36ada66007 Split config - Copy configuration 2018-07-27 23:01:41 +02:00
Thomas Patzke 920c4b061d Split config - code removal from filter 2018-07-27 22:35:30 +02:00
Thomas Patzke db07648f33 Merge pull request #133 from james0d0a/attack_tags 
added a few mitre attack tags to windows sysmon rules
 2018-07-27 07:55:56 +02:00
James Dickenson 5fc118dcac added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
Thomas Patzke d235a9e017 Split config - Copy filter 2018-07-27 00:23:22 +02:00
Thomas Patzke 50a6a92d20 Split config - code removal from exceptions 2018-07-27 00:17:35 +02:00
Thomas Patzke 405bc4a0d1 Split config - Copy exception 2018-07-27 00:17:13 +02:00
Thomas Patzke 096bc35447 Split config - code removal from mapping 2018-07-27 00:15:14 +02:00
Thomas Patzke 4ffbb25960 Split config - Copy mapping 2018-07-27 00:13:19 +02:00
Thomas Patzke cad6e8d314 Merge parser split branch 2018-07-27 00:02:59 +02:00
Thomas Patzke 1c4c67053c Fixes for parser split 
* Fixed imports
* Rename
 2018-07-27 00:02:07 +02:00
Thomas Patzke 88a4a5d36a Merge parser split branches 2018-07-26 23:42:09 +02:00
Thomas Patzke 595327ace4 Split parser - code removal from condition 2018-07-26 23:40:22 +02:00
Thomas Patzke c8043368bd Split parser - code removal from rule 2018-07-26 22:43:49 +02:00
Florian Roth a9fcecab88 Merge pull request #130 from samsson/patch-4 
Fixed typo / Created a rule
 2018-07-26 22:34:46 +02:00
Thomas Patzke 294ca20350 Split parser - code removal from collection 2018-07-26 22:28:33 +02:00
Thomas Patzke 3a0de01bad Split parser - code removal from base 2018-07-26 22:22:21 +02:00
Thomas Patzke b9425d13df Split parser - code removal from exceptions 2018-07-26 22:18:21 +02:00
Thomas Patzke e550bf5c3b Split parser - Copy base 2018-07-26 22:15:04 +02:00
Thomas Patzke a2329de03c Split parser - Copy rule 2018-07-26 22:07:38 +02:00
Florian Roth 016b15a2a9 Added quotation marks 
I've added quotation marks to make it clearer (leading dash looks weird)
 2018-07-26 18:10:21 +02:00
Lurkkeli 7796492c2b Update powershell_NTFS_Alternate_Data_Streams 2018-07-26 08:54:08 -07:00
Thomas Patzke 5e3211928f Merge pull request #132 from dspautz/master 
Add tags to APT rules
 2018-07-25 09:57:35 +02:00
David Spautz f039f95f4d Add tags to APT rules 2018-07-25 09:50:01 +02:00
Florian Roth 089498b0b3 Merge pull request #131 from yt0ng/master 
Possible SafetyKatz Dump of debug.bin
 2018-07-25 07:41:38 +02:00
Florian Roth dd857c4470 Cosmetics 
If it's only 1 value we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
 2018-07-25 07:37:17 +02:00
Florian Roth cf7f5c7473 Changes 
I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? 
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
 2018-07-25 07:35:59 +02:00
yt0ng b415fc8d42 Possible SafetyKatz Dump of debug.bin 
https://github.com/GhostPack/SafetyKatz
 2018-07-24 23:51:46 +02:00
Lurkkeli db82322d17 Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:03:07 +02:00
Lurkkeli 0e9c5bb14a Update sysmon_rundll32_net_connections.yml 2018-07-24 20:01:47 +02:00
Lurkkeli fd8c5c5bf6 Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:00:21 +02:00
Lurkkeli ad580635ea Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00
Thomas Patzke afe8bd6a57 Merge pull request #129 from nbareil/patch-1 
use yaml.safe_load()
 2018-07-24 11:22:24 +02:00
Nicolas Bareil 6728a5ccaa use yaml.safe_load() 2018-07-24 11:14:01 +02:00
Thomas Patzke 0fa914139c Merge pull request #128 from ntim/master 
Tagged windows powershell, other and malware rules.
 2018-07-24 11:05:50 +02:00
ntim c99dc9f643 Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00
Thomas Patzke bfc7012043 Merge pull request #127 from dspautz/master 
Add tags to windows builtin rules
 2018-07-24 08:24:39 +02:00
Thomas Patzke 0d8bc922a3 Merge branch 'master' into master 2018-07-24 08:23:37 +02:00