security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,012 Commits 1 Branch 57 Tags
230562bdf6c0bb3a040ae2afae9773247dc5acd6
Commit Graph

485 Commits

Author SHA1 Message Date
Remco Hofman 6cadfa5b2b Added win_vul_cve_2020_1472 rule 2020-09-15 15:13:53 +02:00
Florian Roth 50db6dcc69 Merge pull request #1002 from scottdermott/master 
+ Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx)
 2020-09-15 08:17:02 +02:00
Yugoslavskiy Daniil 1fc202fe5d fix typos, update tags 2020-09-13 15:46:45 +02:00
Dermott, Scott J c72ac8f73e Merge branch 'master' of https://github.com/scottdermott/sigma 2020-09-11 16:19:54 +01:00
Scott Dermott 1f50e0af35 + Adding exclusion for Azure AD Sync (MSOL_xxxxxxxx) 
AD Connect on premise AD accounts to Azure AD.  The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account.  The AD Connect application is installed on a member server (i.e. not on a DC).  
https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028
 2020-09-11 16:06:51 +01:00
Florian Roth de5444a81e Merge pull request #989 from oscd-initiative/master 
[OSCD Initiative][ATT&CK tags update]
 2020-09-08 13:27:58 +02:00
Florian Roth 7ddb63ec1b fix: FPs with McAfee and CyberReason 2020-09-02 12:30:34 +02:00
Yugoslavskiy Daniil 5026438524 fix modified field 2020-08-25 01:29:57 +02:00
Yugoslavskiy Daniil 42c4079ed8 att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00
Florian Roth 8970d03f6f Merge pull request #952 from Neo23x0/devel 
feat: Detect duplicate rule tags
 2020-07-28 10:21:59 +02:00
Florian Roth 80f4b4ec71 fix: rules with duplicate tags 2020-07-27 11:44:47 +02:00
Ryan Plas aa548ba1a9 Add quotes due to a colon in the falsepositives string 2020-07-23 23:33:36 -04:00
Ryan Plas e52489aaf6 Change production status to stable 2020-07-23 23:33:36 -04:00
Aidan Bracher 1fd73a23b2 Updated tags with sub-techniques 2020-07-18 03:01:34 +01:00
Aidan Bracher 4ac1058ab5 Updated tags 2020-07-18 03:01:11 +01:00
Ryan Plas de53a08746 Merge branch 'master' of github.com:Neo23x0/sigma 2020-07-15 10:27:33 -04:00
Florian Roth c7e412788a Merge pull request #924 from Neo23x0/devel 
Live MITRE ATT&CK data from TAXI service in Test Scripts
 2020-07-14 18:15:29 +02:00
Florian Roth 58b68758b4 fix: wrong MITRE ATT&CK ids used in the beta version 2020-07-14 17:53:32 +02:00
Ryan Plas 04fd598bcf Update additional rules to have correct logsource attributes 2020-07-13 17:02:17 -04:00
Pushkarev Dmitry efe720d44e Added new rule. AppLocker 2020-07-13 20:51:48 +00:00
Florian Roth f12cb7309b fix: references is not a list 2020-07-13 17:37:03 +02:00
Florian Roth e3734aaa27 fix: missing upper tick 2020-07-08 15:53:04 +02:00
GelosSnake efae210556 adding google chrome to FP list 
legitimate errors generated by Google Chrome are reported often.

Official google standpoint on this:
https://support.google.com/chrome/a/thread/15440066?hl=en
 2020-07-08 16:44:41 +03:00
Thomas Patzke 3c760fabc1 Merge pull request #745 from Rettila/master 
Added new rules
 2020-07-07 23:14:19 +02:00
Thomas Patzke de0bb36c51 Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785 2020-07-02 23:04:59 +02:00
Florian Roth 77553e11e8 Update win_not_allowed_rdp_access.yml 2020-06-30 10:03:00 +02:00
Pushkarev Dmitry 502ec4b417 add win_not_allowed_rdp_access.yml rule 2020-06-26 22:15:53 +00:00
Brad Kish d385cbfa69 Fix quoting for AD Object WriteDAC Access 
The AccessMask field needs to be quoted so that it is compared correctly.
 2020-06-22 15:31:03 -04:00
Ivan Kirillov 5c0bb0e94f Fixed indentation 2020-06-16 15:01:13 -06:00
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Brad Kish f5aa871e5d Identifiers shared between global document and rule gets overwritten 
The global document defines a "selection" identifier which is also defined the
individual rules. The rule identifier is getting overwritten by the global identifier.
Fix by giving unique names to the global identifier.
 2020-06-15 13:14:31 -04:00
Florian Roth d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth a962bd1bc1 Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source 
Fix 'source' value for win_susp_backup_delete
 2020-05-25 10:48:36 +02:00
4A616D6573 879ad6f206 Update win_susp_ntlm_rdp.yml 2020-05-22 13:32:02 +10:00
4A616D6573 daa3c5e053 Update win_susp_ntlm_rdp.yml 2020-05-22 13:28:56 +10:00
4A616D6573 0f8f5fb29c Create win_susp_ntlm_rdp.yml 2020-05-22 13:24:27 +10:00
Florian Roth 9ab65cd1c7 Update win_alert_ad_user_backdoors.yml 2020-05-19 14:50:22 +02:00
Tatsuya Ito c815773b1a enhancement rule 2020-05-19 18:05:51 +09:00
Tatsuya Ito 49f68a327a enhancement rule 2020-05-19 18:00:50 +09:00
ecco 54cf535dbc remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike) 2020-05-15 04:45:25 -04:00
zaphod d510e1aad4 Fix 'source' value for win_susp_backup_delete 2020-05-11 18:31:59 +02:00
Rettila 6ec74364f2 Create win_global_catalog_enumeration.yml 2020-05-11 17:40:47 +02:00
Rettila ccacedf621 Merge pull request #3 from Neo23x0/master 
merge
 2020-05-11 17:38:27 +02:00
Rettila 07a50edf89 Update win_metasploit_authentication.yml 2020-05-07 14:42:00 +02:00
Remco Hofman 123a23adae win_susp_failed_logon_source rule 2020-05-06 22:24:02 +02:00
Rettila 6aed82a039 Update win_metasploit_authentication.yml 2020-05-06 17:04:47 +02:00
Rettila 2beb65076c Update win_metasploit_authentication.yml 2020-05-06 16:44:19 +02:00
Rettila 7371ce234b Create win_metasploit_authentication.yml 2020-05-06 16:42:27 +02:00
Florian Roth 473c31232e add additional reference 2020-05-05 19:25:33 +02:00
Rettila 0e1fa5c135 Update win_possible_dc_shadow.yml 2020-05-05 18:14:32 +02:00