security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15,807 Commits 1 Branch 57 Tags
291ca18d22f720f2ebcd30cf468f4434cecccdaa
Commit Graph

887 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 1e02a7db4c Apply suggestions from code review 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2023-07-20 15:47:14 +02:00
Nasreddine Bencherchali e6003c19cd Apply suggestions from code review 2023-07-20 14:08:49 +02:00
frack113 03ec08f933 Add Sysmon 28-29 rules 
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
 2023-07-20 12:38:11 +02:00
Wagga 273fdb9985 fix: typos in multiple rules (#4011) 2023-02-06 13:53:23 +01:00
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag 2023-02-01 11:14:59 +01:00
frack113 1033b3f404 change status to test 2023-01-27 06:48:34 +01:00
frack113 cb67871bd2 Revert "Change status of old rules" 2023-01-26 19:37:18 +01:00
frack113 5323fd4baa Change status of old rules 2023-01-25 18:41:18 +01:00
Nasreddine Bencherchali f409a8a984 fix: update modified date 2023-01-03 10:37:09 +01:00
Ali Alwashali 6c178639f4 adding WMIADAP.exe to filters 
adding WMIADAP.exe to filters
 2023-01-03 08:01:11 +03:00
frack113 646351808e Refractor (#3794) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-12-18 21:00:14 +01:00
frack113 cd4121d966 Update Title (#3731) 
Co-authored-by: Florian Roth <venom14@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-11-27 19:19:27 +01:00
frack113 dfdaecc52c Order yaml field 2022-10-25 12:00:56 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali dadec8b9f0 Update incorrect mitre tags 2022-10-06 00:35:40 +02:00
phantinuss b7f20b884c fix: FPs from new evtx-baseline 2022-09-21 13:51:19 +02:00
Florian Roth 072a9d73eb fix: changes to existing rules 2022-09-13 08:07:03 +02:00
Nasreddine Bencherchali d5133bcdd7 Update Sysmon 2022-08-16 19:47:44 +01:00
frack113 4312151b2b Filter start 2022-08-02 10:42:03 +02:00
Nasreddine Bencherchali 16b2945027 New Rules + Update 2022-07-14 17:35:50 +01:00
Nasreddine Bencherchali 12d187bc91 Update Ref+Selection 2 2022-07-11 17:48:40 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
phantinuss 7edf04d9ff fix: FPs from fresh Windows install 2022-04-06 16:09:53 +02:00
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00
phantinuss 43bae23f23 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
frack113 120436bdb4 Update filter 2022-02-02 06:34:32 +01:00
Florian Roth 7f9fd3ea63 Update sysmon_process_hollowing.yml 2022-02-01 16:01:27 +01:00
Sittikorn S e16974522b Update sysmon_process_hollowing.yml 
Update filters
 2022-02-01 15:19:36 +07:00
Florian Roth 027fce7f13 Update sysmon_process_hollowing.yml 2022-01-29 23:55:21 +01:00
Florian Roth e08e8dd3d4 Update sysmon_process_hollowing.yml 2022-01-26 17:53:46 +01:00
securepeacock 364b5c9620 Create sysmon_process_hollowing.yml 
Closed old request, and put rule into its appropriate file directory.
 2022-01-25 15:57:03 -05:00
Florian Roth c0bd1ef9bc Update sysmon_config_modification.yml 2022-01-13 21:07:11 +01:00
frack113 baaef207cb Add filter help 2022-01-13 06:38:43 +01:00
frack113 592485fac5 Windows Redcannary 2022-01-12 20:27:56 +01:00
Tim Shelton fc2e2aa4c5 adding filter for false positive. no risk to sysmon operation 2021-12-02 20:38:58 +00:00
Florian Roth 0ab163b6ba fix: FP which happens more frequently under normal circumstances 2021-11-12 13:31:25 +01:00
frack113 ab5f5f95bc fix filename 2021-09-22 16:27:05 +02:00
frack113 92999468ee Merge pull request #2012 from frack113/upgrade_test 
Upgrade test_rules.py
 2021-09-11 15:29:19 +02:00
Austin Songer 1ea9aab455 Update Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:31 -05:00
Austin Songer 9d9a5088bb Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:24 -05:00
frack113 0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
frack113 ac9ea531ae Merge pull request #1956 from Cyb3rEng/master 
Adding Various Rules To Monitor Process Creations in Sysmon, Event Logs & EDR
 2021-09-10 10:47:23 +02:00
Cyb3rEng f4155010ff Duplicate Rule 
Removed rule as it was duplicated
 2021-09-09 23:09:20 -06:00
Cyb3rEng 4af244b135 Duplicate Rule 
Removed rule as it was duplicated
 2021-09-09 23:08:52 -06:00
Cyb3rEng 361121c402 changed title 
title: Lolbins Process Created With WmiPrvSE
 2021-09-09 21:51:49 -06:00
Cyb3rEng a3a12375b5 changed title 
title: Lolbins Process Created With Office Application
 2021-09-09 21:51:22 -06:00
Cyb3rEng 6cae20b9b8 Changed title 
changed title
 2021-09-09 21:38:42 -06:00
Cyb3rEng ca19f43a06 Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
 2021-09-09 21:35:21 -06:00
Cyb3rEng d14c26f5f1 Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:33:36 -06:00
Cyb3rEng ba995ef442 Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:32:42 -06:00