Hasan
33fcfd71bb
Merge fixes for Rules
2021-06-16 10:45:20 +05:00
Hasan
fabcb6c3c6
Removed asterisks from filter
2021-06-16 10:42:29 +05:00
Hasan
8196fbaada
Parenthesis for condition statement
2021-06-16 10:41:52 +05:00
Hasan
415ced0023
Corrected MITRE reference tag
2021-06-15 19:07:50 +05:00
Hasan
f079556067
Removed GUID phrase from description
2021-06-15 17:14:32 +05:00
Hasan
1764714e26
Rule to detect new TaskCache Entry
2021-06-15 17:08:14 +05:00
Hasan
1114a25a2c
Removal of NODE from ALL filter for better coverage
2021-06-15 17:07:51 +05:00
Hasan
82bcfb29c3
Addition of Safemode flags
2021-06-15 17:07:02 +05:00
Florian Roth
1650d4638d
Merge pull request #1548 from luffynextgen/master
...
Create sysmon_svchost_cred_dump.yml
2021-06-14 14:27:25 +02:00
Florian Roth
0377a30893
fix: several issues
2021-06-14 09:42:25 +02:00
Florian Roth
59df5119c2
Merge pull request #1552 from frack113/fix_category
...
Fix some sysmon categories
2021-06-14 09:34:15 +02:00
luffynextgen
6fd7979659
Update sysmon_svchost_cred_dump.yml
2021-06-14 08:52:16 +02:00
Florian Roth
ae06ebcae0
Merge pull request #1551 from xg5-simon/xg5-simon
...
Support for VMware Carbon Black Cloud EEDR
2021-06-10 18:35:16 +02:00
Florian Roth
ff314b1220
Merge pull request #1550 from humpalum/master
...
Rules: persistence by exploiting Outlook or Exchange
2021-06-10 18:34:43 +02:00
Florian Roth
3f46d0ea28
Update sysmon_outlook_newform.yml
2021-06-10 17:41:57 +02:00
frack113
fb2d0092f1
Forgot to add modified
2021-06-10 17:27:15 +02:00
frack113
4e516414c9
Split to Convert eventID to correct category
2021-06-10 16:58:45 +02:00
frack113
a0aed54f7d
Convert eventID 22 to category dns_query
2021-06-10 16:43:33 +02:00
Tobias Michalski
54e98c8441
Merge branch 'master' of github.com:humpalum/sigma
2021-06-10 16:41:22 +02:00
Tobias Michalski
1f52763878
Removed EventIDs
2021-06-10 16:41:00 +02:00
frack113
7cb10b5475
convert eventID to category
2021-06-10 16:36:14 +02:00
Tobias Michalski
e8c38a9d6c
Renamed file to all lowercase
2021-06-10 16:35:02 +02:00
Florian Roth
83dddf99b4
Update win_exchange_TransportAgent.yml
2021-06-10 16:07:22 +02:00
Florian Roth
cd0531b345
fix: removed process_creation log source
2021-06-10 15:37:00 +02:00
Florian Roth
cd2792f82c
Merge pull request #1547 from frack113/new_filter_condition
...
Add New filter condition
2021-06-10 14:42:44 +02:00
Tobias Michalski
3970934252
Switched EventID:1 to category: process_creation
2021-06-10 14:13:29 +02:00
Tobias Michalski
b1913deaca
Removed extra whitespace
2021-06-10 14:09:16 +02:00
luffynextgen
e170a4a12a
Update sysmon_svchost_cred_dump.yml
...
Following the advice given to me, I changed the category and the filter to be closer to the sysmon fields.
2021-06-10 14:04:58 +02:00
Simon
1d081e300d
Support for VMware Carbon Black Cloud EEDR
...
Add support for VMware Carbon Black Cloud EEDR. Field mappings derived from https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search-fields/
2021-06-10 21:45:29 +10:00
Tobias Michalski
56d200bad0
Fixed meta information
2021-06-10 12:44:19 +02:00
Tobias Michalski
bbc8633c67
Merge branch 'master' of github.com:humpalum/sigma
2021-06-10 11:32:08 +02:00
Tobias Michalski
4d6e7e1338
Rules: persistence by exploiting Outlook or Exchange
2021-06-10 11:26:21 +02:00
Florian Roth
5e35e387dd
Merge pull request #1549 from SigmaHQ/rule-devel
...
Rule devel
2021-06-10 10:19:47 +02:00
Florian Roth
45c3d4702b
Merge pull request #1520 from SyeedHasan/master
...
Detection rule for 'ISO mounts'
2021-06-10 09:51:29 +02:00
Florian Roth
78817d100b
style: removed unneeded space chars
2021-06-10 09:42:19 +02:00
Florian Roth
9c0700bc56
Powershell artefacts to critical
2021-06-10 09:42:07 +02:00
Florian Roth
04faf985d2
more PowerShell suspicious keywords
2021-06-10 09:41:55 +02:00
Florian Roth
f52ed7604c
BabyShark Pattern
2021-06-10 09:41:36 +02:00
Florian Roth
28abdf3a81
Update win_iso_mount.yml
2021-06-10 09:31:40 +02:00
luffynextgen
c75d92410d
Create sysmon_svchost_cred_dump.yml
2021-06-10 09:30:08 +02:00
Florian Roth
b2d0fbba2c
Adjustments
2021-06-10 09:12:37 +02:00
Florian Roth
ab3baa9463
Merge pull request #1534 from SpeedyFireCyclone/mdatp_serviceinstalled
...
MDATP ServiceInstalled mapping
2021-06-10 09:05:56 +02:00
Florian Roth
3dca4425d5
Merge pull request #1546 from frack113/issues_1525
...
Add missing sysmon EventID
2021-06-10 09:05:35 +02:00
frack113
a600e2dcaa
Forgot a print debug
2021-06-10 08:49:15 +02:00
frack113
af1aee9541
Add filter condition= and condition!=
2021-06-10 08:26:19 +02:00
frack113
1b4d4cfb82
Add missing sysmon EventID
2021-06-09 12:52:38 +02:00
Florian Roth
ced94bb728
Merge pull request #1545 from roysjosh/eql
...
Add support for Elastic EQL
2021-06-08 21:19:37 +02:00
Joshua Roys
2034d36677
Add support for Elastic EQL
...
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
2021-06-08 13:38:38 -04:00
Florian Roth
8a04bea6aa
Merge pull request #1535 from mvelazc0/master
...
Password Spraying Sigma Rules
2021-06-08 16:14:52 +02:00
Florian Roth
16fc76bd5e
Merge pull request #1544 from Karneades/patch-1
...
Revert renaming of ngrok rule
2021-06-08 15:42:38 +02:00