security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
14,527 Commits 1 Branch 57 Tags
35dabc529cd9b4b46ff7dca0f13d3be552c3d598
Commit Graph

14527 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Nasreddine Bencherchali 35dabc529c fix: update metadata 2023-01-27 13:55:19 +01:00
frack113 0f9ce8de60 Update registry_set_susp_pendingfilerenameoperations.yml 2023-01-27 11:09:45 +01:00
frack113 40dffb5c92 Add registry_set_susp_pendingfilerenameoperations 2023-01-27 10:49:58 +01:00
frack113 1be13b3ea5 Merge pull request #3958 from SigmaHQ/revert-3956-promote_old_experimental 
Revert "Change status of old rules"
 2023-01-26 21:22:43 +01:00
frack113 cb67871bd2 Revert "Change status of old rules" 2023-01-26 19:37:18 +01:00
frack113 bc0e90f495 Merge pull request #3956 from frack113/promote_old_experimental 
Change status of old rules
 2023-01-26 17:24:40 +01:00
frack113 5323fd4baa Change status of old rules 2023-01-25 18:41:18 +01:00
Nasreddine Bencherchali 4921c96703 Merge pull request #3955 from phantinuss/master 
fix: FPs in testing environment
 2023-01-25 17:29:34 +01:00
phantinuss 32c89da010 fix: FPs in testing environment 2023-01-25 16:23:10 +01:00
frack113 f7b159350d Merge pull request #3954 from nasbench/nasbench-rule-devel 
feat: updates and enhancements
 2023-01-25 13:21:44 +01:00
Nasreddine Bencherchali d2575eff64 fix: fp with lsass access rule 
- Add new filters
- Reorder and rename some filter for clarity
 2023-01-25 13:08:20 +01:00
Nasreddine Bencherchali 690af599ba fix: fp with invoke patchingapi rule 2023-01-25 12:54:29 +01:00
Nasreddine Bencherchali f42eb77f29 fix: rule logic 2023-01-25 12:03:11 +01:00
Nasreddine Bencherchali d47215d469 fix: single element selection 2023-01-25 01:35:47 +01:00
Nasreddine Bencherchali 7d2b70cb91 feat: add bpf related rules 2023-01-25 01:14:49 +01:00
Nasreddine Bencherchali 10707f307a Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel 2023-01-24 17:00:04 +01:00
Nasreddine Bencherchali 2a53a0b8c8 fix: fp in system file names 2023-01-24 16:59:39 +01:00
Nasreddine Bencherchali 9e2c01521a fix: broken condition 2023-01-24 16:54:15 +01:00
Nasreddine Bencherchali 9a03e4e13d fix: fp found in testing 2023-01-24 16:51:37 +01:00
Nasreddine Bencherchali d7bf5383a4 feat: update wsl related rules and other 2023-01-24 16:50:53 +01:00
Nasreddine Bencherchali 5fc05fe921 Merge pull request #3953 from phantinuss/master 
fix: FPs found in testing environment
 2023-01-24 11:04:54 +01:00
phantinuss a41a374901 fix: FPs found in testing environment 2023-01-24 10:30:43 +01:00
Thomas Patzke 3a8f85c6ff Merge pull request #3952 from kelnage/pySigma-all-of 
Change rules using all of required-lists to |all
 2023-01-24 07:56:27 +01:00
Nick Moore 0312c481d9 Change rules using all of required-lists to |all 
When a Sigma rule writer wants to create a list of values where all of
them must be matched for the rule to trigger, the approach used
previously was to have an `all of` condition for a single selector.
However, this has now changed, and the new approach is to use an empty
key and the |all modifier (i.e., `'|all'`).

This commit (tries to) identify all the rules that used the old
approach and modifies them to use the new approach instead.

See SigmaHQ/sigma-specification#53 for further discussion.
 2023-01-23 14:37:25 +00:00
Nasreddine Bencherchali fb1dcc1340 Merge pull request #3950 from nasbench/nasbench-rule-devel 
feat: updates and new rules
 2023-01-23 14:03:43 +01:00
Nasreddine Bencherchali 483db992f7 Merge pull request #3951 from phantinuss/master 
fix: fps found in testing
 2023-01-23 13:41:02 +01:00
Nasreddine Bencherchali e3f7feeb65 fix: update description 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2023-01-23 13:38:23 +01:00
phantinuss 628f616dbe fix: sharpen regex to not match default windows rundll32 usage 2023-01-23 12:57:50 +01:00
phantinuss 231e87e316 fix: FP in testing environment 2023-01-23 12:05:28 +01:00
Nasreddine Bencherchali 58fbe4a100 feat: update wsl lolbin 2023-01-23 01:05:28 +01:00
Nasreddine Bencherchali 2f6161619b fix: add missing filter 2023-01-22 23:45:22 +01:00
Nasreddine Bencherchali 47fa1dff54 fix: fp with iissetup 2023-01-22 23:41:56 +01:00
Nasreddine Bencherchali f2cf68cf14 fix: broken condition 2023-01-22 23:32:14 +01:00
Nasreddine Bencherchali 1c2b6f40a6 feat: updates and new rules 2023-01-22 23:31:02 +01:00
frack113 f25ad0f1a3 Merge pull request #3949 from frack113/import_module_dll 
Import module dll
 2023-01-22 20:54:00 +01:00
Nasreddine Bencherchali c9b230de6d feat: update pwsh ad module rules 2023-01-22 20:07:42 +01:00
frack113 40592f463f Add Microsoft.ActiveDirectory.Management.dll 2023-01-22 19:34:09 +01:00
frack113 fa593dc4c4 Merge pull request #3942 from faisalusuf/master 2023-01-22 18:49:55 +01:00
frack113 6d535e032f Remove operation 2023-01-22 18:42:54 +01:00
frack113 c7537c5d2a Add import_module dll 2023-01-22 17:39:28 +01:00
frack113 75c01db53b Add import_module dll 2023-01-22 17:38:59 +01:00
Florian Roth a11051447e Merge pull request #3948 from SigmaHQ/rule-devel 
doc: adding another reference
 2023-01-22 11:18:59 +01:00
Florian Roth e95f0d03b4 doc: adding another reference 2023-01-22 11:03:59 +01:00
Florian Roth 1820b04917 Merge pull request #3947 from SigmaHQ/rule-devel 
docs: authors extended
 2023-01-22 11:02:31 +01:00
Florian Roth f2d633ad1a docs: authors extended 2023-01-22 10:57:11 +01:00
Florian Roth 9739cb1c69 Merge pull request #3946 from SigmaHQ/rule-devel 
rule: susp svchost sub process
 2023-01-22 10:32:06 +01:00
frack113 2bd14e4953 Small update 
- Change service to audit
- Add operation
 2023-01-22 08:55:24 +01:00
Nasreddine Bencherchali f1c9112413 fix: update filename 2023-01-22 01:04:27 +01:00
Nasreddine Bencherchali a530e7ad36 fix: add more detail 2023-01-22 01:00:55 +01:00
Florian Roth 52a4985dce rule: susp svchost sub process 2023-01-21 23:45:22 +01:00