security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
14,175 Commits 1 Branch 57 Tags
3da07164ce0d651bf72691bac1cfcafbf20249de
Commit Graph

879 Commits

Author SHA1 Message Date
Nasreddine Bencherchali f409a8a984 fix: update modified date 2023-01-03 10:37:09 +01:00
Ali Alwashali 6c178639f4 adding WMIADAP.exe to filters 
adding WMIADAP.exe to filters
 2023-01-03 08:01:11 +03:00
frack113 646351808e Refractor (#3794) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-12-18 21:00:14 +01:00
frack113 cd4121d966 Update Title (#3731) 
Co-authored-by: Florian Roth <venom14@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-11-27 19:19:27 +01:00
frack113 dfdaecc52c Order yaml field 2022-10-25 12:00:56 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali dadec8b9f0 Update incorrect mitre tags 2022-10-06 00:35:40 +02:00
phantinuss b7f20b884c fix: FPs from new evtx-baseline 2022-09-21 13:51:19 +02:00
Florian Roth 072a9d73eb fix: changes to existing rules 2022-09-13 08:07:03 +02:00
Nasreddine Bencherchali d5133bcdd7 Update Sysmon 2022-08-16 19:47:44 +01:00
frack113 4312151b2b Filter start 2022-08-02 10:42:03 +02:00
Nasreddine Bencherchali 16b2945027 New Rules + Update 2022-07-14 17:35:50 +01:00
Nasreddine Bencherchali 12d187bc91 Update Ref+Selection 2 2022-07-11 17:48:40 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
phantinuss 7edf04d9ff fix: FPs from fresh Windows install 2022-04-06 16:09:53 +02:00
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00
phantinuss 43bae23f23 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
frack113 120436bdb4 Update filter 2022-02-02 06:34:32 +01:00
Florian Roth 7f9fd3ea63 Update sysmon_process_hollowing.yml 2022-02-01 16:01:27 +01:00
Sittikorn S e16974522b Update sysmon_process_hollowing.yml 
Update filters
 2022-02-01 15:19:36 +07:00
Florian Roth 027fce7f13 Update sysmon_process_hollowing.yml 2022-01-29 23:55:21 +01:00
Florian Roth e08e8dd3d4 Update sysmon_process_hollowing.yml 2022-01-26 17:53:46 +01:00
securepeacock 364b5c9620 Create sysmon_process_hollowing.yml 
Closed old request, and put rule into its appropriate file directory.
 2022-01-25 15:57:03 -05:00
Florian Roth c0bd1ef9bc Update sysmon_config_modification.yml 2022-01-13 21:07:11 +01:00
frack113 baaef207cb Add filter help 2022-01-13 06:38:43 +01:00
frack113 592485fac5 Windows Redcannary 2022-01-12 20:27:56 +01:00
Tim Shelton fc2e2aa4c5 adding filter for false positive. no risk to sysmon operation 2021-12-02 20:38:58 +00:00
Florian Roth 0ab163b6ba fix: FP which happens more frequently under normal circumstances 2021-11-12 13:31:25 +01:00
frack113 ab5f5f95bc fix filename 2021-09-22 16:27:05 +02:00
frack113 92999468ee Merge pull request #2012 from frack113/upgrade_test 
Upgrade test_rules.py
 2021-09-11 15:29:19 +02:00
Austin Songer 1ea9aab455 Update Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:31 -05:00
Austin Songer 9d9a5088bb Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:24 -05:00
frack113 0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
frack113 ac9ea531ae Merge pull request #1956 from Cyb3rEng/master 
Adding Various Rules To Monitor Process Creations in Sysmon, Event Logs & EDR
 2021-09-10 10:47:23 +02:00
Cyb3rEng f4155010ff Duplicate Rule 
Removed rule as it was duplicated
 2021-09-09 23:09:20 -06:00
Cyb3rEng 4af244b135 Duplicate Rule 
Removed rule as it was duplicated
 2021-09-09 23:08:52 -06:00
Cyb3rEng 361121c402 changed title 
title: Lolbins Process Created With WmiPrvSE
 2021-09-09 21:51:49 -06:00
Cyb3rEng a3a12375b5 changed title 
title: Lolbins Process Created With Office Application
 2021-09-09 21:51:22 -06:00
Cyb3rEng 6cae20b9b8 Changed title 
changed title
 2021-09-09 21:38:42 -06:00
Cyb3rEng ca19f43a06 Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
 2021-09-09 21:35:21 -06:00
Cyb3rEng d14c26f5f1 Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:33:36 -06:00
Cyb3rEng ba995ef442 Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:32:42 -06:00
Cyb3rEng f7b8fd571d Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:31:57 -06:00
Cyb3rEng 6a7ac098ed changed id uuid to v4 
b45e1519-5de5-4dfe-bef6-73bc48c2b983
 2021-09-09 21:31:20 -06:00
Cyb3rEng 7c9be6da32 Resolved more issues from last commit as per comments 
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
 2021-09-09 21:24:05 -06:00
Cyb3rEng ff08de6d20 Completed Changes based on review 
selection2:
     ParentPrcessName|endswith:
 2021-09-09 21:02:11 -06:00
frack113 d9cd1652f2 Split global sysmon rules 2021-09-09 16:11:41 +02:00
frack113 312ffe69e2 Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 2021-09-09 06:28:48 +02:00
Cyb3rEng b2c44ebd6e Changed selection1 
completed the following change to selection1 to keep inline with rule creation guideline
- CommandLine|contains: 'wmic '
 2021-09-08 21:27:15 -06:00
Cyb3rEng fe9b91c504 Completed changes to selection1 
changed to the following to follow rule creation guidelines:
    - Image|endswith: '\wbem\WMIC.exe'
    - ProcessCommandLine|contains: 'wmic '
 2021-09-08 21:26:01 -06:00