security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6,941 Commits 1 Branch 57 Tags
52b41da731d57ed48fd4decd2be41f5451eeb3d6
Commit Graph

6941 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 52b41da731 Merge pull request #1775 from austinsonger/sysmon_disabled_pua_protection_on_microsoft_defender.yml 
Create sysmon_disabled_pua_protection_on_microsoft_defender.yml
 2021-08-05 15:42:17 +02:00
Florian Roth c05dacb1f0 Merge pull request #1776 from austinsonger/sysmon_disabled_tamper_protection_on_microsoft_defender.yml 
sysmon_disabled_tamper_protection_on_microsoft_defender.yml
 2021-08-05 15:41:54 +02:00
Florian Roth 53cfe2895d Merge pull request #1777 from austinsonger/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml 
sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml
 2021-08-05 15:41:37 +02:00
Florian Roth 6742b4ad3d Merge pull request #1778 from frack113/winlogbeat_modules_enabled 
Update winlogbeat-modules-enabled.yml
 2021-08-05 14:44:23 +02:00
frack113 4b44ee654b Fix missing a space 2021-08-05 13:36:18 +02:00
frack113 0b053e79cc fix syntax error 2021-08-05 13:33:39 +02:00
frack113 439b3cecc3 Add most of security EventID 2021-08-05 13:31:39 +02:00
frack113 ac43eecc36 Add eventid 4624 2021-08-05 11:20:22 +02:00
frack113 1d1b58d712 add sysmon mapping 2021-08-05 10:54:58 +02:00
Austin Songer 483dacb209 Create sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml 2021-08-04 19:11:00 -05:00
Austin Songer ff7fb4e4d2 Create sysmon_disabled_tamper_protection_on_microsoft_defender.yml 2021-08-04 19:08:10 -05:00
Austin Songer 6a2663a3ae Update sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 17:00:34 -05:00
Austin Songer 8d195bf5d5 Update sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 13:11:31 -05:00
Austin Songer bae075713c Update sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 13:10:37 -05:00
Austin Songer f89ba18c5d Create sysmon_disabled_pua_protection_on_microsoft_defender.yml 2021-08-04 11:27:41 -05:00
frack113 481cd9aca1 add security 7045 2021-08-04 15:46:05 +02:00
frack113 47086d5d78 fix duplicate 2021-08-04 15:12:01 +02:00
frack113 21228a21c7 update SYSMON Hashes 2021-08-04 15:09:02 +02:00
Florian Roth 28abe88927 Merge pull request #1760 from SigmaHQ/rule-devel 
fix: CobaltStrike NamedPipe Patterns, SeriousSAM PS1
 2021-07-30 09:21:52 +02:00
Florian Roth 917b95d8ff fix: bash script bug 2021-07-30 08:51:38 +02:00
Florian Roth ab16490d33 fix: re CS rule 2021-07-30 08:24:41 +02:00
Florian Roth 5947dddcd2 feat: print the faulty rule as an error into cmdline 2021-07-30 08:24:06 +02:00
Florian Roth 096395a49a fix: one condition style error 2021-07-30 07:19:42 +02:00
Florian Roth b105402fe4 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-07-30 07:11:14 +02:00
Florian Roth 0cbb6f82ad CobaltStrike NamedPipe Patterns 
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
 2021-07-30 07:11:11 +02:00
Florian Roth 61a9da3901 Merge branch 'master' into rule-devel 2021-07-29 18:15:36 +02:00
Florian Roth 03b68dcf10 Merge pull request #1756 from frack113/small_fix 
fix duplicate UUID
 2021-07-29 18:14:02 +02:00
Florian Roth f06f8a1191 Merge pull request #1757 from wietze/fix/carbon-black-eedr/field_renames 
[CarbonBlack EEDR] Several updates to config file
 2021-07-29 18:13:47 +02:00
Florian Roth d7710cdf03 Merge pull request #1758 from wietze/fix/carbon-black/hyphen 
[CarbonBlack] Adding extra escape character
 2021-07-29 18:13:17 +02:00
Florian Roth ec9c15226f SeriousSAM PowerShell rule 2021-07-29 18:12:10 +02:00
Florian Roth d753d9a7fd fix: duplicate id and indentation 2021-07-29 16:06:45 +02:00
Wietze 687631ee20 Several updates to CarbonBlack EEDR config 2021-07-29 14:09:37 +01:00
Wietze e0d6856987 [CarbonBlack] Adding extra escape character 
Hyphens, especially when at the start of a query, need escaping since hyphens are also used to negate conditions
 2021-07-29 13:57:58 +01:00
Florian Roth 5ce5465559 Merge pull request #1755 from SigmaHQ/rule-devel 
Different rule updates
 2021-07-28 18:56:28 +02:00
frack113 bd123536df fix duplicate UUID 2021-07-28 18:19:23 +02:00
Florian Roth 8787e338bd Merge pull request #1734 from austinsonger/aws_elasticache_security_group_modified_or_deleted.yml 
aws_elasticache_security_group_modified_or_deleted.yml
 2021-07-28 16:25:39 +02:00
Florian Roth 358ec255a1 Merge pull request #1736 from austinsonger/azure_kubernetes_pods_delete.yml 
azure_kubernetes_pods_deleted.yml
 2021-07-28 16:25:19 +02:00
Florian Roth 3c6c2db11d Merge pull request #1737 from austinsonger/azure_kubernetes_events_deleted.yml 
azure_kubernetes_events_deleted.yml
 2021-07-28 16:25:05 +02:00
Florian Roth 25283948fc Merge pull request #1741 from austinsonger/aws_sts_getsessiontoken_misuse.yml 
aws_sts_getsessiontoken_misuse.yml
 2021-07-28 16:24:53 +02:00
Florian Roth 7c78f40372 Merge pull request #1744 from gliptak/patch-3 
Add yamllint to GHA
 2021-07-28 16:24:33 +02:00
Florian Roth 77c8225db3 Merge pull request #1745 from frack113/redcanary_t1115 
[OSCD]  process_creation_clip.yml t1115
 2021-07-28 16:24:15 +02:00
Florian Roth f57f5931ed Merge pull request #1746 from frack113/tune_sysmon_office_vsto_persistence.yml 
Tune sysmon_office_vsto_persistence.yml
 2021-07-28 16:23:49 +02:00
Florian Roth 59a93ef964 Merge pull request #1747 from frack113/tune_sysmon_taskcache_entry.yml 
Tune sysmon_taskcache_entry.yml
 2021-07-28 16:23:38 +02:00
Florian Roth c3eced4ae7 Merge pull request #1748 from frack113/update_win_susp_rar_flags.yml 
update win_susp_rar_flags.yml
 2021-07-28 16:23:14 +02:00
Florian Roth dc4380d459 Merge pull request #1750 from frack113/redcanary_t1560.001_winzip 
[OSCD] Redcanary t1560.001 winzip
 2021-07-28 16:22:48 +02:00
Florian Roth 321a15d004 Merge pull request #1751 from frack113/redcanary_t1560.001_7zip 
[OSCD] Redcanary t1560.001 7z
 2021-07-28 16:22:31 +02:00
Florian Roth 7688806c5e Merge pull request #1752 from frack113/test_author 
Add test_optional_author to test_rules.py
 2021-07-28 16:22:10 +02:00
Florian Roth 6d5e695cd1 Merge pull request #1753 from frack113/redcanary_t1119 
Redcanary t1119
 2021-07-28 16:21:40 +02:00
Florian Roth 4879b32081 Merge pull request #1754 from wietze/fix/local_path 
Fixing exception caused by incorrect type of passed 'path' parameter
 2021-07-28 16:21:11 +02:00
Florian Roth 7f820c7b29 rule updates 2021-07-28 16:20:21 +02:00