Commit Graph

8007 Commits

Author SHA1 Message Date
frack113 3190840f40 Registry_delete category 2022-03-26 12:02:37 +01:00
frack113 f1b8bc9479 Registry_add 2022-03-26 11:56:39 +01:00
frack113 5a1e2c91e0 fix date 2022-03-26 11:39:32 +01:00
frack113 fb55e0e7b3 Category registry add delete 2022-03-26 11:21:53 +01:00
frack113 e2fbbb319d Category registry_set 2022-03-26 10:55:05 +01:00
frack113 b425d04944 order registry rules 2022-03-26 10:24:10 +01:00
Florian Roth 952f14d851 Merge pull request #2853 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-03-25 17:14:06 +01:00
Florian Roth 016265169d docs: changed description and title of two rules 2022-03-25 13:42:56 +01:00
Florian Roth 15c6fad973 Merge pull request #2850 from hieuttmmo/master
Rule to detect when any MFA Denied recorded by Azure SigninLogs
2022-03-25 11:35:49 +01:00
Florian Roth 7d48d0e838 Merge pull request #2852 from drasti-mehta/fix_win_susp_service_install
Fix win_susp_service_ rules causing Sigmac error
2022-03-25 08:27:55 +01:00
Florian Roth 9028600878 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-03-25 00:05:51 +01:00
Florian Roth 68f3e6328e fix: FP with different procs on less relevant keys 2022-03-25 00:05:49 +01:00
Florian Roth 0dfd802579 Merge pull request #2837 from SigmaHQ/log-source-cleanup
Log source cleanup
2022-03-24 21:26:46 +01:00
Florian Roth 0b97d37faf Update azure_mfa_denies.yml 2022-03-24 21:26:13 +01:00
Florian Roth 37437c7f3d Update win_susp_service_installation_script.yml 2022-03-24 21:22:26 +01:00
Florian Roth 76710a1d86 Update win_susp_service_installation.yml 2022-03-24 21:19:36 +01:00
Drasti Mehta ae4c01142e add modified and date 2022-03-24 15:57:47 -04:00
Drasti Mehta 77f5a6f4d8 Fix win_susp_service_ rules causing sigmac error 2022-03-24 15:24:01 -04:00
Florian Roth 507551c631 fix: typo in modifier 2022-03-24 19:08:53 +01:00
Florian Roth 6970223872 fix: bug in modifier 2022-03-24 19:05:04 +01:00
Florian Roth f1b91ba8ac refactor: more powershell loader rules 2022-03-24 16:44:35 +01:00
Florian Roth a06b599bec rule: IEX patterns 2022-03-24 16:31:50 +01:00
Florian Roth c331195637 fix: empty query in rule > bug 2022-03-24 15:17:29 +01:00
hieuttmmo 1fe45bd593 Merge branch 'SigmaHQ:master' into master 2022-03-24 16:53:41 +04:00
Tran Trung Hieu 713bc24750 Add new MFA Denied rule 2022-03-24 16:53:01 +04:00
Florian Roth 213f7fff5c refactor: make antivirus a category 2022-03-24 11:59:33 +01:00
Florian Roth f7cd8e3424 fix: duplicate id 2022-03-24 11:41:26 +01:00
Florian Roth 3114433944 fix: product unix > linux 2022-03-24 11:40:51 +01:00
Florian Roth f3abef8b5f fix: indentation 2022-03-24 11:34:00 +01:00
Florian Roth a10011cd03 Merge branch 'master' into rule-devel 2022-03-24 10:08:43 +01:00
Florian Roth fb7d0b5469 refactor: move macos rules to separate dir 2022-03-24 09:17:05 +01:00
Florian Roth 53b450d377 rule: PowerShell Downloads 2022-03-24 09:16:12 +01:00
Florian Roth a90148c414 Merge pull request #2844 from redsand/fp_av_printernightmare_symantec_more_generic
FP another variation of symantec submitting file for analysis, reduce…
2022-03-23 17:40:09 +01:00
Florian Roth 7c4d198498 fix: FPs with win32calc.exe 2022-03-23 16:31:45 +01:00
Florian Roth 535e6ce0cc refactor: scheduled task patterns 2022-03-23 09:09:43 +01:00
Tim Shelton 6ab396fd66 FP another variation of symantec submitting file for analysis, reduced words to catch both 2022-03-22 21:43:33 +00:00
Florian Roth 70acb06c16 fix: old azure notation 2022-03-22 18:15:33 +01:00
Florian Roth e91fc4486e refactor: first bigger log source refactoring
see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
2022-03-22 17:58:29 +01:00
Florian Roth d8046b5989 rules: registry, tamper with Defender & LSA 2022-03-22 16:10:11 +01:00
Florian Roth a5281c0eaf Merge branch 'master' into log-source-cleanup 2022-03-22 15:16:14 +01:00
Florian Roth 8b7eaae6ec fix: ServiceFileName in 7045 events 2022-03-22 14:41:25 +01:00
Florian Roth 63066ab5e1 Merge branch 'master' into rule-devel 2022-03-22 13:16:13 +01:00
Florian Roth 68542e20e9 fix: condition 2022-03-22 13:16:08 +01:00
Florian Roth e3839ac282 removed: overlapping, unharmonised rule
already covered in 04f5363a-6bca-42ff-be70-0d28bf629ead
2022-03-22 09:58:29 +01:00
Florian Roth 8b9fc64170 Merge pull request #2832 from frack113/redcannay
Redcannary
2022-03-21 15:03:03 +01:00
Florian Roth 35828985e0 refactor: rule extended 2022-03-21 12:59:14 +01:00
Florian Roth 007e52ccb9 rule: suspicious parents, susp powershell parent rule 2022-03-21 12:57:59 +01:00
phantinuss f1dcaa02f4 fix: single list element 2022-03-21 12:33:55 +01:00
Florian Roth 3f1b8ff727 Update posh_ps_susp_get_addefaultdomainpasswordpolicy.yml 2022-03-21 12:09:33 +01:00
Florian Roth 026428640e Update registry_event_set_nopolicies_user.yml 2022-03-21 12:06:50 +01:00