security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

2645 Commits

Author SHA1 Message Date
Brad Kish 8b3b312c4e Proposed fix for https://github.com/Neo23x0/sigma/issues/889 
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
 2020-07-03 16:28:19 -04:00
Brad Kish 7031d9e2b8 Fix typo for rule in image_load category 
image_load not image_loaded.
 2020-07-03 16:23:17 -04:00
Brad Kish 1e9d0e9653 Fixes for rules in the sysmon file_event category 
Fix a couple of typos

For sysmon_hack_dumpert:
Make sure the logsource is category file_event and not sysmon. Don't set
the category at the global level. Instead set in the individual document.
 2020-07-03 16:22:29 -04:00
Brad Kish 4b31633355 Fixes for rules in new sysmon registry_event category 
To be consistent with the behaviour of the other rules, the eventID should not
be specified as part of the rule. The category defines the eventID.
 2020-07-03 16:20:37 -04:00
Florian Roth 11517edbd7 rule: suspicious curl usage 2020-07-03 18:55:44 +02:00
Florian Roth c4267a4614 rule: suspicious curl file upload 2020-07-03 18:20:44 +02:00
Florian Roth 80f15a1e50 Merge pull request #885 from Neo23x0/rule-devel 
fix: trailing whitespace
 2020-07-03 18:00:19 +02:00
Florian Roth 4d9e2e8c16 fix: trailing white space 2020-07-03 17:59:50 +02:00
Ömer Günal 47a2f1bc94 Update lnx_space_after_filename.yml 2020-07-03 18:56:51 +03:00
Ömer Günal 51363d8a87 Update lnx_setuid_setgid.yml 2020-07-03 18:56:40 +03:00
Ömer Günal 87346d4b94 Update lnx_disabling_security_tools.yml 2020-07-03 18:56:30 +03:00
Ömer Günal 64afd6e7ee Update lnx_connection_proxy.yml 2020-07-03 18:56:19 +03:00
Florian Roth 26d8810efb Merge pull request #882 from Neo23x0/rule-devel 
Rule devel
 2020-07-03 15:33:55 +02:00
Florian Roth 8a0262d1a2 fix: in linux keyword expression 2020-07-03 15:08:20 +02:00
Florian Roth 4dc818aafd fix: rar flags rule caused too many FPs 2020-07-03 13:20:24 +02:00
Florian Roth 5dd5b87f43 rule: guacamole exploitation detection 2020-07-03 13:20:03 +02:00
Florian Roth abf5f799d6 docs: more references 2020-07-03 13:19:44 +02:00
Florian Roth fa452bf3e5 Merge pull request #849 from omergunal/ogunal-1 
Rules for detecting suspicious remote file copy
 2020-07-03 11:59:45 +02:00
Florian Roth b9966a173c Update lnx_file_copy.yml 2020-07-03 11:32:49 +02:00
Florian Roth 5f04fcccf5 fix: broken links 2020-07-03 11:22:06 +02:00
Florian Roth 3111ab8396 refactor: new way to write that rule 2020-07-03 11:20:36 +02:00
Florian Roth d12b8347dc fix: bug in cmstp rule 
https://github.com/Neo23x0/sigma/issues/876
 2020-07-03 11:19:11 +02:00
Florian Roth 0bbf40fb14 refactor: include xcopy 2020-07-03 11:03:45 +02:00
Florian Roth 3bea08edfc refactor: copy from/to system32 rule 2020-07-03 10:56:26 +02:00
Florian Roth 02dee36f4c Merge pull request #880 from Neo23x0/rule-devel 
fix: typo in systemroot
 2020-07-03 10:25:31 +02:00
Florian Roth 34ea706e4f fix: typo in systemroot 2020-07-03 10:24:58 +02:00
Florian Roth 53620a0d2f Merge pull request #879 from Neo23x0/rule-devel 
fix: missing copy command
 2020-07-03 10:18:21 +02:00
Florian Roth 0fa1c1525b fix: missing copy command 2020-07-03 10:17:34 +02:00
Florian Roth 248506be93 Merge pull request #878 from Neo23x0/rule-devel 
DesktopImgDownLdr Rules and extra rule
 2020-07-03 10:14:58 +02:00
Florian Roth 1f0b1e58a9 fix: bugs in rule and title 2020-07-03 09:54:10 +02:00
Florian Roth 01ed87186f Copy From System Root rule 2020-07-03 09:45:58 +02:00
Florian Roth 33fef8bcf5 DesktopImgDownLdr rules 2020-07-03 09:45:48 +02:00
Thomas Patzke de0bb36c51 Merge branch 'master' of https://github.com/4A616D6573/sigma into pr-785 2020-07-02 23:04:59 +02:00
Florian Roth 4c4ed1a4a2 fix: duplicate IDs and rule titles 2020-07-01 16:37:27 +02:00
Florian Roth 9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
Florian Roth 4231fe2efc fix: remove duplicate rules in sysmon (generic rule cleanup) 2020-07-01 10:23:30 +02:00
Florian Roth 154181c6c8 fix: renamed files and lien break change 2020-07-01 09:48:48 +02:00
Florian Roth d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth fe71d21d97 style: removed new lines 2020-07-01 09:11:00 +02:00
Florian Roth b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Florian Roth ba682c5de6 Merge pull request #863 from qwerty1q2w/feature 
add win_not_allowed_rdp_access.yml rule
 2020-06-30 10:03:11 +02:00
Florian Roth 77553e11e8 Update win_not_allowed_rdp_access.yml 2020-06-30 10:03:00 +02:00
Florian Roth 2e3669a5a4 Merge pull request #865 from j91321/defender-rules 
Windows Defender logsource and rules
 2020-06-30 10:01:17 +02:00
Florian Roth eb3a6e86af Merge pull request #867 from HarishHary/suspicious_powershell_parent_process 
New Rule: Suspicious powershell parent process
 2020-06-30 10:00:28 +02:00
Harish SEGAR 9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR 5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Harish SEGAR 649e4eaa63 Added new rule for pwsh_xor_cmd 2020-06-29 22:09:58 +02:00
Florian Roth 5a11ef90d0 rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR 1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00