security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
13,746 Commits 1 Branch 57 Tags
89d2d00a5b2ca20a217c1b29dd6bae625cdb6cfb
Commit Graph

189 Commits

Author SHA1 Message Date
Florian Roth 356ab98ada fix: FPs with Important Scheduled Task Deleted 2022-12-09 12:55:41 +01:00
Nasreddine Bencherchali fa318243c2 Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2022-12-08 19:22:11 +01:00
Nasreddine Bencherchali 0567ca8ca3 fix: fix unused selection 2022-12-08 11:57:40 +01:00
Nasreddine Bencherchali f12975bc6b fix: update description 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2022-12-07 22:34:56 +01:00
Nasreddine Bencherchali a425ef65e5 feat: update metadata and add more cases for rules 2022-12-07 02:26:21 +01:00
Nasreddine Bencherchali a7bfb349ee fix: fix fp found in testing 2022-12-07 02:25:52 +01:00
Nasreddine Bencherchali 42b99b165d feat: new rules and fixes (#3759) 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2022-12-06 12:13:20 +01:00
Nasreddine Bencherchali 9657446647 fix: apply suggestions from code review 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2022-12-06 10:53:57 +01:00
Nasreddine Bencherchali dbf114e7cb feat: add rules related to scheduled tasks 2022-12-05 23:52:11 +01:00
frack113 54739006a9 Fix workflow warning 2022-12-04 15:29:08 +01:00
frack113 a674ee246b Update Title (#3739) 2022-11-30 11:44:15 +01:00
frack113 c820216541 Update Title (#3733) 2022-11-28 06:43:17 +01:00
frack113 cd4121d966 Update Title (#3731) 
Co-authored-by: Florian Roth <venom14@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-11-27 19:19:27 +01:00
Qasim Qlf ed54bf44a5 Minor Fix 2022-11-22 18:13:34 +05:00
Nasreddine Bencherchali 6603ca9202 fix: update rules to not use regex 2022-11-18 11:16:13 +01:00
Florian Roth 0fb1295157 fix: FPs noticed with Aurora 2022-11-13 20:26:03 +01:00
Yamato Security 5de1fd6f2d Rule add: windows access token abuse (#3675) 
Co-authored-by: Florian Roth <venom14@gmail.com>
 2022-11-09 09:43:15 +01:00
frack113 8b749fb126 Order yaml field 2022-10-25 11:08:51 +02:00
frack113 f78e9e9034 Add rule 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-10-24 17:52:05 +02:00
Nasreddine Bencherchali 4a61f56c5f Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-19 19:06:00 +02:00
Nasreddine Bencherchali 87c0788fca Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-19 19:04:53 +02:00
Nasreddine Bencherchali a6edfd6c21 Add more details to the definition section 
Add more details to the definition section for events from the "Audit Directory Service Changes"
 2022-10-18 17:35:02 +02:00
Nasreddine Bencherchali 2758e67185 Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-18 17:08:09 +02:00
Nasreddine Bencherchali 18ed0ce02a Update win_security_susp_possible_shadow_credentials_added.yml 2022-10-18 17:07:36 +02:00
Nasreddine Bencherchali ce567a4d8d Fix wording in definition + Add FP description 2022-10-18 16:02:41 +02:00
Nasreddine Bencherchali 01826d2a3b New File Access Rules 
Added new files access rules related to windows dpapi files/keys
 2022-10-18 11:51:24 +02:00
Nasreddine Bencherchali e26a6e36db Add missing definitions 
Add missing definitions for Audit Directory Services Changes events
 2022-10-17 13:23:53 +02:00
Florian Roth e344b1f10f Merge pull request #3591 from frack113/yamato_security 
Windows builtin security rules
 2022-10-15 10:49:37 +02:00
Florian Roth a6e54ab023 Update win_security_user_logoff.yml 2022-10-14 18:03:40 +02:00
frack113 81ec573424 Update rules/windows/builtin/security/win_security_user_logoff.yml 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-10-14 12:37:51 +02:00
frack113 d010fedb2c Update rules/windows/builtin/security/win_security_replay_attack_detected.yml 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-10-14 12:37:41 +02:00
frack113 2e14174911 Update rules/windows/builtin/security/win_security_device_installation_blocked.yml 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-10-14 12:37:27 +02:00
frack113 0042e2c8f0 Update rules/windows/builtin/security/win_security_add_remove_computer.yml 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-10-14 12:37:20 +02:00
frack113 0eda26397f Set to low 2022-10-14 10:33:34 +02:00
frack113 35e1660479 Fix LF 2022-10-14 10:22:58 +02:00
frack113 6a69608b44 Add security rules 2022-10-14 10:13:32 +02:00
frack113 8b7280e8fa Fix file name lenght 2022-10-14 09:11:19 +02:00
frack113 05d9ee85ed Rename security rules 2022-10-14 08:53:50 +02:00
Gude5 2d5939e33b Merge branch 'SigmaHQ:master' into master 2022-10-11 11:29:48 +02:00
Gude5 7a347cf8eb Update rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-10-10 17:01:45 +02:00
Gude5 a984351d25 Update rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-10-10 17:01:35 +02:00
Nasreddine Bencherchali be0a3ad863 Add missing definition section for EID 4697 2022-10-10 10:22:46 +02:00
Florian Roth 83f93bc32c Merge branch 'master' into master 2022-10-10 00:27:48 +02:00
frack113 cf7a348028 Fix related 2022-10-09 17:28:05 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Florian Roth d8890295fe Merge branch 'master' into master 2022-10-07 16:24:30 +02:00
nasreddine.bencherchali@nextron-systems.com 91cf9ce926 Fix modifier 2022-10-06 10:04:01 +02:00
Nasreddine Bencherchali 2c26614ce4 Update Wildcard + Int to Str fields 2022-10-05 23:15:20 +02:00
Tim Rauch b6046803a0 fix: fixed rules after review 2022-10-04 10:06:15 +02:00
Gude5 f692271c0a Merge branch 'SigmaHQ:master' into master 2022-10-04 09:33:51 +02:00