Commit Graph

10605 Commits

Author SHA1 Message Date
frack113 aaafef29b4 Redcannary 2022-04-04 10:57:23 +02:00
Florian Roth dd7576e4b3 Merge pull request #2870 from phantinuss/master
Some fixes and promotion of rule level
2022-04-02 07:46:39 +02:00
phantinuss 67ad16f411 edit because of ambiguous trailing space 2022-03-31 12:04:37 +02:00
phantinuss 51d45bae8b chore: promote status of rules 2022-03-31 12:04:37 +02:00
phantinuss 5ebb919472 fix: FP with intel graphics 2022-03-31 12:04:37 +02:00
phantinuss 8afe875ad6 update rule to also match on original sample 2022-03-31 12:04:36 +02:00
Florian Roth 08d3bd48ce Merge pull request #2868 from securepeacock/patch-11
Create proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 21:05:56 +02:00
frack113 9f679320c1 Merge pull request #2869 from redsand/hawk_config_fix_registry_set
Fixing missed entry for registry_set
2022-03-30 19:45:42 +02:00
Tim Shelton 0a9d8fd614 Fixing missed entry for registry_set 2022-03-30 15:56:31 +00:00
frack113 96ba532853 Merge pull request #2867 from fryguy04/patch-1
added resource and improved MITRE Subtechnique
2022-03-30 17:23:23 +02:00
securepeacock 35661df7e4 Update proc_creation_win_fsutil_drive_enumeration.yml 2022-03-30 10:45:01 -04:00
securepeacock 34182908c9 Update proc_creation_win_fsutil_drive_enumeration.yml 2022-03-30 10:38:28 -04:00
securepeacock 5e3a5642e8 Create proc_creation_win_fsutil_drive_enumeration.yml 2022-03-30 10:00:03 -04:00
Fred Frey 78aeee3054 added resource and improved MITRE Subtechnique
Mavinject now has its own subtechnique
https://attack.mitre.org/techniques/T1218/013/
2022-03-30 08:57:15 -04:00
Florian Roth 7f490d958a Merge pull request #2865 from phantinuss/master
Fix wrong field mapping of Windows Audit Log EventID 4688
2022-03-30 14:25:22 +02:00
phantinuss 7f030b250e fix: wrong mapping of Windows Audit Log EventID 4688
reverts some changes introduced by commit c5fa73c328
    - removes the unnecessary/wrong field mapping
    - fixes the rules to apply to CommandLine instead of
      ParentCommandLine as the author probably intended
2022-03-30 11:24:24 +02:00
phantinuss 3034d626ea chore: promote status of rules 2022-03-30 11:24:24 +02:00
Florian Roth adce5eff93 Merge pull request #2863 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-03-29 21:19:19 +02:00
Florian Roth 0b4bfad074 Merge branch 'master' into aurora-false-positive-fixing 2022-03-29 21:06:30 +02:00
Florian Roth 567cdad7b5 fix: cleanmgr.exe FPs 2022-03-29 19:48:40 +02:00
Florian Roth 4b5a9db68a Merge pull request #2864 from SigmaHQ/rule-devel
refactor: more robust reg add ImagePath rule
2022-03-29 19:47:24 +02:00
Florian Roth 9d0483697c fix: wpad decision matches 2022-03-29 19:46:45 +02:00
Florian Roth 7cd65a737d Merge pull request #2861 from redsand/fp_msiexec_sccm
FP filter to include without quotes
2022-03-29 16:00:12 +02:00
Florian Roth cc45743669 refactor: more robust reg add ImagePath rule 2022-03-29 15:21:47 +02:00
Florian Roth a0d64f4879 Merge pull request #2860 from secDre4mer/master
fix: filter null image in process creation rule
2022-03-29 13:22:00 +02:00
Max Altgelt 36ba148616 fix: filter null image in process creation rule 2022-03-29 08:56:47 +02:00
Tim Shelton f4776fb081 FP filter to include without quotes 2022-03-28 18:50:00 +00:00
Florian Roth 658f4c48ee refactor: less relevant FW event 2022-03-28 17:06:00 +02:00
frack113 14ec2e7d7c Merge pull request #2859 from redsand/fp_msiexec_sccm
Adding FP filter for ccm
2022-03-27 08:44:50 +02:00
frack113 e34bbfa7f2 Merge pull request #2857 from frack113/fix_logsource
Update Registry logsource
2022-03-27 08:42:49 +02:00
Thomas Patzke eec218e82b Merge pull request #2858 from frack113/backend_reg
Backend with hardcoded new registry category
2022-03-26 20:03:14 +01:00
frack113 627843d73f New registry category mapping 2022-03-26 19:36:46 +01:00
Tim Shelton 35bbd3727e Adding FP filter for ccm 2022-03-26 18:35:31 +00:00
Florian Roth a9bf73f33c Merge pull request #2856 from redsand/fp_filter_ccm_setup
Filtering of ccm setup executables
2022-03-26 19:07:53 +01:00
frack113 33e29b55bf New registry category 2022-03-26 19:05:38 +01:00
Florian Roth df2cbc9765 refactor: single element list 2022-03-26 18:42:47 +01:00
Tim Shelton 2918383643 Oops... syntax err... early morning 2022-03-26 16:09:09 +00:00
frack113 c13532aea6 Update logsource 2022-03-26 16:57:58 +01:00
Tim Shelton a587d4145e Filtering of ccm setup executables 2022-03-26 15:23:57 +00:00
Thomas Patzke b247237c0e Merge pull request #2855 from frack113/registry
Split registry_event category
2022-03-26 12:56:00 +01:00
frack113 3190840f40 Registry_delete category 2022-03-26 12:02:37 +01:00
frack113 f1b8bc9479 Registry_add 2022-03-26 11:56:39 +01:00
frack113 fbc9e8c2df Update new registry category 2022-03-26 11:46:52 +01:00
frack113 5a1e2c91e0 fix date 2022-03-26 11:39:32 +01:00
frack113 6836d64a14 Fix space 2022-03-26 11:33:30 +01:00
frack113 fb55e0e7b3 Category registry add delete 2022-03-26 11:21:53 +01:00
frack113 6daaa252c1 Update registry category 2022-03-26 11:06:11 +01:00
frack113 e2fbbb319d Category registry_set 2022-03-26 10:55:05 +01:00
frack113 b425d04944 order registry rules 2022-03-26 10:24:10 +01:00
Florian Roth 952f14d851 Merge pull request #2853 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-03-25 17:14:06 +01:00