frack113
aaafef29b4
Redcannary
2022-04-04 10:57:23 +02:00
phantinuss
67ad16f411
edit because of ambiguous trailing space
2022-03-31 12:04:37 +02:00
phantinuss
51d45bae8b
chore: promote status of rules
2022-03-31 12:04:37 +02:00
phantinuss
5ebb919472
fix: FP with intel graphics
2022-03-31 12:04:37 +02:00
phantinuss
8afe875ad6
update rule to also match on original sample
2022-03-31 12:04:36 +02:00
Florian Roth
08d3bd48ce
Merge pull request #2868 from securepeacock/patch-11
...
Create proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 21:05:56 +02:00
securepeacock
35661df7e4
Update proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 10:45:01 -04:00
securepeacock
34182908c9
Update proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 10:38:28 -04:00
securepeacock
5e3a5642e8
Create proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 10:00:03 -04:00
Fred Frey
78aeee3054
added resource and improved MITRE Subtechnique
...
Mavinject now has its own subtechnique
https://attack.mitre.org/techniques/T1218/013/
2022-03-30 08:57:15 -04:00
phantinuss
7f030b250e
fix: wrong mapping of Windows Audit Log EventID 4688
...
reverts some changes introduced by commit c5fa73c328
- removes the unnecessary/wrong field mapping
- fixes the rules to apply to CommandLine instead of
ParentCommandLine as the author probably intended
2022-03-30 11:24:24 +02:00
phantinuss
3034d626ea
chore: promote status of rules
2022-03-30 11:24:24 +02:00
Florian Roth
0b4bfad074
Merge branch 'master' into aurora-false-positive-fixing
2022-03-29 21:06:30 +02:00
Florian Roth
567cdad7b5
fix: cleanmgr.exe FPs
2022-03-29 19:48:40 +02:00
Florian Roth
4b5a9db68a
Merge pull request #2864 from SigmaHQ/rule-devel
...
refactor: more robust reg add ImagePath rule
2022-03-29 19:47:24 +02:00
Florian Roth
9d0483697c
fix: wpad decision matches
2022-03-29 19:46:45 +02:00
Florian Roth
7cd65a737d
Merge pull request #2861 from redsand/fp_msiexec_sccm
...
FP filter to include without quotes
2022-03-29 16:00:12 +02:00
Florian Roth
cc45743669
refactor: more robust reg add ImagePath rule
2022-03-29 15:21:47 +02:00
Max Altgelt
36ba148616
fix: filter null image in process creation rule
2022-03-29 08:56:47 +02:00
Tim Shelton
f4776fb081
FP filter to include without quotes
2022-03-28 18:50:00 +00:00
Florian Roth
658f4c48ee
refactor: less relevant FW event
2022-03-28 17:06:00 +02:00
frack113
14ec2e7d7c
Merge pull request #2859 from redsand/fp_msiexec_sccm
...
Adding FP filter for ccm
2022-03-27 08:44:50 +02:00
frack113
e34bbfa7f2
Merge pull request #2857 from frack113/fix_logsource
...
Update Registry logsource
2022-03-27 08:42:49 +02:00
Tim Shelton
35bbd3727e
Adding FP filter for ccm
2022-03-26 18:35:31 +00:00
Florian Roth
a9bf73f33c
Merge pull request #2856 from redsand/fp_filter_ccm_setup
...
Filtering of ccm setup executables
2022-03-26 19:07:53 +01:00
Florian Roth
df2cbc9765
refactor: single element list
2022-03-26 18:42:47 +01:00
Tim Shelton
2918383643
Oops... syntax err... early morning
2022-03-26 16:09:09 +00:00
frack113
c13532aea6
Update logsource
2022-03-26 16:57:58 +01:00
Tim Shelton
a587d4145e
Filtering of ccm setup executables
2022-03-26 15:23:57 +00:00
frack113
3190840f40
Registry_delete category
2022-03-26 12:02:37 +01:00
frack113
f1b8bc9479
Registry_add
2022-03-26 11:56:39 +01:00
frack113
5a1e2c91e0
fix date
2022-03-26 11:39:32 +01:00
frack113
fb55e0e7b3
Category registry add delete
2022-03-26 11:21:53 +01:00
frack113
e2fbbb319d
Category registry_set
2022-03-26 10:55:05 +01:00
frack113
b425d04944
order registry rules
2022-03-26 10:24:10 +01:00
Florian Roth
952f14d851
Merge pull request #2853 from SigmaHQ/aurora-false-positive-fixing
...
Aurora false positive fixing
2022-03-25 17:14:06 +01:00
Florian Roth
016265169d
docs: changed description and title of two rules
2022-03-25 13:42:56 +01:00
Florian Roth
15c6fad973
Merge pull request #2850 from hieuttmmo/master
...
Rule to detect when any MFA Denied recorded by Azure SigninLogs
2022-03-25 11:35:49 +01:00
Florian Roth
7d48d0e838
Merge pull request #2852 from drasti-mehta/fix_win_susp_service_install
...
Fix win_susp_service_ rules causing Sigmac error
2022-03-25 08:27:55 +01:00
Florian Roth
9028600878
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2022-03-25 00:05:51 +01:00
Florian Roth
68f3e6328e
fix: FP with different procs on less relevant keys
2022-03-25 00:05:49 +01:00
Florian Roth
0dfd802579
Merge pull request #2837 from SigmaHQ/log-source-cleanup
...
Log source cleanup
2022-03-24 21:26:46 +01:00
Florian Roth
0b97d37faf
Update azure_mfa_denies.yml
2022-03-24 21:26:13 +01:00
Florian Roth
37437c7f3d
Update win_susp_service_installation_script.yml
2022-03-24 21:22:26 +01:00
Florian Roth
76710a1d86
Update win_susp_service_installation.yml
2022-03-24 21:19:36 +01:00
Drasti Mehta
ae4c01142e
add modified and date
2022-03-24 15:57:47 -04:00
Drasti Mehta
77f5a6f4d8
Fix win_susp_service_ rules causing sigmac error
2022-03-24 15:24:01 -04:00
Florian Roth
507551c631
fix: typo in modifier
2022-03-24 19:08:53 +01:00
Florian Roth
6970223872
fix: bug in modifier
2022-03-24 19:05:04 +01:00
Florian Roth
f1b91ba8ac
refactor: more powershell loader rules
2022-03-24 16:44:35 +01:00