Commit Graph

919 Commits

Author SHA1 Message Date
frack113 e2b70a2edb add win_susp_system_update_error rule 2021-12-04 13:02:12 +01:00
frack113 e215f4606b Order rules 2021-12-04 10:07:07 +01:00
phantinuss 07a0a37273 feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:47:39 +01:00
Tim Shelton d90ddc097e adding additional filter for lsass: ShareName=\\*\IPC$ | ShareLocalPath= | RelativeTargetName=lsass | AccessMask=0x2019f 2021-12-01 18:36:38 +00:00
Tim Shelton 7626b73b8e Duplicate matching causes confusion. Converting to simplified selection (matching) and false positive (filtering) phases 2021-12-01 18:33:48 +00:00
phantinuss 204c627991 add PE files because of CVE-2020-1599 2021-12-01 15:14:43 +01:00
Florian Roth 0903b667c1 Merge pull request #2356 from SigmaHQ/aurora-false-positive-fixing: Aurora false positive fixing 2021-12-01 15:10:50 +01:00
Florian Roth 5a01a88af1 fix: FPs with FileStream events 2021-12-01 14:10:56 +01:00
frack113 24d73a5f8a Add definition info 2021-11-30 15:10:36 +01:00
frack113 5c1b3f8362 Add Provider_Name 2021-11-30 15:03:53 +01:00
Florian Roth 820cc0ccf8 Merge branch 'master' into rule-devel 2021-11-29 11:00:25 +01:00
Florian Roth ef7810fa8b fix: fixing issues with wildcard symbol (https://github.com/SigmaHQ/sigma/issues/2339) 2021-11-29 10:57:01 +01:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
Florian Roth d91b925873 fix: FPs 2021-11-26 14:42:21 +01:00
Florian Roth db03d08b11 Merge pull request #2293 from SigmaHQ/rule-devel: fix: 0x1000 access on LSASS, rule: new LSASS access, rule: CVE-2021-41379 2021-11-22 13:29:31 +01:00
Florian Roth 01189dcef2 fix: rule condition 2021-11-22 11:47:39 +01:00
Florian Roth d2e45afc3c fix: typo in filename - missing period 2021-11-22 11:40:17 +01:00
Florian Roth d3ec743906 fix: changed modified date 2021-11-22 11:38:37 +01:00
Florian Roth 7432aa37a0 refactor: lsass query info access 2021-11-22 11:02:01 +01:00
frack113 e5404785d3 Merge pull request #2290 from frack113/fix_fieldname: Fix field name in windows rules 2021-11-21 09:09:40 +01:00
frack113 bc61fbeee2 Merge pull request #2281 from orlinum/patch-2: Create win_ADCS_certificate_template_configuration_vulnerability.yml 2021-11-20 20:45:04 +01:00
frack113 3162b7ccfe Merge pull request #2280 from orlinum/patch-1: Create win_ADCS_certificate_template_configuration_vulnerability_EKU.yml 2021-11-20 20:44:42 +01:00
Orlinum c37f7aede9 path modified to rules/windows/builtin/ 2021-11-20 19:38:00 +01:00
Orlinum 89c20b2b28 path modified to rules/windows/builtin/ 2021-11-20 19:37:55 +01:00
frack113 ebcfcfebf4 Fix field name 2021-11-20 19:14:59 +01:00
Florian Roth 3eeeb81d00 Merge pull request #2288 from SigmaHQ/rule-devel: fix: FPs; rule: Windows Shell File Write to Suspicious Folder 2021-11-20 18:27:26 +01:00
Florian Roth ed4e771700 Merge pull request #2287 from frack113/tags: Add missing Mitre Techniques Tags for windows rules 2021-11-20 15:38:25 +01:00
Florian Roth c7462832fe fix: FPs with Wincred in log files 2021-11-20 15:03:11 +01:00
Florian Roth 8271b04f80 fix: FPs with ISO mount rule 2021-11-20 12:46:50 +01:00
frack113 f47d0da3f7 add missing MITRE Techniques 2021-11-20 12:26:01 +01:00
Florian Roth 1fffb57df0 fix: FPs with different rules 2021-11-20 11:33:43 +01:00
frack113 1cfca93354 Missing status in rules (#2284): add missing status 2021-11-19 22:32:26 +01:00
frack113 6a9313535c Add correct provider_name 2021-11-17 06:59:57 +01:00
phantinuss c3ecbc52a9 add Exchange reference to title/description 2021-11-15 14:00:05 +01:00
frack113 f647571478 fix logsource 2021-11-13 09:59:14 +01:00
frack113 64839d9e4f Fix detection field name 2021-11-12 14:21:53 +01:00
frack113 f145392b6a Fix detection field name 2021-11-12 13:55:45 +01:00
frack113 eb5465e5a6 Fix detection from reference 2021-11-12 13:41:48 +01:00
frack113 9f7a027913 Fix category and EventID 2021-11-12 12:18:44 +01:00
Florian Roth 791736cb3e Merge pull request #2243 from SigmaHQ/rule-devel: CobaltStrike DNS beaconing, some FP fixes 2021-11-11 17:21:33 +01:00
frack113 3ea1eda717 ParentImage does not exist in network_connection 2021-11-10 19:38:05 +01:00
Florian Roth 5abea871b0 docs: put link in references 2021-11-10 09:28:59 +01:00
frack113 a089a83794 Merge pull request #2238 from frack113/fix_logsource: Fix logsource 2021-11-10 08:08:40 +01:00
Florian Roth e30b09fcce fix: more FPs with Windows 11 services 2021-11-09 19:09:07 +01:00
Florian Roth 5613b6ca82 fix: FP with MicrosoftEdgeUpdate 2021-11-09 19:06:26 +01:00
frack113 6c19303aa4 normalize logsource 2021-11-09 10:48:13 +01:00
Florian Roth f0dd02f483 fix: FPs with Failed Logon Reason rule 2021-10-29 10:25:27 +02:00
frack113 f8574fcd81 Add cve tags 2021-10-25 18:40:50 +02:00
phantinuss 1099d40473 rename the field 'Provider Name' to 'Provider_Name' 2021-10-13 13:04:11 +02:00
phantinuss 3d8002a237 fix: Use 'Provider Name' for windows eventlog log sources 2021-10-13 11:40:24 +02:00
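Several commits in this list change how a rule's condition is evaluated rather than what it looks for: 07a0a37273 replaces 'all of them' with 'all of selection*', d90ddc097e and 7626b73b8e split a rule into a selection (matching) phase and a filter (false-positive) phase, and ef7810fa8b fixes wildcard handling. The block below is an added example written for this page, not code from SigmaHQ/sigma or pySigma. It implements only the slice of Sigma condition syntax those commits touch (groups of field/value pairs, '*' and '?' wildcards, 'all of'/'1 of' over a group-name glob or 'them', 'not', 'and') and runs it over constructed events. The detection block is constructed too: its filter group is the field/value set quoted in commit d90ddc097e, and the assumption that those fields belong to Security EventID 5145 is the example's, not the commit's. The point it shows is in the Sigma specification: 'them' expands to every named detection item, filters included, so 'all of them and not filter' can never fire, while 'all of selection*' expands only to the selection groups.

```python
"""Sigma-style condition evaluation, an added illustration of commits 07a0a37273,
d90ddc097e, 7626b73b8e and ef7810fa8b. Not code from SigmaHQ/sigma or pySigma.

Supported subset: detection groups are dicts of field -> value (pairs AND-ed, list
values OR-ed, '*' and '?' wildcards, case-insensitive); a condition is terms joined
by 'and', each term a group name or '<all|1> of <glob|them>', optionally prefixed
with 'not'. No value modifiers, no 'or', no parentheses.
"""
import fnmatch
import re

_TERM = re.compile(r"^(not\s+)?(?:(all|1)\s+of\s+)?([\w*]+)$")


def value_matches(expected, actual) -> bool:
    """Sigma 'equals': case-insensitive, '*'/'?' wildcards, a list means any of them."""
    if isinstance(expected, list):
        return any(value_matches(e, actual) for e in expected)
    if actual is None:  # field absent from the event: never a match
        return False
    # Sigma knows only '*' and '?' as wildcards; neutralise fnmatch's '[...]' classes.
    pattern = str(expected).replace("[", "[[]")
    return fnmatch.fnmatchcase(str(actual).lower(), pattern.lower())


def group_matches(group: dict, event: dict) -> bool:
    """Every field/value pair of a detection group must match the event."""
    return all(value_matches(v, event.get(f)) for f, v in group.items())


def evaluate(detection: dict, event: dict) -> bool:
    """Evaluate detection['condition'] against one event.

    'them' expands to every named group, filters included, so
    'all of them and not filter' requires the filter to match and not match at
    once and never fires; 'all of selection*' expands to the selection groups only.
    """
    matched = {n: group_matches(g, event) for n, g in detection.items() if n != "condition"}
    result = True
    for term in re.split(r"\s+and\s+", detection["condition"].strip()):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported condition term: {term!r}")
        negate, quant, name = m.groups()
        if quant is None:
            names = [name]
        elif name == "them":
            names = list(matched)
        else:
            names = [n for n in matched if fnmatch.fnmatchcase(n, name)]
        if not names or any(n not in matched for n in names):
            raise ValueError(f"{name!r} names no detection group")
        hits = [matched[n] for n in names]
        value = all(hits) if quant in (None, "all") else any(hits)
        result = result and (not value if negate else value)
    return result


def run_rule(detection: dict, events) -> list:
    """Labels of the (label, event) pairs the rule fires on, in input order."""
    return [label for label, ev in events if evaluate(detection, ev)]


# Constructed detection block (not a rule from the repository). The filter group is the
# field/value set quoted in commit d90ddc097e; treating the fields as Security EventID
# 5145 fields is this example's assumption, not something the commit states.
RULE = {
    "selection_share": {"EventID": 5145, "ShareName": r"\\*\IPC$"},
    "selection_pipe": {"RelativeTargetName": "lsass"},
    "filter": {
        "ShareName": r"\\*\IPC$",
        "ShareLocalPath": "",
        "RelativeTargetName": "lsass",
        "AccessMask": "0x2019f",
    },
    "condition": "all of selection* and not filter",
}

# Constructed sample events, labelled so the results can be checked.
EVENTS = [
    ("lsass_pipe_0x2019f", {"EventID": 5145, "ShareName": r"\\*\IPC$", "ShareLocalPath": "",
                            "RelativeTargetName": "lsass", "AccessMask": "0x2019f"}),
    ("lsass_pipe_0x12019f", {"EventID": 5145, "ShareName": r"\\*\IPC$", "ShareLocalPath": "",
                             "RelativeTargetName": "lsass", "AccessMask": "0x12019f"}),
    ("ipc_srvsvc", {"EventID": 5145, "ShareName": r"\\*\IPC$", "ShareLocalPath": "",
                    "RelativeTargetName": "srvsvc", "AccessMask": "0x12019f"}),
    ("c_share_file", {"EventID": 5145, "ShareName": r"\\*\C$", "ShareLocalPath": r"C:\\",
                      "RelativeTargetName": r"Users\alice\notes.txt", "AccessMask": "0x120089"}),
]

if __name__ == "__main__":
    for cond in ("all of selection* and not filter",
                 "1 of selection* and not filter",
                 "all of them and not filter"):
        print(f"{cond:36s} -> {run_rule(dict(RULE, condition=cond), EVENTS)}")
```

Running the block prints one line per condition: the 'all of selection*' form fires only on the lsass pipe event whose access mask is not the filtered one, the '1 of selection*' form additionally fires on the srvsvc pipe event because one selection group is enough, and the 'all of them' form fires on nothing. The matcher is an approximation of a Sigma backend (no modifiers such as |contains, no 'or'); its value is in making the group-expansion rule visible, not in replacing pySigma.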