Commit Graph

56 Commits

Author SHA1 Message Date
mat b3e36281b5 fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00
Florian Roth b31ed47ccf Merge branch 'master' into devel 2020-11-26 09:44:56 +01:00
Florian Roth 2cd9b794e6 Merge pull request #1007 from d4rk-d4nph3/master
Windows Defender AMSI Trigger Detected
2020-09-15 15:45:00 +02:00
Bhabesh Rai 03c7d751c0 Windows Defender AMSI Trigger Detected 2020-09-14 18:10:38 +05:45
Yugoslavskiy Daniil 1fc202fe5d fix typos, update tags 2020-09-13 15:46:45 +02:00
Florian Roth de5444a81e Merge pull request #989 from oscd-initiative/master
[OSCD Initiative][ATT&CK tags update]
2020-09-08 13:27:58 +02:00
Florian Roth 39dfcd40ec Merge pull request #921 from d4rk-d4nph3/master
Added support for Defender's PSExec and WMI ASR rules.
2020-09-07 09:40:46 +02:00
Yugoslavskiy Daniil 5026438524 fix modified field 2020-08-25 01:29:57 +02:00
Yugoslavskiy Daniil 42c4079ed8 att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00
Florian Roth f788a723b6 Merge pull request #986 from diskurse/devel
win_defender_history_delete.yml
2020-08-21 16:05:49 +02:00
Cian Heasley 28fe002f34 win_defender_history_delete.yml
Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
2020-08-21 13:51:05 +01:00
Aidan Bracher ad9a8ff956 Updated to include extra registry key 2020-07-18 02:37:11 +01:00
Aidan Bracher 2006aa8f5e Inclusion of registry keys for WinDefender disabling 2020-07-18 02:23:30 +01:00
Bhabesh Rai e0c1d84951 Added new Lateral Movement Attack ID 2020-07-14 22:32:29 +05:45
Bhabesh Rai 6fb045aa4b Conforming to Rule Creation Guide. 2020-07-14 14:20:07 +05:45
Bhabesh Rai 66ad325fde Added support for Defender's PSExec and WMI ASR rules. 2020-07-14 14:01:43 +05:45
Thomas Patzke 28013a15e1 Improved rule 2020-07-07 23:18:07 +02:00
Thomas Patzke 90f09f7b12 Merge branch 'devel' of https://github.com/diskurse/sigma into pr-829 2020-07-07 23:15:39 +02:00
j91321 24029d998a FIX: lint error for title 2020-06-28 11:05:19 +02:00
j91321 ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth a7136481f1 Update win_pcap_drivers.yml 2020-06-11 11:14:43 +02:00
Cian Heasley 9835c6d67d add win_pcap_drivers.yml 2020-06-10 15:53:22 +01:00
Florian Roth 35e43db7a7 fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00
Florian Roth 82cae6d63c Merge pull request #604 from Neo23x0/devel
New tests, colorized test output and rule cleanup
2020-01-31 07:07:13 +01:00
Florian Roth e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth 30d872f98f Merge pull request #492 from booberry46/master
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
Florian Roth 0a4d32c7c7 fix: fixing issues 2020-01-30 10:07:24 +01:00
Florian Roth d90ea6d267 improved rule 2020-01-30 09:58:32 +01:00
Thomas Patzke 0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Florian Roth 8cc16d252a fix: more FP reductions 2019-11-09 23:36:29 +01:00
Karneades cd20e4a3fc fix: bound keywords to field in WMI persistence rule
See #501.
2019-10-29 19:22:41 +01:00
booberry46 b7fe52133d Update win_defender_bypass.yml 2019-10-27 00:07:56 +08:00
booberry46 3f1fc9a507 Add files via upload 2019-10-27 00:06:49 +08:00
Tareq AlKhatib 075df83118 Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
mrblacyk 99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
Florian Roth 5b92790e3f Rule: WMI Persistence - FPs 2019-02-05 14:35:23 +01:00
ntim c99dc9f643 Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00
Florian Roth 0ffd226293 Moved new rule to sysmon folder 2018-04-11 20:11:54 +02:00
Florian Roth b065c2c35c Simplified rule 2018-04-11 19:03:35 +02:00
Karneades fa6677a41d Remove @ in author
Be nice to Travis: "error    syntax error: found character '@' that cannot start any token"
2018-04-11 15:21:42 +02:00
Karneades be3c27981f Add rule for Windows registry persistence mechanisms 2018-04-11 15:13:00 +02:00
Thomas Patzke ada1ca94ea JPCERT rules
* Addition of ntdsutil.exe rule
* Added new link to existing rules
2018-03-08 00:10:19 +01:00
Thomas Patzke 8ee24bf150 WMI persistence rules derived from blog article
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
2018-03-07 23:05:10 +01:00
Thomas Patzke 84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
SherifEldeeb 48441962cc Change All "str" references to be "list" to match schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb 112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Thomas Patzke 986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Florian Roth f46e86fbb1 WMI persistence modified 2017-08-24 18:27:40 +02:00