Commit Graph

44 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 5198cb3824 chore: change state to unsupported 2023-03-13 10:35:44 +01:00
fukusuket 8b5a254d4f fix: update modified 2023-03-04 20:40:48 +09:00
fukusuket d0e1bd5cfa fix endswith typo 2023-03-04 20:36:28 +09:00
Nasreddine Bencherchali 587fbbce58 chore: update pipe-notation rules to unsupported 2023-02-24 19:54:14 +01:00
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag 2023-02-01 11:14:59 +01:00
Nasreddine Bencherchali a25027fef8 fix: rename links from old repo to SigmaHQ 2022-12-27 21:05:16 +01:00
Nasreddine Bencherchali 03cc78e916 feat: filename test enhancements (#3812) 2022-12-23 09:25:16 +01:00
Nasreddine Bencherchali 1ccee514e2 feat: add duplicate titles test 2022-12-18 20:55:32 +01:00
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Nasreddine Bencherchali 97856b562a Add "\" to "Image|endswith" modifier
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default Windows binaries to avoid changing the logic of other rules.
2022-06-02 13:39:07 +01:00
Florian Roth f0253eb67d some fixes and refactoring 2022-04-26 15:32:56 +02:00
Florian Roth ce4cdf06f0 fix: Service Installation 7045 field confusion 2022-03-21 11:10:03 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss 4585133325 fix: remove penetration testing as a valid false positive 2022-03-16 13:51:26 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
frack113 5938569d3e Refactor regex 2022-03-08 19:07:37 +01:00
phantinuss 07a0a37273 feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:47:39 +01:00
Florian Roth 91c83bbe09 docs: changed wording in rule descriptions 2021-11-27 15:20:37 +01:00
frack113 5245360186 No filetype or bodyMagic in zeek http log field 2021-11-14 09:24:34 +01:00
frack113 bd3358d33c Fix auditd field name 2021-11-11 10:13:48 +01:00
frack113 f01523d791 Integrity does not exist in file_event 2021-11-10 19:51:01 +01:00
frack113 b6f6beda3c FileMagicBytes does not exist in file_event 2021-11-10 19:44:08 +01:00
frack113 3ea1eda717 ParentImage does not exist in network_connection 2021-11-10 19:38:05 +01:00
frack113 b2d66c41f3 change to unsupported status 2021-10-29 06:53:24 +02:00
Florian Roth f196e3174d refactor: moved last global rule to unsupported 2021-09-26 10:54:11 +02:00
frack113 dde3b17c20 split global win_mal_service_installs.yml 2021-09-21 16:17:59 +02:00
frack113 b9d14ef55a split global win_metasploit_or_impacket_smb_psexec_service_install.yml 2021-09-21 16:02:47 +02:00
frack113 06ed7c41af split global win_tap_driver_installation.yml 2021-09-21 13:15:21 +02:00
frack113 79d22dde58 split global win_invoke_obfuscation_* 2021-09-20 22:56:13 +02:00
frack113 b6dc4de5e1 split global win_invoke_obfuscation_* 2021-09-20 22:42:59 +02:00
Gábor Lipták d2592ee0b6 Add yamllint to GHA
Signed-off-by: Gábor Lipták <gliptak@gmail.com>
2021-07-26 21:26:16 -04:00
frack113 a53e21eb77 2 more rules with custom field 2021-07-09 10:07:41 +02:00
frack113 06a05cfad9 Move to rules-unsupported as use special enrichment field 2021-07-09 07:40:57 +02:00
yugoslavskiy 738bb4af90 Merge pull request #1041 from ryanplasma/rplas-SIGMA-547-page-13
[OSCD] Add Stored Credentials in Fake Files rule
2021-01-05 22:57:36 +03:00
Ryan Plas ff84852803 Replace start of paths with placeholders 2020-10-17 09:36:25 -04:00
yugoslavskiy cc2f48b4a3 Merge pull request #1195 from tas-kmanager/mt-oscd-sigma547-48
[OSCD] Always Install Elevated: unsupported
2020-10-16 22:24:34 +02:00
tas_kmanager 65c2e5daa4 [OSCD] Always Install Elevated
Page 48 from #574

Since the slide shows the usage of correlation of events, it was suggested to add the rules to rules-unsupported. Following the suggestion from @yugoslavskiy - https://github.com/Neo23x0/sigma/issues/574#issuecomment-707441823
2020-10-15 21:59:37 -04:00
yugoslavskiy 0966d24031 Merge pull request #1033 from JPMinty/oscd
Create rules-unsupported/win_remote_schtask.yml
2020-10-11 19:39:33 +02:00
JPMinty 21284c2c92 Added selection criteria + moved to Unsupported rule 2020-10-11 12:48:48 +10:30
JPMinty 10f5c38b20 Added conditional description + moved to unsupported-rules 2020-10-11 12:40:24 +10:30
Sven Scharmentke 4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'.
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
Thomas Patzke 924e1feb54 UUIDs + moved unsupported logic
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
2019-12-19 23:56:36 +01:00