security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15,089 Commits 1 Branch 57 Tags
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
Commit Graph

4601 Commits

Author SHA1 Message Date
frack113 217be6cd8a Merge pull request #2005 from frack113/tags_end 
Add  missing tags to rule
 2021-09-09 15:04:26 +02:00
Florian Roth f00aaf8461 refactor: exclude case in which upper ticks are used 2021-09-09 12:55:10 +02:00
Florian Roth 6d86c7df6c Revert "refactor: 2nd condition in CVE-2021-40444 rule" 
This reverts commit 015573c450.
 2021-09-09 09:41:03 +02:00
Florian Roth 015573c450 refactor: 2nd condition in CVE-2021-40444 rule 2021-09-09 09:33:45 +02:00
Florian Roth e8b633f54f Merge pull request #2006 from SigmaHQ/rule-devel 
docs: changed level and reference in CVE-2021-40444 rule
 2021-09-09 09:29:08 +02:00
Florian Roth 2777187fd9 docs: changed level and reference in CVE-2021-40444 rule 2021-09-09 08:46:34 +02:00
Florian Roth b1f5c22805 Merge pull request #2003 from SigmaHQ/rule-devel 
CVE-2021-40444 process pattern
 2021-09-09 08:44:52 +02:00
Florian Roth 36a5d7ec04 CVE-2021-40444 false positives 2021-09-09 08:12:36 +02:00
frack113 caa5c7af1a Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 2021-09-09 06:27:23 +02:00
Cyb3rEng 77ee51dd76 Changed the category 
Changed category to file_event
 2021-09-08 21:22:26 -06:00
Cyb3rEng 5bbe3dec9b Completed changes to selection1 and selection2 
changes were completed to remove ( * ) and stay within rule creation guide:
    - Image|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\powerpnt.exe'

 WMIcommand|contains: 'Win32_Process\:\:Create'
 2021-09-08 21:14:58 -06:00
Cyb3rEng 49df2358de Completed changes to selection1 
completed changes to selection1 to comply with rule creation guide with no ( * ) or ( \\ ) 

  - Image|endswith: '\wbem\WMIC.exe'
  - ProcessCommandLine|contains: 'wmic '
 2021-09-08 21:12:27 -06:00
Cyb3rEng a3236e62a2 Changed selection2 conditions 
replaced *\wbem\WMIC.exe with Image|endswith: '\wbem\WMIC.exe' and ProcessCommandLine: *wmic * with ProcessCommandLine|contains: 'wmic '
 2021-09-08 21:10:47 -06:00
Cyb3rEng 1f577174f9 Changed endswith condition 
removed double // from "\wbem\WmiPrvSE.exe"
 2021-09-08 21:06:41 -06:00
Cyb3rEng 5ac0fded26 Merge branch 'SigmaHQ:master' into master 2021-09-08 20:26:59 -06:00
frack113 8eb527d042 Update process_mailboxexport_share.yml 2021-09-08 20:21:02 +02:00
frack113 deb0ddfe09 fix duplicate tags 2021-09-08 20:16:53 +02:00
frack113 af8bf06b30 add missing tags 2021-09-08 20:14:49 +02:00
Florian Roth b1540d65b9 refactor: simplified rule 2021-09-08 17:35:50 +02:00
Florian Roth e388bc6bfa remove unsupported tag 2021-09-08 16:56:04 +02:00
Florian Roth c9b4f5d326 CVE-2021-40444 2021-09-08 16:49:49 +02:00
frack113 993112c7eb Merge pull request #2002 from frack113/missing_tag 
Add missing Tags #1974
 2021-09-08 06:26:55 +02:00
frack113 e712d9696b Merge pull request #2000 from frack113/split_global 
Split frack113 global rules
 2021-09-08 06:26:35 +02:00
Cyb3rEng bd4d21c41c Completed changes based on comments 
Removed :
unnecessary event ID
 2021-09-07 21:17:12 -06:00
Cyb3rEng 75a6e5c95b Completed Changes as per comments 
Removed :
unnecessary event ID
 2021-09-07 21:14:06 -06:00
Cyb3rEng 3b2ebe1580 Completed changes 
Removed :
unnecessary event ID
 2021-09-07 21:12:02 -06:00
Cyb3rEng 8467d5a65a Modified Rule 
Removed :
unnecessary event ID
 2021-09-07 21:09:07 -06:00
Cyb3rEng f0f3ecfe2f Converted to LF 
Removed :
unnecessary event ID
 2021-09-07 21:00:35 -06:00
Cyb3rEng 932b7cf2ba Merge branch 'SigmaHQ:master' into master 2021-09-07 19:58:09 -06:00
Thomas Patzke 143744bc12 Various fixes 
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
 2021-09-07 23:38:07 +02:00
frack113 4e394d83a1 add missing tags 2021-09-07 17:45:41 +02:00
frack113 0e5e4fa19d Split global rules 2021-09-07 13:30:32 +02:00
frack113 be442182fe convert to LF 2021-09-06 21:10:08 +02:00
frack113 9ef299c4f4 Change to LF 2021-09-06 21:07:49 +02:00
frack113 3b95b0c913 Remove useless Eventid 
Use tools/config/generic/windows-audit.yml to convert for security 4688
 2021-09-06 20:56:41 +02:00
Florian Roth 6b2bacd2cc Merge pull request #1979 from frack113/test_global 
Change ID in global action rule
 2021-09-06 08:44:14 +02:00
frack113 6780182c37 Merge pull request #1974 from frack113/tags_pack2 
Add missing Tags
 2021-09-03 19:13:32 +02:00
frack113 688df3405a Merge pull request #1970 from frack113/red_T1564.004_1 
Redcanary  t1564.004  ADS test 1
 2021-09-03 19:06:51 +02:00
ncrqnt adc3c9e608 fixed date: switched day/month 2021-09-03 12:03:38 +02:00
frack113 11e4b900e4 Update global id 2021-09-03 06:59:40 +02:00
frack113 135d0a2c61 Update global id 2021-09-03 06:50:00 +02:00
frack113 a6bb5574fb Update global id 2021-09-03 06:35:35 +02:00
phantinuss ab721c736c chore: move level/falsepositives to bottom 2021-09-02 14:55:17 +02:00
phantinuss 0b373ff1e9 fix: remove 2nd selection due to FPs 2021-09-02 14:47:47 +02:00
frack113 6a1b95d947 Findstr covert by win_susp_findstr.yml 2021-09-02 14:22:59 +02:00
frack113 aaa568ff2d print covert by win_susp_print.yml 2021-09-02 14:18:38 +02:00
phantinuss 5cb6eed52e fix: remove single value lists 2021-09-02 14:09:03 +02:00
phantinuss f4a5df67ae further narrowing down of the selection, therefore removing the filter 2021-09-02 10:28:01 +02:00
frack113 6f1f70ca5e Add missing tags 2021-09-02 09:59:19 +02:00
frack113 e0cd35261c add missing tags 2021-09-01 20:01:03 +02:00