Nasreddine Bencherchali
e5fe4d5f46
feat: update config files
- Update indentation of config files to 4
- Add new event logs
2023-01-17 01:00:24 +01:00
frack113
deeac89f36
Add lsa-server
2023-01-13 17:56:02 +01:00
Nasreddine Bencherchali
acf4a404d5
feat: add Microsoft-Windows-AppXDeploymentServer/Operational
2023-01-11 22:23:52 +01:00
frack113
9b550f6858
Add win_vhdmp_mount_iso
2023-01-09 10:19:41 +01:00
Nasreddine Bencherchali
3bd12552bb
feat: add bitlocker channel
2023-01-02 22:19:32 +01:00
Nasreddine Bencherchali
a67ab607a1
feat: add Microsoft-Windows-LDAP-Client/Debug provider
2022-11-15 11:39:42 +01:00
Nasreddine Bencherchali
2f5fe64099
Update service to openssh
2022-10-25 20:01:02 +02:00
Nasreddine Bencherchali
9b7af82e23
Add OpenSSH/Operational
2022-10-25 19:07:53 +02:00
Nasreddine Bencherchali
14c08635ef
Add PowerShellCore Channel
2022-10-19 00:07:09 +02:00
phantinuss
40f64a6b69
fix: unneeded fieldmapping for THOR/Aurora
2022-10-12 16:17:18 +02:00
phantinuss
119cfe9558
fix: missing WinEventLog prefix for splunk/thor logsources
2022-08-23 11:50:15 +02:00
Nasreddine Bencherchali
f37fd2375b
Update config
2022-08-16 20:18:46 +01:00
Nasreddine Bencherchali
6407089a40
Change service to diagnosis scripted
2022-08-15 12:45:12 +01:00
Nasreddine Bencherchali
d09037c9ad
Add 2 New EventLog Sources
- Microsoft-Windows-Shell-Core/Operational
- Microsoft-Windows-Diagnosis-Scripted/Operational
2022-08-14 21:38:36 +01:00
Nasreddine Bencherchali
f2bec5c6af
Update provider + rules
2022-08-04 21:58:07 +01:00
Nasreddine Bencherchali
a073590c2f
Add Security-Mitigations-User Mode log
2022-08-04 13:44:55 +01:00
Florian Roth
afa0d77025
refactor: adding new channel to all backends
2022-08-02 18:08:29 +02:00
Florian Roth
43f3a31d19
feat: new service definition - terminal services
2022-04-29 12:26:26 +02:00
frack113
6836d64a14
Fix space
2022-03-26 11:33:30 +01:00
frack113
fb55e0e7b3
Category registry add delete
2022-03-26 11:21:53 +01:00
frack113
e2fbbb319d
Category registry_set
2022-03-26 10:55:05 +01:00
Florian Roth
7177e32e5e
fix: issues with new sources in old THOR versions
2022-03-16 12:52:15 +01:00
Max Altgelt
1044a20149
feat: Add log sources for process listing within THOR
2022-03-15 11:51:59 +01:00
Florian Roth
979d25ed67
fix: casing in thor config
2022-03-07 18:18:57 +01:00
frack113
53651cdd2f
Add Bits-Client rules
2022-03-03 06:27:00 +01:00
frack113
8cfab22acb
Add firewall-as basic rules
2022-02-19 10:18:49 +01:00
Florian Roth
68f0cdf338
feat: new log channel windows-codeintegrity-operational
https://twitter.com/SBousseaden/status/1483810148602814466
2022-01-20 09:44:36 +01:00
Florian Roth
683c1b59cb
fix: add field mapping for provider name
2022-01-07 13:08:14 +01:00
Max Altgelt
b4553dcd9d
feat: Add finer powershell log source distinction
Credits for this go to @frack113
2021-12-13 09:49:28 +01:00
phantinuss
3b5f3d8bef
fix: indentation
2021-07-22 10:18:03 +02:00
phantinuss
e4880169d3
add sysmon_status and sysmon_error category to thor logsources
2021-07-22 09:59:16 +02:00
Florian Roth
9fce0fb42d
Merge pull request #1680 from phantinuss/master
medium level Rule for Windows Defender Exclusions
2021-07-14 08:18:39 +02:00
phantinuss
bf9b82fc45
medium level rule for Windows Defender Exclusions
2021-07-13 13:16:25 +02:00
Florian Roth
5e7f1f3a36
refactor: THOR config adjustments
2021-07-08 14:51:49 +02:00
Florian Roth
ba94b8396c
config: thor - powershell classic
2021-07-02 14:14:48 +02:00
Florian Roth
63f3fd7e73
config: add PrintService Operational
2021-07-01 09:55:15 +02:00
Florian Roth
a49bfb14dd
refactor: Admin log - not Operational
2021-06-30 14:22:40 +02:00
Florian Roth
26cfbb9c34
config: mapping for Microsoft SMBClient service - security
2021-06-30 14:16:26 +02:00
Florian Roth
8262a1d98b
config: mappings for Microsoft print service
2021-06-30 14:09:44 +02:00
Florian Roth
2f12c5c540
fix: too broad definition of *.log on linux
2021-05-03 17:04:55 +02:00
Max Altgelt
7c8cca744f
chore: Revert log file changes for THOR sigma configuration
Revert recent changes for Windows / Linux .log files for THOR
because of massive performance impacts.
2021-04-28 17:48:17 +02:00
Max Altgelt
de2cedf213
fix: Distinguish Windows and Linux logfiles by path separator
...
A previous commit added a log source detailing *.log files with
product: linux. This caused linux specific Sigma rules to apply to
all *.log files, including those on Windows. To distinguish these
cases, expand the file path pattern to include the typical start
for unix / windows paths ( / vs [A-Z]:\ )
2021-04-28 11:45:19 +02:00
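The path-separator fix described in the commit above, shown as an added example (this is not code from the Sigma or THOR repositories, and the regular expressions here are my reconstruction of the described idea, not the actual config patterns). A bare `*.log` pattern matches log files on both platforms, so Linux rules would fire on Windows files; anchoring each pattern on the typical path start (`/` for Unix, a drive letter plus `:\` for Windows) keeps the two sets apart. The sample paths are constructed for the demonstration.

```python
import re

# Constructed sample paths (not taken from any real config or scan output).
SAMPLE_PATHS = [
    "/var/log/auth.log",
    "/var/log/nginx/access.log",
    r"C:\Windows\System32\LogFiles\W3SVC1\u_ex210428.log",
    r"D:\apps\service.log",
]

# The over-broad pattern from the commit message: any *.log file, on any platform.
BROAD_LOG = re.compile(r".*\.log$", re.IGNORECASE)

# Narrowed patterns (assumed reconstruction of the fix): require the typical
# start of a Unix path ("/") or of a Windows path (drive letter, ":", backslash)
# so that product: linux rules only see Unix-style locations.
LINUX_LOG = re.compile(r"^/.*\.log$")
WINDOWS_LOG = re.compile(r"^[A-Za-z]:\\.*\.log$", re.IGNORECASE)


def classify(path: str) -> str:
    """Return 'linux', 'windows' or 'unknown' for a log file path.

    Only paths ending in .log are considered; anything else (e.g. /var/log/syslog)
    is reported as 'unknown' because neither narrowed pattern claims it.
    """
    if LINUX_LOG.match(path):
        return "linux"
    if WINDOWS_LOG.match(path):
        return "windows"
    return "unknown"


def broad_matches(paths):
    """Paths the original, platform-agnostic *.log pattern would select."""
    return [p for p in paths if BROAD_LOG.match(p)]


def linux_matches(paths):
    """Paths that a product: linux logsource should be applied to."""
    return [p for p in paths if classify(p) == "linux"]


def windows_matches(paths):
    """Paths that a Windows logsource should be applied to."""
    return [p for p in paths if classify(p) == "windows"]


if __name__ == "__main__":
    print("broad  :", broad_matches(SAMPLE_PATHS))
    print("linux  :", linux_matches(SAMPLE_PATHS))
    print("windows:", windows_matches(SAMPLE_PATHS))
```

Running it shows the broad pattern selecting all four paths while the anchored patterns split them two and two, which is the behaviour the commit set out to restore.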
Florian Roth
d766c12888
feat: generic categories - thor config
2021-04-23 17:47:09 +02:00
phantinuss
95fa99b4a3
search generic log files for product: linux
2021-04-23 12:00:48 +02:00
Florian Roth
e47ee24889
Merge branch 'master' into rule-devel
2021-03-20 08:52:55 +01:00
Florian Roth
9e287a1b89
feat: MSExchange Management log mapping
2021-03-20 08:49:59 +01:00
Codehardt
6d626456f2
fix: syntax error in THOR's config file
2021-03-17 11:49:50 +01:00
Florian Roth
11c216629b
fix: thor sources for applocker with wrong prefix
2021-01-07 12:27:37 +01:00
Pushkarev Dmitry
0d925896b9
Added AppLocker log source
2020-07-13 20:23:42 +00:00
Florian Roth
c8ca55b3e4
fix: duplicate wrong old key
2020-07-06 17:14:59 +02:00