security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15,089 Commits 1 Branch 57 Tags
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
Commit Graph

15089 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Nasreddine Bencherchali 6325e75d42 fix: apply suggestions from code review 2023-01-27 00:51:17 +01:00
Maxime Lamothe-Brassard ff7794225b Fix a case of regular expression use. 2023-01-26 15:44:10 -08:00
Nasreddine Bencherchali 85c5f21818 feat: more updates, renames and fixes 2023-01-27 00:30:16 +01:00
IntelScott d380862b69 Update proc_creation_win_wmic_system_info_discovery.yml 
Fixing list with only one element
 2023-01-26 17:36:14 -05:00
IntelScott 6a954b6d08 Create proc_creation_win_rhadamanthys_dll_launch.yml 2023-01-26 17:26:18 -05:00
IntelScott 696e0b83ff Create proc_creation_win_wmic_system_info_discovery.yml 2023-01-26 17:25:07 -05:00
Nasreddine Bencherchali 58912f5eda Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel 2023-01-26 23:01:51 +01:00
Nasreddine Bencherchali 242814f3e9 Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2023-01-26 23:01:17 +01:00
Nasreddine Bencherchali c538550b03 feat: updates and fixes 2023-01-26 22:42:56 +01:00
frack113 1be13b3ea5 Merge pull request #3958 from SigmaHQ/revert-3956-promote_old_experimental 
Revert "Change status of old rules"
 2023-01-26 21:22:43 +01:00
frack113 cb67871bd2 Revert "Change status of old rules" 2023-01-26 19:37:18 +01:00
Nasreddine Bencherchali 3c846a1c51 Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2023-01-26 17:35:55 +01:00
frack113 bc0e90f495 Merge pull request #3956 from frack113/promote_old_experimental 
Change status of old rules
 2023-01-26 17:24:40 +01:00
frack113 5323fd4baa Change status of old rules 2023-01-25 18:41:18 +01:00
Nasreddine Bencherchali 4921c96703 Merge pull request #3955 from phantinuss/master 
fix: FPs in testing environment
 2023-01-25 17:29:34 +01:00
Nasreddine Bencherchali 725c5ba420 fix: fp found in testing 2023-01-25 16:54:11 +01:00
phantinuss 32c89da010 fix: FPs in testing environment 2023-01-25 16:23:10 +01:00
frack113 f7b159350d Merge pull request #3954 from nasbench/nasbench-rule-devel 
feat: updates and enhancements
 2023-01-25 13:21:44 +01:00
Nasreddine Bencherchali d2575eff64 fix: fp with lsass access rule 
- Add new filters
- Reorder and rename some filter for clarity
 2023-01-25 13:08:20 +01:00
Nasreddine Bencherchali 690af599ba fix: fp with invoke patchingapi rule 2023-01-25 12:54:29 +01:00
Nasreddine Bencherchali f42eb77f29 fix: rule logic 2023-01-25 12:03:11 +01:00
Nasreddine Bencherchali d47215d469 fix: single element selection 2023-01-25 01:35:47 +01:00
Nasreddine Bencherchali 7d2b70cb91 feat: add bpf related rules 2023-01-25 01:14:49 +01:00
Nasreddine Bencherchali 10707f307a Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel 2023-01-24 17:00:04 +01:00
Nasreddine Bencherchali 2a53a0b8c8 fix: fp in system file names 2023-01-24 16:59:39 +01:00
Nasreddine Bencherchali 9e2c01521a fix: broken condition 2023-01-24 16:54:15 +01:00
Nasreddine Bencherchali 9a03e4e13d fix: fp found in testing 2023-01-24 16:51:37 +01:00
Nasreddine Bencherchali d7bf5383a4 feat: update wsl related rules and other 2023-01-24 16:50:53 +01:00
Nasreddine Bencherchali 5fc05fe921 Merge pull request #3953 from phantinuss/master 
fix: FPs found in testing environment
 2023-01-24 11:04:54 +01:00
phantinuss a41a374901 fix: FPs found in testing environment 2023-01-24 10:30:43 +01:00
Thomas Patzke 3a8f85c6ff Merge pull request #3952 from kelnage/pySigma-all-of 
Change rules using all of required-lists to |all
 2023-01-24 07:56:27 +01:00
Nick Moore 0312c481d9 Change rules using all of required-lists to |all 
When a Sigma rule writer wants to create a list of values where all of
them must be matched for the rule to trigger, the approach used
previously was to have an `all of` condition for a single selector.
However, this has now changed, and the new approach is to use an empty
key and the |all modifier (i.e., `'|all'`).

This commit (tries to) identify all the rules that used the old
approach and modifies them to use the new approach instead.

See SigmaHQ/sigma-specification#53 for further discussion.
 2023-01-23 14:37:25 +00:00
Nasreddine Bencherchali fb1dcc1340 Merge pull request #3950 from nasbench/nasbench-rule-devel 
feat: updates and new rules
 2023-01-23 14:03:43 +01:00
Nasreddine Bencherchali 483db992f7 Merge pull request #3951 from phantinuss/master 
fix: fps found in testing
 2023-01-23 13:41:02 +01:00
Nasreddine Bencherchali e3f7feeb65 fix: update description 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2023-01-23 13:38:23 +01:00
phantinuss 628f616dbe fix: sharpen regex to not match default windows rundll32 usage 2023-01-23 12:57:50 +01:00
phantinuss 231e87e316 fix: FP in testing environment 2023-01-23 12:05:28 +01:00
Nasreddine Bencherchali 58fbe4a100 feat: update wsl lolbin 2023-01-23 01:05:28 +01:00
Nasreddine Bencherchali 2f6161619b fix: add missing filter 2023-01-22 23:45:22 +01:00
Nasreddine Bencherchali 47fa1dff54 fix: fp with iissetup 2023-01-22 23:41:56 +01:00
Nasreddine Bencherchali f2cf68cf14 fix: broken condition 2023-01-22 23:32:14 +01:00
Nasreddine Bencherchali 1c2b6f40a6 feat: updates and new rules 2023-01-22 23:31:02 +01:00
frack113 299fe649a2 split the rule by LogonType 2023-01-22 21:14:10 +01:00
frack113 f25ad0f1a3 Merge pull request #3949 from frack113/import_module_dll 
Import module dll
 2023-01-22 20:54:00 +01:00
Nasreddine Bencherchali c9b230de6d feat: update pwsh ad module rules 2023-01-22 20:07:42 +01:00
frack113 40592f463f Add Microsoft.ActiveDirectory.Management.dll 2023-01-22 19:34:09 +01:00
frack113 fa593dc4c4 Merge pull request #3942 from faisalusuf/master 2023-01-22 18:49:55 +01:00
frack113 6d535e032f Remove operation 2023-01-22 18:42:54 +01:00
frack113 c7537c5d2a Add import_module dll 2023-01-22 17:39:28 +01:00
frack113 75c01db53b Add import_module dll 2023-01-22 17:38:59 +01:00