Commit Graph

15089 Commits

Author SHA1 Message Date
Nasreddine Bencherchali f065928dc0 Create proc_creation_win_lolbin_pcalua.yml 2022-06-14 17:39:58 +01:00
Nasreddine Bencherchali f34bc22537 Create proc_creation_win_lolbin_forfiles.yml 2022-06-14 17:39:55 +01:00
Nasreddine Bencherchali 6476152624 Create proc_creation_win_conhost_path_traversal.yml 2022-06-14 17:39:52 +01:00
Frank Block 1e0a9fd8c1 Mapping name "Provider_Name" instead of "ProviderName"
The mapping identifier `ProviderName` doesn't occur in any Windows rule (except one: `powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml`).

Instead, the identifier `Provider_Name` is used.
2022-06-14 18:17:35 +02:00
Frank Block 06234d831d ProviderName seems to be wrong
`ProviderName: winlog.event_data.ProviderName` seems to be wrong (at least in our case). Actually, the mapping from the `winlogbeat-modules-enabled.yml` would be correct, but we definitely don't use the modules (the other mappings don't apply). Maybe the two got mixed up? Can't verify it for the modules config, but at least the `winlogbeat.yml` does seem to have this mapping wrong.
2022-06-14 17:45:36 +02:00
Frank Block b6ecf5cffd Fixes typo for TargetServerName mapping 2022-06-14 17:40:33 +02:00
Florian Roth 40be326cce Merge pull request #3124 from nasbench/msdt-rules
Update MSDT Rules
2022-06-13 23:04:12 +02:00
Florian Roth afce3ffcae Merge branch 'master' into msdt-rules 2022-06-13 22:55:40 +02:00
Florian Roth 2a4e6d8ebe Merge pull request #3123 from phantinuss/master
fix FP and add Follina reference to description
2022-06-13 22:54:54 +02:00
Florian Roth 90a12487d4 Merge pull request #3122 from nasbench/master
Renaming LOLBIN rules + Other Updates
2022-06-13 22:54:37 +02:00
Florian Roth 037bf0f6bb Update proc_creation_win_lolbin_susp_certreq_download.yml 2022-06-13 18:27:56 +02:00
Nasreddine Bencherchali 0e0f44fc0c Update proc_creation_win_msdt.yml 2022-06-13 16:36:19 +01:00
Nasreddine Bencherchali 8ca55de64c Update proc_creation_win_msdt.yml 2022-06-13 14:33:12 +01:00
Nasreddine Bencherchali ffd236158c Update MSDT Rules 2022-06-13 14:30:35 +01:00
phantinuss d382f91313 fix: FP with AVG anti virus 2022-06-13 13:30:21 +02:00
phantinuss 92c2976793 docs: add Follina reference in description 2022-06-13 13:30:21 +02:00
Nasreddine Bencherchali e96532344f Removed "modified" date 2022-06-13 11:31:47 +01:00
Nasreddine Bencherchali 21f20c9e7a Renamed to shorter names 2022-06-13 00:52:53 +01:00
Nasreddine Bencherchali 7b3e6c7f59 Update proc_creation_win_lolbin_rasautou_dll_execution.yml 2022-06-13 00:21:32 +01:00
Nasreddine Bencherchali ffd135c6b6 Renamed LOLBIN rules + Other 2022-06-12 23:59:25 +01:00
Nasreddine Bencherchali 13b02a2aec Renamed LOLBIN Rules 2 2022-06-12 21:37:42 +01:00
Nasreddine Bencherchali 3cfb370266 Renamed LOLBIN Rules 2022-06-12 21:36:52 +01:00
Florian Roth 6d07a3aaff Merge pull request #3121 from frack113/Cmdkey
Update Cmdkey
2022-06-12 18:37:19 +02:00
Florian Roth 1c8c9d4ff2 refactor: one more space char 2022-06-12 18:06:51 +02:00
frack113 dc67990e07 Update proc_creation_win_local_system_owner_account_discovery.yml 2022-06-12 17:58:33 +02:00
frack113 fb0618795f Update proc_creation_win_mstsc.yml 2022-06-12 17:52:37 +02:00
Florian Roth 9caea8bb03 Merge pull request #3118 from SigmaHQ/rule-devel
rules: DNS ext requests, ISO phish, BITS refactor
2022-06-12 17:51:11 +02:00
frack113 b0730c613b Update Cmdkey 2022-06-12 17:31:24 +02:00
Florian Roth 49f37684dc fix: FPs with BITS rule 2022-06-12 17:30:17 +02:00
Florian Roth 55c4112e1a Merge pull request #3048 from CD-R0M/master
Filter for Dell Display Manager Child Process
2022-06-12 10:45:48 +02:00
CD-R0M 335e97247e Update registry_set_custom_file_open_handler_powershell_execution.yml 2022-06-11 10:40:04 -04:00
CD-R0M e89811fa47 Merge branch 'master' of https://github.com/CD-R0M/sigma-1 2022-06-11 10:29:54 -04:00
CD-R0M 2a2c15a407 Create registry_set_custom_file_open_handler_powershell_execution.yml 2022-06-11 10:29:46 -04:00
CD-R0M 6786bd58ac Merge branch 'SigmaHQ:master' into master 2022-06-11 10:21:07 -04:00
frack113 fba0615d15 Merge pull request #3119 from nasbench/master
GUP LOLBIN Rules + Update AccCheckConsole Rule
2022-06-11 13:09:16 +02:00
frack113 6c211887a9 Remove unneeded star 2022-06-11 12:58:14 +02:00
Nasreddine Bencherchali de78f9f5b3 Update proc_creation_win_cmdkey_recon.yml 2022-06-11 11:18:33 +01:00
Nasreddine Bencherchali b8ab72c222 Update proc_creation_win_mstsc.yml 2022-06-11 02:23:38 +01:00
Nasreddine Bencherchali c610e4a749 Update proc_creation_win_cmdkey_recon.yml 2022-06-11 02:23:31 +01:00
Nasreddine Bencherchali 3aa1d3710a Update proc_creation_win_susp_curl_fileupload.yml 2022-06-11 02:23:14 +01:00
Nasreddine Bencherchali 0e68a801b1 Update proc_creation_win_susp_curl_download.yml 2022-06-11 02:22:56 +01:00
Nasreddine Bencherchali 50bb79d54e Update proc_creation_win_susp_wsl_lolbin.yml 2022-06-11 02:21:39 +01:00
Nasreddine Bencherchali 40564ac49f Update file_event_win_notepad_plus_plus_persistence.yml 2022-06-10 20:06:03 +01:00
Nasreddine Bencherchali 2d174ec4fc Update proc_creation_win_susp_gup_execution.yml 2022-06-10 19:08:30 +01:00
Nasreddine Bencherchali 41dd9246fd GUP LOLBIN Rules + Update AccCheckConsole Rule 2022-06-10 19:07:25 +01:00
Florian Roth a05e154869 fix: condition 2022-06-10 13:46:19 +02:00
Florian Roth 3ffe83bd70 fix: typo 2022-06-10 13:18:55 +02:00
Florian Roth ed2ab816be refactor: BITS rules new and reworked 2022-06-10 13:16:40 +02:00
Florian Roth d172b136bf Merge pull request #3109 from frack113/diagcab
Add file_event_win_susp_diagcab
2022-06-10 07:34:33 +02:00
frack113 2d51c7719e Merge pull request #3115 from nasbench/master
New/Update LOLBIN Rules
2022-06-10 06:21:48 +02:00