blue-team-tools

Author	SHA1	Message	Date
Florian Roth	e2aa3665af	fix: avoid Microsoft Defender detections We keep the strings as specific as necessary while avoiding Microsoft Defender detections on the rule files	2022-02-06 08:56:54 +01:00
Florian Roth	6ce92b27be	refactor: more regex avoidance	2022-02-03 20:05:10 +01:00
Florian Roth	8c07a51ab9	fix: non-ascii character in description	2022-02-03 19:52:07 +01:00
Florian Roth	b715894497	refactor: avoid regex use	2022-02-03 19:48:19 +01:00
$frack113$ frack113	7ceb3968d8	Update file_event_susp_teamviewer_remote_session.yml	2022-01-31 06:24:02 +01:00
Florian Roth	c35973d6e7	rule: TeamViewer remote session	2022-01-30 22:26:13 +01:00
Florian Roth	ba3065e943	refactor: added another TV domain	2022-01-30 22:26:01 +01:00
Florian Roth	1b57916890	rule: suspicious renamed teamviewer	2022-01-30 22:05:47 +01:00
Florian Roth	bfee0f8067	rule: xordump	2022-01-28 17:26:12 +01:00
Florian Roth	982808c3db	refactor: whoami / authority, rule: whoami as trusted installer	2022-01-28 11:30:30 +01:00
Florian Roth	f80f0d3696	rules: nircmd, nsudo, runx	2022-01-24 13:37:28 +01:00
Florian Roth	9505a761e1	fix: bug in rule - missing backspace	2022-01-24 11:54:58 +01:00
Florian Roth	8cf78fb4e6	rules: advancedrun executions	2022-01-20 11:08:08 +01:00
Florian Roth	9b7b48c0e6	Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel	2022-01-20 09:45:03 +01:00
Florian Roth	4395a6dafa	rule: code integrity failed driver load	2022-01-20 09:45:00 +01:00
Florian Roth	68f0cdf338	feat: new log channel windows-codeintegrity-operational https://twitter.com/SBousseaden/status/1483810148602814466	2022-01-20 09:44:36 +01:00
Florian Roth	6835381e6a	Merge branch 'master' into rule-devel	2022-01-19 19:42:14 +01:00
Florian Roth	eb382c4a59	Merge pull request #2576 from frack113/remove_old_tag remove invalid tag	2022-01-19 19:40:01 +01:00
$frack113$ frack113	4631d0c482	remove invalid tag	2022-01-19 18:23:30 +01:00
Florian Roth	49502f3796	fix: wrong number of placeholders	2022-01-19 15:24:24 +01:00
Florian Roth	2a118e900a	refactor: added requirement, debug output for MITRE ATTCK eval	2022-01-19 15:21:50 +01:00
Florian Roth	d7de27ca3c	rule: extended Defender exclusions rule	2022-01-19 13:21:19 +01:00
$frack113$ frack113	926b9c964c	Merge pull request #2571 from thomai/master Adjust case sensitivity of Provider_Name field	2022-01-17 16:03:06 +01:00
Tom Maier	2cd464e77c	Adjusted modified field to current date	2022-01-17 14:18:33 +01:00
Tom Maier	82e7ce7799	Adjust case sensitivity of Provider_Name field	2022-01-17 10:36:09 +01:00
$frack113$ frack113	3ec9f6d252	Merge pull request #2569 from frack113/red_20220116 Windows Redcannary defense_evasion	2022-01-17 06:36:41 +01:00
$frack113$ frack113	fc7485a07c	Merge pull request #2567 from frack113/red_20220115 Windows Redcannary	2022-01-17 06:35:49 +01:00
Florian Roth	c1e1809dae	Merge pull request #2570 from SigmaHQ/rule-devel Admin Share rules, JS RunHTMLApplication	2022-01-16 22:44:02 +01:00
Florian Roth	a3a9e2add8	fix: wrong modifier	2022-01-16 17:43:55 +01:00
Florian Roth	be224a6f37	rule: new rules covering admin share activity	2022-01-16 17:40:50 +01:00
$frack113$ frack113	2ef4b1a712	fix empty id	2022-01-16 15:24:44 +01:00
$frack113$ frack113	7b3d2d4313	Fix space	2022-01-16 15:12:50 +01:00
$frack113$ frack113	12f0d6dfab	Windows Redcannary	2022-01-16 14:47:56 +01:00
$frack113$ frack113	2a6609a71d	Merge pull request #2568 from frack113/windows_config Add windows-services.yml	2022-01-16 14:44:42 +01:00
$frack113$ frack113	11b6b24660	Merge pull request #2566 from frack113/discussion_2472 Rename from Discussion 2472	2022-01-16 11:18:03 +01:00
$frack113$ frack113	262cb31143	Fix CommandLine Forget to copy the correct from Test VM	2022-01-16 11:15:50 +01:00
$frack113$ frack113	5890c1bb20	Fix logsource	2022-01-16 08:56:51 +01:00
$frack113$ frack113	c4f4b55920	Add french user	2022-01-15 23:33:36 +01:00
$frack113$ frack113	38ddf07291	Add french user	2022-01-15 23:31:51 +01:00
$frack113$ frack113	cb938c14df	Windows Redcannary	2022-01-15 17:04:03 +01:00
$frack113$ frack113	3f359be8b6	Merge pull request #2565 from frack113/powershell_log Fix windows-dns-server	2022-01-15 10:56:20 +01:00
$frack113$ frack113	65a268b0b3	Rename powershell_script	2022-01-15 10:54:21 +01:00
$frack113$ frack113	6badb13114	Rename powershell_module	2022-01-15 10:38:27 +01:00
$frack113$ frack113	5fd339858a	Rename powershell_classic	2022-01-15 10:30:03 +01:00
$frack113$ frack113	0828ff098f	Fix windows-dns-server	2022-01-15 09:07:26 +01:00
$frack113$ frack113	a2ceddcd65	Merge pull request #2562 from SimoneCagol/patch-1 Update sysmon_raw_disk_access_using_illegitimate_tools.yml	2022-01-14 16:51:54 +01:00
SimoneCagol	2c964503e9	Update sysmon_raw_disk_access_using_illegitimate_tools.yml	2022-01-14 13:05:45 +01:00
Florian Roth	8608ce6396	Merge pull request #2559 from redsand/executable_invalid_extension Detects executable running with non executable extension	2022-01-14 12:33:33 +01:00
Florian Roth	d525203083	rule: suspicious rundll32 JS pattern	2022-01-14 12:30:16 +01:00
Florian Roth	4d5e87258d	Update win_run_executable_invalid_extension.yml	2022-01-14 11:47:46 +01:00

1 2 3 4 5 ...

9738 Commits