Commit Graph

5221 Commits

Author SHA1 Message Date
frack113 62e541ec7f Merge pull request #1784 from frack113/winlogbeat-modules-enabled
Update Mapping Winlogbeat modules enabled
2021-08-12 19:14:17 +02:00
Florian Roth 62c9468180 Merge pull request #1832 from SigmaHQ/rule-devel
Whoami Refactoring
2021-08-12 14:28:28 +02:00
Florian Roth d9d543e545 refactor: removed OriginalFileName from rule to improve compatibility 2021-08-12 13:28:24 +02:00
Florian Roth 34d70de084 rule: whoami anomalies 2021-08-12 13:28:00 +02:00
Florian Roth bd0a2a1b9f rule: renamed whoami 2021-08-12 13:27:51 +02:00
Florian Roth 418a0bbf7e Merge pull request #1827 from phantinuss/master
2 new rules (Little Corporal Maldoc and keyword generic version of "ProxyShell MSExchange MailBox Export Pattern")
2021-08-12 11:41:50 +02:00
Florian Roth 6ed62b431e Merge pull request #1830 from SigmaHQ/rule-devel
SystemNightmare and Typo
2021-08-12 11:41:16 +02:00
Florian Roth 852d7a8b22 fix: typo in description 2021-08-12 10:11:17 +02:00
Florian Roth 08883c8e32 refactor: removed old rule that uses Message field
Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible.

We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details)
2021-08-12 09:27:50 +02:00
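The "keyword" rule style described in the commit above, as an added worked example (this is not code from the SigmaHQ repository, and the rules and events are constructed for illustration): a small evaluator that searches a rule's keyword strings in the raw event text instead of a named field such as "Message", so a localised wrapper around the event no longer breaks the match. It follows the Sigma specification's semantics for field-less detections (items inside one keyword list are OR'd, "1 of" and "all of" quantify over the named selections) and also rejects a bare wildcard such as assignment_* written without a quantifier, the mistake corrected by the later "add missing 'all of'" commit on this page. The exclusion term ApprovedExportScript is an invented placeholder, not a real whitelist.

```python
# Added example, not SigmaHQ code: evaluate Sigma-style keyword rules
# against raw event text. Rules and events below are constructed.
import fnmatch
import re
from typing import Dict, Iterable, List, Union

# Constructed rules as dicts instead of YAML so no PyYAML is needed.
# Per the Sigma spec, items in one keyword list are OR'd; "1 of" and
# "all of" quantify over the named selections.
RULES: Dict[str, dict] = {
    "export_all_of_them": {"detection": {
        "kw_cmdlet": "New-MailboxExportRequest",
        "kw_path": " -FilePath ",
        "condition": "all of them"}},
    "export_filtered": {"detection": {
        "kw_cmdlet": ["New-MailboxExportRequest"],
        "kw_unc": ["\\\\localhost\\", "\\\\127.0.0.1\\"],
        "filter_known_script": ["ApprovedExportScript"],  # invented exclusion term
        "condition": "all of kw_* and not filter_known_script"}},
}

# Constructed raw events. Event 3 has a German wrapper: a rule keyed on a
# localised "Message" field would miss it, a raw keyword search still hits.
EVENTS: List[str] = [
    'New-MailboxExportRequest -Mailbox user1 -FilePath "\\\\localhost\\c$\\out.pst"',
    'New-MailboxExportRequest -Mailbox user2 -FilePath "\\\\localhost\\c$\\out.pst" ApprovedExportScript',
    "Get-MailboxExportRequest -Mailbox user3",
    "Der Vorgang wurde ausgefuehrt: new-mailboxexportrequest -filepath \\\\127.0.0.1\\exfil\\u.pst",
]

TOKEN_RE = re.compile(r"\(|\)|(?:1|all) of [\w*]+|\b(?:and|or|not)\b|[\w*]+")


def selection_matches(sel: Union[str, List[str]], raw: str) -> bool:
    """A keyword selection hits if any item is a case-insensitive substring of the raw event."""
    items = [sel] if isinstance(sel, str) else sel
    low = raw.lower()
    return any(item.lower() in low for item in items)


class CondParser:
    """Recursive-descent evaluator: or > and > not > atom, where an atom is a
    selection name, a parenthesised expression, or '1 of X' / 'all of X'
    (X = them or a glob such as kw_*)."""

    def __init__(self, cond: str, selections: Dict[str, bool]):
        self.toks, self.pos, self.sel = TOKEN_RE.findall(cond), 0, selections

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> bool:
        value = self.expr_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return value

    def expr_or(self) -> bool:
        value = self.expr_and()
        while self.peek() == "or":
            self.take()
            value = self.expr_and() or value  # right side always parsed, no short-circuit
        return value

    def expr_and(self) -> bool:
        value = self.expr_not()
        while self.peek() == "and":
            self.take()
            value = self.expr_not() and value
        return value

    def expr_not(self) -> bool:
        if self.peek() == "not":
            self.take()
            return not self.expr_not()
        return self.atom()

    def atom(self) -> bool:
        tok = self.take()
        if tok == "(":
            value = self.expr_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok == ")":
            raise ValueError("malformed condition")
        quant = re.fullmatch(r"(1|all) of ([\w*]+)", tok)
        if quant:
            how, target = quant.groups()
            names = list(self.sel) if target == "them" else fnmatch.filter(self.sel, target)
            if not names:
                raise ValueError(f"no selection matches {target!r}")
            hits = [self.sel[n] for n in names]
            return all(hits) if how == "all" else any(hits)
        if tok not in self.sel:  # a bare glob like kw_* without a quantifier ends up here
            raise ValueError(f"unknown selection {tok!r}")
        return self.sel[tok]


def rule_matches(rule: dict, raw: str) -> bool:
    det = rule["detection"]
    selections = {k: selection_matches(v, raw) for k, v in det.items() if k != "condition"}
    return CondParser(det["condition"], selections).parse()


def matching_events(rule: dict, events: Iterable[str]) -> List[int]:
    """Indices of the events a rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]


def condition_is_valid(cond: str, selection_names: Iterable[str]) -> bool:
    """True if the condition parses and references only existing selections."""
    try:
        CondParser(cond, {n: False for n in selection_names}).parse()
        return True
    except ValueError:
        return False
```

Running matching_events(RULES["export_filtered"], EVENTS) fires on events 0 and 3 and skips event 1 because of the exclusion term; the first rule fires on 0, 1 and 3. The conditions are case-sensitive in this toy (keywords are not), and nested quantifiers or "1 of them" over field-based selections are out of scope.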
frack113 b144523ad2 fix duplicate id 2021-08-11 22:37:01 +02:00
frack113 4c2159455d Merge pull request #1821 from austinsonger/gcp_kubernetes_role_access.yml
gcp_kubernetes_rolebinding.yml
2021-08-11 20:58:52 +02:00
frack113 b2a0d97b5e Merge pull request #1822 from austinsonger/gcp_kubernetes_secrets_modified_or_deleted.yml
gcp_kubernetes_secrets_modified_or_deleted.yml
2021-08-11 20:58:07 +02:00
Austin Songer 22d672187c Update gcp_kubernetes_secrets_modified_or_deleted.yml 2021-08-11 11:26:32 -05:00
Austin Songer ae85bf2b28 Update gcp_kubernetes_rolebinding.yml 2021-08-11 11:26:14 -05:00
Austin Songer 9b9d3c28c7 Update gcp_kubernetes_secrets_modified_or_deleted.yml 2021-08-11 11:24:40 -05:00
Austin Songer 4aec212e08 Update gcp_kubernetes_rolebinding.yml 2021-08-11 11:24:15 -05:00
phantinuss a880663d51 fix: add missing 'all of' for 'and' conjunction of the assignment keywords 2021-08-11 17:46:10 +02:00
phantinuss 1c919c07c7 exchange mailbox export with generic keyword search (Message is not a real field) 2021-08-11 16:57:15 +02:00
Florian Roth c8d481fd83 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-08-11 10:10:32 +02:00
Florian Roth c1f9c33730 rule: SystemNightmare 2021-08-11 10:10:30 +02:00
Florian Roth d9d1e2c578 Merge pull request #1823 from SigmaHQ/rule-devel
rule: ProxyLogon rule for MS Exchange
2021-08-11 09:43:41 +02:00
phantinuss 62eca463ac new rule LittleCorporal generated maldoc process injection 2021-08-11 09:25:23 +02:00
frack113 63ead346e8 fix modified value 2021-08-10 19:09:34 +02:00
Florian Roth 73a4bd74dc fix: FPs script exec from temp 2021-08-10 17:10:46 +02:00
frack113 6d869feb43 update modified 2021-08-10 15:12:45 +02:00
Jon Galarneau 1544a351a3 Correcting regex in win_modif_of_services_for_via_commandline.yml
The ^ symbol designates the beginning of the string, but in this rule it is clearly intended to be the end of the string.
2021-08-10 08:29:39 -04:00
Florian Roth 17c6fc7038 rule: ProxyLogon rule for MS Exchange 2021-08-10 09:16:30 +02:00
Florian Roth 17fb418271 Merge pull request #1817 from SigmaHQ/rule-devel
rules: ProxyShell refactoring and new rule
2021-08-10 08:18:32 +02:00
frack113 89e3fb1d86 Merge pull request #1814 from austinsonger/azure_vpn_connection_modified_or_deleted.yml
azure_vpn_connection_modified_or_deleted.yml
2021-08-10 06:36:46 +02:00
frack113 711619e90e remove 'or' as not needed 2021-08-10 06:28:35 +02:00
frack113 a1917b4247 Merge pull request #1813 from austinsonger/azure_virtual_network_modified_or_deleted.yml
azure_virtual_network_modified_or_deleted.yml
2021-08-10 06:22:25 +02:00
frack113 f7d3f93907 Merge pull request #1807 from austinsonger/azure_network_security_modified_or_deleted.yml
azure_network_security_modified_or_deleted.yml
2021-08-10 06:21:45 +02:00
frack113 9bd60c45c6 Merge pull request #1806 from austinsonger/azure_network_p2s_vpn_modified_or_deleted.yml
azure_network_p2s_vpn_modified_or_deleted.yml
2021-08-10 06:21:19 +02:00
Austin Songer a48fd2135e Create gcp_kubernetes_secrets_modified_or_deleted.yml 2021-08-09 22:08:14 -05:00
Austin Songer cc4b3d7d38 Delete gcp_kubernetes_secrets_modified_or_deleted.yml 2021-08-09 22:07:49 -05:00
Austin Songer 23d5ed9d23 Create gcp_kubernetes_secrets_modified_or_deleted.yml 2021-08-09 22:06:56 -05:00
Austin Songer 019bdaac90 Update gcp_kubernetes_rolebinding.yml 2021-08-09 22:05:46 -05:00
Austin Songer 4542ab9a14 Create gcp_kubernetes_rolebinding.yml 2021-08-09 22:01:16 -05:00
Austin Songer fa54a38394 Update azure_virtual_network_modified_or_deleted.yml 2021-08-09 15:51:43 -05:00
Austin Songer 27441d7093 Update azure_network_p2s_vpn_modified_or_deleted.yml 2021-08-09 15:37:53 -05:00
Austin Songer 5b25f56964 Update azure_network_security_modified_or_deleted.yml 2021-08-09 15:36:30 -05:00
frack113 3a873f6e7a Merge pull request #1811 from austinsonger/azure_firewall_modified_or_deleted.yml
azure_firewall_modified_or_deleted.yml
2021-08-09 22:24:41 +02:00
frack113 51eab7f366 Merge pull request #1810 from austinsonger/azure_firewall_rule_collection_modified_or_deleted.yml
azure_firewall_rule_collection_modified_or_deleted.yml
2021-08-09 22:23:06 +02:00
frack113 b4e6e0eab3 Merge pull request #1809 from austinsonger/azure_network_firewall_rule_modified_or_deleted.yml
azure_network_firewall_rule_modified_or_deleted.yml
2021-08-09 22:21:04 +02:00
frack113 3b4d782135 Merge pull request #1812 from austinsonger/azure_dns_zone_modified_or_deleted.yml
azure_dns_zone_modified_or_deleted.yml
2021-08-09 22:14:07 +02:00
frack113 ee777350ab Merge pull request #1808 from austinsonger/azure_network_virtual_device_modified_or_deleted.yml
azure_network_virtual_device_modified_or_deleted.yml
2021-08-09 22:11:28 +02:00
Austin Songer 1f1aa7c31f Update azure_dns_zone_modified_or_deleted.yml 2021-08-09 14:38:15 -05:00
Austin Songer b9026f2dfe Update azure_dns_zone_modified_or_deleted.yml 2021-08-09 14:36:50 -05:00
Austin Songer 27ce557562 Update azure_virtual_network_modified_or_deleted.yml 2021-08-09 14:35:45 -05:00
Austin Songer 70e2bb06a2 Update azure_vpn_connection_modified_or_deleted.yml 2021-08-09 14:35:27 -05:00