Commit Graph

31 Commits

Author SHA1 Message Date
Florian Roth ce4cdf06f0 fix: Service Installation 7045 field confusion 2022-03-21 11:10:03 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss 4585133325 fix: remove penetration testing as a valid false positive 2022-03-16 13:51:26 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
frack113 5938569d3e Refactor regex 2022-03-08 19:07:37 +01:00
phantinuss 07a0a37273 feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:47:39 +01:00
Florian Roth 91c83bbe09 docs: changed wording in rule descriptions 2021-11-27 15:20:37 +01:00
frack113 5245360186 No filetype or bodyMagic in zeek http log field 2021-11-14 09:24:34 +01:00
frack113 bd3358d33c Fix auditd field name 2021-11-11 10:13:48 +01:00
frack113 f01523d791 Integrity does not exist in file_event 2021-11-10 19:51:01 +01:00
frack113 b6f6beda3c FileMagicBytes does not exist in file_event 2021-11-10 19:44:08 +01:00
frack113 3ea1eda717 ParentImage does not exist in network_connection 2021-11-10 19:38:05 +01:00
frack113 b2d66c41f3 change to unsupported status 2021-10-29 06:53:24 +02:00
Florian Roth f196e3174d refactor: moved last global rule to unsupported 2021-09-26 10:54:11 +02:00
frack113 dde3b17c20 split global win_mal_service_installs.yml 2021-09-21 16:17:59 +02:00
frack113 b9d14ef55a split global win_metasploit_or_impacket_smb_psexec_service_install.yml 2021-09-21 16:02:47 +02:00
frack113 06ed7c41af split global win_tap_driver_installation.yml 2021-09-21 13:15:21 +02:00
frack113 79d22dde58 split global win_invoke_obfuscation_* 2021-09-20 22:56:13 +02:00
frack113 b6dc4de5e1 split global win_invoke_obfuscation_* 2021-09-20 22:42:59 +02:00
Gábor Lipták d2592ee0b6 Add yamllint to GHA
Signed-off-by: Gábor Lipták <gliptak@gmail.com>
2021-07-26 21:26:16 -04:00
frack113 a53e21eb77 2 more rules with custom field 2021-07-09 10:07:41 +02:00
frack113 06a05cfad9 Move to rules-unsupported as they use a special enrichment field 2021-07-09 07:40:57 +02:00
yugoslavskiy 738bb4af90 Merge pull request #1041 from ryanplasma/rplas-SIGMA-547-page-13
[OSCD] Add Stored Credentials in Fake Files rule
2021-01-05 22:57:36 +03:00
Ryan Plas ff84852803 Replace start of paths with placeholders 2020-10-17 09:36:25 -04:00
yugoslavskiy cc2f48b4a3 Merge pull request #1195 from tas-kmanager/mt-oscd-sigma547-48
[OSCD] Always Install Elevated: unsupported
2020-10-16 22:24:34 +02:00
tas_kmanager 65c2e5daa4 [OSCD] Always Install Elevated
Page 48 from #574

Since the slide shows the usage of correlation of events, it was suggested to add the rules to rules-unsupported. Following suggestion from @yugoslavskiy - https://github.com/Neo23x0/sigma/issues/574#issuecomment-707441823
2020-10-15 21:59:37 -04:00
yugoslavskiy 0966d24031 Merge pull request #1033 from JPMinty/oscd
Create rules-unsupported/win_remote_schtask.yml
2020-10-11 19:39:33 +02:00
JPMinty 21284c2c92 Added selection criteria + moved to Unsupported rule 2020-10-11 12:48:48 +10:30
JPMinty 10f5c38b20 Added conditional description + moved to unsupported-rules 2020-10-11 12:40:24 +10:30
Sven Scharmentke 4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'.
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
Thomas Patzke 924e1feb54 UUIDs + moved unsupported logic
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
2019-12-19 23:56:36 +01:00