Commit Graph

864 Commits

Author SHA1 Message Date
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00
phantinuss 43bae23f23 fix: several FPs against a freshly installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
frack113 120436bdb4 Update filter 2022-02-02 06:34:32 +01:00
Florian Roth 7f9fd3ea63 Update sysmon_process_hollowing.yml 2022-02-01 16:01:27 +01:00
Sittikorn S e16974522b Update sysmon_process_hollowing.yml
Update filters
2022-02-01 15:19:36 +07:00
Florian Roth 027fce7f13 Update sysmon_process_hollowing.yml 2022-01-29 23:55:21 +01:00
Florian Roth e08e8dd3d4 Update sysmon_process_hollowing.yml 2022-01-26 17:53:46 +01:00
securepeacock 364b5c9620 Create sysmon_process_hollowing.yml
Closed old request, and put rule into its appropriate file directory.
2022-01-25 15:57:03 -05:00
Florian Roth c0bd1ef9bc Update sysmon_config_modification.yml 2022-01-13 21:07:11 +01:00
frack113 baaef207cb Add filter help 2022-01-13 06:38:43 +01:00
frack113 592485fac5 Windows Redcannary 2022-01-12 20:27:56 +01:00
Tim Shelton fc2e2aa4c5 Adding filter for false positive. No risk to sysmon operation 2021-12-02 20:38:58 +00:00
Florian Roth 0ab163b6ba fix: FP which happens more frequently under normal circumstances 2021-11-12 13:31:25 +01:00
frack113 ab5f5f95bc fix filename 2021-09-22 16:27:05 +02:00
frack113 92999468ee Merge pull request #2012 from frack113/upgrade_test
Upgrade test_rules.py
2021-09-11 15:29:19 +02:00
Austin Songer 1ea9aab455 Update Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:31 -05:00
Austin Songer 9d9a5088bb Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:24 -05:00
frack113 0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
frack113 ac9ea531ae Merge pull request #1956 from Cyb3rEng/master
Adding Various Rules To Monitor Process Creations in Sysmon, Event Logs & EDR
2021-09-10 10:47:23 +02:00
Cyb3rEng f4155010ff Duplicate Rule
Removed rule as it was duplicated
2021-09-09 23:09:20 -06:00
Cyb3rEng 4af244b135 Duplicate Rule
Removed rule as it was duplicated
2021-09-09 23:08:52 -06:00
Cyb3rEng 361121c402 changed title
title: Lolbins Process Created With WmiPrvSE
2021-09-09 21:51:49 -06:00
Cyb3rEng a3a12375b5 changed title
title: Lolbins Process Created With Office Application
2021-09-09 21:51:22 -06:00
Cyb3rEng 6cae20b9b8 Changed title
changed title
2021-09-09 21:38:42 -06:00
Cyb3rEng ca19f43a06 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:35:21 -06:00
Cyb3rEng d14c26f5f1 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:33:36 -06:00
Cyb3rEng ba995ef442 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:32:42 -06:00
Cyb3rEng f7b8fd571d Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:31:57 -06:00
Cyb3rEng 6a7ac098ed changed id uuid to v4
b45e1519-5de5-4dfe-bef6-73bc48c2b983
2021-09-09 21:31:20 -06:00
Cyb3rEng 7c9be6da32 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:24:05 -06:00
Cyb3rEng ff08de6d20 Completed Changes based on review
selection2:
     ParentPrcessName|endswith:
2021-09-09 21:02:11 -06:00
frack113 d9cd1652f2 Split global sysmon rules 2021-09-09 16:11:41 +02:00
frack113 312ffe69e2 Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 2021-09-09 06:28:48 +02:00
Cyb3rEng b2c44ebd6e Changed selection1
completed the following change to selection1 to keep inline with rule creation guideline
- CommandLine|contains: 'wmic '
2021-09-08 21:27:15 -06:00
Cyb3rEng fe9b91c504 Completed changes to selection1
changed to the following to follow rule creation guidelines:
    - Image|endswith: '\wbem\WMIC.exe'
    - ProcessCommandLine|contains: 'wmic '
2021-09-08 21:26:01 -06:00
Cyb3rEng 851dfeee46 Changed selection2 condition
changed from "\\wbem\\WmiPrvSE.exe" to "\wbem\WmiPrvSE.exe" to follow rule creation guidelines
2021-09-08 21:24:18 -06:00
Cyb3rEng 6ddc83901b Changed Category
Category Changed from process_creation to file_event
2021-09-08 20:38:07 -06:00
Cyb3rEng 5ac0fded26 Merge branch 'SigmaHQ:master' into master 2021-09-08 20:26:59 -06:00
frack113 e712d9696b Merge pull request #2000 from frack113/split_global
Split frack113 global rules
2021-09-08 06:26:35 +02:00
Cyb3rEng e3b376e945 Completed Changes Based on Comments
Removed:
unnecessary event ID
2021-09-07 21:26:42 -06:00
Cyb3rEng 4130ceb208 Completed Changes Based on Comments
Removed:
unnecessary event ID
2021-09-07 21:25:52 -06:00
Cyb3rEng 8d47f9531b Completed Changes Based on Comments
Removed:
unnecessary event ID
2021-09-07 21:22:01 -06:00
Cyb3rEng 13e6262055 Completed Changes Based on Comments
Removed:
unnecessary event ID
2021-09-07 21:20:51 -06:00
Cyb3rEng 8dc1b03fef Completed Changes Based on Comments
Removed:
unnecessary event ID
2021-09-07 21:19:43 -06:00
Cyb3rEng 932b7cf2ba Merge branch 'SigmaHQ:master' into master 2021-09-07 19:58:09 -06:00
Thomas Patzke 143744bc12 Various fixes
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
2021-09-07 23:38:07 +02:00
frack113 0e5e4fa19d Split global rules 2021-09-07 13:30:32 +02:00
frack113 be442182fe convert to LF 2021-09-06 21:10:08 +02:00
frack113 9ef299c4f4 Change to LF 2021-09-06 21:07:49 +02:00
frack113 d02ee1eddd Update global ID 2021-09-02 21:16:55 +02:00