security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
frack113 aa8694fdef add missing category 2021-11-06 10:17:12 +01:00
frack113 68d30293b5 Cleanup process_creation 2021-11-06 10:16:16 +01:00
Austin Songer b30aec65de Update win_susp_registration_via_cscript.yml 2021-11-05 18:45:49 -05:00
Austin Songer aec6f40203 Update win_susp_registration_via_cscript.yml 2021-11-05 18:15:24 -05:00
Austin Songer 5778b6e24f Update win_susp_registration_via_cscript.yml 2021-11-05 18:14:42 -05:00
Austin Songer 588c3a1b0b Create win_susp_registration_via_cscript.yml 2021-11-05 18:12:57 -05:00
frack113 a3f3ec84c9 fix product windows case 2021-11-05 13:16:24 +01:00
frack113 80d2aee944 Merge pull request #2227 from redsand/remove_duplicate_powershell_check 
Removing duplicate rule of Powershell memory check
 2021-11-05 11:15:38 +01:00
frack113 3416db7301 Merge pull request #2225 from frack113/cmdl32 
add win_pc_susp_cmdl32_lolbas
 2021-11-04 20:58:50 +01:00
frack113 a811acde00 Merge pull request #2224 from frack113/schtasks_appdata 
add win_pc_susp_schtasks_user_temp
 2021-11-04 20:58:31 +01:00
Tim Shelton dda204bd51 updating yaml 2021-11-04 18:56:07 +00:00
Tim Shelton e266491f0a adding obsoletes tags 2021-11-04 18:36:55 +00:00
frack113 e058e56c22 fix unknown 2021-11-04 18:07:16 +01:00
Tim Shelton 1ae596b634 removing rule 867613fb-fa60-4497-a017-a82df74a172c . this is a duplicate of 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f and does not contain an allow list of known processes. 2021-11-04 17:07:00 +00:00
frack113 5506b1c566 add OriginalFileName 2021-11-04 13:42:04 +01:00
frack113 edb1458791 add win_pc_susp_cmdl32_lolbas 2021-11-03 20:45:21 +01:00
frack113 be6186fa1c Forget the Local 2021-11-03 17:01:34 +01:00
frack113 5a4db26ec7 add win_pc_susp_schtasks_user_temp 2021-11-03 15:14:34 +01:00
zakibro 30f13d41f5 Update lnx_auditd_load_module_insmod.yml 
fixing missing date
 2021-11-02 17:16:59 +01:00
Pawel Mazur dd7817917c Linux - Auditd - Loading of Kernel Module via Insmod rule 2021-11-02 17:04:39 +01:00
frack113 eb9428ff6a Merge pull request #2221 from skirankumar/master 
Added another application
 2021-11-02 16:28:33 +01:00
S.kiran kumar 802cdb0189 Added another application 2021-11-01 21:41:57 +05:30
frack113 2a2bfab06e add win_pc_set_policies_to_unsecure_level 2021-11-01 15:35:46 +01:00
frack113 fb750721b2 Merge pull request #2212 from frack113/new_status 
New status from discussions
 2021-10-31 20:38:28 +01:00
frack113 eb242fba28 Merge pull request #2214 from elhoim/patch-1 
Adding multiple named pipes
 2021-10-31 07:44:31 +01:00
frack113 9f7d4a832e Update sysmon_mal_namedpipes.yml 2021-10-31 07:03:27 +01:00
frack113 21654923be Merge pull request #2218 from frack113/malware_run 
add user temp folder
 2021-10-31 07:01:10 +01:00
frack113 eba2f3b68f add temp folder 2021-10-30 17:28:07 +02:00
David André 0de88e2f30 Added four other named pipes and corrected one missing slash 2021-10-29 16:33:07 +02:00
David André 8c57d29561 Added turla hyperstack named pipe 2021-10-29 15:49:04 +02:00
frack113 bcdf13c680 Merge pull request #2213 from frack113/fix_rule 
Fix detection file_event_mal_vhd_download.yml
 2021-10-29 12:26:06 +02:00
Florian Roth f0dd02f483 fix: FPs with Failed Logon Reason rule 2021-10-29 10:25:27 +02:00
phantinuss 4b18d5e45c chore: set status to test 2021-10-29 09:57:19 +02:00
frack113 ef0f836a71 Fix detection 2021-10-29 08:21:41 +02:00
frack113 c49b0d49fa Add deprecated status 2021-10-28 20:08:27 +02:00
phantinuss 6fb27eeb76 fix: fix FPs found in production environment 2021-10-28 13:32:15 +02:00
frack113 8b86a79ef0 Merge pull request #2206 from frack113/order 
Move rules to correct directory
 2021-10-28 06:26:45 +02:00
frack113 d91eb0d0c0 Merge pull request #2204 from phantinuss/newrules 
New Rule: windows commandline path obfuscation
 2021-10-28 06:25:52 +02:00
frack113 957ba042f0 Merge pull request #2203 from OTRF/feature/Sysmon-v1330-Rules 
Unsupported rules now possible with Sysmonv13.30
 2021-10-28 06:25:35 +02:00
Roberto Rodriguez 7543b3e2a6 added definition to Sysmon 13.30 rule for priv escalation 2021-10-27 11:56:19 -04:00
frack113 c228cde0cb Move to correct directory 2021-10-27 14:38:51 +02:00
phantinuss 8b12794486 fix: change title and filename 2021-10-27 14:07:27 +02:00
phantinuss eb4ef6bcfc fix: single list item to value 2021-10-27 11:16:12 +02:00
Roberto Rodriguez d80f73625f Added the right System string to User filter 2021-10-27 01:22:19 -04:00
Roberto Rodriguez 9c7a736ca6 added integrity level for user 2021-10-27 01:06:37 -04:00
Roberto Rodriguez 5aac1b6879 Unsupported rule now possible with Sysmonv13.30 2021-10-27 01:04:24 -04:00
frack113 bba1e68669 Merge pull request #2200 from frack113/susp_del 
add process_creation_susp_del
 2021-10-27 06:33:04 +02:00
frack113 98d7380a40 Merge pull request #2197 from frack113/fix_title 
Fix title process_creation_powershell_web_request
 2021-10-27 06:31:45 +02:00
Florian Roth fcecb951d5 Merge branch 'master' into rule-devel 2021-10-26 22:03:55 +02:00
phantinuss 3983baf2b0 windows commandline obfuscation 2021-10-26 16:35:06 +02:00