security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Hasan 8196fbaada Parenthesis for condition statement 2021-06-16 10:41:52 +05:00
mlp1515 b4883701b4 Update sysmon_wmi_module_load.yml 2021-06-15 16:16:28 +02:00
mlp1515 efeb5956a0 Merge branch 'SigmaHQ:master' into master 2021-06-15 16:12:07 +02:00
Hasan 415ced0023 Corrected MITRE reference tag 2021-06-15 19:07:50 +05:00
Hasan f079556067 Removed GUID phrase from description 2021-06-15 17:14:32 +05:00
Hasan 1764714e26 Rule to detect new TaskCache Entry 2021-06-15 17:08:14 +05:00
Hasan 1114a25a2c Removal of NODE from ALL filter for better coverage 2021-06-15 17:07:51 +05:00
Hasan 82bcfb29c3 Addition of Safemode flags 2021-06-15 17:07:02 +05:00
Florian Roth 9b93165ece BackdoorDiplomacy UA 2021-06-15 10:39:08 +02:00
Florian Roth 1650d4638d Merge pull request #1548 from luffynextgen/master 
Create sysmon_svchost_cred_dump.yml
 2021-06-14 14:27:25 +02:00
Florian Roth 0377a30893 fix: several issues 2021-06-14 09:42:25 +02:00
Florian Roth 59df5119c2 Merge pull request #1552 from frack113/fix_category 
Fix some sysmon category
 2021-06-14 09:34:15 +02:00
mlp1515 910aed232b Update sysmon_powershell_network_connection.yml 2021-06-14 09:10:34 +02:00
mlp1515 aa629d465b Update sysmon_powershell_network_connection.yml 
Add modified field
 2021-06-14 08:56:57 +02:00
mlp1515 aa5dab332e Update win_multiple_suspicious_cli.yml 
Modify modified field
 2021-06-14 08:54:07 +02:00
luffynextgen 6fd7979659 Update sysmon_svchost_cred_dump.yml 2021-06-14 08:52:16 +02:00
mlp1515 9a98a6dbed Update sysmon_powershell_network_connection.yml 
Add of the french OS value for User field
 2021-06-14 08:48:24 +02:00
frack113 558bcd5ceb Fix all the rules to pass the test 2021-06-14 07:33:26 +02:00
mlp1515 ecfb42fcb2 Update win_multiple_suspicious_cli.yml 
Add contains in CommandLine condition
 2021-06-13 13:43:43 +02:00
Florian Roth ae06ebcae0 Merge pull request #1551 from xg5-simon/xg5-simon 
Support for VMware Carbon Black Cloud EEDR
 2021-06-10 18:35:16 +02:00
Florian Roth ff314b1220 Merge pull request #1550 from humpalum/master 
Rules: persitence by exploiting Outlook or Exchange
 2021-06-10 18:34:43 +02:00
Florian Roth 3f46d0ea28 Update sysmon_outlook_newform.yml 2021-06-10 17:41:57 +02:00
frack113 fb2d0092f1 forget to add modified 2021-06-10 17:27:15 +02:00
Florian Roth bf40b64f91 docs: better title in crowdstrike config 2021-06-10 17:07:01 +02:00
frack113 4e516414c9 Split to Convert eventID to correct category 2021-06-10 16:58:45 +02:00
frack113 a0aed54f7d Convert eventID 22 to category dns_query 2021-06-10 16:43:33 +02:00
Tobias Michalski 54e98c8441 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 16:41:22 +02:00
Tobias Michalski 1f52763878 Removed EventIDs 2021-06-10 16:41:00 +02:00
frack113 7cb10b5475 convert eventID to category 2021-06-10 16:36:14 +02:00
Tobias Michalski e8c38a9d6c Renamed file to all lowercase 2021-06-10 16:35:02 +02:00
Florian Roth 83dddf99b4 Update win_exchange_TransportAgent.yml 2021-06-10 16:07:22 +02:00
Florian Roth 0cfc462fb9 fix: fixed driver load rule 2021-06-10 16:03:35 +02:00
Florian Roth cd0531b345 fix: removed process_creation log source 2021-06-10 15:37:00 +02:00
Florian Roth cd2792f82c Merge pull request #1547 from frack113/new_filter_condition 
Add New filter condition
 2021-06-10 14:42:44 +02:00
Tobias Michalski 3970934252 Switched EventID:1 to category: process_creation 2021-06-10 14:13:29 +02:00
Tobias Michalski b1913deaca Removed extra whitespace 2021-06-10 14:09:16 +02:00
luffynextgen e170a4a12a Update sysmon_svchost_cred_dump.yml 
following the advices given to me I changed the category and the filter to be closer to sysmon field.
 2021-06-10 14:04:58 +02:00
Simon 1d081e300d Support for VMware Carbon Black Cloud EEDR 
Add support for VMware Carbon Black Cloud EEDR. Field mappings derived from https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search-fields/
 2021-06-10 21:45:29 +10:00
Tobias Michalski 56d200bad0 Fixed meta informations 2021-06-10 12:44:19 +02:00
Tobias Michalski bbc8633c67 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 11:32:08 +02:00
Tobias Michalski 4d6e7e1338 Rules persitence by exploiting Outlook or Exchange 2021-06-10 11:26:21 +02:00
Florian Roth 5e35e387dd Merge pull request #1549 from SigmaHQ/rule-devel 
Rule devel
 2021-06-10 10:19:47 +02:00
Florian Roth 45c3d4702b Merge pull request #1520 from SyeedHasan/master 
Detection rule for 'ISO mounts'
 2021-06-10 09:51:29 +02:00
Florian Roth 78817d100b style: removed unneeded space chars 2021-06-10 09:42:19 +02:00
Florian Roth 9c0700bc56 Powershell artefacts to critical 2021-06-10 09:42:07 +02:00
Florian Roth 04faf985d2 more PowerShell suspicious keywords 2021-06-10 09:41:55 +02:00
Florian Roth f52ed7604c BabyShark Pattern 2021-06-10 09:41:36 +02:00
Florian Roth 28abdf3a81 Update win_iso_mount.yml 2021-06-10 09:31:40 +02:00
luffynextgen c75d92410d Create sysmon_svchost_cred_dump.yml 2021-06-10 09:30:08 +02:00
Florian Roth b2d0fbba2c Adjustments 2021-06-10 09:12:37 +02:00