blue-team-tools

Author	SHA1	Message	Date
Florian Roth	33af006479	Merge pull request #1389 from ZikyHD/patch_win_susp_wuauclt Fix ProcessCommandLine field	2021-03-20 08:29:23 +01:00
Florian Roth	01fcfd4f76	Merge pull request #1390 from ZikyHD/patch_win_proc_wrong_parent Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)	2021-03-20 08:29:09 +01:00
Florian Roth	2472926c48	Merge pull request #1391 from ZikyHD/patch_win_etw_trace_evasion Fix win_etw_trace_evasion rule	2021-03-20 08:28:51 +01:00
Florian Roth	6ac6b9295b	Merge pull request #1392 from hustlibraco/patch-1 Update winlogbeat.yml	2021-03-20 08:28:35 +01:00
Florian Roth	a6cd34dbc4	Merge pull request #1396 from albchen/patch-1 Updated for use with Image Load events	2021-03-20 08:28:19 +01:00
albchen	42e82c95df	Updated for use with Image Load events Added compatibility to add DeviceImageLoadEvents if "image_load" category is found. Also, field ImageLoaded added to the mapping.	2021-03-18 15:49:25 -07:00
Florian Roth	dd4a1ac393	fix: prone to FPs - use is unclear https://regex101.com/r/tss5TZ/1	2021-03-18 16:44:49 +01:00
Florian Roth	6b2bcd3d87	Merge pull request #1395 from SigmaHQ/rule-devel Rule devel	2021-03-18 10:52:02 +01:00
Florian Roth	d30e87d543	fix: lsass access - FPs with AV / EDR software	2021-03-18 09:04:03 +01:00
Florian Roth	92510e2507	extended Exchange post-exploitation rule	2021-03-17 18:01:45 +01:00
Florian Roth	6645e2b2dd	Merge pull request #1394 from Codehardt/master fix: syntax error in THOR's config file	2021-03-17 16:54:08 +01:00
Codehardt	6d626456f2	fix: syntax error in THOR's config file	2021-03-17 11:49:50 +01:00
Florian Roth	943f8513e2	Merge pull request #1393 from SigmaHQ/rule-devel Rule devel	2021-03-16 16:35:55 +01:00
Florian Roth	bfc99996b5	fix: Bug in rule condition	2021-03-16 16:35:21 +01:00
Florian Roth	32adf0c3ce	fix: prone to FPs	2021-03-16 15:52:35 +01:00
libraco	3c5624ca88	Update winlogbeat.yml add `SAMAccountName: winlog.event_data.SamAccountName` mapping for rules/windows/builtin/win_vul_cve_2020_1472.yml	2021-03-15 23:54:28 +08:00
libraco	2971a08734	Update winlogbeat.yml add AccessList mapping of winlogbeat for rules/windows/builtin/win_susp_lsass_dump_generic.yml.	2021-03-15 23:01:07 +08:00
zikyhd	e91822e070	Fix win_etw_trace_evasion rule	2021-03-15 15:02:18 +01:00
Cedric HIEN	864973888e	Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)	2021-03-15 12:07:05 +01:00
Cedric HIEN	e4f24f4e1f	Fix ProcessCommandLine field	2021-03-15 11:56:19 +01:00
Florian Roth	310888bae7	Merge pull request #1386 from SigmaHQ/rule-devel Rule devel	2021-03-15 10:52:57 +01:00
Florian Roth	70f9480ec5	fix: wrong field name	2021-03-15 08:14:43 +01:00
Cyb3rPandaH	f138a27426	CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property Rule to detect an adversary setting OabVirtualDirectory External URL property to a script	2021-03-15 00:33:47 -04:00
Thomas Patzke	f4734cd5e5	Merge pull request #1309 from WuerthIT:logsourcemerging functionality for parameter logsourcemerging	2021-03-13 22:25:29 +01:00
Thomas Patzke	c13f3f1383	Merge pull request #1325 from dennispo/align-simac-stixshifter sigmac to STIX enhancements	2021-03-13 18:49:12 +01:00
Thomas Patzke	bbe41fff95	Merge pull request #1364 from SigmaHQ/dependabot/pip/aiohttp-3.7.4 build(deps): bump aiohttp from 3.6.2 to 3.7.4	2021-03-13 18:47:33 +01:00
Thomas Patzke	99c7889363	Merge pull request #1368 from roysjosh/stable-risk-scores es-rule: make risk scores stable	2021-03-13 18:46:37 +01:00
Thomas Patzke	d4aa34c0ae	Merge pull request #1385 from socprime/chronicle_security_backend Chronicle Security Backend contributed by SOC Prime.	2021-03-13 18:45:12 +01:00
Florian Roth	a0b034aa2b	fix: better exclusion	2021-03-13 09:09:43 +01:00
Florian Roth	145c3bc2ca	refactor: more hafnium indicators	2021-03-13 09:07:58 +01:00
Florian Roth	69ee1cece2	fix: FPs	2021-03-13 09:07:44 +01:00
vh	7eeed68fb4	Chronicle Security Backend contributed by SOC Prime.	2021-03-12 12:21:44 +02:00
Florian Roth	48da4e1314	Update win_apt_hafnium.yml	2021-03-11 13:55:31 +01:00
Florian Roth	9084fc4fa7	Update on HAFNIUM rule https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3	2021-03-11 13:38:07 +01:00
Florian Roth	27fef60ace	Merge pull request #1383 from SigmaHQ/rule-devel fix: FPs with LSASS Access from Non System Account	2021-03-10 18:59:29 +01:00
Florian Roth	78004cc29c	fix: condition contains - values without 0x	2021-03-10 18:56:05 +01:00
Florian Roth	29dec7dd8b	fix: FPs with LSASS Access from Non System Account	2021-03-10 18:51:27 +01:00
yugoslavskiy	519e480333	Merge pull request #1176 from concorde18/DLL-execution-via-register-cimprovider.exe Dll execution via register cimprovider.exe	2021-03-10 17:40:54 +01:00
Bhabesh Rai	a58c5ed7cc	Added rule for CVE-2021-21978 in VMware View Planner	2021-03-10 18:05:15 +05:45
concorde18	87059fe80b	Merge branch 'oscd' into DLL-execution-via-register-cimprovider.exe	2021-03-10 11:35:55 +03:00
concorde18	f694de74aa	Create win_susp_diskshadow.yml	2021-03-10 11:33:12 +03:00
concorde18	b73815e883	Update win_susp_Register_cimprovider.yml	2021-03-10 11:25:13 +03:00
Johnny Walker	0873c57acf	Update netwitness.py nullExpression fixed to be really null (missing exclamation mark)	2021-03-09 17:43:44 +01:00
Johnny Walker	4e5a9a58a5	Update netwitness-epl.py nullExpression and notNullExpression fixed to be logically coherent and compatible with EPL syntax	2021-03-09 17:41:54 +01:00
Florian Roth	f0051ffcf6	Merge pull request #1378 from SigmaHQ/rule-devel HAFNIUM activity	2021-03-09 15:42:32 +01:00
Florian Roth	dca5c870d7	Merge pull request #1374 from hieuttmmo/master Detect HAFNIUM operations	2021-03-09 09:16:52 +01:00
Florian Roth	ec490b40ec	fix: 1 of them condition	2021-03-09 09:15:12 +01:00
Florian Roth	563335ec5a	rule: suspicious service binary location	2021-03-09 09:01:36 +01:00
Florian Roth	2ded9543f3	rule: HAFNIUM post-exploitation activity	2021-03-09 09:01:24 +01:00
BlueTeamOps	26a5300208	added spaces for oudmp and dclist	2021-03-09 08:22:36 +11:00

... 92 93 94 95 96 ...

10511 Commits