Commit Graph

11629 Commits

Author SHA1 Message Date
Florian Roth 9d974d1a1f Merge pull request #3130 from nasbench/master
Add/Update Linux Rules
2022-06-15 13:23:16 +02:00
Nasreddine Bencherchali a2d19f3db2 Add FP filter + FP remark 2022-06-15 11:48:15 +01:00
Nasreddine Bencherchali 9f0989e49c Quick typo fix 2022-06-15 11:38:34 +01:00
Nasreddine Bencherchali 894f6af09f Removed double quotes 2022-06-15 11:30:01 +01:00
Nasreddine Bencherchali ee23e653f9 Added "GET" method selection 2022-06-15 11:29:31 +01:00
Nasreddine Bencherchali e42318b0fb Update web_ssti_in_access_logs.yml 2022-06-14 22:10:09 +01:00
Nasreddine Bencherchali 143d70a959 Renamed CVE rule 5 2022-06-14 22:06:07 +01:00
Nasreddine Bencherchali b54df8d9ce Rename+Update 2022-06-14 21:58:34 +01:00
Nasreddine Bencherchali 029ddd3e98 Merge branch 'master' of https://github.com/nasbench/sigma 2022-06-14 21:58:08 +01:00
Florian Roth 9a048a90b7 Merge pull request #3129 from nasbench/master
New/Update Rules
2022-06-14 21:18:01 +02:00
frack113 227eefc985 Merge pull request #3128 from f-block/patch-2
ProviderName seems to be wrong
2022-06-14 20:58:11 +02:00
Frank Block e10a9f0257 Re-added powershell related "ProviderName" mapping 2022-06-14 20:48:36 +02:00
Nasreddine Bencherchali 6fd2339d0c Merge branch 'master' of https://github.com/nasbench/sigma 2022-06-14 19:33:49 +01:00
Nasreddine Bencherchali bc94d575b7 Update proc_creation_win_susp_explorer_break_proctree.yml 2022-06-14 19:31:25 +01:00
Nasreddine Bencherchali 5bf7b49671 Renamed More Rules 2022-06-14 19:28:27 +01:00
Nasreddine Bencherchali f527b8eb4c Rename Web CVE Rules
Renamed WEB CVE rules to the format "web_cve_20XX_XXXX_rest_of_name"
2022-06-14 19:22:26 +01:00
Nasreddine Bencherchali 00db705ae6 Rename Web Rule 2022-06-14 19:13:15 +01:00
Nasreddine Bencherchali 3b7a405492 Update proc_creation_win_lolbin_forfiles.yml 2022-06-14 18:18:14 +01:00
frack113 d15c427f93 Merge pull request #3127 from f-block/patch-1
Fixes typo for TargetServerName mapping
2022-06-14 19:02:13 +02:00
Nasreddine Bencherchali 7f75aceaf7 Update proc_creation_win_lolbin_pcalua.yml 2022-06-14 17:41:09 +01:00
Nasreddine Bencherchali f9bbe7e423 Update proc_creation_win_susp_explorer_break_proctree.yml 2022-06-14 17:40:01 +01:00
Nasreddine Bencherchali f065928dc0 Create proc_creation_win_lolbin_pcalua.yml 2022-06-14 17:39:58 +01:00
Nasreddine Bencherchali f34bc22537 Create proc_creation_win_lolbin_forfiles.yml 2022-06-14 17:39:55 +01:00
Nasreddine Bencherchali 6476152624 Create proc_creation_win_conhost_path_traversal.yml 2022-06-14 17:39:52 +01:00
Frank Block 1e0a9fd8c1 Mapping name "Provider_Name" instead of "ProviderName"
The mapping identifier `ProviderName` doesn't occur in any Windows rule (except one: `powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml`).

Instead, the identifier `Provider_Name` is used.
2022-06-14 18:17:35 +02:00
Frank Block 06234d831d ProviderName seems to be wrong
`ProviderName: winlog.event_data.ProviderName` seems to be wrong (at least in our case). Actually, the mapping from the `winlogbeat-modules-enabled.yml` would be correct, but we definitely don't use the modules (the other mappings don't apply). Maybe the two got mixed up? Can't verify it for the modules config, but at least the `winlogbeat.yml` does seem to have this mapping wrong.
2022-06-14 17:45:36 +02:00
Frank Block b6ecf5cffd Fixes typo for TargetServerName mapping 2022-06-14 17:40:33 +02:00
Florian Roth 40be326cce Merge pull request #3124 from nasbench/msdt-rules
Update MSDT Rules
2022-06-13 23:04:12 +02:00
Florian Roth afce3ffcae Merge branch 'master' into msdt-rules 2022-06-13 22:55:40 +02:00
Florian Roth 2a4e6d8ebe Merge pull request #3123 from phantinuss/master
fix FP and add Follina reference to description
2022-06-13 22:54:54 +02:00
Florian Roth 90a12487d4 Merge pull request #3122 from nasbench/master
Renaming LOLBIN rules + Other Updates
2022-06-13 22:54:37 +02:00
Florian Roth 037bf0f6bb Update proc_creation_win_lolbin_susp_certreq_download.yml 2022-06-13 18:27:56 +02:00
Nasreddine Bencherchali 0e0f44fc0c Update proc_creation_win_msdt.yml 2022-06-13 16:36:19 +01:00
Nasreddine Bencherchali 8ca55de64c Update proc_creation_win_msdt.yml 2022-06-13 14:33:12 +01:00
Nasreddine Bencherchali ffd236158c Update MSDT Rules 2022-06-13 14:30:35 +01:00
phantinuss d382f91313 fix: FP with AVG antivirus 2022-06-13 13:30:21 +02:00
phantinuss 92c2976793 docs: add Follina reference in description 2022-06-13 13:30:21 +02:00
Nasreddine Bencherchali e96532344f Removed "modified" date 2022-06-13 11:31:47 +01:00
Nasreddine Bencherchali 21f20c9e7a Renamed to shorter names 2022-06-13 00:52:53 +01:00
Nasreddine Bencherchali 7b3e6c7f59 Update proc_creation_win_lolbin_rasautou_dll_execution.yml 2022-06-13 00:21:32 +01:00
Nasreddine Bencherchali ffd135c6b6 Renamed LOLBIN rules + Other 2022-06-12 23:59:25 +01:00
Nasreddine Bencherchali 13b02a2aec Renamed LOLBIN Rules 2 2022-06-12 21:37:42 +01:00
Nasreddine Bencherchali 3cfb370266 Renamed LOLBIN Rules 2022-06-12 21:36:52 +01:00
Florian Roth 6d07a3aaff Merge pull request #3121 from frack113/Cmdkey
Update Cmdkey
2022-06-12 18:37:19 +02:00
Florian Roth 1c8c9d4ff2 refactor: one more space char 2022-06-12 18:06:51 +02:00
frack113 dc67990e07 Update proc_creation_win_local_system_owner_account_discovery.yml 2022-06-12 17:58:33 +02:00
frack113 fb0618795f Update proc_creation_win_mstsc.yml 2022-06-12 17:52:37 +02:00
Florian Roth 9caea8bb03 Merge pull request #3118 from SigmaHQ/rule-devel
rules: DNS ext requests, ISO phish, BITS refactor
2022-06-12 17:51:11 +02:00
frack113 b0730c613b Update Cmdkey 2022-06-12 17:31:24 +02:00
Florian Roth 49f37684dc fix: FPs with BITS rule 2022-06-12 17:30:17 +02:00