Commit Graph

11444 Commits

Author SHA1 Message Date
Florian Roth fda9c753e2 Update image_load_msdt_sdiageng.yml 2022-06-17 18:46:14 +02:00
Florian Roth 725cadc902 Update image_load_msdt_sdiageng.yml 2022-06-17 08:49:17 +02:00
eiger 764dbc4e3c Fix: Sigma title error 2022-06-17 14:40:01 +08:00
eiger e4ab54d60f Rule: Follina and DogWalk exploit msdt.exe loading sdiageng.dll 2022-06-17 09:41:08 +08:00
eiger 7444869de3 Rule: Follina and DogWalk exploit msdt.exe loading sdiageng.dll 2022-06-17 09:29:20 +08:00
eiger 21edcafa36 Rule: Follina or DogWalk exploit sdiageng.dll 2022-06-17 09:21:57 +08:00
frack113 4b17d2df48 Merge pull request #3134 from leegengyu/patch-1
Update Description in proc_creation_win_sysinternals_eula_accepted.yml
2022-06-16 17:14:31 +02:00
G Y 1eb02a0025 Update proc_creation_win_sysinternals_eula_accepted.yml
Description changed (original description was taken from registry_add_sysinternals_eula_accepted.yml).
2022-06-16 14:49:17 +08:00
frack113 b95470333e Merge pull request #3131 from securepeacock/patch-26
Create registry_set_enabling_turn_off_check.yml
2022-06-15 19:19:25 +02:00
securepeacock aa01c73f72 Update registry_set_enabling_turnoffcheck.yml 2022-06-15 11:49:38 -04:00
securepeacock bd6f9936a5 Rename registry_set_enabling_turn_off_check.yml to registry_set_enabling_turnoffcheck.yml 2022-06-15 11:07:55 -04:00
securepeacock 35c6084ef7 Update registry_set_enabling_turn_off_check.yml 2022-06-15 10:55:15 -04:00
securepeacock 1f279f633a Update registry_set_enabling_turn_off_check.yml 2022-06-15 10:54:23 -04:00
securepeacock cfabbc4bdf Update registry_set_enabling_turn_off_check.yml 2022-06-15 10:51:15 -04:00
securepeacock c0f01c84b3 Create registry_set_enabling_turn_off_check.yml 2022-06-15 10:49:19 -04:00
Florian Roth 9d974d1a1f Merge pull request #3130 from nasbench/master
Add/Update Linux Rules
2022-06-15 13:23:16 +02:00
Nasreddine Bencherchali a2d19f3db2 Add FP filter + FP remark 2022-06-15 11:48:15 +01:00
Nasreddine Bencherchali 9f0989e49c Quick typo fix 2022-06-15 11:38:34 +01:00
Nasreddine Bencherchali 894f6af09f Removed double quotes 2022-06-15 11:30:01 +01:00
Nasreddine Bencherchali ee23e653f9 Added "GET" method selection 2022-06-15 11:29:31 +01:00
Nasreddine Bencherchali e42318b0fb Update web_ssti_in_access_logs.yml 2022-06-14 22:10:09 +01:00
Nasreddine Bencherchali 143d70a959 Renamed CVE rule 5 2022-06-14 22:06:07 +01:00
Nasreddine Bencherchali b54df8d9ce Rename+Update 2022-06-14 21:58:34 +01:00
Nasreddine Bencherchali 029ddd3e98 Merge branch 'master' of https://github.com/nasbench/sigma 2022-06-14 21:58:08 +01:00
Florian Roth 9a048a90b7 Merge pull request #3129 from nasbench/master
New/Update Rules
2022-06-14 21:18:01 +02:00
frack113 227eefc985 Merge pull request #3128 from f-block/patch-2
ProviderName seems to be wrong
2022-06-14 20:58:11 +02:00
Frank Block e10a9f0257 Re-added powershell related "ProviderName" mapping 2022-06-14 20:48:36 +02:00
Nasreddine Bencherchali 6fd2339d0c Merge branch 'master' of https://github.com/nasbench/sigma 2022-06-14 19:33:49 +01:00
Nasreddine Bencherchali bc94d575b7 Update proc_creation_win_susp_explorer_break_proctree.yml 2022-06-14 19:31:25 +01:00
Nasreddine Bencherchali 5bf7b49671 Renamed More Rules 2022-06-14 19:28:27 +01:00
Nasreddine Bencherchali f527b8eb4c Rename Web CVE Rules
Renamed WEB CVE rules to the format "web_cve_20XX_XXXX_rest_of_name"
2022-06-14 19:22:26 +01:00
Nasreddine Bencherchali 00db705ae6 Rename Web Rule 2022-06-14 19:13:15 +01:00
Nasreddine Bencherchali 3b7a405492 Update proc_creation_win_lolbin_forfiles.yml 2022-06-14 18:18:14 +01:00
frack113 d15c427f93 Merge pull request #3127 from f-block/patch-1
Fixes typo for TargetServerName mapping
2022-06-14 19:02:13 +02:00
Nasreddine Bencherchali 7f75aceaf7 Update proc_creation_win_lolbin_pcalua.yml 2022-06-14 17:41:09 +01:00
Nasreddine Bencherchali f9bbe7e423 Update proc_creation_win_susp_explorer_break_proctree.yml 2022-06-14 17:40:01 +01:00
Nasreddine Bencherchali f065928dc0 Create proc_creation_win_lolbin_pcalua.yml 2022-06-14 17:39:58 +01:00
Nasreddine Bencherchali f34bc22537 Create proc_creation_win_lolbin_forfiles.yml 2022-06-14 17:39:55 +01:00
Nasreddine Bencherchali 6476152624 Create proc_creation_win_conhost_path_traversal.yml 2022-06-14 17:39:52 +01:00
Frank Block 1e0a9fd8c1 Mapping name "Provider_Name" instead of "ProviderName"
The mapping identifier `ProviderName` doesn't occur in any Windows rule (except one: `powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml`).

Instead, the identifier `Provider_Name` is used.
2022-06-14 18:17:35 +02:00
Frank Block 06234d831d ProviderName seems to be wrong
`ProviderName: winlog.event_data.ProviderName` seems to be wrong (at least in our case). Actually, the mapping from the `winlogbeat-modules-enabled.yml` would be correct, but we definitely don't use the modules (the other mappings don't apply). Maybe the two got mixed up? Can't verify it for the modules config, but at least the `winlogbeat.yml` does seem to have this mapping wrong.
2022-06-14 17:45:36 +02:00
Frank Block b6ecf5cffd Fixes typo for TargetServerName mapping 2022-06-14 17:40:33 +02:00
Florian Roth 40be326cce Merge pull request #3124 from nasbench/msdt-rules
Update MSDT Rules
2022-06-13 23:04:12 +02:00
Florian Roth afce3ffcae Merge branch 'master' into msdt-rules 2022-06-13 22:55:40 +02:00
Florian Roth 2a4e6d8ebe Merge pull request #3123 from phantinuss/master
fix FP and add Follina reference to description
2022-06-13 22:54:54 +02:00
Florian Roth 90a12487d4 Merge pull request #3122 from nasbench/master
Renaming LOLBIN rules + Other Updates
2022-06-13 22:54:37 +02:00
Florian Roth 037bf0f6bb Update proc_creation_win_lolbin_susp_certreq_download.yml 2022-06-13 18:27:56 +02:00
Nasreddine Bencherchali 0e0f44fc0c Update proc_creation_win_msdt.yml 2022-06-13 16:36:19 +01:00
Nasreddine Bencherchali 8ca55de64c Update proc_creation_win_msdt.yml 2022-06-13 14:33:12 +01:00
Nasreddine Bencherchali ffd236158c Update MSDT Rules 2022-06-13 14:30:35 +01:00