security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,485 Commits 1 Branch 57 Tags
fe71d21d97de7d39efd4a0cc6a4c08d367cdaebd
Commit Graph

3485 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth fe71d21d97 style: removed new lines 2020-07-01 09:11:00 +02:00
Florian Roth b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Florian Roth ba682c5de6 Merge pull request #863 from qwerty1q2w/feature 
add win_not_allowed_rdp_access.yml rule
 2020-06-30 10:03:11 +02:00
Florian Roth 77553e11e8 Update win_not_allowed_rdp_access.yml 2020-06-30 10:03:00 +02:00
Florian Roth 2e3669a5a4 Merge pull request #865 from j91321/defender-rules 
Windows Defender logsource and rules
 2020-06-30 10:01:17 +02:00
Florian Roth eb3a6e86af Merge pull request #867 from HarishHary/suspicious_powershell_parent_process 
New Rule: Suspicious powershell parent process
 2020-06-30 10:00:28 +02:00
Florian Roth 2c3f98dc83 Merge pull request #868 from HarishHary/pwsh_xor_commandline 
New Rule: PowerShell xor commandline
 2020-06-30 10:00:07 +02:00
Harish SEGAR 9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR 5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Harish SEGAR 649e4eaa63 Added new rule for pwsh_xor_cmd 2020-06-29 22:09:58 +02:00
Florian Roth 5a11ef90d0 rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR 1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Florian Roth bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
j91321 24029d998a FIX: lint error for title 2020-06-28 11:05:19 +02:00
j91321 ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Thomas Patzke 0ee47e118c Merge branch 'pr-848' 2020-06-28 01:04:30 +02:00
Thomas Patzke 89ed9f3763 Merge pull request #819 from cclauss/patch-2 
Undefined name: from .exceptions import SigmaCollectionParseError
 2020-06-28 00:37:09 +02:00
Thomas Patzke 4309082d6b Merge pull request #818 from cclauss/patch-1 
Undefined name: parser_print_help() --> parser.print_help()
 2020-06-28 00:34:27 +02:00
Thomas Patzke 09378b5ebf Fixed unsupported attempt to index a set 2020-06-28 00:27:33 +02:00
Thomas Patzke 415f826ece Merge branch 'default-pop' of https://github.com/rtkbkish/sigma into rtkbkish-default-pop 2020-06-28 00:09:39 +02:00
Thomas Patzke b1e4f44c21 Merge pull request #823 from Kuermel/master 
Add more Options for XPackWatcherBackend (Elasticsearch)
 2020-06-28 00:03:04 +02:00
Thomas Patzke d1f37bdbd4 Merge pull request #828 from stevengoossensB/master 
Split rules based on Sysmon event ID
 2020-06-28 00:00:32 +02:00
Thomas Patzke de5e453e19 Merge pull request #831 from 404d/cbr-backend-tweaks 
Add parentheses around field list groups in CB
 2020-06-27 23:39:57 +02:00
Pushkarev Dmitry 502ec4b417 add win_not_allowed_rdp_access.yml rule 2020-06-26 22:15:53 +00:00
Florian Roth 555c94bd7e Merge pull request #861 from jaegeral/patch-4 
s/straight forward/straightforward
 2020-06-26 15:40:09 +02:00
Alexander J 839e06e37a s/straight forward/straightforward 
Fix a typo.
 2020-06-26 12:40:06 +02:00
Florian Roth da46ff6e93 docs: descriptions for source configs 2020-06-25 13:59:51 +02:00
Florian Roth 825bda397d desc: better descriptions in help for backends and configurations 2020-06-25 13:21:43 +02:00
Florian Roth 3decee07ba fix: bugfix and cosmetics 2020-06-24 18:10:58 +02:00
Florian Roth 07c0a6558e fix: wording on sysmon mapping file 2020-06-24 17:49:42 +02:00
Florian Roth f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Florian Roth 4224a6517d Merge pull request #859 from Neo23x0/rule-devel 
fix: duplicate IDs
 2020-06-24 17:23:13 +02:00
Florian Roth 6d7f991424 Merge pull request #853 from rtkbkish/fix-win_ad_object_writedac_access 
Fix quoting for AD Object WriteDAC Access
 2020-06-24 17:06:15 +02:00
Florian Roth c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Brad Kish d385cbfa69 Fix quoting for AD Object WriteDAC Access 
The AccessMask field needs to be quoted so that it is compared correctly.
 2020-06-22 15:31:03 -04:00
Florian Roth e2a16087c9 Merge pull request #851 from ozirus/master 
Update for new method
 2020-06-22 20:11:39 +02:00
Furkan ÇALIŞKAN b091e3b1c4 Update for new method 
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 2020-06-22 01:06:34 +03:00
Florian Roth 1ef81a36af Merge pull request #850 from Neo23x0/rule-devel 
K3chang and IE Registry Mods
 2020-06-19 11:25:43 +02:00
Florian Roth 912ad94771 fix: missing ATT&CK id in tests 2020-06-19 10:00:44 +02:00
Florian Roth e1225784f7 fix: fixed indentation 2020-06-19 09:54:08 +02:00
Florian Roth 62632db818 refactor: added variant to IE rule 2020-06-19 09:53:35 +02:00
Florian Roth 5cb6f5da9d fix: title adjusted 2020-06-19 09:39:11 +02:00
Florian Roth b8a5cd4787 Disabled IE Security Features 2020-06-19 09:37:10 +02:00
Florian Roth da060bfb90 Ke3chang rule 2020-06-19 09:36:54 +02:00
Florian Roth b675c4c706 Merge branch 'master' into rule-devel 2020-06-19 09:24:26 +02:00
Brad Kish 203aa192c7 Fix multiple references to default field mapping in same rule 
If there is a default mapping specified for a fieldmapping and that field is
referenced multiple times in the rule, the default mapping will be "pop"ped
and return the unmapped key on subsequent uses.

Don't pop the value. Just return the first entry.
 2020-06-18 13:01:31 -04:00
Florian Roth 4b0c80885f Merge pull request #810 from EccoTheFlintstone/fp 
add WMI module load false positives
 2020-06-18 12:50:40 +02:00
Florian Roth 32ecb81630 Merge pull request #845 from ikiril01/att&ck_subtechniques_v2 
ATT&CK subtechniques v2
 2020-06-18 09:10:09 +02:00
Ivan Kirillov 69760f6446 Added subtechniques to MITRE_TECHNIQUES 2020-06-17 11:51:48 -06:00