Commit Graph

91 Commits

Author SHA1 Message Date
frack113 ffbeec134d Update image_load_wmiprvse_wbemcomn_dll_hijack.yml 2021-09-09 19:56:20 +02:00
frack113 d9cd1652f2 Split global sysmon rules 2021-09-09 16:11:41 +02:00
Thomas Patzke d9edc9f0e3 Merge branch 'fix' 2021-09-08 00:19:09 +02:00
Thomas Patzke 143744bc12 Various fixes 2021-09-07 23:38:07 +02:00
    * Backslashes in regular expressions
    * Casing of condition operators
    * Further small errors
Florian Roth cfbde22d2d rule: PRIVATELOG image load 2021-09-07 10:10:14 +02:00
frack113 a6bb5574fb Update global id 2021-09-03 06:35:35 +02:00
frack113 ace46c17be Update cve tags 2021-08-24 10:27:27 +02:00
frack113 768855e6d6 update modified after FP fix 2021-08-18 18:17:53 +02:00
Florian Roth 44013e25c8 fix: FPs with WMIADAP.exe 2021-08-18 17:26:57 +02:00
frack113 db0de126a5 test author for Detection Rule License 1.1 2021-08-14 19:16:36 +02:00
frack113 e45557316e Fix selection with only 1 element 2021-08-14 09:54:27 +02:00
Florian Roth 7f071d7851 Merge pull request #1554 from mlp1515/master 2021-07-12 10:43:26 +02:00
    Update win_multiple_suspicious_cli.yml
Thomas Patzke 0b83c12dd1 Merge branch 'devel-tp' 2021-07-12 10:21:19 +02:00
Thomas Patzke 0b590aba5d Adjusted Spool Service DLL load rule 2021-07-11 09:29:43 +02:00
Florian Roth 58a634b0b6 Merge branch 'master' into master 2021-07-11 00:32:55 +02:00
Florian Roth db8cc0ee2d Merge pull request #1656 from SigmaHQ/rule-devel 2021-07-08 15:03:28 +02:00
    rule: suspicious vss ps load / PrintNightmare updates
Florian Roth 2055f78780 refactor: make the rule more usable 2021-07-08 09:05:57 +02:00
Florian Roth 79338b2dbd fix: title 2021-07-08 08:33:46 +02:00
Florian Roth 96ea35fd92 rule: suspicious vss ps load 2021-07-07 18:21:57 +02:00
mlp1515 29a6a2d5fb Merge branch 'SigmaHQ:master' into master 2021-07-07 08:25:04 +02:00
leegengyu 5d10cc68da Update mordordatasets references 2021-07-06 16:35:20 +08:00
wagga40 ae670603e8 Updated PrintNightmare Sysmon Imageload based rule with modifiers 2021-07-01 21:34:53 +02:00
Bhabesh Rai 69ca905506 Fixed bug in path 2021-07-01 12:26:00 +05:45
Bhabesh Rai dac9831d59 Fixed modified date 2021-07-01 12:23:38 +05:45
Bhabesh Rai 86f0ff5e44 Added new paths 2021-07-01 12:21:27 +05:45
Bhabesh Rai 206adbb2b6 Merging upstream updates 2021-07-01 12:18:30 +05:45
Bhabesh Rai e2c6b6977d Added new path 2021-07-01 12:12:09 +05:45
mlp1515 b4883701b4 Update sysmon_wmi_module_load.yml 2021-06-15 16:16:28 +02:00
Florian Roth adbdb5b22f Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
Jonhnathan 627a83914a Update Threat Hunter Playbook Reference 2021-05-22 01:01:33 -03:00
Jonhnathan 3853d71c56 Update Threat Hunter Playbook Reference 2021-05-22 01:01:07 -03:00
frack113 168d5c9dff Fix falsepositives list 2021-05-21 12:32:24 +02:00
Florian Roth 30bee7204c Merge pull request #1475 from wagga40/master 2021-05-14 08:59:39 +02:00
    Modified some field values for case sensitive backends (SQL)
wagga40 8944ccea04 Modified some field values for case sensitive backends (SQL) 2021-05-13 06:19:04 +02:00
frack113 0fd8606e00 image_load is a category 2021-05-12 09:02:04 +02:00
frack113 fa72242ff0 image_load is a category 2021-05-12 08:59:51 +02:00
Steven d263b937b4 Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 02:02:25 +02:00
Steven 7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs 2021-04-15 01:40:31 +02:00
    - Added file_delete category (Sysmon Event ID 23) to the generic translation file
Thomas Patzke 3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
Thomas Patzke a10db2df89 Fixes&improvements 2021-04-08 01:06:40 +02:00
Thomas Patzke 90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
Anton Kutepov 3f45269296 Merge branch 'oscd' 2021-03-02 22:58:41 +03:00
    B
    B
    B
    B
    A
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
yugoslavskiy 82e5d031b0 Merge pull request #1139 from omkar72/oscd-4 2021-01-05 23:17:25 +03:00
    [OSCD] script applications loading .net dll
yugoslavskiy b5c78212ad Merge pull request #1076 from nsaddler/oscd5 2021-01-05 23:06:37 +03:00
    [OSCD] Powershell without powershell.exe Rule Added
yugoslavskiy c7e9522f29 Merge pull request #1077 from uchakin/oscd 2021-01-05 23:06:24 +03:00
    [OSCD] UAC bypass added
Daniel Masse fedda17231 Update the azure image_load rule to be a generic sysmon rule 2020-12-23 16:29:49 -05:00
Jonhnathan a9fde0117b Merge branch 'oscd' into oscd_rules_improvement 2020-11-28 14:52:31 -03:00
Jonhnathan 43ffb80d94 Remove additional backslash 2020-11-19 23:09:50 -03:00
Jonhnathan 44652c4ffd Remove additional backslash 2020-11-19 23:08:40 -03:00