security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

77 Commits

Author SHA1 Message Date
Florian Roth 6b2bacd2cc Merge pull request #1979 from frack113/test_global 
Change ID in global action rule
 2021-09-06 08:44:14 +02:00
frack113 135d0a2c61 Update global id 2021-09-03 06:50:00 +02:00
frack113 f90c7558a7 update global id 2021-09-02 21:03:25 +02:00
frack113 1ba0a7c7a3 add missing tags 2021-09-01 19:38:35 +02:00
phantinuss 3155f7172d detection for proxyshell MSF module 2021-08-31 12:51:16 +02:00
mlp1515 cce7cfc79a Update win_tool_psexec.yml 
French language settings
 2021-08-26 12:51:45 +00:00
Max Altgelt 82dde594d1 feat: Add rule for malicious CSR export on Exchange 2021-08-23 11:20:30 +02:00
Austin Songer c9128687ee Spelling Errors on Rules 2021-08-18 18:58:20 +00:00
frack113 f69868b5aa Merge pull request #1834 from secDre4mer/master 
Correct incorrect message / keyword usage
 2021-08-16 09:16:33 +02:00
Max Altgelt ce326cb903 fix: Correct broken rules, add documentation 2021-08-13 15:46:30 +02:00
frack113 62e541ec7f Merge pull request #1784 from frack113/winlogbeat-modules-enabled 
Update Mapping Winlogbeat modules enabled
 2021-08-12 19:14:17 +02:00
Max Altgelt 6f05e33feb fix: Correct incorrect message / keyword usage 
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
 2021-08-12 16:28:07 +02:00
Florian Roth 08883c8e32 refactor: removed old rule that uses Message field 
Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible.

We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details)
 2021-08-12 09:27:50 +02:00
phantinuss a880663d51 fix: add missing 'all of' for 'and' conjunction of the assignment keywords 2021-08-11 17:46:10 +02:00
phantinuss 1c919c07c7 exchange mailbox export with generic keyword search (Message is not a real field) 2021-08-11 16:57:15 +02:00
frack113 f4bef0fc39 Add Microsoft-Windows-Windows Defender/Operational 2021-08-06 11:12:34 +02:00
frack113 cf8d8d3ed4 fix TargetFilename case error 2021-08-06 08:43:05 +02:00
frack113 c6cb7f1247 fix missing references and duplicate UUID 2021-07-15 11:06:54 +02:00
phantinuss bf9b82fc45 medium level rule for Windows Defender Exclusions 2021-07-13 13:16:25 +02:00
Bhabesh Rai 3bc6532049 Added and updated Defender's tamper related rules 2021-07-05 20:30:07 +05:45
Bhabesh Rai 206adbb2b6 Merging upstream updates 2021-07-01 12:18:30 +05:45
mat b3e36281b5 fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00
Florian Roth b31ed47ccf Merge branch 'master' into devel 2020-11-26 09:44:56 +01:00
Florian Roth 2cd9b794e6 Merge pull request #1007 from d4rk-d4nph3/master 
Windows Defender AMSI Trigger Detected
 2020-09-15 15:45:00 +02:00
Bhabesh Rai 03c7d751c0 Windows Defender AMSI Trigger Detected 2020-09-14 18:10:38 +05:45
Yugoslavskiy Daniil 1fc202fe5d fix typos, update tags 2020-09-13 15:46:45 +02:00
Florian Roth de5444a81e Merge pull request #989 from oscd-initiative/master 
[OSCD Initiative][ATT&CK tags update]
 2020-09-08 13:27:58 +02:00
Florian Roth 39dfcd40ec Merge pull request #921 from d4rk-d4nph3/master 
Added support for Defender's PSExec and WMI ASR rules.
 2020-09-07 09:40:46 +02:00
Yugoslavskiy Daniil 5026438524 fix modified field 2020-08-25 01:29:57 +02:00
Yugoslavskiy Daniil 42c4079ed8 att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00
Florian Roth f788a723b6 Merge pull request #986 from diskurse/devel 
win_defender_history_delete.yml
 2020-08-21 16:05:49 +02:00
Cian Heasley 28fe002f34 win_defender_history_delete.yml 
Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
 2020-08-21 13:51:05 +01:00
Aidan Bracher ad9a8ff956 Updated to include extra registry key 2020-07-18 02:37:11 +01:00
Aidan Bracher 2006aa8f5e Inclusion of registry keys for WinDefender disabling 2020-07-18 02:23:30 +01:00
Bhabesh Rai e0c1d84951 Added new Lateral Movement Attack ID 2020-07-14 22:32:29 +05:45
Bhabesh Rai 6fb045aa4b Conforming to Rule Creation Guide. 2020-07-14 14:20:07 +05:45
Bhabesh Rai 66ad325fde Added support for Defender's PSExec and WMI ASR rules. 2020-07-14 14:01:43 +05:45
Thomas Patzke 28013a15e1 Improved rule 2020-07-07 23:18:07 +02:00
Thomas Patzke 90f09f7b12 Merge branch 'devel' of https://github.com/diskurse/sigma into pr-829 2020-07-07 23:15:39 +02:00
j91321 24029d998a FIX: lint error for title 2020-06-28 11:05:19 +02:00
j91321 ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth a7136481f1 Update win_pcap_drivers.yml 2020-06-11 11:14:43 +02:00
Cian Heasley 9835c6d67d add win_pcap_drivers.yml 2020-06-10 15:53:22 +01:00
Florian Roth 35e43db7a7 fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00
Florian Roth 82cae6d63c Merge pull request #604 from Neo23x0/devel 
New tests, colorized test output and rule cleanup
 2020-01-31 07:07:13 +01:00
Florian Roth e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth 30d872f98f Merge pull request #492 from booberry46/master 
Bypass Windows Defender
 2020-01-30 14:27:30 +01:00
Florian Roth 0a4d32c7c7 fix: fixing issues 2020-01-30 10:07:24 +01:00
Florian Roth d90ea6d267 improved rule 2020-01-30 09:58:32 +01:00