Commit Graph

850 Commits

Author SHA1 Message Date
frack113 92999468ee Merge pull request #2012 from frack113/upgrade_test
Upgrade test_rules.py
2021-09-11 15:29:19 +02:00
Austin Songer 1ea9aab455 Update Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml 2021-09-10 09:44:31 -05:00
Austin Songer 9d9a5088bb Update Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml 2021-09-10 09:43:24 -05:00
frack113 0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
frack113 ac9ea531ae Merge pull request #1956 from Cyb3rEng/master
Adding Various Rules To Monitor Process Creations in Sysmon, Event Logs & EDR
2021-09-10 10:47:23 +02:00
Cyb3rEng f4155010ff Duplicate Rule
Removed rule as it was duplicated
2021-09-09 23:09:20 -06:00
Cyb3rEng 4af244b135 Duplicate Rule
Removed rule as it was duplicated
2021-09-09 23:08:52 -06:00
Cyb3rEng 361121c402 changed title
title: Lolbins Process Created With WmiPrvSE
2021-09-09 21:51:49 -06:00
Cyb3rEng a3a12375b5 changed title
title: Lolbins Process Created With Office Application
2021-09-09 21:51:22 -06:00
Cyb3rEng 6cae20b9b8 Changed title
changed title
2021-09-09 21:38:42 -06:00
Cyb3rEng ca19f43a06 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:35:21 -06:00
Cyb3rEng d14c26f5f1 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:33:36 -06:00
Cyb3rEng ba995ef442 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:32:42 -06:00
Cyb3rEng f7b8fd571d Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:31:57 -06:00
Cyb3rEng 6a7ac098ed changed id uuid to v4
b45e1519-5de5-4dfe-bef6-73bc48c2b983
2021-09-09 21:31:20 -06:00
Cyb3rEng 7c9be6da32 Resolved more issues from last commit as per comments
Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custom id
2021-09-09 21:24:05 -06:00
Cyb3rEng ff08de6d20 Completed Changes based on review
selection2:
     ParentPrcessName|endswith:
2021-09-09 21:02:11 -06:00
frack113 d9cd1652f2 Split global sysmon rules 2021-09-09 16:11:41 +02:00
frack113 312ffe69e2 Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml 2021-09-09 06:28:48 +02:00
Cyb3rEng b2c44ebd6e Changed selection1
completed the following change to selection1 to keep inline with rule creation guideline
- CommandLine|contains: 'wmic '
2021-09-08 21:27:15 -06:00
Cyb3rEng fe9b91c504 Completed changes to selection1
changed to the following to follow rule creation guidelines:
    - Image|endswith: '\wbem\WMIC.exe'
    - ProcessCommandLine|contains: 'wmic '
2021-09-08 21:26:01 -06:00
Cyb3rEng 851dfeee46 Changed selection2 condition
changed from "\\wbem\\WmiPrvSE.exe" to "\wbem\WmiPrvSE.exe" to follow rule creation guidelines
2021-09-08 21:24:18 -06:00
Cyb3rEng 6ddc83901b Changed Category
Category Changed from process_creation to file_event
2021-09-08 20:38:07 -06:00
Cyb3rEng 5ac0fded26 Merge branch 'SigmaHQ:master' into master 2021-09-08 20:26:59 -06:00
frack113 e712d9696b Merge pull request #2000 from frack113/split_global
Split frack113 global rules
2021-09-08 06:26:35 +02:00
Cyb3rEng e3b376e945 Completed Changes Based on Comments
Removed :
unnecessary event ID
2021-09-07 21:26:42 -06:00
Cyb3rEng 4130ceb208 Completed Changes Based on Comments
Removed :
unnecessary event ID
2021-09-07 21:25:52 -06:00
Cyb3rEng 8d47f9531b Completed Changes Based on Comments
Removed :
unnecessary event ID
2021-09-07 21:22:01 -06:00
Cyb3rEng 13e6262055 Completed Changes Based on Comments
Removed :
unnecessary event ID
2021-09-07 21:20:51 -06:00
Cyb3rEng 8dc1b03fef Completed Changes Based on Comments
Removed :
unnecessary event ID
2021-09-07 21:19:43 -06:00
Cyb3rEng 932b7cf2ba Merge branch 'SigmaHQ:master' into master 2021-09-07 19:58:09 -06:00
Thomas Patzke 143744bc12 Various fixes
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
2021-09-07 23:38:07 +02:00
frack113 0e5e4fa19d Split global rules 2021-09-07 13:30:32 +02:00
frack113 be442182fe convert to LF 2021-09-06 21:10:08 +02:00
frack113 9ef299c4f4 Change to LF 2021-09-06 21:07:49 +02:00
frack113 d02ee1eddd Update global ID 2021-09-02 21:16:55 +02:00
frack113 f90c7558a7 update global id 2021-09-02 21:03:25 +02:00
frack113 086a15fc45 Update global ID 2021-09-02 20:07:03 +02:00
Cyb3rEng c5507658c0 Updated Rule
updated title
2021-08-31 22:13:31 -06:00
Cyb3rEng 785fc98ee3 Updated Rule
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
2021-08-31 22:05:10 -06:00
Cyb3rEng d5f73a8910 Updated Rule
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
2021-08-31 22:03:31 -06:00
Cyb3rEng fa3b882fdc Updated Rule
Removed " " from falsepositives section
2021-08-31 21:58:50 -06:00
Cyb3rEng c7c49c55d2 Updated Rule
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
2021-08-31 21:58:09 -06:00
Cyb3rEng d5fa226180 Updated Rule
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
2021-08-31 21:54:32 -06:00
Cyb3rEng 900f71e6b2 Rule Update Review
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section. 
- Removed the service: Sysmon, updated selection1.
2021-08-31 21:50:44 -06:00
Cyb3rEng 6c9b2a2f37 Add files via upload 2021-08-30 21:48:03 -06:00
frack113 a4021842de Fix invalid tags 2021-08-25 09:15:57 +02:00
frack113 c2302a15da fix cve tags 2021-08-24 10:10:45 +02:00
Max Altgelt 6f05e33feb fix: Correct incorrect message / keyword usage
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
2021-08-12 16:28:07 +02:00
frack113 cf8d8d3ed4 fix TargetFilename case error 2021-08-06 08:43:05 +02:00
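Several of the review fixes above are mechanical checks: condition operators in lowercase (0288f5b626, 143744bc12), single rather than double backslashes in paths (851dfeee46), no `message`/`keyword` field names in Windows rules because those fields do not exist and can never match (6f05e33feb), rule ids as UUID v4 (6a7ac098ed), and LF line endings (be442182fe, 9ef299c4f4). The linter below is an added example that applies exactly those checks to a rule; it is not SigmaHQ's own `test_rules.py`, and the two sample rules are constructed here to mirror the before/after state described in the log, not copied from the repository. It takes rules as the dicts a YAML loader would produce so that it runs without PyYAML.

```python
"""Lint checks modelled on the review fixes in this commit log (added example,
not SigmaHQ's test_rules.py). Rules are passed as dicts, as yaml.safe_load would
return them, so no YAML library is needed."""
import re
import uuid
from typing import Any, Dict, Iterator, List, Tuple

# Sigma condition keywords are lowercase; "AND"/"OR"/"NOT" are rejected by sigmac.
CONDITION_KEYWORDS = {"and", "or", "not", "of", "them", "all"}
# Field names that do not exist in Windows event logs; a selection on them never matches.
BOGUS_WINDOWS_FIELDS = {"message", "keyword"}
# A double backslash that does not escape a wildcard or another backslash is redundant:
# Sigma reads '\wbem\' and '\\wbem\\' as the same path, and the guideline prefers the former.
REDUNDANT_ESCAPE = re.compile(r"\\\\(?![*?\\])")


def check_condition_case(condition: str) -> List[str]:
    """Flag condition operators written in anything but lowercase."""
    out = []
    for tok in re.findall(r"[A-Za-z_][A-Za-z0-9_*]*", condition):
        if tok.lower() in CONDITION_KEYWORDS and tok != tok.lower():
            out.append(f"condition operator '{tok}' must be lowercase")
    return out


def check_uuid_v4(rule_id: Any) -> List[str]:
    """The rule id must parse as a version-4 UUID."""
    try:
        parsed = uuid.UUID(str(rule_id))
    except ValueError:
        return [f"id '{rule_id}' is not a UUID"]
    if parsed.version != 4:
        return [f"id '{rule_id}' is UUID version {parsed.version}, expected 4"]
    return []


def iter_field_values(detection: Dict[str, Any]) -> Iterator[Tuple[str, str, Any]]:
    """Yield (selection name, field-with-modifiers, value) for every field/value pair."""
    for name, body in detection.items():
        if name == "condition":
            continue
        for item in (body if isinstance(body, list) else [body]):
            if not isinstance(item, dict):  # keyword list of plain strings: no field name
                continue
            for field, value in item.items():
                for v in (value if isinstance(value, list) else [value]):
                    yield name, field, v


def check_fields_and_escapes(detection: Dict[str, Any], product: str) -> List[str]:
    """Flag nonexistent Windows fields and redundant '\\\\' in non-regex values."""
    out = []
    for sel, field, value in iter_field_values(detection):
        base, *mods = field.split("|")
        if product == "windows" and base.lower() in BOGUS_WINDOWS_FIELDS:
            out.append(f"{sel}: field '{base}' does not exist in Windows event logs")
        if "re" not in mods and isinstance(value, str) and REDUNDANT_ESCAPE.search(value):
            out.append(f"{sel}: '{value}' uses '\\\\' where a single backslash suffices")
    return out


def check_line_endings(raw: bytes) -> List[str]:
    """Rule files are expected to use LF, not CRLF."""
    return ["file uses CRLF line endings; convert to LF"] if b"\r\n" in raw else []


def lint_rule(rule: Dict[str, Any], raw: bytes = b"") -> List[str]:
    """Run every check; 'raw' is the file's bytes when line endings should be checked."""
    product = str(rule.get("logsource", {}).get("product", "")).lower()
    detection = rule.get("detection", {})
    return (check_uuid_v4(rule.get("id", ""))
            + check_condition_case(str(detection.get("condition", "")))
            + check_fields_and_escapes(detection, product)
            + check_line_endings(raw))


# Constructed sample mirroring the pre-review shape described in the log
# (Python '\\\\' is the YAML single-quoted '\\', i.e. two literal backslashes).
BEFORE_REVIEW = {
    "title": "Lolbins Process Created With WmiPrvSE",
    "id": "b45e1519-5de5-1dfe-bef6-73bc48c2b983",  # version nibble 1, not 4
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection1": {"Image|endswith": "\\\\wbem\\\\WMIC.exe"},
        "selection2": {"ParentImage|endswith": "\\\\wbem\\\\WmiPrvSE.exe",
                       "keyword": "*wmic*"},
        "condition": "selection1 AND selection2",
    },
}
# Constructed sample in the reviewed form.
AFTER_REVIEW = {
    "title": "Lolbins Process Created With WmiPrvSE",
    "id": "b45e1519-5de5-4dfe-bef6-73bc48c2b983",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection1": [{"Image|endswith": "\\wbem\\WMIC.exe"},
                       {"CommandLine|contains": "wmic "}],
        "selection2": {"ParentImage|endswith": "\\wbem\\WmiPrvSE.exe"},
        "condition": "selection1 and selection2",
    },
}

if __name__ == "__main__":
    for name, rule in (("before", BEFORE_REVIEW), ("after", AFTER_REVIEW)):
        print(name, lint_rule(rule, raw=b"title: x\r\n" if name == "before" else b""))
```

Regex (`|re`) values are deliberately skipped by the backslash check: a `\\d` in a regex is a real escape, and the log only records that regex backslashes were fixed, not the rule that was applied, so this linter does not guess one.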