security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

7892 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 9fce0fb42d Merge pull request #1680 from phantinuss/master 
medium level Rule for Windows Defender Exclusions
 2021-07-14 08:18:39 +02:00
Florian Roth 3faef2d94a Merge pull request #1681 from frack113/redcanary_t1228_v2 
Redcanary t1228 end
 2021-07-14 08:18:23 +02:00
Florian Roth f8afbf62aa Merge pull request #1682 from w0rk3r/master 
Remove Field Value Wildcard in ALA Backend
 2021-07-14 08:18:08 +02:00
G Y aacb5f767c Update winlogbeat-modules-enabled.yml 
Update mapping for EventID and TargetObject.
 2021-07-14 11:01:45 +08:00
Jonhnathan f6e7fc446f Remove Wildcard 2021-07-13 11:21:12 -03:00
frack113 8b14dc6c99 fix [colons] too many spaces after colon 2021-07-13 14:42:47 +02:00
frack113 c00dd0bf65 add win_susp_athremotefxvgpudisablementcommand.yml 2021-07-13 14:29:00 +02:00
frack113 6d1e8268ba update win_workflow_compiler.yml 2021-07-13 13:55:27 +02:00
phantinuss bf9b82fc45 medium level rule for Windows Defender Exclusions 2021-07-13 13:16:25 +02:00
frack113 6b9466ec20 Add process_creation_protocolhandler_suspicious_file.yml 2021-07-13 12:19:07 +02:00
frack113 33832acf5b fix Error: [colons] too many spaces before colon 2021-07-13 10:09:52 +02:00
frack113 c2d9b05191 Add process_creation_infdefaultinstall.yml 2021-07-13 09:56:34 +02:00
frack113 fd377fe163 update process_creation_syncappvpublishingserver_execute_arbitrary_powershell 2021-07-13 09:45:46 +02:00
Thomas Patzke 82b8b6890f Merge pull request #1663 from heyibrahimkhan/patch-4 
Create ala-azure-ad_auditlogs.yml
 2021-07-12 23:37:55 +02:00
Thomas Patzke 294a405481 Merge pull request #1662 from heyibrahimkhan/patch-3 
Create ala-azure-activitylogs.yml
 2021-07-12 23:37:46 +02:00
Thomas Patzke 98165cdd09 Merge pull request #1661 from heyibrahimkhan/patch-2 
Create ecs-azure-ad_auditlogs.yml
 2021-07-12 23:37:37 +02:00
Thomas Patzke a73c371c66 Merge pull request #1672 from mf1d3l:splunkdm_backend 
SplunkDM Backend: Splunk datamodels accelerated searches support
 2021-07-12 23:05:51 +02:00
Florian Roth 3761cd1b34 Merge pull request #1660 from heyibrahimkhan/patch-1 
Create ecs-azure-activitylogs.yml
 2021-07-12 17:42:49 +02:00
frack113 82f666c5da add process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml 2021-07-12 16:17:40 +02:00
frack113 d6a86a3fa0 add T1218 sysmon_creation_mavinject_dll.yml 2021-07-12 16:08:18 +02:00
Florian Roth 730e9eb883 Merge pull request #1667 from leegengyu/patch-10 
Update winlogbeat-modules-enabled.yml - Imphash Field
 2021-07-12 15:37:33 +02:00
Florian Roth ac7270ff32 Merge pull request #1669 from leegengyu/patch-11 
Update winlogbeat.yml - Imphash Field
 2021-07-12 15:37:00 +02:00
Florian Roth a16ce3b828 Merge pull request #1673 from frack113/ecs 
Add mapping for auditbeat and filebeat
 2021-07-12 15:36:07 +02:00
Florian Roth 382d5b2adb Merge pull request #1674 from frack113/fix_small_errors 
Fix some typo error
 2021-07-12 15:23:55 +02:00
Florian Roth 682e0458a3 Merge pull request #1675 from frack113/redcanary_attack.t1562.001 
Atomic Red team T1562.001
 2021-07-12 15:23:35 +02:00
Florian Roth 677c53a262 Merge pull request #1676 from d4rk-d4nph3/master 
Added latest McAfee zloader's reference for Office Security Settings …
 2021-07-12 14:02:49 +02:00
Bhabesh Rai 1fc5ec981d Added latest McAfee zloader's reference for Office Security Settings Changed 2021-07-12 16:56:21 +05:45
frack113 a96678d725 test 21 to 24 from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md 2021-07-12 10:54:44 +02:00
Florian Roth 7f071d7851 Merge pull request #1554 from mlp1515/master 
Update win_multiple_suspicious_cli.yml
 2021-07-12 10:43:26 +02:00
Thomas Patzke 0b83c12dd1 Merge branch 'devel-tp' 2021-07-12 10:21:19 +02:00
frack113 af140ebf84 fix some typo error 2021-07-12 09:40:18 +02:00
frack113 b6d2ec33cc Add mapping for auditbeat and filebeat 2021-07-12 09:00:57 +02:00
Thomas Patzke 176514bd7a New rule: suspicious spoolsv child process 2021-07-12 08:48:59 +02:00
Thomas Patzke 0b590aba5d Adjusted Spool Service DLL load rule 2021-07-11 09:29:43 +02:00
Thomas Patzke 6d41d538b2 Title fixed 2021-07-11 09:25:33 +02:00
Florian Roth 58a634b0b6 Merge branch 'master' into master 2021-07-11 00:32:55 +02:00
mf1d3l 9005b58649 extend cim 2021-07-10 23:06:29 +02:00
mf1d3l 681accf2ba add splunkdm to Makefile 2021-07-10 22:23:15 +02:00
mf1d3l 0271bc6b13 clean 2021-07-10 22:13:09 +02:00
mf1d3l b986ed0716 extend cim 2021-07-10 19:02:24 +02:00
G Y bdb77780b3 Update winlogbeat.yml 
Change Imphash's value as current one does not exist without the Sysmon processor module under Winlogbeat.
 2021-07-10 11:37:36 +08:00
G Y cb2985df75 Update winlogbeat-modules-enabled.yml 
Replaced mapping for Imphash (based on Winlogbeat's Sysmon processor module).
 2021-07-10 10:51:05 +08:00
mfidel ffadd110cb Update splunkdm.py 2021-07-10 00:03:41 +02:00
mfidel 82f8412988 Update splunkdm.py 2021-07-10 00:02:33 +02:00
mf1d3l 368388a7e6 Add Splunk Datamodel backend 2021-07-09 23:18:17 +02:00
Florian Roth 99b0d32cec Merge pull request #1666 from frack113/issue_1658 
Domain Trust Discovery - 2 Duplicate Rules
 2021-07-09 19:17:10 +02:00
frack113 17edaa0950 combines 2 rules 2021-07-09 16:41:03 +02:00
Florian Roth aa0231e1f8 Merge pull request #1664 from frack113/parentofparent 
Move to rules-unsupported as use special enrichment field
 2021-07-09 10:55:22 +02:00
Florian Roth 28cc6d102f Merge pull request #1665 from frack113/hope_last_windows_field_fix 
Last fix invalid windows field name
 2021-07-09 10:54:59 +02:00
frack113 a53e21eb77 2 more rule with custom field 2021-07-09 10:07:41 +02:00