Florian Roth
74e16fdccd
Merge pull request #803 from gamma37/clear_cmd_history
Edit Clear Command History
2020-05-29 17:32:43 +02:00
gamma37
537bda4417
Update lnx_shell_clear_cmd_history.yml
2020-05-28 10:56:35 +02:00
gamma37
5a48934822
Edit Clear Command History
I suggest a new point of view to detect that bash_history has been cleared: instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.
2020-05-28 10:52:17 +02:00
Florian Roth
8321cc7ee1
Merge pull request #772 from gamma37/suspicious_activities
Create a rule for "suspicious activities"
2020-05-23 18:11:32 +02:00
Florian Roth
e1a05dfc1c
Update lnx_auditd_susp_C2_commands.yml
2020-05-23 16:49:03 +02:00
gamma37
71c507d8a9
remove space before colon
2020-05-18 11:34:53 +02:00
gamma37
55eec46932
Create a rule for "suspicious activities"
2020-05-18 11:25:18 +02:00
gamma37
cbf06b1e43
lowercased tag
2020-05-18 10:11:32 +02:00
gamma37
904716771a
Create a new rule to detect "Create Account"
2020-05-18 10:03:34 +02:00
Florian Roth
7b713fbe7f
rule: OpenSSHd rule adjusted
2020-05-15 17:19:32 +02:00
Thomas Patzke
373424f145
Rule fixes
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
Thomas Patzke
d7bd90cb24
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
Thomas Patzke
593abb1cce
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
Florian Roth
03ecb3b8dc
refactor: moved rules from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
Florian Roth
d42e87edd7
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
Florian Roth
efd3af0812
fix: fixed missing date fields in other files
2020-01-30 15:32:39 +01:00
Thomas Patzke
924e1feb54
UUIDs + moved unsupported logic
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
testing.
2019-12-19 23:56:36 +01:00
yugoslavskiy
edad1695f6
Merge branch 'oscd' of https://github.com/mrblacyk/sigma into mrblacyk-oscd
2019-12-02 02:56:53 +01:00
yugoslavskiy
48a94d1609
Update lnx_dd_delete_file.yml
2019-12-02 02:54:48 +01:00
yugoslavskiy
ca1c2f4436
Update lnx_chattr_immutable_removal.yml
2019-12-02 02:54:32 +01:00
yugoslavskiy
9e90335a5a
Update lnx_pers_systemd_reload.yml
2019-12-02 02:54:13 +01:00
yugoslavskiy
46ca68436e
Update lnx_file_or_folder_permissions.yml
2019-12-02 02:53:35 +01:00
mrblacyk
9d0889def4
Adding auditd compatibility
2019-11-29 09:34:08 +01:00
mrblacyk
cafbb25d2e
Update lnx_file_or_folder_permissions.yml
2019-11-29 09:33:04 +01:00
mrblacyk
bf5e6cc56b
Adding auditd compatibility
2019-11-29 09:32:05 +01:00
mrblacyk
a15c84eb80
Adding auditd compatibility
2019-11-29 09:27:31 +01:00
yugoslavskiy
efc404fbae
resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml
2019-11-19 02:11:19 +01:00
Thomas Patzke
0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
Thomas Patzke
5f6a4225ec
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
yugoslavskiy
a4331b0eec
Merge pull request #498 from theRabbitCode/oscd
[OSCD] Added Atomic Blue Detections Repo
2019-11-11 23:22:57 +03:00
yugoslavskiy
bdff2c312b
Update lnx_auditd_ld_so_preload_mod.yml
2019-11-11 01:44:53 +03:00
yugoslavskiy
69a99bc2c3
Merge pull request #493 from alx1m1k/oscd
[OSCD] rules from Jet CSIRT team
2019-11-10 23:11:24 +03:00
yugoslavskiy
82f23c5f63
Merge pull request #477 from zinint/oscd
add 13 new rules:
- rules/linux/auditd/lnx_auditd_masquerading_crond.yml
- rules/linux/auditd/lnx_auditd_user_discovery.yml
- rules/linux/auditd/lnx_data_compressed.yml
- rules/linux/auditd/lnx_network_sniffing.yml
- rules/windows/powershell/powershell_data_compressed.yml
- rules/windows/powershell/powershell_winlogon_helper_dll.yml
- rules/windows/process_creation/win_change_default_file_association.yml
- rules/windows/process_creation/win_data_compressed_with_rar.yml
- rules/windows/process_creation/win_local_system_owner_account_discovery.yml
- rules/windows/process_creation/win_network_sniffing.yml
- rules/windows/process_creation/win_query_registry.yml
- rules/windows/process_creation/win_service_execution.yml
- rules/windows/process_creation/win_xsl_script_processing.yml
modify 1 rule:
- rules/windows/process_creation/win_possible_applocker_bypass.yml
2019-11-05 04:55:29 +03:00
yugoslavskiy
534f5fc0e1
Update lnx_network_sniffing.yml
2019-11-05 04:40:40 +03:00
yugoslavskiy
70fdd9c7d7
Update lnx_data_compressed.yml
2019-11-05 04:38:27 +03:00
yugoslavskiy
75f2b8536f
Update lnx_auditd_user_discovery.yml
2019-11-04 22:14:30 +03:00
yugoslavskiy
8b2216e94e
Update lnx_auditd_masquerading_crond.yml
2019-11-04 22:14:10 +03:00
yugoslavskiy
0d5489bbb0
Update lnx_auditd_user_discovery.yml
2019-11-04 22:07:30 +03:00
yugoslavskiy
bb71f95810
Update lnx_auditd_masquerading_crond.yml
2019-11-04 21:58:42 +03:00
yugoslavskiy
1f1fd68331
Merge pull request #472 from feedb/oscd
add 11 new rules:
- rules/linux/auditd/lnx_auditd_web_rce.yml
- rules/windows/process_creation/process_creation_susp_bginfo.yml
- rules/windows/process_creation/process_creation_susp_cdb.yml
- rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml
- rules/windows/process_creation/process_creation_susp_dnx.yml
- rules/windows/process_creation/process_creation_susp_dxcap.yml
- rules/windows/process_creation/process_creation_susp_msoffice.yml
- rules/windows/process_creation/process_creation_susp_odbcconf.yml
- rules/windows/process_creation/process_creation_susp_openwith.yml
- rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml
- rules/windows/sysmon/sysmon_webshell_creation_detect.yml
2019-11-04 20:40:58 +03:00
yugoslavskiy
8a35a51211
Update lnx_auditd_web_rce.yml
2019-11-04 18:08:17 +03:00
zinint
11e7bdc727
Update lnx_network_sniffing.yml
2019-10-30 22:59:46 +03:00
zinint
fd09c00b35
Update lnx_network_sniffing.yml
2019-10-30 20:59:07 +03:00
zinint
3d106d8e7f
Update lnx_network_sniffing.yml
2019-10-30 19:11:51 +03:00
zinint
e0c5479f0a
Update lnx_network_sniffing.yml
2019-10-30 19:10:48 +03:00
zinint
b5b40f2861
Update lnx_network_sniffing.yml
2019-10-30 19:07:05 +03:00
zinint
cc4a8df5e3
Update lnx_network_sniffing.yml
2019-10-30 19:06:53 +03:00
zinint
7e3d8ccaf3
T1040
2019-10-30 19:05:50 +03:00
zinint
4a560e9375
T1002
2019-10-29 22:56:45 +03:00