security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
2,332 Commits 1 Branch 57 Tags
0fa5ba925ee06b62b4e58d5e7d9eb5b0890dc06c
Commit Graph

2332 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 0fa5ba925e rule :improved bloodhound rule 2019-12-20 17:23:40 +01:00
Florian Roth 0e82dce2a0 fix: fixed wrong condition 2019-12-20 16:11:39 +01:00
Florian Roth 0000257371 rule: improved bloodhound rule 2019-12-20 16:08:26 +01:00
Florian Roth 3a933c38f2 rule: changed level of BloodHound rule 2019-12-20 15:37:58 +01:00
Florian Roth 68efeb909d rule: false positive condition for BloodHound rule 2019-12-20 15:35:13 +01:00
Florian Roth 5f061c15d0 fix: fixed missing condition 2019-12-20 15:18:05 +01:00
Florian Roth bb466407ee rule: operation Wocao activity 2019-12-20 15:00:07 +01:00
Florian Roth 708c17e2bc rule: Bloodhound 2019-12-20 14:59:36 +01:00
Florian Roth ab038d1ac7 style: minor changes 2019-12-20 14:59:26 +01:00
Florian Roth c8b6b5c556 rule: updating csc.exe rule 2019-12-17 13:45:40 +01:00
Florian Roth 7a3041c593 rule: improved csc.exe rule 2019-12-17 11:05:43 +01:00
Florian Roth e8d92fab0c rule: ryuk ransomware 2019-12-16 20:33:12 +01:00
Florian Roth bbaa9df217 rule: better JAB rule 2019-12-16 19:08:51 +01:00
Florian Roth f83eb2268e rule: improved JAB expression 2019-12-16 19:04:05 +01:00
Florian Roth bd7c996588 rule: suspicious PS rule modified to cover newest malware campaigns 2019-12-16 19:02:57 +01:00
Thomas Patzke ee4138c48e Merge pull request #526 from zouzias/hotfix_aggregate_count_distinct_groupby 
[feature] extend es-dsl to support nested aggregations
 2019-12-13 21:55:47 +01:00
Florian Roth 9c59e3cf13 Merge branch 'master' into devel 2019-12-12 09:40:02 +01:00
Florian Roth 065df363dc rule: added Empire UA 2019-12-12 09:39:28 +01:00
Florian Roth c25b902add Merge pull request #558 from vburov/patch-7 
Added svchost.exe as a parent image
 2019-12-10 20:17:22 +01:00
Florian Roth 611b72dba5 Merge pull request #559 from vburov/patch-8 
Added some suspicious locations
 2019-12-10 20:15:16 +01:00
Vasiliy Burov 977551c69d Added some suspicious locations 
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
 2019-12-10 20:17:40 +03:00
Vasiliy Burov 0dd4324aba Added svchost.exe as a parent image 
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
 2019-12-10 19:31:12 +03:00
Thomas Patzke b701e9be50 Added ECS proxy configuration 2019-12-09 16:34:07 +01:00
Thomas Patzke a9d6158dde Merge branch 'rules' 2019-12-09 16:17:39 +01:00
Thomas Patzke 2ea87f187c Added Ursnif proxy detections 2019-12-09 16:02:10 +01:00
Thomas Patzke 991108e64d Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00
Thomas Patzke dd8442590f Fixed proxy rule field names 2019-12-07 00:11:33 +01:00
Thomas Patzke 51e9689425 Sigmatool release 0.15.0 0.15.0 2019-12-06 22:13:44 +01:00
Thomas Patzke 58d8512396 Merge pull request #553 from berggren/patch-1 
Add source distribution for PyPi when building
 2019-12-06 22:10:19 +01:00
Johan Berggren d8e1f56219 Add source distribution for PyPi when building 
Add sdist when building. This makes it easier to build packages from PyPi for example Debian PPA pkgs etc.
This will not affect anything else, just make the source distribution available in PyPi as a tar.gz archive.

If this gets merged, please bump the version and push to PyPi as well.
 2019-12-06 15:45:28 +01:00
Florian Roth e1244acf49 rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00
Florian Roth c1647ca4b7 Merge branch 'master' into devel 2019-12-06 13:38:29 +01:00
Florian Roth e91a79e707 Merge pull request #550 from refractionPOINT/lc-proxy-support 
LimaCharlie basic support for Proxy rule category.
 2019-12-06 08:20:14 +01:00
Florian Roth 6359223390 Merge pull request #551 from axi0m/patch-1 
Add hastebin raw URI to contains selection
 2019-12-06 08:19:44 +01:00
Kevin Dienst 865251238f Add hastebin raw URI to contains selection 2019-12-05 14:16:20 -06:00
Maxime Lamothe-Brassard 27bb07b74e Adding support for basic proxy rules using the HTTP_REQUEST events from the Chrome LC Agent. 2019-12-05 09:35:09 -08:00
Florian Roth ab2dd094a5 fix: fixed broken link in elise rule 2019-12-05 09:56:20 +01:00
Florian Roth 8e107f43a2 rule: raw paste service access 2019-12-05 08:54:49 +01:00
Thomas Patzke ad7d5d2a39 Added WMI login rule 2019-12-04 11:13:04 +01:00
Thomas Patzke e8c1c97f3e Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00
Thomas Patzke c47af5169c Increased SID history rule severity 2019-12-03 14:28:46 +01:00
Thomas Patzke 76578927e8 Added domain trust rule 2019-12-03 14:28:20 +01:00
Florian Roth c8e29da7ec fix: simplified rule with RE 2019-12-03 11:24:06 +01:00
Florian Roth fc09533f56 style: fixed title 2019-12-03 11:24:06 +01:00
Thomas Patzke 98be3ce069 Fixed changelog (missing title) 2019-11-30 00:34:17 +01:00
Florian Roth 39293d5f2b rule: another reference for CVE-2019-1388 rule 2019-11-20 15:09:30 +01:00
Florian Roth 00a26dff16 Merge pull request #536 from Neo23x0/devel 
Changes to CVE-2019-1388 rule
 2019-11-20 09:27:56 +01:00
Florian Roth f9e6a929ba rule: made it more specific - command line must contain URL 2019-11-20 09:23:04 +01:00
Florian Roth 55e66b1843 rule: added status 2019-11-20 09:21:42 +01:00
Florian Roth 0b9cd47c1e Merge pull request #535 from Neo23x0/devel 
Rule to detect CVE-2019-1388
 2019-11-20 09:19:52 +01:00