Commit Graph

113 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 2c3d19f335 Merge pull request #4293 from danielbohannon/patch-1 2023-07-17 12:19:05 +02:00
Nasreddine Bencherchali e59f9d6f61 chore: add missing quotes 2023-06-23 10:17:09 +02:00
Nasreddine Bencherchali 1562630a17 chore: update structure 2023-06-23 10:16:53 +02:00
Nasreddine Bencherchali fac3e34f92 fix: broken selection 2023-06-23 10:12:23 +02:00
Nasreddine Bencherchali 135855e9a7 chore: update structure 2023-06-23 10:10:13 +02:00
Daniel Bohannon 7dbfa195bd Permiso p0-LUCR-1 (aka GUI-vil)
Adding Sigma rules outlined in the following blog post associated with named cloud-focused threat actor p0-LUCR-1 (aka GUI-vil): https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
2023-06-06 17:18:06 -04:00
Daniel Bohannon 0348c1adbb Permiso p0-LUCR-1 (aka GUI-vil)
Adding Sigma rules outlined in the following blog post associated with named cloud-focused threat actor p0-LUCR-1 (aka GUI-vil): https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
2023-06-06 17:08:14 -04:00
Nasreddine Bencherchali 7ce4a9b7ec fix: add missing modified 2023-04-28 11:12:30 +02:00
muratogul 961aebb8ef corrected eventSource on aws_enum_buckets.yml file 2023-04-27 22:53:34 -07:00
erickatwork 91bc015216 feat: update description ECS TASK DEF rule (#4181) 2023-04-25 11:00:24 +02:00
Nasreddine Bencherchali 3d9372bef3 feat: new rules, updates and fp fixes (#4136) 2023-04-03 12:06:14 +02:00
frack113 4023bf2c83 Remove mitre url 2023-01-10 18:09:04 +01:00
Nasreddine Bencherchali e08358de3b fix: add related field 2023-01-07 13:13:48 +01:00
frack113 d73fe7ecfe Update rules/cloud/aws/aws_enum_buckets.yml 2023-01-07 12:39:50 +01:00
securepeacock 4c3e79cccb Create aws_enum_buckets.yml 2023-01-06 17:36:08 -05:00
BlueTeamOps 05135ec828 Further improved several AWS rules (#3827)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-28 19:46:36 +01:00
frack113 7060db3d47 Promotion rules (#3821)
* Promotion rules

* fix missing null

* fix: modified date

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali a1b2e0ee81 Merge pull request #3781 from blueteam0ps/aws_det
Multiple AWS detection rules
2022-12-23 12:41:15 +01:00
frack113 32b7ef47df Add count condition 2022-12-23 12:32:05 +01:00
Nasreddine Bencherchali a3f897606f fix: enhance metadata information 2022-12-23 11:01:57 +01:00
BlueTeamOps 426dc04fd1 Added timeframe 2022-12-22 07:56:14 +11:00
BlueTeamOps 855ca77253 Added a timeframe 2022-12-22 07:49:26 +11:00
BlueTeamOps 3b4bf47d59 Added timeframe 2022-12-22 07:40:48 +11:00
frack113 646351808e Refactor (#3794)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-18 21:00:14 +01:00
Nasreddine Bencherchali 97c43eaa73 fix: duplicate id 2022-12-16 10:32:18 +01:00
frack113 066ab2680d Change to LF 2022-12-16 09:24:19 +01:00
BlueTeamOps 02fdcf037e fixed the eventNames to be inline 2022-12-16 18:56:15 +11:00
BlueTeamOps 5563195c77 fixed up eventName 2022-12-16 18:55:09 +11:00
BlueTeamOps f1c53264b2 Multiple AWS rules
Multiple AWS rules based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
2022-12-13 22:30:28 +11:00
BlueTeamOps 2958fc35e5 Delete aws_delete_identity.yml 2022-12-13 22:29:16 +11:00
BlueTeamOps 77accc82d7 Delete aws_ses_messaging_enabled.yml 2022-12-13 22:29:00 +11:00
BlueTeamOps d2f0f6ddec Delete aws_enum_storage.yml 2022-12-13 22:28:48 +11:00
BlueTeamOps 155aa8412e Delete aws_enum_network.yml 2022-12-13 22:28:36 +11:00
BlueTeamOps 4debb454a7 Delete aws_enum_logging.yml 2022-12-13 22:28:27 +11:00
BlueTeamOps 53cfd3b7a1 Multiple AWS use cases
Multiple AWS use cases based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
2022-12-13 22:23:50 +11:00
frack113 556dd8f400 Order yaml field 2022-10-25 07:34:10 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali 88f10a5d39 Fix issues 2022-10-05 17:19:48 +02:00
David ANDRE 0b0190ccb1 Added quotes to strings 2022-09-01 15:22:26 +02:00
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
Darin Smith d29eb1e48c Change to all selection elements rather than a filter and a selection 2022-06-08 09:13:48 -07:00
Darin Smith 04bcbcdb44 Minor change, filter param should not be a list 2022-06-08 06:58:19 -07:00
Darin Smith 61df0b9218 Update with suggested changes 2022-06-08 06:47:30 -07:00
Darin Smith 09e31d2045 update with command field 2022-06-07 10:45:05 -07:00
Darin Smith 8a59eb594e Add rule for ECS backdoors 2022-06-07 10:36:31 -07:00
Rachel Rice db58345bc6 Update selection_source for AWS ec2 startup script rule
The JSON payload for `ModifyInstanceAttribute` event currently looks like:
```
"requestParameters": {
  "attribute": "userData",
  ...
},
```

Updating the selection_source from `requestParameters.userData: "*"` to `requestParameters.attribute: "userData"` accordingly.

Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
2022-06-07 13:20:08 +01:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00