security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,079 Commits 1 Branch 57 Tags
2bfd4ea654d0cfe77d5c2ec4e7cb8692e3cd08bb
Commit Graph

2079 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
webhead404 2bfd4ea654 Added MITRE tags 2019-11-20 16:18:03 -06:00
webhead404 b96ad8ccd7 Merge pull request #2 from webhead404/webhead404-contrib 
Create win_external_device
 2019-11-20 16:09:15 -06:00
webhead404 5c5d28acdc Create win_external_device 2019-11-20 16:07:29 -06:00
webhead404 a704256632 Merge pull request #1 from webhead404/webhead404-patch-1 
Update and add another selection for regsvr32
 2019-11-06 15:51:30 -06:00
webhead404 f7a968e3d2 Update and add another selection for regsvr32 
Added cmd.exe to the detection after observing Atomic Red Team test 

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md#atomic-test-2---regsvr32-remote-com-scriptlet-execution
 2019-11-06 15:49:53 -06:00
Thomas Patzke ef14ee542d Added modifiers: startswith and endswith 2019-11-05 23:04:13 +01:00
Thomas Patzke 97d13660f7 Merge pull request #517 from Neo23x0/devel 
Firewall Deactivation Rule
 2019-11-05 22:54:50 +01:00
Thomas Patzke 7a81054cdd Merge pull request #518 from refractionPOINT/master 
LimaCharlie Productionization
 2019-11-05 22:54:01 +01:00
Maxime Lamothe-Brassard 1b9054c1f3 Adding some comments 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard b7018bcd4a Adding a post-mapper mechanism to fix some common issues in Sigma rules to LC. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard c2e621cf08 Fixing another edge case with string escape. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard 0c6b9e532b Remove debugging statement 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard 6f2f1d2bd7 Add ability to map fields and values based on callbacks. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard 0b9a3f3a08 Refactor to better support keyword fields. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard 9aedb8f764 Adding another exception case to get more "contains" shortcuts instead of REs. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard 102ab3081b Fix the convertion from simple wildcard strings to a full regular expression so that it is always correct. The previous solution just mostly-worked. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard e52f29dda9 Fix matches operator field set to value instead of re. 2019-11-05 08:38:06 -05:00
Florian Roth c60563e546 rule: add modified rule date 2019-11-05 11:24:52 +01:00
Florian Roth 5786688f97 rule: Firewall disabled via Netsh 2019-11-04 16:10:10 +01:00
Thomas Patzke 54c75167ce Default configurations for backends 2019-11-03 23:32:50 +01:00
Thomas Patzke 0c64992276 Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-11-02 23:05:41 +01:00
Thomas Patzke a5579fa8cd Merge pull request #513 from Karneades/fix-sysmon-rule 
fix: bound sysmon logon script rule to field
 2019-11-02 23:04:35 +01:00
Thomas Patzke c0f1b12833 Merge pull request #512 from Karneades/fix-win-rules 
fix: bound windows event log rules to message field
 2019-11-02 23:03:44 +01:00
Thomas Patzke 66d9de460d Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-11-02 22:56:32 +01:00
Thomas Patzke 4f19ef5708 Graylog backend now derived from es-qs 
Technically, Graylog is ES. Fixes and improvements for ES didn't
propagate to Graylog, now they do.
 2019-11-02 22:56:01 +01:00
Thomas Patzke 8af2b70594 Restrict search not bound to fields to keyword fields 2019-11-02 22:55:04 +01:00
Thomas Patzke c9eb921f68 ConditionAND/OR constructor now allows arbeitrary number of operands 2019-11-02 22:54:35 +01:00
Karneades 0117dac1db fix: bound sysmon logon script rule to field 
Fixed rule:
- rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
 2019-11-02 11:47:20 +01:00
Karneades 68fd20cb66 fix: bound windows event log rules to message field 
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
 2019-11-02 11:25:29 +01:00
Florian Roth 3107c0c268 rule: Formbook rule improved 2019-10-31 09:32:18 +01:00
Florian Roth 4741b6a4d6 rule: Mustang Panda dropper 2019-10-30 18:22:40 +01:00
Florian Roth d661771608 rule: another DTRACK reference 2019-10-30 18:22:25 +01:00
Florian Roth 3ac28f3eed rule: DTRACK process creation 2019-10-30 15:16:33 +01:00
Thomas Patzke 219f00e3fb Added command line parameter 
Implements #418
 2019-10-29 23:04:28 +01:00
Thomas Patzke 2eeccf48e0 Removed line breaks in Elastalert YAML output 
Fixes #453
 2019-10-29 22:45:37 +01:00
Thomas Patzke f4e9690d6b Merge pull request #508 from Karneades/fixRule3 
fix: bound keywords to field in multiple PS rules
 2019-10-29 22:34:08 +01:00
Thomas Patzke 78d8ca2b41 Merge pull request #507 from Karneades/fixRule2 
fix: bound keywords to field in PS cred prompt rule
 2019-10-29 22:31:01 +01:00
Thomas Patzke 40df0d4534 Merge pull request #506 from Karneades/fixRule1 
fix: bound keywords to field in WMI persistence rule
 2019-10-29 22:30:27 +01:00
Thomas Patzke 6eb49fc1ce Merge pull request #509 from Karneades/fixRule4 
fix: change keyword and bound it to a field in PS rule
 2019-10-29 22:27:54 +01:00
Thomas Patzke b6403793c1 Fixed escaping in rule 2019-10-29 22:06:23 +01:00
Karneades ab5556ae8c fix: change keyword and bound it to a field 2019-10-29 19:59:43 +01:00
Karneades aafab2e936 fix: bound keywords to field in multiple PS rules 
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
 2019-10-29 19:53:18 +01:00
Karneades f31750e567 fix: bound keywords to field in PS cred prompt rule 2019-10-29 19:43:04 +01:00
Karneades cd20e4a3fc fix: bound keywords to field in WMI persistence rule 
See #501.
 2019-10-29 19:22:41 +01:00
Thomas Patzke 632c45843b Merge pull request #500 from refractionPOINT/master 
Adding LimaCharlie to the README's supported targets.
 2019-10-28 21:17:30 +01:00
Maxime Lamothe-Brassard f01913c996 Adding LimaCharlie to the README's supported targets. 2019-10-28 14:48:04 -05:00
Thomas Patzke 6a76f5950b Merge pull request #499 from refractionPOINT/master 
Adding Backend for LimaCharlie D&R rules
 2019-10-28 20:38:33 +01:00
Maxime Lamothe-Brassard f6fb9c7f5f Fixing typo in response metadata. 2019-10-28 11:31:50 -05:00
Maxime Lamothe-Brassard 2873e1ded3 Small refactors to make more readable and remove deprecated code paths to increase coverage. 2019-10-28 10:49:05 -05:00
Florian Roth 8ff85499c8 rule: svchost dll search order hijack 2019-10-28 12:03:03 +01:00