Commit Graph

520 Commits

Author SHA1 Message Date
juju4 e2213347ad Merge remote-tracking branch 'upstream/master' 2017-09-09 11:33:18 -04:00
Thomas Patzke be3c0cfb89 sigmac: Kibana backend, first version
* totally untested!
* only supports searches
* no visualizations/aggregation expressions
* some fields are filled with default values (see code comments)
2017-09-05 00:14:13 +02:00
Thomas Patzke c5fc74f440 Further backend changes
* backends get complete SigmaParser objects instead of condition
* addition of finalize step for backends
* Renaming of output classes
2017-09-04 00:56:04 +02:00
Florian Roth bfe8378455 Rule: Suspicious svchost.exe process 2017-08-31 11:07:45 +02:00
secman-pl 9768f275d0 Update sysmon_susp_regsvr32_anomalies
Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe.
example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
SCT script code:
var objShell = new ActiveXObject("WScript.shell");
2017-08-29 12:21:47 +02:00
Florian Roth f3f2c14b3a Added reference to regsvr32 rule 2017-08-29 08:45:29 +02:00
Thomas Patzke 39381305d8 sigmac: Generic Text File Output
Moved output logic into generic class.
2017-08-29 00:05:59 +02:00
Florian Roth 55f4c37e22 Rule: Microsoft Binary Github Communication 2017-08-24 18:27:40 +02:00
Florian Roth f46e86fbb1 WMI persistence modified 2017-08-24 18:27:40 +02:00
Thomas Patzke 783722e0b2 Merge pull request #44 from h0ng10/patch-1
Small Typo fix
2017-08-22 22:55:59 +02:00
Hans-Martin Münch 09e754a8f9 Small Typo fix 2017-08-22 10:56:25 +02:00
Florian Roth edf2787402 Removed some spaces and added Win 10 WMI eventlog 2017-08-22 10:04:56 +02:00
Florian Roth 59821d1bcb Office Shell: Reference added to new entry 2017-08-22 10:04:22 +02:00
Florian Roth 332f7d27da Win WMI Persistence
http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
https://twitter.com/mattifestation/status/899646620148539397
2017-08-22 10:02:54 +02:00
Florian Roth 8f4a780c3b Added regsvr32.exe to suspicious child processes 2017-08-20 23:14:41 +02:00
Florian Roth e06cf6c43f Service install - net user persistence 2017-08-16 15:16:57 +02:00
juju4 b109a1277e Detects suspicious process related to rasdial.exe 2017-08-13 16:20:25 -04:00
juju4 012ed4cd7d Detects execution of executables that can be used to bypass Applocker whitelisting 2017-08-13 16:20:01 -04:00
juju4 f861969e95 tentative rule to detect admin users remote login 2017-08-13 16:19:24 -04:00
juju4 d2ae98b0de tentative rule to detect admin users interactive login 2017-08-13 16:18:58 -04:00
juju4 21b1c52d1e forfiles, bash detection 2017-08-13 16:18:13 -04:00
Thomas Patzke 238f27fa0d Added OperationalError to relevant Python DB exceptions 2017-08-13 00:10:00 +02:00
Thomas Patzke 33b2ff16cf Rule for generic Python SQL exceptions
according to PEP 249
2017-08-12 00:44:18 +02:00
Thomas Patzke 7ba62b791c Application security rules
* reorganization into separate folder
* adding category
* minor tweaks
2017-08-12 00:43:10 +02:00
Thomas Patzke ac5e6a3e83 Moved tests into Makefile 2017-08-07 14:05:55 +02:00
Thomas Patzke 487ab99507 Changed sigmac error behavior on I/O errors 2017-08-07 08:54:18 +02:00
Thomas Patzke 7307812152 Changed Travis status image URL to main repository 2017-08-07 08:38:07 +02:00
Thomas Patzke 1d3b8e58bd Fixed description 2017-08-06 23:22:31 +02:00
Thomas Patzke 0795d14b41 Spring framework security exceptions rule 2017-08-06 23:21:53 +02:00
Thomas Patzke f0e6c28e8b Added Ruby on Rails security-related exceptions rule 2017-08-06 22:57:52 +02:00
Thomas Patzke 98f99cebc0 Added author attribute 2017-08-05 23:56:13 +02:00
Thomas Patzke d84f9dcc1c Aggregation 'near' raises NotImplementedError in backends splunk and logpoint 2017-08-05 23:48:28 +02:00
Thomas Patzke 685f32fdef Added sigmac target list to Travis tests 2017-08-05 23:43:15 +02:00
Thomas Patzke 9ba3c36f0e Added tests for all backends in Travis CI config 2017-08-05 23:39:32 +02:00
Thomas Patzke f58c1b768b Django security errors 2017-08-05 00:56:05 +02:00
Thomas Patzke 4578756cfd Merge remote-tracking branch 'origin/master' 2017-08-05 00:35:24 +02:00
Thomas Patzke 03985288f6 Removed 'last' from timeframe 2017-08-05 00:32:24 +02:00
Thomas Patzke f5b07dc9af Added semantic parsing of near expressions 2017-08-05 00:28:22 +02:00
Florian Roth edb52e098a Extended hh.exe in Office Shell detection
https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
2017-08-04 09:18:55 +02:00
Thomas Patzke a5a2f21378 Merge branch 'travis-test' into travis-test-working 2017-08-03 00:15:17 +02:00
Thomas Patzke d17604d007 Merge branch 'master' into travis-test 2017-08-03 00:11:08 +02:00
Thomas Patzke 36212fd5c2 Merge branch 'devel-sigmac' 2017-08-03 00:10:37 +02:00
Thomas Patzke 5706361464 Parsing of "near ... within" aggregation operator
* Operator is only parsed. No processing or passing of parsed data to
  backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
2017-08-03 00:05:48 +02:00
Thomas Patzke 7706067540 Merge branch 'master' into travis-test 2017-08-02 23:32:40 +02:00
Thomas Patzke 27e5d0c2b4 Fixed further parse error 2017-08-02 23:32:00 +02:00
Thomas Patzke 0217cd5b1d Merge branch 'master' into travis-test-working 2017-08-02 23:03:03 +02:00
Thomas Patzke 167b1f0191 Merge branch 'master' into travis-test 2017-08-02 22:53:52 +02:00
Thomas Patzke f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke 004d3933dc Changed Travis CI config to use sigmac with different error behavior 2017-08-02 00:59:50 +02:00
Thomas Patzke 52525236a5 sigmac: added parameter to control error behavior
* --defer-abort
* --ignore-not-implemented
2017-08-02 00:56:22 +02:00