Wagga
273fdb9985
fix: typos in multiple rules (#4011)
2023-02-06 13:53:23 +01:00
Nasreddine Bencherchali
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
frack113
66700a69e2
Merge pull request #3994 from ionsor/patch-8
Update proc_creation_lnx_hack_tools.yml
2023-01-31 17:45:11 +01:00
Nasreddine Bencherchali
2684f0f63c
fix: remove unnecessary entry
2023-01-31 17:21:42 +01:00
Nasreddine Bencherchali
412efdad03
fix: update selection
2023-01-31 17:15:49 +01:00
Nasreddine Bencherchali
164ee358c3
fix: update modified date
2023-01-31 17:12:20 +01:00
Nasreddine Bencherchali
6a337151d1
feat: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-01-31 17:11:18 +01:00
Feathers
8f6242c35f
Update proc_creation_lnx_hack_tools.yml
added to the list of hacking tools, Linpeas, a privilege escalation script
2023-01-31 17:01:17 +01:00
Nasreddine Bencherchali
33952874f1
fix: update selection
2023-01-31 14:14:50 +01:00
Nasreddine Bencherchali
e158d6c1eb
feat: add shadow file
2023-01-31 12:25:33 +01:00
Nasreddine Bencherchali
6a65920dd6
feat: new rules from blackberry
2023-01-31 00:38:06 +01:00
frack113
1033b3f404
change status to test
2023-01-27 06:48:34 +01:00
frack113
cb67871bd2
Revert "Change status of old rules"
2023-01-26 19:37:18 +01:00
frack113
5323fd4baa
Change status of old rules
2023-01-25 18:41:18 +01:00
frack113
f7b159350d
Merge pull request #3954 from nasbench/nasbench-rule-devel
feat: updates and enhancements
2023-01-25 13:21:44 +01:00
Nasreddine Bencherchali
f42eb77f29
fix: rule logic
2023-01-25 12:03:11 +01:00
Nasreddine Bencherchali
d47215d469
fix: single element selection
2023-01-25 01:35:47 +01:00
Nasreddine Bencherchali
7d2b70cb91
feat: add bpf related rules
2023-01-25 01:14:49 +01:00
Nick Moore
0312c481d9
Change rules using all of required-lists to |all
When a Sigma rule writer wants to create a list of values where all of
them must be matched for the rule to trigger, the approach used
previously was to have an `all of` condition for a single selector.
However, this has now changed, and the new approach is to use an empty
key and the |all modifier (i.e., `'|all'`).
This commit (tries to) identify all the rules that used the old
approach and modifies them to use the new approach instead.
See SigmaHQ/sigma-specification#53 for further discussion.
2023-01-23 14:37:25 +00:00
Nasreddine Bencherchali
1c0bf6e262
feat: update windows firewall rules
2023-01-17 19:01:37 +01:00
Nasreddine Bencherchali
85fb255bc9
feat: new rules and updates
2023-01-17 01:00:44 +01:00
frack113
e886902374
Update proc_creation_lnx_system_network_connections_discovery.yml
2023-01-13 10:12:10 +01:00
Veramine
d91a1d0903
filter some legitimate activity
Filter landscape-sysinfo tool calling who
2023-01-13 00:47:40 -08:00
Nasreddine Bencherchali
15757c2b7d
fix: remove tactic links
2023-01-10 19:20:31 +01:00
frack113
4023bf2c83
Remove mitre url
2023-01-10 18:09:04 +01:00
frack113
d6059d801b
Filename normalisation
2023-01-07 08:52:11 +01:00
Nasreddine Bencherchali
ea4b844c8e
fix: broken selections
2023-01-06 17:28:29 +01:00
Nasreddine Bencherchali
7e73028c5e
feat: updates and enhancements
2023-01-06 16:35:34 +01:00
frack113
39d4b577a1
Merge pull request #3872 from frack113/linux_order
order linux file
2023-01-05 10:18:53 +01:00
frack113
379fa4f3df
Update modified
2023-01-05 09:11:49 +01:00
xFFninja
a499c7076d
fix Image field
On Linux git has no .exe extension
2023-01-05 09:47:11 +02:00
frack113
01e7adeb30
order linux file
2023-01-05 08:14:19 +01:00
Nasreddine Bencherchali
d8b8cf04bd
fix: wrong fp
2023-01-04 18:38:04 +01:00
Nasreddine Bencherchali
2b04519923
fix: unique item list
2023-01-04 18:26:59 +01:00
Nasreddine Bencherchali
711ba956e3
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
frack113
b6426ab3f9
Fix file name
2022-12-31 18:23:37 +01:00
frack113
c2ce5d01fc
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
frack113
ddb5cd0ead
Add sysmon linux v1.0.2
2022-12-31 18:04:21 +01:00
signalblur
73f56c2f0e
Hidden Linux Binary Execution (#3108)
Co-authored-by: Florian Roth <venom14@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2022-12-31 08:27:32 +01:00
Nasreddine Bencherchali
425c29cf1c
feat: add new linux rules
2022-12-29 11:17:42 +01:00
Nasreddine Bencherchali
85aa0220d0
Merge pull request #3819 from blueteam0ps/master
lnx_auditd_debugfs_usage.yml
2022-12-27 16:57:22 +01:00
Nasreddine Bencherchali
0d2ddb4a9b
fix: small selection fix for clarity
2022-12-27 16:23:09 +01:00
Nasreddine Bencherchali
256d6a839e
fix: update condition
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2022-12-27 16:13:56 +01:00
Nasreddine Bencherchali
281dc11fc5
fix: remove correlation
2022-12-27 15:31:51 +01:00
frack113
7060db3d47
Promotion rules (#3821)
* Promotion rules
* fix missing null
* fix: modified date
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
tuan
2d759cad94
Add rule delete group or user (#3822)
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 11:21:14 +01:00
BlueTeamOps
1d8256fa69
Update lnx_auditd_debugfs_usage.yml
2022-12-25 09:47:19 +11:00
BlueTeamOps
81d8d1a5a7
replaced timeframe with timespan
2022-12-25 08:10:03 +11:00
BlueTeamOps
976d994cee
Updated to include additional tools
Expanded the list of Linux tools that may be used to obtain volume meta info and also included the auditd.
Removed specific switches for tools as those tools and debugfs exec within that time period will be rare.
2022-12-25 07:57:18 +11:00
BlueTeamOps
de84fbcd62
lnx_auditd_debugfs_usage.yml
2022-12-24 23:41:20 +11:00