Commit Graph

98 Commits

Author SHA1 Message Date
BlueTeamOps 05135ec828 Further improved several AWS rules (#3827)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-28 19:46:36 +01:00
frack113 7060db3d47 Promotion rules (#3821)
* Promotion rules

* fix missing null

* fix: modified date

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali a1b2e0ee81 Merge pull request #3781 from blueteam0ps/aws_det
Multiple AWS detection rules
2022-12-23 12:41:15 +01:00
frack113 32b7ef47df Add count condition 2022-12-23 12:32:05 +01:00
Nasreddine Bencherchali a3f897606f fix: enhance metadata information 2022-12-23 11:01:57 +01:00
BlueTeamOps 426dc04fd1 Added timeframe 2022-12-22 07:56:14 +11:00
BlueTeamOps 855ca77253 Added a timeframe 2022-12-22 07:49:26 +11:00
BlueTeamOps 3b4bf47d59 Added timeframe 2022-12-22 07:40:48 +11:00
frack113 646351808e Refactor (#3794)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-18 21:00:14 +01:00
Nasreddine Bencherchali 97c43eaa73 fix: duplicate id 2022-12-16 10:32:18 +01:00
frack113 066ab2680d Change to LF 2022-12-16 09:24:19 +01:00
BlueTeamOps 02fdcf037e fixed the eventNames to be inline 2022-12-16 18:56:15 +11:00
BlueTeamOps 5563195c77 fixed up eventName 2022-12-16 18:55:09 +11:00
BlueTeamOps f1c53264b2 Multiple AWS rules
Multiple AWS rules based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
2022-12-13 22:30:28 +11:00
BlueTeamOps 2958fc35e5 Delete aws_delete_identity.yml 2022-12-13 22:29:16 +11:00
BlueTeamOps 77accc82d7 Delete aws_ses_messaging_enabled.yml 2022-12-13 22:29:00 +11:00
BlueTeamOps d2f0f6ddec Delete aws_enum_storage.yml 2022-12-13 22:28:48 +11:00
BlueTeamOps 155aa8412e Delete aws_enum_network.yml 2022-12-13 22:28:36 +11:00
BlueTeamOps 4debb454a7 Delete aws_enum_logging.yml 2022-12-13 22:28:27 +11:00
BlueTeamOps 53cfd3b7a1 Multiple AWS use cases
Multiple AWS use cases based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
2022-12-13 22:23:50 +11:00
frack113 556dd8f400 Order yaml field 2022-10-25 07:34:10 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali 88f10a5d39 Fix issues 2022-10-05 17:19:48 +02:00
David ANDRE 0b0190ccb1 Added quotes to strings 2022-09-01 15:22:26 +02:00
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
Darin Smith d29eb1e48c Change to all selection elements rather than a filter and a selection 2022-06-08 09:13:48 -07:00
Darin Smith 04bcbcdb44 Minor change, filter param should not be a list 2022-06-08 06:58:19 -07:00
Darin Smith 61df0b9218 Update with suggested changes 2022-06-08 06:47:30 -07:00
Darin Smith 09e31d2045 update with command field 2022-06-07 10:45:05 -07:00
Darin Smith 8a59eb594e Add rule for ECS backdoors 2022-06-07 10:36:31 -07:00
Rachel Rice db58345bc6 Update selection_source for AWS ec2 startup script rule
The JSON payload for `ModifyInstanceAttribute` event currently looks like:
```
"requestParameters": {
  "attribute": "userData",
  ...
},
```

Updating the selection_source from `requestParameters.userData: "*"` to `requestParameters.attribute: "userData"` accordingly.

Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
2022-06-07 13:20:08 +01:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
frack113 c6caab9e1e Fix optional section name 2021-11-27 11:27:40 +01:00
frack113 b293372913 Add product aws 2021-11-14 09:56:59 +01:00
Stefan Grimminck 47502e6701 add MITRE technique mapping 2021-10-20 14:29:57 +02:00
Austin Songer 7ad0887704 Update passed_role_to_glue_development_endpoint.yml 2021-10-14 12:10:48 -05:00
Austin Songer 70b55f2c2d Update aws_lambda_function_created_or_invoked.yml 2021-10-14 12:10:29 -05:00
Austin Songer 40879252a8 Update aws_lambda_function_created_or_invoked.yml 2021-10-13 16:25:28 -05:00
Austin Songer f7dba3fbff Update passed_role_to_glue_development_endpoint.yml 2021-10-13 12:34:16 -05:00
Austin Songer 503a4bc72b Update and rename aws_pass_role_to_lambda_function.yml to aws_lambda_function_created_or_invoked.yml 2021-10-13 12:27:24 -05:00
Austin Songer e08f6333b8 Update aws_pass_role_to_lambda_function.yml 2021-10-13 06:59:13 -05:00
Austin Songer 010b0e2868 Update passed_role_to_glue_development_endpoint.yml 2021-10-13 06:58:57 -05:00
frack113 d081d20a13 Merge pull request #2119 from austinsonger/privilege_escalation_pass_role_to_lambda_function.yml
passed_role_to_glue_development_endpoint.yml and passed_role_to_lambda_function.yml
2021-10-10 11:01:36 +02:00
Austin Songer 1987897a76 Update aws_pass_role_to_lambda_function.yml 2021-10-09 15:26:38 -05:00
Austin Songer de52890a62 Update passed_role_to_glue_development_endpoint.yml 2021-10-09 15:24:49 -05:00
Rachel Rice d9e5da6c86 Use startswith for eventName selection
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
2021-10-05 17:52:52 +01:00