signalblur
73f56c2f0e
Hidden Linux Binary Execution (#3108)
...
Co-authored-by: Florian Roth <venom14@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2022-12-31 08:27:32 +01:00
Nasreddine Bencherchali
85aa0220d0
Merge pull request #3819 from blueteam0ps/master
...
lnx_auditd_debugfs_usage.yml
2022-12-27 16:57:22 +01:00
Nasreddine Bencherchali
0d2ddb4a9b
fix: small selection fix for clarity
2022-12-27 16:23:09 +01:00
Nasreddine Bencherchali
256d6a839e
fix: update condition
...
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2022-12-27 16:13:56 +01:00
Nasreddine Bencherchali
281dc11fc5
fix: remove correlation
2022-12-27 15:31:51 +01:00
frack113
7060db3d47
Promotion rules (#3821)
...
* Promotion rules
* fix missing null
* fix: modified date
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
BlueTeamOps
1d8256fa69
Update lnx_auditd_debugfs_usage.yml
2022-12-25 09:47:19 +11:00
BlueTeamOps
81d8d1a5a7
replaced timeframe with timespan
2022-12-25 08:10:03 +11:00
BlueTeamOps
976d994cee
Updated to include additional tools
...
Expanded the list of Linux tools that may be used to obtain volume meta info and also included auditd.
Removed specific switches for tools, as those tools and debugfs executing within that time period will be rare.
2022-12-25 07:57:18 +11:00
BlueTeamOps
de84fbcd62
lnx_auditd_debugfs_usage.yml
2022-12-24 23:41:20 +11:00
Nasreddine Bencherchali
57e51cca2a
fix: typo in near operator
2022-12-22 16:08:21 +01:00
Nasreddine Bencherchali
120196b2fc
fix: resolve #2613
2022-12-21 10:33:31 +01:00
Nasreddine Bencherchali
c36acb333f
fix: typo in comment
2022-12-20 22:28:49 +01:00
Nasreddine Bencherchali
e72bc1dcaf
fix: add reference
2022-12-20 22:14:46 +01:00
Nasreddine Bencherchali
592e0062a1
fix: update condition and add new ref
2022-12-20 22:14:14 +01:00
zakibro
1a117d38e7
Update rules/linux/auditd/lnx_auditd_create_account.yml
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-20 19:30:26 +01:00
zakibro
59e4dc3e1c
Modifying Creation Of A User Account
...
Added an additional test for the record type ADD_USER, which should be generated whether you have created an auditd rule or not.
2022-12-20 15:51:40 +01:00
frack113
646351808e
Refactor (#3794)
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-18 21:00:14 +01:00
jstnk9
647f6dc2ef
Update title (#3734)
2022-11-29 07:36:45 +01:00
frack113
c820216541
Update Title (#3733)
2022-11-28 06:43:17 +01:00
frack113
cd4121d966
Update Title (#3731)
...
Co-authored-by: Florian Roth <venom14@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-11-27 19:19:27 +01:00
Nasreddine Bencherchali
ae149345b5
fix: fix #1972
2022-11-17 00:53:00 +01:00
frack113
11cb03181e
Order yaml field
2022-10-25 08:53:44 +02:00
frack113
cf7a348028
Fix related
2022-10-09 17:28:05 +02:00
frack113
931fb30853
old experimental rule promotion
2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali
88f10a5d39
Fix issues
2022-10-05 17:19:48 +02:00
nasreddine.bencherchali@nextron-systems.com
4fc62dee7c
Linux rules update
2022-09-16 09:22:57 +02:00
Wagga
4573ab0a21
Fix a lot of typos in rules text and comments #Part 3 (#3446)
2022-08-30 08:21:25 +02:00
frack113
823cf26633
Merge pull request #3356 from Zandmann/patch-3
...
Create BPF_Door_port_redirect.yml
2022-08-13 10:34:38 +02:00
Zandmann
1339317b16
Update lnx_auditd_bpfdoor_port_redirect.yml
2022-08-12 21:41:35 +02:00
Zandmann
5bc4b2de27
Update lnx_auditd_bpfdoor_file_accessed.yml
2022-08-12 21:39:11 +02:00
Zandmann
1d6199494d
Update lnx_auditd_bpfdoor_port_redirect.yml
2022-08-11 19:51:48 +02:00
Zandmann
a3dcc61eac
Rename lnx_auditd_BPF_Door_port_redirect.yml to lnx_auditd_bpfdoor_port_redirect.yml
2022-08-11 19:34:43 +02:00
Zandmann
28ee157216
Rename lnx_auditd_BPFDoor_file_accessed.yml to lnx_auditd_bpfdoor_file_accessed.yml
2022-08-11 19:32:17 +02:00
Zandmann
35d69a5a4b
Update and rename BPF_Door_port_redirect.yml to lnx_auditd_BPF_Door_port_redirect.yml
2022-08-11 19:04:17 +02:00
Zandmann
f001d35c8b
Update and rename BPFDoor_abnormal_process_id_or_lock_file_accessed.yml to lnx_auditd_BPFDoor_file_accessed.yml
2022-08-11 18:59:58 +02:00
Zandmann
327a2b7e7b
Create BPF_Door_port_redirect.yml
...
BPFDoor ports redirect for evasion
2022-08-10 19:14:14 +02:00
Zandmann
a1b9065a19
Create BPFDoor_abnormal_process_id_or_lock_file_accessed.yml
...
detection for BPFDoor IoC files run from temporary file storage
2022-08-10 19:12:35 +02:00
Nasreddine Bencherchali
d03f6df250
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
securepeacock
ecdd32c462
Update lnx_auditd_hidden_files_directories.yml
...
Fixing typo.
2022-06-29 13:24:24 -04:00
Florian Roth
f728893364
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
Nasreddine Bencherchali
5bf7b49671
Renamed More Rules
2022-06-14 19:28:27 +01:00
frack113
8de0027ca3
refactor condition
2022-06-03 15:35:24 +02:00
zakibro
7a33aac1ed
Update lnx_auditd_keylogging_with_pam_d.yml
...
adding missing uuid
2022-05-24 17:15:54 +02:00
zakibro
89d88288d6
New detection - Linux Keylogging
2022-05-24 17:05:38 +02:00
phantinuss
112b715dd6
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
phantinuss
b991a5be52
chore: test rules: warn on errors or invalid FP reasons
...
also adapted the existing rules to pass the tests
2022-05-09 16:07:55 +02:00
phantinuss
043747822f
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
phantinuss
6ae28b7a1c
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
phantinuss
8d3f8acb60
fix: none --> Unknown
2022-03-16 14:19:21 +01:00