github-actions[bot]
04df2e483a
Merge PR #5051 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-11-01 10:49:49 +01:00
github-actions[bot]
8ebc58cf42
Merge PR #5028 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-10-01 14:55:39 +02:00
github-actions[bot]
23c4c0b90c
Merge PR #5009 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-09-18 23:55:08 +02:00
github-actions[bot]
9eb4dea0a6
Merge PR #4992 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-09-02 10:01:12 +02:00
github-actions[bot]
8bf0ef1253
Merge PR #4970 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-08-15 11:13:47 +02:00
Nasreddine Bencherchali
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
peterydzynski
ace902b68f
Merge PR #4957 from @peterydzynski - Update regex for Powershell Token Obfuscation rules
update: Powershell Token Obfuscation - Process Creation - Optimized used regex
update: Powershell Token Obfuscation - Powershell - Optimized used regex
chore: Fixed SigmaHQ conventions broken links
2024-08-10 13:26:42 +02:00
frack113
51d0119a58
Merge PR #4959 from @frack113 - Freeze pySigma to 0.11.9 before migration to v2
chore: freeze pySigma before migrating all rules to v2
2024-08-10 11:26:33 +02:00
github-actions[bot]
b8e67f13d5
Merge PR #4943 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-08-01 10:26:40 +02:00
Josh
6dd993aa24
Merge PR #4918 from @joshnck - Update goodlog-tests.yml
chore: Update `goodlog-tests.yml` - Explicitly add the execute permission to the `.github/workflows/matchgrep.sh` via `chmod +x`
---------
thanks: @joshnck
2024-07-19 11:19:33 +02:00
github-actions[bot]
73f0078e92
Merge PR #4915 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-07-15 13:31:18 +02:00
Nasreddine Bencherchali
c2915a678b
Merge PR #4912 from @nasbench - update pySigma-validators-sigmahq to version 0.7.0 and sigma_cli_conf.yml
chore: update `pySigma-validators-sigmahq` to version 0.7.0 and `sigma_cli_conf.yml`
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2024-07-11 11:24:01 +02:00
github-actions[bot]
7682688ca9
Merge PR #4892 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-07-01 10:51:28 +02:00
github-actions[bot]
5a05ffc541
Merge PR #4879 from @nasbench - archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-06-20 11:44:19 +02:00
github-actions[bot]
3be29eb79e
Merge PR #4868 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-06-03 10:28:40 +02:00
github-actions[bot]
e9cb6fc400
Merge PR #4855 from @nasbench - Update rule ref archive cache
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-05-27 12:53:54 +02:00
frack113
7d6f32d1be
Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard
chore: Cleanup conditions
update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 12:10:33 +02:00
frack113
2cfa9a2d1f
Merge PR #4847 from @frack113 - Update test Workflow to use pySigma-validators-sigmahq
chore: update workflow to use "pySigma-validators-sigmahq"
2024-05-10 10:32:54 +02:00
github-actions[bot]
45b93fcfab
Merge PR #4842 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
2024-05-02 10:33:45 +02:00
github-actions[bot]
9104b4d22b
Merge PR #4816 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
2024-04-15 10:25:48 +02:00
github-actions[bot]
720397d731
Merge PR #4792 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-04-01 15:13:17 +02:00
Mostafa Moradian
49adcf9a00
Merge PR #4775 from @mostafa - change action name to sigma-rules-validator
chore: change action name to sigma-rules-validator
Thanks: @mostafa
2024-03-18 16:44:59 +01:00
frack113
b24da5c685
Merge PR #4771 from @frack113 - Fix false positive found in testing
update: Uncommon Outbound Kerberos Connection - Security - Update filter to include device type paths and reduce the level to "medium"
update: Uncommon Outbound Kerberos Connection - Update filters to include tomcat and reduce the level to "medium"
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-03-18 12:00:59 +01:00
Mostafa Moradian
d52189daa3
Merge PR #4772 from @mostafa - update sigma validation CI workflow to fix errors
chore: update sigma validation CI workflow to fix errors.
2024-03-15 18:21:15 +01:00
Mostafa Moradian
416de03cdc
Merge PR #4769 from @mostafa - Update sigma validation workflow
chore: Add comment to the code
chore: Ignore inaccessible file
chore: Switch to using the action for validating Sigma rules
Thanks: @mostafa
2024-03-15 11:03:15 +01:00
github-actions[bot]
250e7d7fa8
Merge PR #4770 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
2024-03-15 11:02:08 +01:00
frack113
583f08ecac
Merge PR #4768 from @frack113 - Update workflows action version
chore: update workflows action version
2024-03-14 11:29:54 +01:00
Mostafa Moradian
5d39223dd5
Merge PR #4724 from @mostafa - Update validation script and CI
chore: update sigma validation script and CI
Thanks: @mostafa
2024-03-12 12:49:55 +01:00
github-actions[bot]
24a70692f3
Merge PR #4747 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
2024-03-01 15:38:04 +01:00
github-actions[bot]
0993b7852c
Merge PR #4722 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
2024-02-15 11:05:58 +01:00
github-actions[bot]
889efd1663
Merge PR #4701 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
2024-02-01 12:12:53 +01:00
Nasreddine Bencherchali
be359ef3f2
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
fix: Metasploit SMB Authentication - Remove unnecessary field
fix: Service Installation in Suspicious Folder - Update FP filter
update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
remove: SAM Dump to AppData
update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
update: New or Renamed User Account with '$' Character - Reduced level to "medium"
update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData", as these are very common and will generate a high FP rate. Instead switched the paths to a more robust list and extended the list of extensions covered. Also reduced the level to "medium"
update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
update: Prefetch File Deleted - Update selection to remove 'C:' prefix
update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
update: Shell Process Spawned by Java.EXE - Add "bash.exe"
update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as it doesn't fit the logic
update: Sysmon Application Crashed - Add 32bit version of sysmon binary
update: Tap Driver Installation - Security - Reduce level to "low"
update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-01-29 13:37:20 +01:00
frack113
a158d8973f
Merge PR #4656 from @frack113 - Upgrade rule promotion script to use pySigma
chore: workflow - update promote_rules_status to pySigma
2024-01-26 12:55:24 +01:00
github-actions[bot]
16adc03973
Merge PR #4671 from @nasbench - Archive new rule references and update the cache file
chore: archive new rule references and update the cache file
2024-01-15 14:49:42 +01:00
github-actions[bot]
aaebc73537
chore: archive new rule references and update cache file (#4652)
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-01-01 09:01:23 +01:00
github-actions[bot]
426ff8c412
Merge PR #4629 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
2023-12-15 12:00:29 +01:00
Nasreddine Bencherchali
64c79b90ec
Merge PR #4610 from @nasbench - Update Workflow
chore: use different branch names in workflows that use the "create-pr" action to avoid override
2023-12-01 12:10:41 +01:00
github-actions[bot]
af37ad5c4b
Merge PR #4608 from @nasbench - Update Archiver Reference List
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-12-01 12:06:18 +01:00
Nasreddine Bencherchali
6e4644c2b6
Merge PR #4605 from @nasbench - Revert Greetings Workflow
chore: revert greetings workflow and update to 1.3.0
2023-11-30 01:39:10 +01:00
Nasreddine Bencherchali
7b2406e607
Merge PR #4595 from @nasbench - Disable Greetings Workflow
chore: temporarily disable greetings workflow
2023-11-27 00:50:05 +01:00
phantinuss
2c24b24cf1
Merge PR #4585 from @phantinuss - Update evtx-baseline to v0.8 and fix FP found in baseline
chore: update evtx-baseline to v0.8
chore: add file paths that impact the test
chore: split goodlog and QA tests into two separate workflows
fix: File or Folder Permissions Modifications - FPs with partial paths
2023-11-21 15:16:18 +01:00
phantinuss
01730d0e0e
Merge PR #4582 from @phantinuss - cleanup duplicate release entries and enhance manual thanking output
2023-11-20 15:16:55 +01:00
phantinuss
130227bc05
Merge PR #4581 from @phantinuss - Remove in changelog, additional attribution, workflow optimization, FP tuning
chore: run sigma rule repo tests only on specific paths
chore: add manual thanks and list removed rules in changelog
fix: Rundll32 Execution Without DLL File - remove command line restriction bc of numerous FPs
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-11-20 13:45:53 +01:00
frack113
d577872761
Merge PR #4551 from @frack113 - chore: move more tests to pySigma
chore: Add attacktag and tlptag to pySigma tests
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-11-15 16:40:33 +01:00
github-actions[bot]
0f5f989604
Merge PR #4573 from @nasbench - Update Archived References
chore: archive new rule references and update cache file
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-11-15 15:54:47 +01:00
Nasreddine Bencherchali
d7a0f0e523
Merge PR #4558 from @nasbench - Update greetings workflow
chore: update greetings workflow
2023-11-09 11:20:16 +01:00
phantinuss
2a64bc1f88
Merge PR #4546 from @phantinuss - Update Release Script and Workflow
chore: use less strict merge messages
chore: add version.txt to release packages
chore: generate release as draft to enable manual reviewing
2023-11-06 15:40:11 +01:00
Nasreddine Bencherchali
880081931f
Merge PR #4535 from @nasbench - Update Release Package Naming Convention
chore: remove date tag from the release filename
2023-11-06 13:12:02 +01:00
frack113
f6eca9a262
Merge PR #4541 from @frack113 - Update SIGMA tests
chore: remove duplicate tests that are already covered by pySigma validation
2023-11-06 13:06:55 +01:00
frack113
271f972468
Merge PR #4538 from @frack113 - Add Sigma CLI Configuration File
chore: add sigma-cli configuration file
fix: Suspicious Non-Browser Network Communication With Google API - Fix escaped wildcard issue and Update modifiers
fix: Uncommon PowerShell Hosts - Fix escaped wildcard issue
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - Update logsource
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-03 16:59:53 +01:00