Commit Graph

3661 Commits

Author SHA1 Message Date
Florian Roth 58b68758b4 fix: wrong MITRE ATT&CK ids used in the beta version 2020-07-14 17:53:32 +02:00
Florian Roth cf25b9c509 feat: filename test 2020-07-14 12:33:16 +02:00
Florian Roth 495376df77 refactor: references test without warnings for missing refs 2020-07-14 12:33:02 +02:00
Florian Roth bae979f5c7 refactor: ignore sub techniques as long as we do not have a complete list 2020-07-14 11:56:28 +02:00
Florian Roth 781667ef22 fix: zeek rule references isn't a list 2020-07-14 00:33:47 +02:00
Florian Roth b3e15eea68 fix: nested check 2020-07-13 18:49:00 +02:00
Florian Roth 91c0bea570 fix: typo and reordered 2020-07-13 18:22:47 +02:00
Florian Roth 758f5039b5 fix: no error on rules without references 2020-07-13 18:16:32 +02:00
Florian Roth 8d91659c2a fix: typo in field value 2020-07-13 18:08:00 +02:00
Florian Roth 4c610ec693 feat: test references is list 2020-07-13 18:07:19 +02:00
Florian Roth f12cb7309b fix: references is not a list 2020-07-13 17:37:03 +02:00
Florian Roth 437a567e4f Merge pull request #917 from Neo23x0/rule-devel
New Empire Rules and Updates
2020-07-13 16:37:59 +02:00
Florian Roth 1c63a93643 fix: wrong casing in tag 2020-07-13 16:20:51 +02:00
Florian Roth 87ce5e5745 fix: missing MITRE ATT&CK IDs in test 2020-07-13 16:02:22 +02:00
Florian Roth 1b75a3a96b Merge pull request #916 from viniciusvec/patch-2
Update lnx_shell_clear_cmd_history.yml
2020-07-13 15:54:11 +02:00
Florian Roth 557e8b0faf rule: improved Empire detection 2020-07-13 15:47:53 +02:00
viniciusvec 26f0d49772 Update lnx_shell_clear_cmd_history.yml
Renamed tags to match production MITRE: https://attack.mitre.org/techniques/T1070/003/
2020-07-13 14:06:14 +01:00
Florian Roth 7e8aa7b12b Merge pull request #915 from Neo23x0/rule-devel
rule: regsvr32 flags anomaly
2020-07-13 12:16:05 +02:00
Florian Roth 7a63fd56da rule: regsvr32 flags anomaly 2020-07-13 11:59:44 +02:00
Florian Roth 1a87492bd4 Merge pull request #912 from Neo23x0/rule-devel
rule: improved Citrix rule
2020-07-10 19:46:09 +02:00
Florian Roth 129925ce0b rule: improved Citrix rule 2020-07-10 18:15:35 +02:00
Florian Roth 17dedddbdd Merge pull request #911 from Neo23x0/rule-devel
rule: Citrix Netscaler Attack CVE-2020-8193 CVE-2020-8195
2020-07-10 18:09:19 +02:00
Florian Roth 383953c74e rule: better rule name and descriptions, plus MITRE ATT&CK tags 2020-07-10 17:55:13 +02:00
Florian Roth 0d89208242 rule: updated Citrix rule 2020-07-10 17:49:18 +02:00
Florian Roth eda08e3a89 rule: Citrix Netscaler Attack CVE-2020-8193 CVE-2020-8195 2020-07-10 17:45:11 +02:00
Florian Roth 3ab5eb97d8 Merge pull request #901 from brachera/master
rule: Leviathan registry key
2020-07-10 16:42:02 +02:00
Florian Roth 49aa0b4621 Merge pull request #909 from EccoTheFlintstone/fp2
add WMI module load false positive
2020-07-10 15:45:53 +02:00
Florian Roth 5de82628fa Update sysmon_apt_leviathan.yml 2020-07-10 15:41:55 +02:00
Florian Roth 168952840b Merge pull request #910 from Neo23x0/rule-devel
Rule devel
2020-07-10 14:17:22 +02:00
Florian Roth 268a28daed rule: Evilnum Golden Chicken rule OCX 2020-07-10 13:02:52 +02:00
ecco e30eaa0202 be more specific about file location 2020-07-09 13:33:59 -04:00
ecco 94e3bd9e6b add WMI module load false positive 2020-07-09 13:32:21 -04:00
Florian Roth 6ad2f07193 Merge pull request #907 from EccoTheFlintstone/fix_fp
add WMI and powershell false positives
2020-07-09 17:42:53 +02:00
ecco 905f1b3823 add WMI and powershell false positives 2020-07-09 10:26:54 -04:00
Florian Roth 7949729fa4 rule: PowerShell encoded character syntax 2020-07-09 08:52:32 +02:00
Florian Roth 5200f1f85d Merge pull request #905 from barvhaim/stix-mapping
Incorrect mapping fixes [stix backend]
2020-07-08 19:22:23 +02:00
bar ca7cf8478d - IntegrityLevel mapping to integritylevel 2020-07-08 19:37:24 +03:00
Florian Roth 14210aba16 Merge pull request #906 from GelosSnake/patch-1
adding google chrome to FP list
2020-07-08 16:57:29 +02:00
bar 8855a87dbf - TargetProcessAddress mapping should be as startaddress mapping
- remove extra '-'
2020-07-08 17:35:57 +03:00
Florian Roth e3734aaa27 fix: missing upper tick 2020-07-08 15:53:04 +02:00
GelosSnake efae210556 adding google chrome to FP list
legitimate errors generated by Google Chrome are reported often.

Official Google standpoint on this:
https://support.google.com/chrome/a/thread/15440066?hl=en
2020-07-08 16:44:41 +03:00
bar 8889ae21ca DestinationPort to network-traffic:dst_port mapping fix 2020-07-08 14:31:04 +03:00
bar 50ef79b398 Custom STIX object "x-sigma" for fields that are missing a mapping, so the pattern is STIX valid 2020-07-08 14:09:26 +03:00
Thomas Patzke 8cec884d96 Merge branch 'pr-709' 2020-07-08 08:00:03 +02:00
Thomas Patzke bd9410fe06 Added CI test 2020-07-07 23:46:49 +02:00
Thomas Patzke 205b584e80 Merge branch 'pr-829' 2020-07-07 23:42:57 +02:00
Thomas Patzke 3e17cc1900 Merge pull request #894 from caliskanfurkan/master
ditsnap, a credential access tool used in ransomware attacks
2020-07-07 23:21:36 +02:00
Thomas Patzke 28013a15e1 Improved rule 2020-07-07 23:18:07 +02:00
Thomas Patzke 90f09f7b12 Merge branch 'devel' of https://github.com/diskurse/sigma into pr-829 2020-07-07 23:15:39 +02:00
Thomas Patzke 3c760fabc1 Merge pull request #745 from Rettila/master
Added new rules
2020-07-07 23:14:19 +02:00