security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

2542 Commits

Author SHA1 Message Date
Florian Roth 94bb7dd77f fix: issues 2020-02-13 09:17:21 +01:00
james dickenson 21e4aa33dc rule modification: fixed filter condition on zeek suspicious rc4 traffic 2020-02-12 21:27:36 -08:00
james dickenson 93367d725d rule: zeek suspicious kerberos RC4 traffic 2020-02-12 21:21:46 -08:00
faloker 6d9c8e44d7 Update rules titles 2020-02-12 23:09:16 +02:00
faloker 1b15dba712 Correct the indentation 2020-02-12 22:48:46 +02:00
faloker f387cf0c37 Add the rule to detect changes to startup scripts 2020-02-12 22:23:18 +02:00
faloker 01d2f9f99d Add the rule to detect backdooring of users keys 2020-02-12 22:22:38 +02:00
faloker b26c5d8c51 Add rules to detect AWS RDS exfiltration 2020-02-12 22:21:52 +02:00
faloker ddf5f8ec23 Update conditions 2020-02-12 22:20:15 +02:00
faloker aacab37f84 Add a rule for guardduty trusted IPs manipulation 2020-02-11 23:28:23 +02:00
faloker b6c834195e Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00
Florian Roth a4c210ed16 rule: remove keywords in powershell rule prone to FPs 2020-02-11 16:26:17 +01:00
Florian Roth bf98d286f9 Merge pull request #615 from Neo23x0/devel 
fix: dumpert rule with wrong sysmon event id
 2020-02-08 20:03:28 +01:00
Florian Roth d9645af840 rule: added Emotet UA 
https://twitter.com/webbthewombat/status/1225827092132179968
 2020-02-08 10:37:56 +01:00
Florian Roth 080532d20c logsource change 
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
 2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC) f70f847524 additional gallium ttp 
sha1 process creation only makes sense for sysmon
 2020-02-07 14:08:40 +00:00
Florian Roth be9b80d6ab fix: dumpert rule with wrong sysmon event id 2020-02-07 13:14:18 +01:00
Thomas Patzke 7fdd6f7bce Swapped accidental deletion of older rule duplicate 2020-02-06 23:41:05 +01:00
Florian Roth 1a80b180fd Merge pull request #613 from Neo23x0/devel 
rule: dumpert process dump tool
 2020-02-04 23:07:07 +01:00
Florian Roth 10490a6cee rule: reworked dumpert rule 2020-02-04 22:56:04 +01:00
Florian Roth 1f44969afd rule: avoiding build issues with sysmon event id 1 2020-02-04 22:50:46 +01:00
Florian Roth 535e2d149b rule: improved dumpert rule 2020-02-04 22:46:16 +01:00
Florian Roth 8f8b977c85 rule: dumpert process dump tool 2020-02-04 22:38:06 +01:00
Thomas Patzke d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke f7394d09e0 Deduplication 2020-02-03 22:41:55 +01:00
Kevin Dienst 98471bc53c Update proxy_raw_paste_service_access.yml 
Add another paste provider website, ghostbin.co to the list. Note that saved pastes generate pseudo random 5 character strings before being suffixed with `/raw` at the end of the URL. e.g. `https://ghostbin.co/paste/y4e9a/raw`

Thus, I've added a regex match between /paste and /raw. I'm unsure if this is supported, I skimmed the Sigma specification wiki but didn't see anything other than that contains adds '*' to end and beginning of each selection. If this regex isn't going to work then I'd imagine we just have to remove the `.+/raw/` from the URI.
 2020-02-03 07:29:42 -06:00
Thomas Patzke 815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
Thomas Patzke f59b36d891 Fixed rule 2020-02-02 12:54:56 +01:00
Thomas Patzke ba83b8862a Moved rules with enrichments into unsupported 2020-02-02 12:46:03 +01:00
Thomas Patzke 593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00
Neis Markus 0d7f55948c additional execution observed 2020-02-02 08:07:00 +01:00
Florian Roth aa8a0f5e1f Merge pull request #606 from Neo23x0/devel 
refactor: moved rues from 'apt' folder in respective folders
 2020-02-01 18:25:19 +01:00
Florian Roth 03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth 6ea861da53 Merge pull request #605 from Neo23x0/devel 
Winnti rule and helpful message in test script
 2020-02-01 15:51:16 +01:00
Florian Roth a752e6c95f rule: winnti group campaign against HK universities 2020-02-01 15:43:30 +01:00
Florian Roth 7a222920df added 'date' 2020-01-31 15:27:30 +01:00
Florian Roth 913c839780 added 'id' 2020-01-31 15:26:43 +01:00
Florian Roth 848e0c90e4 Merge branch 'master' into master 2020-01-31 14:45:29 +01:00
Florian Roth 1213712978 Merge branch 'master' into patch-1 2020-01-31 14:32:27 +01:00
Florian Roth afecca3c13 Merge pull request #511 from 4A616D6573/patch-3 
Created win_susp_local_anon_logon_created.yml
 2020-01-31 14:30:54 +01:00
Florian Roth 8c4aadb423 Merge branch 'master' into Renamed_Files 2020-01-31 08:49:10 +01:00
Florian Roth 190afcac88 Missing ID, wrong tag 2020-01-31 07:32:28 +01:00
Florian Roth e3d61d5579 Missing ID 2020-01-31 07:31:56 +01:00
Florian Roth 033ab26d5e Added date 2020-01-31 07:21:02 +01:00
Florian Roth 82cae6d63c Merge pull request #604 from Neo23x0/devel 
New tests, colorized test output and rule cleanup
 2020-01-31 07:07:13 +01:00
Florian Roth ae2c186872 rule: wsreset.exe UAC bypass 2020-01-30 18:05:47 +01:00
Florian Roth d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth efd3af0812 fix: fixed missing date fields in other files 2020-01-30 15:32:39 +01:00
Florian Roth 617ece1aa2 fix: fixed missing date fields in proxy rules 2020-01-30 15:20:52 +01:00