security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

517 Commits

Author SHA1 Message Date
Florian Roth fe5b5a7782 Merge pull request #673 from j91321/rules-minor-fixes 
Minor fixes to several rules
 2020-03-28 13:27:05 +01:00
Iveco 3f577c98e7 Title capalized 2020-03-26 17:03:33 +01:00
Iveco 39a3af04ce Fixed title length 2020-03-26 16:56:06 +01:00
iveco ddacde9e6b add LDAPFragger detections 2020-03-26 15:13:36 +01:00
j91321 3c74d8b87d Add correct Source to detection to avoid FP 2020-03-24 19:49:24 +01:00
neu5ron 4b572f3ccb newline in description - typo 2020-03-14 14:58:58 -04:00
Florian Roth 07914c2783 Merge pull request #652 from 2XXE-SRA/patch-1 
MMC Lateral Movement Rule 1
 2020-03-07 11:02:16 +01:00
Florian Roth 2e184382f5 fix: eventid in process_creation rules 2020-03-07 10:43:47 +01:00
Florian Roth b040c129be fix: author field starting with an '@' symbol 2020-03-07 10:38:02 +01:00
2XXE (SRA) ae56db97ff mmc lateral movement detection 1 
see https://github.com/Neo23x0/sigma/issues/576
 2020-03-04 14:57:41 -05:00
Remco Hofman d4b5dd5749 Exclude Azure AD sync accounts from AD Replication rule 2020-03-02 16:43:20 +01:00
Florian Roth 19d383989c fix: keyword expression in rule 2020-02-29 16:03:31 +01:00
Florian Roth fa6458b70f rule: two rules to detect CVE-2020-0688 exploitation 2020-02-29 15:45:45 +01:00
Thomas Patzke 61d31c3f3a Fixed tagging 2020-02-20 23:51:12 +01:00
Thomas Patzke 373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
 2020-02-20 23:00:16 +01:00
yugoslavskiy 7f3f1944d9 fix redundancy 2020-02-18 01:10:56 +03:00
Thomas Patzke 01d6c3b58d Fixes 2020-02-16 23:24:00 +01:00
Thomas Patzke f118839664 Further fixes and deduplications 
From suggestions of @yugoslavskiy in issue #554.
 2020-02-16 14:03:07 +01:00
Thomas Patzke d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke 593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00
Florian Roth aa8a0f5e1f Merge pull request #606 from Neo23x0/devel 
refactor: moved rues from 'apt' folder in respective folders
 2020-02-01 18:25:19 +01:00
Florian Roth 03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth 1213712978 Merge branch 'master' into patch-1 2020-01-31 14:32:27 +01:00
Florian Roth afecca3c13 Merge pull request #511 from 4A616D6573/patch-3 
Created win_susp_local_anon_logon_created.yml
 2020-01-31 14:30:54 +01:00
Florian Roth 8c4aadb423 Merge branch 'master' into Renamed_Files 2020-01-31 08:49:10 +01:00
Florian Roth e3d61d5579 Missing ID 2020-01-31 07:31:56 +01:00
Florian Roth 82cae6d63c Merge pull request #604 from Neo23x0/devel 
New tests, colorized test output and rule cleanup
 2020-01-31 07:07:13 +01:00
Florian Roth d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth 30d872f98f Merge pull request #492 from booberry46/master 
Bypass Windows Defender
 2020-01-30 14:27:30 +01:00
Florian Roth 8cef4b2941 fix: missing id 2020-01-30 10:14:18 +01:00
Florian Roth bf81ff90a8 fix: using a specific field 2020-01-30 10:13:33 +01:00
Florian Roth 0207eeece4 fix: hyphen 2020-01-30 10:10:03 +01:00
Florian Roth 2f1890b5e8 Update win_rdp_reverse_tunnel.yml 2020-01-30 10:09:41 +01:00
Florian Roth 8ec0060938 fix: fixing bug 2020-01-30 10:09:22 +01:00
Florian Roth 6ca100cabf reverted changes 2020-01-30 10:08:25 +01:00
Florian Roth 9828d7f81d re-added old reference 2020-01-30 10:03:09 +01:00
Florian Roth 240b764660 rule: reduced level of system time mod rule 2020-01-27 14:30:09 +01:00
Florian Roth 4066ae6371 rule: added a reference 2020-01-24 15:31:06 +01:00
Florian Roth 11607a8621 rule: windows audit cve 2020-01-24 15:31:06 +01:00
sbousseaden a4e62fcb1b Update win_lm_namedpipe.yml 2020-01-24 15:31:06 +01:00
Thomas Patzke 9bb50f3d60 OSCD QA wave 2 
* Improved rules
* Added filtering
* Adjusted severity
 2020-01-17 15:46:28 +01:00
Thomas Patzke ae6fcefbcd Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00
Thomas Patzke 8d6a507ec4 OSCD QA wave 1 
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
 2020-01-11 00:11:27 +01:00
Thomas Patzke 9ca52259dd Fixed identifier 2019-12-20 00:11:34 +01:00
Thomas Patzke 924e1feb54 UUIDs + moved unsupported logic 
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
 2019-12-19 23:56:36 +01:00
Thomas Patzke 694d666539 Merge branch 'master' into oscd 2019-12-19 23:15:15 +01:00
Thomas Patzke 1369b3a2dc Merge pull request #537 from webhead404/webhead404-contrib-sigma 
Added sigma rule to detect external devices or USB drive
 2019-12-13 21:50:01 +01:00
Rob Rankin b771dd3d3b Rule name conflicts in Elastalert output 2019-12-09 16:14:28 +00:00
Yugoslavskiy Daniil 185a634bd9 update authors for 2 rules 2019-12-07 02:10:06 +01:00