security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

4063 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke 1797a1e56b Merge pull request #733 from NVISO-BE/fix-732 
Fix for broken endswith modifier
 2020-05-06 22:17:08 +02:00
Remco Hofman 24029a8f27 Fix for broken endswith modifier 2020-05-06 17:10:54 +02:00
Rettila 6aed82a039 Update win_metasploit_authentication.yml 2020-05-06 17:04:47 +02:00
Rettila 2beb65076c Update win_metasploit_authentication.yml 2020-05-06 16:44:19 +02:00
Rettila 7371ce234b Create win_metasploit_authentication.yml 2020-05-06 16:42:27 +02:00
Rettila ddb02c6820 Merge pull request #1 from Neo23x0/master 2020-05-06 11:24:26 +02:00
Florian Roth 1ce527c9be Merge pull request #729 from Rettila/master 
Rule correction and enhancement
 2020-05-05 19:25:49 +02:00
Florian Roth 473c31232e add additional reference 2020-05-05 19:25:33 +02:00
Rettila 0e1fa5c135 Update win_possible_dc_shadow.yml 2020-05-05 18:14:32 +02:00
Rettila 55d018255c Update win_possible_dc_shadow.yml 2020-05-05 16:52:08 +02:00
Rettila 3302c63e0c Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml 2020-05-05 16:51:35 +02:00
Rettila f27aa4bfee Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00
Rettila db810b342f Delete win_possible_dc_shadow.yml 2020-05-05 16:48:39 +02:00
Rettila e3f21805f3 Update win_possible_dc_shadow.yml 2020-05-05 16:43:56 +02:00
Rettila 0f4cc9d365 Create win_possible_dc_shadow.yml 2020-05-05 16:40:52 +02:00
pdr9rc 31ad81874f capitalized titles 
corrected capitalization of titles and removed literals from config
 2020-05-05 11:32:18 +01:00
neu5ron a01a85cf9b CI/CD check fixes (missing ID's) 2020-05-04 15:22:18 -04:00
neu5ron 90730508f0 Merge remote-tracking branch 'neu5ron-sigma/socprime_add_zeek_and_corelight' into socprime_add_zeek_and_corelight 2020-05-04 15:17:54 -04:00
neu5ron a61b1da47a fixed yaml space causing condition to not be found 2020-05-04 15:17:43 -04:00
neu5ron 98f163e752 fixed yaml space causing condition to not be found 2020-05-04 15:10:48 -04:00
pdr9rc aa175a7d5b wip 
wip
 2020-05-04 18:02:27 +01:00
pdr9rc dd9e128a15 kibana target update 
kibana target now compatible with overrides
 2020-05-04 17:35:12 +01:00
pdr9rc b32093e734 Merge remote-tracking branch 'upstream/master' 
Keeping up with the sigmas.
 2020-05-04 17:26:51 +01:00
pdr9rc b3194e66c4 Update base.py 2020-05-04 16:37:36 +01:00
Florian Roth d298bb5714 Merge pull request #480 from hillu/override-coverage 
Make coverage binary overridable
 2020-05-02 18:50:58 +02:00
Wietze 2b3828730c Reversed disabling FileDelete 2020-05-02 17:31:50 +01:00
Wietze e5574e07f2 Disabled FileDelete event (Sysmon 11 - no rules available yet) 2020-05-02 16:21:56 +01:00
Wietze 5abf4cbea9 Reordered fields 2020-05-02 14:46:55 +01:00
Wietze 661108903b Minor consistency fix 2020-05-02 14:37:37 +01:00
Wietze 46737cbfd3 Improved Microsoft ATP mapping, using Advanced Hunting Schema 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference
 2020-05-02 14:31:02 +01:00
Florian Roth 030898ba9c Merge branch 'master' into override-coverage 2020-05-02 14:22:03 +02:00
Florian Roth c71e10a7f3 Merge pull request #717 from Karneades/renamedbinary 
Add netsh to renamed binary rule
 2020-05-02 14:12:34 +02:00
Florian Roth b4b9b0155f Merge pull request #716 from Karneades/patch-1 
Add rule to detect wifi creds harvesting using netsh
 2020-05-02 14:12:10 +02:00
Florian Roth 7f8baee10d Merge pull request #720 from 0xThiebaut/specification 
Update rules to follow the Sigma state specification
 2020-05-02 14:11:45 +02:00
neu5ron d300027848 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/) 
add rules for Zeek. This includes Windows Event Channel Security EventID:5145 that have same fields as Zeek SMB
Also, converted some of (MITRE ATT&CK BZAR)[https://github.com/mitre-attack/bzar] which are Zeek (sensor) scripts.
 2020-05-02 07:27:51 -04:00
neu5ron c66540c029 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/) 
create `zeek` folder to store Zeek rules
 2020-05-02 07:25:21 -04:00
neu5ron cbe5af01a1 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/) 
add a total of 5 sigmac's (sigma configs) for 3 different backends. full git message to follow in PR.
 2020-05-02 07:23:11 -04:00
Tiago Faria dd85467a27 Update aws_ec2_vm_export_failure.yml 2020-05-02 00:13:55 +01:00
Thomas Patzke 2fafff3278 Fixed: escaping of backslashes before added * 
Fixes issue #722.
 2020-05-02 00:13:15 +02:00
pdr9rc bc0a2c7ab9 wip 
wip
 2020-05-01 19:20:05 +01:00
pdr9rc 98391f985a wip 
wip
 2020-04-30 15:19:38 +01:00
pdr9rc adcc3766e3 Merge branch 'master' of https://github.com/3CORESec/sigma 2020-04-30 15:08:25 +01:00
pdr9rc 8142244449 wip 
wip
 2020-04-30 15:08:20 +01:00
Tiago Faria dfdb5b9550 better description and event.outcome 2020-04-29 23:59:26 +01:00
pdr9rc ac4a2b1f26 wip 
wip
 2020-04-29 22:55:46 +01:00
pdr9rc 9ce84a38e5 overrides section support + one example rule + cloudtrail config 
ditto
 2020-04-29 20:36:45 +01:00
Maxime Thiebaut 4600bf73dc Update rules to follow the Sigma state specification 
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following:

> Declares the status of the rule:
>  - stable: the rule is considered as stable and may be used in production systems or dashboards.
>  - test: an almost stable rule that possibly could require some fine tuning.
>  - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.

However the Sigma Rx YAML specification states the following:

> ```yaml
> status:
>     type: //any
>     of:
>         - type: //str
>           value: stable
>         - type: //str
>           value: testing
>         - type: //str
>           value: experimental
> ```

The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
 - [`sigma/sigma-schema.rx.yml`](https://github.com/Neo23x0/sigma/blob/a805d18bbae60d3e4f291c8a18304104ed2e71c7/sigma-schema.rx.yml#L49)
 - [`sigma/tools/sigma/filter.py`](https://github.com/Neo23x0/sigma/blob/f3c60a63099f80296c8750aaba667e98ac71a4f7/tools/sigma/filter.py#L26)
 - [`sigma/tools/sigmac`](https://github.com/Neo23x0/sigma/blob/4e42bebb3480720966a59528cd8482c6271e603c/tools/sigmac#L98)

Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
 2020-04-24 20:50:31 +02:00
Andreas Hunkeler 7d437c2969 Add netsh to renamed binary rule 2020-04-20 17:12:25 +02:00
Andreas Hunkeler d4e9606266 Improve netsh wifi rule another time due to arg shortcut 2020-04-20 16:40:03 +02:00
Andreas Hunkeler af498d8a8c Improve rule to detect argument shortcut in netsh wlan rule 2020-04-20 16:32:25 +02:00