Commit Graph

97 Commits

Author SHA1 Message Date
Thomas Patzke 0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke 5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
yugoslavskiy 82f23c5f63 Merge pull request #477 from zinint/oscd
add 13 new rules:

- rules/linux/auditd/lnx_auditd_masquerading_crond.yml
- rules/linux/auditd/lnx_auditd_user_discovery.yml
- rules/linux/auditd/lnx_data_compressed.yml
- rules/linux/auditd/lnx_network_sniffing.yml
- rules/windows/powershell/powershell_data_compressed.yml
- rules/windows/powershell/powershell_winlogon_helper_dll.yml
- rules/windows/process_creation/win_change_default_file_association.yml
- rules/windows/process_creation/win_data_compressed_with_rar.yml
- rules/windows/process_creation/win_local_system_owner_account_discovery.yml
- rules/windows/process_creation/win_network_sniffing.yml
- rules/windows/process_creation/win_query_registry.yml
- rules/windows/process_creation/win_service_execution.yml
- rules/windows/process_creation/win_xsl_script_processing.yml

modify 1 rule:

- rules/windows/process_creation/win_possible_applocker_bypass.yml
2019-11-05 04:55:29 +03:00
yugoslavskiy 534f5fc0e1 Update lnx_network_sniffing.yml 2019-11-05 04:40:40 +03:00
yugoslavskiy 70fdd9c7d7 Update lnx_data_compressed.yml 2019-11-05 04:38:27 +03:00
yugoslavskiy 75f2b8536f Update lnx_auditd_user_discovery.yml 2019-11-04 22:14:30 +03:00
yugoslavskiy 8b2216e94e Update lnx_auditd_masquerading_crond.yml 2019-11-04 22:14:10 +03:00
yugoslavskiy 0d5489bbb0 Update lnx_auditd_user_discovery.yml 2019-11-04 22:07:30 +03:00
yugoslavskiy bb71f95810 Update lnx_auditd_masquerading_crond.yml 2019-11-04 21:58:42 +03:00
yugoslavskiy 1f1fd68331 Merge pull request #472 from feedb/oscd
add 11 new rules:

- rules/linux/auditd/lnx_auditd_web_rce.yml
- rules/windows/process_creation/process_creation_susp_bginfo.yml
- rules/windows/process_creation/process_creation_susp_cdb.yml
- rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml
- rules/windows/process_creation/process_creation_susp_dnx.yml
- rules/windows/process_creation/process_creation_susp_dxcap.yml
- rules/windows/process_creation/process_creation_susp_msoffice.yml
- rules/windows/process_creation/process_creation_susp_odbcconf.yml
- rules/windows/process_creation/process_creation_susp_openwith.yml
- rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml
- rules/windows/sysmon/sysmon_webshell_creation_detect.yml
2019-11-04 20:40:58 +03:00
yugoslavskiy 8a35a51211 Update lnx_auditd_web_rce.yml 2019-11-04 18:08:17 +03:00
zinint 11e7bdc727 Update lnx_network_sniffing.yml 2019-10-30 22:59:46 +03:00
zinint fd09c00b35 Update lnx_network_sniffing.yml 2019-10-30 20:59:07 +03:00
zinint 3d106d8e7f Update lnx_network_sniffing.yml 2019-10-30 19:11:51 +03:00
zinint e0c5479f0a Update lnx_network_sniffing.yml 2019-10-30 19:10:48 +03:00
zinint b5b40f2861 Update lnx_network_sniffing.yml 2019-10-30 19:07:05 +03:00
zinint cc4a8df5e3 Update lnx_network_sniffing.yml 2019-10-30 19:06:53 +03:00
zinint 7e3d8ccaf3 T1040 2019-10-30 19:05:50 +03:00
zinint 4a560e9375 T1002 2019-10-29 22:56:45 +03:00
zinint 583980f8ec Delete win_data_compressed.yml 2019-10-29 22:56:30 +03:00
zinint 4eb7965662 T1002 2019-10-29 22:54:42 +03:00
zinint 950796f71f Update lnx_auditd_masquerading_crond.yml 2019-10-29 22:48:39 +03:00
zinint c5599399b5 Update lnx_auditd_masquerading_crond.yml 2019-10-29 22:48:00 +03:00
zinint 47f7d648a3 T1036 2019-10-29 22:33:03 +03:00
zinint d1cf80d9b6 Update lnx_auditd_user_discovery.yml 2019-10-28 00:00:06 +03:00
zinint 68b4541274 t1033 2019-10-27 23:59:16 +03:00
root fb53855ae5 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:50:49 +02:00
root e47caf4749 add rule lnx_auditd_web_rce.yml 2019-10-21 11:54:21 +02:00
root a499141483 modified rule lnx_auditd_web_rce.yml 2019-10-21 11:28:59 +02:00
root ac8308dfc9 add rule lnx_auditd_web_rce.yml 2019-10-21 11:14:24 +02:00
Florian Roth 454ba2b576 rule: modified sudo vuln rule to be most generic 2019-10-20 14:02:10 +02:00
Florian Roth 08ff2f38bc Revert "rule: modified sudo vuln rule to be most generic"
This reverts commit ef6a25d109.
2019-10-20 14:01:14 +02:00
Florian Roth ef6a25d109 rule: modified sudo vuln rule to be most generic 2019-10-20 10:37:05 +02:00
Thomas Patzke 522f021ef1 Merge pull request #461 from Galapag0s/patch-2
Added Additional history clearing options
2019-10-16 22:35:41 +02:00
Florian Roth 36f678930d rule: updated sudo vuln rule to detect 0-padding part 2
https://twitter.com/joshbressers/status/1184455759620378627
2019-10-16 15:10:44 +02:00
Florian Roth 5374d18e4b rule: updated sudo vuln rule to detect 0-padding
https://twitter.com/taviso/status/1184238670343065600
2019-10-16 15:03:28 +02:00
Florian Roth 921a39f1e3 rule: extended sudo rule with variant for USER field 2019-10-15 14:55:09 +02:00
Florian Roth 96d77447d2 rule: added reference and mitre tags 2019-10-15 09:44:17 +02:00
Florian Roth 49ed76004c rule: sudo priv esc vuln CVE-2019-14287 2019-10-15 09:39:08 +02:00
Galapag0s 1e4ef648db Added Additional history clearing options
history -w will clear the current shell history
shred purposely overwrites data replacing it with random data
2019-09-26 12:53:13 -04:00
Galapag0s ccdda5e82b Update lnx_shell_priv_esc_prep.yml 2019-09-06 11:29:42 -04:00
Galapag0s 23021aa110 Added Sticky Bits
Attackers may look to exploit binaries with the sticky bits enabled. By being able to run a binary as a different user or group, they may be able to run separate commands as an elevated user.
2019-09-06 11:25:48 -04:00
Florian Roth f5a8a81ff7 fix: linux cmds rule 2019-07-02 15:22:26 +02:00
petermmm b6c4e64a9b fixed attack category number 2->3 2019-05-12 11:59:13 +02:00
petermmm 2778558ae3 added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00
Thomas Patzke 46c789105b Fix and ordering 2019-05-10 00:08:26 +02:00
patrick ca4b710c01 Added Sigma Use Case detecting Privilege Escalation Preparation in Linux 2019-04-07 15:36:19 +02:00
Florian Roth 2b814011cd Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature
Add new signature for linux clear command history
2019-04-03 19:45:06 +02:00
Florian Roth 6cc1770351 Merge pull request #294 from Pr0t3an/patch-3
Update lnx_shell_susp_rev_shells.yml
2019-04-03 01:07:07 +02:00
Florian Roth b76925f838 Rule: extending rule with /dev/udp 2019-04-02 20:09:13 +02:00