Commit Graph

784 Commits

Author SHA1 Message Date
Mladia a3f39d8fb6 Merge PR #4458 from @Mladia - Update Coverage
update: Linux Network Service Scanning - Auditd - Update coverage to add `ncat` and `nc.openbsd`

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-27 10:27:45 +02:00
kidrek e738fff0a3 Merge PR #4425 from @kidrek - ESXi Syslog Configuration Change Via ESXCLI
new: ESXi Syslog Configuration Change Via ESXCLI

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-07 15:49:06 +02:00
kidrek b177b1e46b Merge PR #4424 from @kidrek - Account Creation Via ESXCLI
new: ESXi Account Creation Via ESXCLI

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-06 11:43:21 +02:00
kidrek 359292e572 Merge PR #4396 from @kidrek - Add New Rules Related To ESXCLI Usage
new: ESXi Network Configuration Discovery Via ESXCLI
new: ESXi Admin Permission Assigned To Account Via ESXCLI
new: ESXi Storage Information Discovery Via ESXCLI
new: ESXi System Information Discovery Via ESXCLI
new: ESXi VM List Discovery Via ESXCLI
new: ESXi VM Kill Via ESXCLI
new: ESXi VSAN Information Discovery Via ESXCLI

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-06 11:42:23 +02:00
Tessa Georgen 60b8e9b70f Merge PR #4392 from @tjgeorgen - Update MITRE Tags
- update: update MITRE tags for multiple rules

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-08-28 16:53:27 +02:00
SethHanford df4fa62bca Merge PR #4380 from @SethHanford - Lnx container discovery
new: Container Residence Discovery Via Proc Virtual FS
new: Docker Container Discovery Via Dockerenv Listing
new: Potential Container Discovery Via Inodes Listing

---------

Co-authored-by: Seth Hanford <shanford@seth-mba.local>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-08-24 13:04:25 +02:00
Nasreddine Bencherchali 22f98bb3d8 Merge pull request #4365 from Mladia/patch-1
Update lnx_auditd_masquerading_crond.yml
2023-08-22 18:53:52 +02:00
Nasreddine Bencherchali b34f098b0d Update lnx_auditd_masquerading_crond.yml 2023-08-22 18:36:03 +02:00
Nasreddine Bencherchali 1e0fb02ef7 Update proc_creation_lnx_ssm_agent_abuse.yml 2023-08-04 00:09:48 +02:00
z00t d854c66616 Title has been updated to avoid duplication. 2023-08-03 19:38:29 +05:00
z00t 5c0f48ae55 New rule created for Linux OS. 2023-08-03 18:35:12 +05:00
Mladia 25d7fb85d4 Update lnx_auditd_masquerading_crond.yml
Adapting the rule so it corresponds to the linked atomic red scenario.
2023-08-01 12:35:34 +02:00
Nasreddine Bencherchali 8dca7aa1ba feat: more updates 2023-07-28 14:32:57 +02:00
Ryan Plas cda0fbff62 fix: multiple 404 links in references (#4332) 2023-06-26 10:10:04 +01:00
Nasreddine Bencherchali 44e0625360 fix: update rules for tests 2023-06-19 09:24:18 +02:00
Nasreddine Bencherchali 22628faaf0 feat: add rules related to Barracuda ESG exploitation 2023-06-18 22:14:57 +02:00
jstnk9 04cf7e9ea3 feat: new linux rules related to GobRAT malware (#4272) 2023-06-02 15:49:43 +02:00
dan21san 331a65103f feat: add new rule related to linux sensitive file tampering (#4263) 2023-05-30 16:23:19 +02:00
Nasreddine Bencherchali f3104f748f Merge pull request #4211 from fukusuket/refactor-use-all-modifier-without-field-instead-of-all-of
chore: refactor use `'|all'` instead of using `all of` for a single selector.
2023-05-05 18:44:35 +02:00
kidrek 239afc945d fix: update curl rules flags to use regex (#4213) 2023-05-03 10:16:01 +02:00
Nasreddine Bencherchali d7f1e8c443 Update lnx_auditd_binary_padding.yml 2023-05-03 01:09:55 +02:00
fukusuket 78fe42f78c refactor: use '|all' instead of using all of for a single selector. 2023-04-30 21:49:32 +09:00
dan21san 4b8f70fb97 feat: add new rules related to linux reverse shells (#4166) 2023-04-25 11:03:11 +02:00
tareq-alkhatib 999cd5763a chore: split selection clause into two (#4160) 2023-04-05 05:04:54 +02:00
Nasreddine Bencherchali 3d9372bef3 feat: new rules, updates and fp fixes (#4136) 2023-04-03 12:06:14 +02:00
iai-rsa 66f3c54b89 feat: new linux rules (#4095)
- Updated lnx_auditd_system_info_discovery.yml
- Added lnx_auditd_modify_system_firewall.yml
- Deprecated lnx_auditd_alter_bash_profile.yml and replaced it with an enhanced version in lnx_auditd_unix_shell_configuration_modification.yml
2023-03-27 13:17:54 +02:00
tuan a035aa0385 feat: new rule related to process termination using kill (#4112) 2023-03-20 22:04:26 +01:00
tuan 2a1124e95e feat: new rules Linux Package Uninstall (#4098) 2023-03-13 00:04:53 +01:00
Nasreddine Bencherchali e3503d5d60 feat: more updates 2023-03-06 00:39:26 +01:00
Wagga 273fdb9985 fix: typos in multiple rules (#4011) 2023-02-06 13:53:23 +01:00
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag 2023-02-01 11:14:59 +01:00
frack113 66700a69e2 Merge pull request #3994 from ionsor/patch-8
Update proc_creation_lnx_hack_tools.yml
2023-01-31 17:45:11 +01:00
Nasreddine Bencherchali 2684f0f63c fix: remove unnecessary entry 2023-01-31 17:21:42 +01:00
Nasreddine Bencherchali 412efdad03 fix: update selection 2023-01-31 17:15:49 +01:00
Nasreddine Bencherchali 164ee358c3 fix: update modified date 2023-01-31 17:12:20 +01:00
Nasreddine Bencherchali 6a337151d1 feat: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-01-31 17:11:18 +01:00
Feathers 8f6242c35f Update proc_creation_lnx_hack_tools.yml
added to the list of hacking tools, Linpeas, a privilege escalation script
2023-01-31 17:01:17 +01:00
Nasreddine Bencherchali 33952874f1 fix: update selection 2023-01-31 14:14:50 +01:00
Nasreddine Bencherchali e158d6c1eb feat: add shadow file 2023-01-31 12:25:33 +01:00
Nasreddine Bencherchali 6a65920dd6 feat: new rules from blackberry 2023-01-31 00:38:06 +01:00
frack113 1033b3f404 change status to test 2023-01-27 06:48:34 +01:00
frack113 cb67871bd2 Revert "Change status of old rules" 2023-01-26 19:37:18 +01:00
frack113 5323fd4baa Change status of old rules 2023-01-25 18:41:18 +01:00
frack113 f7b159350d Merge pull request #3954 from nasbench/nasbench-rule-devel
feat: updates and enhancements
2023-01-25 13:21:44 +01:00
Nasreddine Bencherchali f42eb77f29 fix: rule logic 2023-01-25 12:03:11 +01:00
Nasreddine Bencherchali d47215d469 fix: single element selection 2023-01-25 01:35:47 +01:00
Nasreddine Bencherchali 7d2b70cb91 feat: add bpf related rules 2023-01-25 01:14:49 +01:00
Nick Moore 0312c481d9 Change rules using all of required-lists to |all
When a Sigma rule writer wants to create a list of values where all of
them must be matched for the rule to trigger, the approach used
previously was to have an `all of` condition for a single selector.
However, this has now changed, and the new approach is to use an empty
key and the |all modifier (i.e., `'|all'`).

This commit (tries to) identify all the rules that used the old
approach and modifies them to use the new approach instead.

See SigmaHQ/sigma-specification#53 for further discussion.
2023-01-23 14:37:25 +00:00
Nasreddine Bencherchali 1c0bf6e262 feat: update windows firewall rules 2023-01-17 19:01:37 +01:00
Nasreddine Bencherchali 85fb255bc9 feat: new rules and updates 2023-01-17 01:00:44 +01:00