Commit Graph

1457 Commits

Author SHA1 Message Date
Thomas Patzke 8e854b06f6 Specified source to prevent EventID collisions
Issue #263
2019-04-01 23:45:55 +02:00
Florian Roth d06a5431eb Changes 2019-04-01 14:03:54 +02:00
Florian Roth e473efb7c3 Trying to fix ATT&CK framework tag 2019-04-01 10:36:35 +02:00
Florian Roth 3f2ce4b71f Lowered level to medium 2019-04-01 09:47:14 +02:00
t0x1c-1 51c42a15a7 Allow Incoming Connections by Port or Application on Windows Firewall 2019-04-01 08:16:56 +02:00
patrick 0242c40360 Add new signature for linux clear command history 2019-03-24 10:10:14 +01:00
Nate Guagenti 60c4fed2e0 Create win_etw_trace_evasion.yml
There are two versions of clear and two variations of set that can be used with something like wevtutil:
`wevtutil cl | wevtutil clear-log | wevtutil sl | wevtutil set-log`

Also, I am adding a `*` match at the end, because there are other parameters that could be placed on the end -- so unless this was used in a general search on a text/analyzed field, the `*` is necessary.

Example: `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:disable /q:true`
2019-03-22 11:36:55 -04:00
Florian Roth ffac77fb37 Rule: extended LockerGoga description 2019-03-22 11:03:48 +01:00
Florian Roth 1adb040e0b Rule: LockerGoga 2019-03-22 10:59:31 +01:00
Florian Roth 2ad2ba9589 fix: rule field fix in proc_creation rule 2019-03-22 10:59:18 +01:00
Thomas Patzke be25aa2c37 Added CAR tags 2019-03-16 00:37:09 +01:00
Thomas Patzke 8512417de0 Incorporated MITRE CAR mapping from #55 2019-03-16 00:03:27 +01:00
Thomas Patzke 5e3a25537e Merge pull request #283 from LiamSennitt/master
Added and fixed tags on APT rules
2019-03-15 23:00:25 +01:00
yugoslavskiy 33db032a16 added missed service 2019-03-14 00:44:26 +01:00
Liam Sennitt bb026e4692 fixed tag typo on rules 2019-03-13 10:25:41 +00:00
Liam Sennitt 0aaac1a48e add tags to crime fireball rule 2019-03-13 10:10:12 +00:00
Liam Sennitt 1e29c9c1ce add tags to apt zxshell rule 2019-03-13 10:09:05 +00:00
Liam Sennitt 1f47dc1cdc add tags to apt turla commands rule 2019-03-13 10:06:34 +00:00
Liam Sennitt 96492834c5 add tags to apt sofacy rule 2019-03-13 09:53:02 +00:00
Liam Sennitt aca36c88cc add tags to apt slingshot rule 2019-03-13 09:50:39 +00:00
Liam Sennitt aac632bb41 add tags on apt equationgroup dll_u load rule 2019-03-13 09:48:27 +00:00
Liam Sennitt 5ffc027f22 fix tags in apt carbonpaper turla rule 2019-03-13 09:43:18 +00:00
Liam Sennitt 25b680bfec fix and add tags to apt bear activity gtr19 rule 2019-03-13 09:40:28 +00:00
Liam Sennitt 3b193fb691 add tags to apt babyshark rule 2019-03-13 09:32:10 +00:00
Liam Sennitt aee0d1dd67 fix tags on apt29 tor rule 2019-03-13 09:25:28 +00:00
Liam Sennitt 5dc229b590 add tags to apt29 thinktanks rule 2019-03-13 09:22:41 +00:00
Florian Roth 95b47972f0 fix: transformed rule to new proc_creation format 2019-03-12 09:03:30 +01:00
Florian Roth c4003ff410 Merge pull request #264 from darkquasar/master
adding rule win-susp-mshta-execution.yml
2019-03-11 23:50:56 +01:00
Florian Roth bd38cff042 Merge pull request #272 from LiamSennitt/master
fix tagging in turla png dropper service rule
2019-03-11 23:48:18 +01:00
Yugoslavskiy Daniil 5d54e9c8a1 nbstat.exe -> nbtstat.exe 2019-03-11 19:28:29 +01:00
Yugoslavskiy Daniil c22265c655 updated detection logic 2019-03-11 16:58:57 +01:00
Tareq AlKhatib 783d8c4268 Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00
Tareq AlKhatib 075df83118 Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
Florian Roth fe9e50167f Rule: renamed bitsadmin rule 2019-03-08 16:25:16 +01:00
Florian Roth 49532438eb Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00
Thomas Patzke 3c1948f089 Merge pull request #277 from megan201296/patch-18
Remove invalid link
2019-03-07 23:49:13 +01:00
Yugoslavskiy Daniil 475113b1c1 fixed incorrect date format 2019-03-07 22:52:11 +01:00
megan201296 c2a16591af Remove invalid link
Cybereason link was broken. Couldn't find anything with a super similar file path. The below link might be a valid replacement, but I went with better safe than sorry and just removed it completely. https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
2019-03-07 14:22:29 -06:00
Florian Roth a82ea0a022 Merge pull request #276 from krakow2600/master
ATC windows rules review
2019-03-06 17:16:32 +01:00
Florian Roth 83c0c71bc7 Reworked for process_creation rules 2019-03-06 17:09:43 +01:00
Yugoslavskiy Daniil cb7243de5d fixed wrong tags 2019-03-06 06:18:38 +01:00
Yugoslavskiy Daniil 8bec627ff1 fixed multiple tags issue 2019-03-06 06:09:37 +01:00
Yugoslavskiy Daniil 5154460726 changed service to product 2019-03-06 05:57:01 +01:00
Yugoslavskiy Daniil 05cc7e455d atc review 2019-03-06 05:25:12 +01:00
yugoslavskiy 725ab99e90 Merge pull request #1 from AverageS/master
Fix rules
2019-03-06 04:31:01 +01:00
Wydra Mateusz 534f250c35 Merge branch 'master' of https://github.com/krakow2600/sigma 2019-03-06 00:45:16 +01:00
Wydra Mateusz bb95347745 rules update 2019-03-06 00:43:42 +01:00
mrblacyk 6232362f04 Missing tags 2019-03-06 00:16:40 +01:00
mrblacyk 07807837ee Missing tags 2019-03-06 00:02:37 +01:00
mikhail be108d95cc Merge branch 'master' of https://github.com/AverageS/sigma 2019-03-06 01:57:38 +03:00