Pr0t3an
d067087632
Update lnx_shell_susp_rev_shells.yml
added
- 'bash -i >& /dev/udp/'
- 'sh -I >$ /dev/udp/'
- 'sh -i >$ /dev/tcp/'
2019-04-02 18:22:18 +01:00
Florian Roth
5c5a16c4d5
Rule: adding xterm -display string to rule
2019-04-02 18:48:18 +02:00
Florian Roth
453bd10e6e
Rule: Suspicious reverse shell command lines
2019-04-02 17:03:57 +02:00
Thomas Patzke
8e854b06f6
Specified source to prevent EventID collisions
Issue #263
2019-04-01 23:45:55 +02:00
Thomas Patzke
0419ff215a
Fixed quoting of single quotes in grep backend
2019-04-01 23:22:05 +02:00
Florian Roth
d06a5431eb
Changes
2019-04-01 14:03:54 +02:00
Florian Roth
c7553dc8a1
Merge pull request #292 from yt0ng/development
Allow Incoming Connections by Port or Application on Windows Firewall
2019-04-01 14:02:10 +02:00
Florian Roth
e473efb7c3
Trying to fix ATT&CK framework tag
2019-04-01 10:36:35 +02:00
Florian Roth
3f2ce4b71f
Lowered level to medium
2019-04-01 09:47:14 +02:00
t0x1c-1
51c42a15a7
Allow Incoming Connections by Port or Application on Windows Firewall
2019-04-01 08:16:56 +02:00
patrick
0242c40360
Add new signature for linux clear command history
2019-03-24 10:10:14 +01:00
Nate Guagenti
60c4fed2e0
Create win_etw_trace_evasion.yml
There are two versions of clear and two variations of set that can be used with something like wevtutil
`wevtutil cl | wevtutil clear-log | wevtutil sl | wevtutil set-log `
Also, I am adding a `*` match at the end, because there are other parameters that could be placed on the end -- so unless this was used on a general search on a text/analyzed field then the `*` is necessary.
Example: `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:disable /q:true`
2019-03-22 11:36:55 -04:00
Florian Roth
ffac77fb37
Rule: extended LockerGoga description
2019-03-22 11:03:48 +01:00
Florian Roth
1adb040e0b
Rule: LockerGoga
2019-03-22 10:59:31 +01:00
Florian Roth
2ad2ba9589
fix: rule field fix in proc_creation rule
2019-03-22 10:59:18 +01:00
Thomas Patzke
140a32d8c9
Sigma tools release 0.10
0.10
2019-03-16 01:02:48 +01:00
Thomas Patzke
2dda9a7b77
Moved Sysmon schema XML from contrib directory into module
2019-03-16 00:59:29 +01:00
Thomas Patzke
be25aa2c37
Added CAR tags
2019-03-16 00:37:09 +01:00
Thomas Patzke
8512417de0
Incorporated MITRE CAR mapping from #55
2019-03-16 00:03:27 +01:00
Thomas Patzke
5c4d8bc2ca
Merge branch 'christophetd-backend-config-file'
2019-03-15 23:47:24 +01:00
Thomas Patzke
5e973a6321
Fixes and CI testing of --backend-config
2019-03-15 23:46:38 +01:00
Thomas Patzke
0864d05aa5
Merge branch 'backend-config-file' of https://github.com/christophetd/sigma into christophetd-backend-config-file
2019-03-15 23:35:11 +01:00
Thomas Patzke
9be6b8b1a5
Merge branch 'tuckner-master'
2019-03-15 23:27:40 +01:00
Thomas Patzke
3f7e08733a
Added backend option 'sysmon' for ala backend
2019-03-15 23:26:15 +01:00
Thomas Patzke
8d1723e65c
Merge branch 'master' of https://github.com/tuckner/sigma into tuckner-master
2019-03-15 23:06:08 +01:00
Thomas Patzke
5e3a25537e
Merge pull request #283 from LiamSennitt/master
Added and fixed tags on APT rules
2019-03-15 23:00:25 +01:00
Florian Roth
4650271117
Merge pull request #284 from krakow2600/master
added missed service
2019-03-14 08:20:48 +01:00
yugoslavskiy
33db032a16
added missed service
2019-03-14 00:44:26 +01:00
Liam Sennitt
bb026e4692
fixed tag typo on rules
2019-03-13 10:25:41 +00:00
Liam Sennitt
0aaac1a48e
add tags to crime fireball rule
2019-03-13 10:10:12 +00:00
Liam Sennitt
1e29c9c1ce
add tags to apt zxshell rule
2019-03-13 10:09:05 +00:00
Liam Sennitt
1f47dc1cdc
add tags to apt turla commands rule
2019-03-13 10:06:34 +00:00
Liam Sennitt
96492834c5
add tags to apt sofacy rule
2019-03-13 09:53:02 +00:00
Liam Sennitt
aca36c88cc
add tags to apt slingshot rule
2019-03-13 09:50:39 +00:00
Liam Sennitt
aac632bb41
add tags on apt equationgroup dll_u load rule
2019-03-13 09:48:27 +00:00
Liam Sennitt
5ffc027f22
fix tags in apt carbonpaper turla rule
2019-03-13 09:43:18 +00:00
Liam Sennitt
25b680bfec
fix and add tags to apt bear activity gtr19 rule
2019-03-13 09:40:28 +00:00
Liam Sennitt
3b193fb691
add tags to apt babyshark rule
2019-03-13 09:32:10 +00:00
Liam Sennitt
aee0d1dd67
fix tags on apt29 tor rule
2019-03-13 09:25:28 +00:00
Liam Sennitt
5dc229b590
add tags to apt29 thinktanks rule
2019-03-13 09:22:41 +00:00
Florian Roth
95b47972f0
fix: transformed rule to new proc_creation format
2019-03-12 09:03:30 +01:00
Florian Roth
c4003ff410
Merge pull request #264 from darkquasar/master
adding rule win-susp-mshta-execution.yml
2019-03-11 23:50:56 +01:00
Florian Roth
bd38cff042
Merge pull request #272 from LiamSennitt/master
fix tagging in turla png dropper service rule
2019-03-11 23:48:18 +01:00
Florian Roth
909c09f4ac
Merge pull request #282 from krakow2600/master
updated detection logic
2019-03-11 23:47:53 +01:00
Yugoslavskiy Daniil
5d54e9c8a1
nbstat.exe -> nbtstat.exe
2019-03-11 19:28:29 +01:00
Yugoslavskiy Daniil
c22265c655
updated detection logic
2019-03-11 16:58:57 +01:00
Florian Roth
8dd39a2653
Merge pull request #281 from TareqAlKhatib/oops
Migrated the last detections to process_creation
2019-03-09 19:40:25 +01:00
Tareq AlKhatib
783d8c4268
Reverting back to regular Sysmon 1 to fix CI test
2019-03-09 21:31:56 +03:00
Tareq AlKhatib
7f4557d183
Enabled check for process_creation
2019-03-09 21:00:11 +03:00
Tareq AlKhatib
075df83118
Converted to use the new process_creation data source
2019-03-09 20:57:59 +03:00