Commit Graph

2410 Commits

Author SHA1 Message Date
Florian Roth dd857c4470 Cosmetics
If it's only 1 value, we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
2018-07-25 07:37:17 +02:00
Florian Roth cf7f5c7473 Changes
I think that this is what you wanted, right? If both keywords appear in a single log entry, right?
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
2018-07-25 07:35:59 +02:00
yt0ng b415fc8d42 Possible SafetyKatz Dump of debug.bin
https://github.com/GhostPack/SafetyKatz
2018-07-24 23:51:46 +02:00
Lurkkeli db82322d17 Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:03:07 +02:00
Lurkkeli 0e9c5bb14a Update sysmon_rundll32_net_connections.yml 2018-07-24 20:01:47 +02:00
Lurkkeli fd8c5c5bf6 Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:00:21 +02:00
Lurkkeli ad580635ea Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00
Thomas Patzke afe8bd6a57 Merge pull request #129 from nbareil/patch-1
use yaml.safe_load()
2018-07-24 11:22:24 +02:00
Nicolas Bareil 6728a5ccaa use yaml.safe_load() 2018-07-24 11:14:01 +02:00
Thomas Patzke 0fa914139c Merge pull request #128 from ntim/master
Tagged windows powershell, other and malware rules.
2018-07-24 11:05:50 +02:00
ntim c99dc9f643 Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00
Thomas Patzke bfc7012043 Merge pull request #127 from dspautz/master
Add tags to windows builtin rules
2018-07-24 08:24:39 +02:00
Thomas Patzke 0d8bc922a3 Merge branch 'master' into master 2018-07-24 08:23:37 +02:00
Thomas Patzke 1601b00862 Merge pull request #125 from james0d0a/attack_tags
windows builtin mitre attack tags
2018-07-24 08:18:47 +02:00
Thomas Patzke 01e7675e24 Merge pull request #124 from samsson/patch-1
ATT&CK tagging
2018-07-24 07:58:50 +02:00
Thomas Patzke 30d255ab6f Fixed tag 2018-07-24 07:58:25 +02:00
Thomas Patzke baaf8006bc Merge pull request #123 from yt0ng/sysmon
added additional binaries and attack tactics/techniques
2018-07-24 07:57:30 +02:00
Thomas Patzke ee330bf7fb Merge pull request #121 from sekuryti/sekuryti-CVE-2018-2894--rule-changes
Update web_cve_2018_2894_weblogic_exploit.yml
2018-07-24 07:56:53 +02:00
David Spautz e275d44462 Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00
James Dickenson c4edc26267 windows builtin mitre attack tags 2018-07-23 21:34:20 -07:00
Thomas Patzke 1abb13c5d9 Split parser - Copy condition 2018-07-24 00:13:37 +02:00
Thomas Patzke a8501cb446 Split parser - Copy exceptions 2018-07-24 00:08:23 +02:00
Thomas Patzke 983ee6eeb9 Splitting parser - copying collections 2018-07-24 00:06:02 +02:00
Thomas Patzke 54f5870658 Removed debugging code 2018-07-24 00:04:24 +02:00
Thomas Patzke b76fa884ec Changed copyright notices accordingly 2018-07-24 00:01:16 +02:00
Lurkkeli 1898157df5 ATT&CK tagging
Added tag for technique t1015
2018-07-23 23:57:15 +02:00
yt0ng 16160dfc80 added additional binaries and attack tactics/techniques 2018-07-23 15:47:56 +02:00
Florian Roth 1134051fba Update web_cve_2018_2894_weblogic_exploit.yml
Ah, we could do it this way *.js*
2018-07-23 06:19:25 -06:00
Florian Roth 03a64cca74 Update web_cve_2018_2894_weblogic_exploit.yml
We try to avoid false positives
2018-07-23 06:18:38 -06:00
MATTHEW CARR dfb77e936d Update web_cve_2018_2894_weblogic_exploit.yml
To detect all possible extensions .jspx, .jsw, .jsv, and .jspf
2018-07-23 07:41:47 +02:00
Florian Roth 0f1b440b91 Rule: widened the CVE-2018-2894 WebLogic rule
https://twitter.com/lo_security/status/1021148314308358144
2018-07-22 20:36:10 -06:00
Florian Roth ffb0cf5ed5 Rule: CVE-2018-2894 Oracle WebLogic exploit and webshell drop 2018-07-22 15:09:45 -06:00
Florian Roth 5f48fa64ff Merge pull request #120 from suleymanozarslan/master
Further ATT&CK tagging
2018-07-22 12:11:31 -06:00
Suleyman Ozarslan e6cbc17c12 ATT&CK tagging of Scheduled Task Creation 2018-07-22 15:56:47 +03:00
Suleyman Ozarslan 8d9b12be07 ATT&CK tagging of Default PowerSploit Schtasks Persistence 2018-07-22 15:53:56 +03:00
Süleyman Özarslan 28705b3790 Merge pull request #2 from Neo23x0/master
merge
2018-07-22 15:47:36 +03:00
Thomas Patzke fbde251ebc Added missing exception import in ES backend 2018-07-22 09:26:25 +02:00
Thomas Patzke 91e6b8ca6b Merging refactoring changes into master 2018-07-22 09:23:07 +02:00
Thomas Patzke cf175d7b7e Removal from sigma.backends.qradar 2018-07-22 09:14:50 +02:00
Thomas Patzke 097660c678 Splitting backends - Copy qradar.py 2018-07-22 09:12:29 +02:00
Thomas Patzke c8e21b3f24 Fixing after split
* Fixing imports
* Discovery in new sub modules
2018-07-21 01:09:02 +02:00
Thomas Patzke b85aec6157 Merging backend split branches 2018-07-21 00:59:50 +02:00
Thomas Patzke 3e2184ac61 Removal from sigma.backends.elasticsearch 2018-07-21 00:37:36 +02:00
Thomas Patzke 408a961e59 Merge pull request #119 from suleymanozarslan/master
Further ATT&CK tagging
2018-07-20 09:06:20 +02:00
Suleyman Ozarslan 080892b5ab ATT&CK tagging of MSHTA Spawning Windows Shell 2018-07-20 09:53:55 +03:00
Suleyman Ozarslan 76f277d5fe ATT&CK tagging of Malicious Named Pipe rule 2018-07-20 09:41:54 +03:00
Suleyman Ozarslan 7e74527344 ATT&CK software tag is added to Bitsadmin Download rule 2018-07-20 09:35:35 +03:00
Süleyman Özarslan 9f607a7c43 Merge pull request #1 from Neo23x0/master
mere forks
2018-07-20 09:33:37 +03:00
Florian Roth 1e61adfad1 rule: Changed Registry persistence Explorer RUN key rule 2018-07-19 16:27:19 -06:00
Florian Roth 83d6f12ce3 rule: Registry persistence in Explorer RUN key pointing to suspicious folder 2018-07-19 16:27:19 -06:00