Commit Graph

2410 Commits

Author SHA1 Message Date
Florian Roth 2ae57166ac Updated README 2018-06-25 18:29:02 +02:00
Florian Roth 3283c52c0f Added WDATP in the list of supported backends 2018-06-25 18:09:21 +02:00
Florian Roth f4b150def8 Rule: Powershell remote thread creation in Rundll32 2018-06-25 15:23:19 +02:00
Florian Roth 1a1011b0ad Merge pull request #96 from yt0ng/master
Detects the creation of a schtask via PowerSploit Default Configuration
2018-06-23 17:15:14 +02:00
yt0ng c59d0c7dca Added additional options 2018-06-23 15:54:31 +02:00
yt0ng cc3fd9f5d0 Detects the creation of a schtask via PowerSploit Default Configuration
https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
2018-06-23 15:45:58 +02:00
Roey 14464f8c79 Added support for Splunk dashboards (xml) 2018-06-22 14:17:58 +02:00
Florian Roth 28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke 7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke d8e036f737 sigmac: Parameter for ignoring "not supported" errors
Used to pass tests with the complete rule set that would fail for backends
whose target systems don't support required features.
2018-06-22 00:23:59 +02:00
Thomas Patzke 31727b3b25 Added Windows Defender ATP backend
Missing:
* Aggregations
2018-06-22 00:03:10 +02:00
Thomas Patzke df6ad82770 Removed redundant attribute from rule
EventID 4657 already implies the modification.
2018-06-21 23:59:55 +02:00
Thomas Patzke e72c0d5de4 SingleTextQueryBackend ignores empty components in composed queries
Example: one component of an AND-composition is ignored if the invoked
generate* call returns None.
2018-06-21 23:59:41 +02:00
Thomas Patzke d8a7bcad39 Reordered rule generation
Generation of query parts before and after the main query gives access to
information possibly gathered during main query generation.
2018-06-21 23:50:13 +02:00
Florian Roth b05856eae1 Rule: Update suspicious TLD downloads 2018-06-13 00:08:46 +02:00
Florian Roth 3d52030391 Changed help text for -r flag 2018-06-13 00:08:46 +02:00
Florian Roth 946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth 7edd95744a Windows NTLM 2018-06-13 00:08:46 +02:00
Florian Roth e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth c9658074dd Removed "not yet implemented" comment from -r flag 2018-06-13 00:08:46 +02:00
Florian Roth df2745ec6c Merge pull request #92 from yt0ng/patch-2
Update proxy_ua_apt.yml
2018-06-10 10:29:16 +02:00
Florian Roth f6f718c54f Cosmetics 2018-06-10 10:28:59 +02:00
yt0ng 3166bf5b05 Update proxy_ua_apt.yml
User-Agent seen in https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
2018-06-10 10:17:02 +02:00
Thomas Patzke dbc25b6bfa Integrated Qualys backend to CI testing 2018-06-07 23:33:47 +02:00
Thomas Patzke f6d5e5dd99 Sigmac parameter -I now ignores all backend errors
New backends introduced further exceptions and the intention of -I is to
get a successful run.
2018-06-07 23:33:12 +02:00
Thomas Patzke 8ddb369df3 Integration of Qualys backend
* Changed description text to one-liner
* Output to intended class
* Minor code optimizations
2018-06-07 23:31:09 +02:00
Thomas Patzke ce9db548ff Integration of ArcSight backend
* Rename
* Changed description to one line to beautify output of backend list
* Small bugfix in handling of numeric values
2018-06-07 23:04:36 +02:00
Thomas Patzke 17c894005c Merge branch 'master' of https://github.com/socprime/sigma into socprime-backends 2018-06-07 22:18:51 +02:00
nikotin d13e8d7bd3 Added ArcSight & Qualys backends 2018-06-07 16:18:23 +03:00
Florian Roth bd61f223ee Sofacy Zebrocy samples 2018-06-06 23:24:18 +02:00
Florian Roth 667b3b4935 Rule: Added 2 more Sofacy User-Agents 2018-06-06 22:38:50 +02:00
Florian Roth 9640806678 Rules: Telegram Bot API access 2018-06-05 16:25:43 +02:00
Florian Roth 9c817a493b Rule: DCSync 2018-06-03 16:00:57 +02:00
Florian Roth d1d4473505 Rule: ADS with executable
https://twitter.com/0xrawsec/status/1002478725605273600
2018-06-03 02:08:57 +02:00
Florian Roth 4eabc5ea5c Sigmac Usage 2018-06-01 10:33:11 +02:00
Florian Roth 8e500d2caa Bugfix in rule 2018-05-29 14:11:12 +02:00
Florian Roth 0d97522b5a Merge pull request #88 from noraj/patch-1
enhance web server paths
2018-05-29 11:54:46 +02:00
Alexandre ZANNI 74da324d8f remove old public_html
2018-05-29 11:44:38 +02:00
Alexandre ZANNI a1de770b64 enhance web server paths
- specify when it is apache only
- add Per-user path
- add archlinux paths
2018-05-29 11:41:36 +02:00
Florian Roth f9596c1ae0 MISP added 2018-05-28 09:15:48 +02:00
Florian Roth fc8a21fac5 Evt2Sigma 2018-05-28 09:13:08 +02:00
Florian Roth 51c6d0a767 Rule: Proxy User-Agent VPNFilter 2018-05-24 00:34:07 +02:00
Florian Roth 65cc78f9e8 Windows Config Update - DNS logs 2018-05-22 16:59:58 +02:00
Florian Roth 2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke bd23946f06 Merge of Graylog backend pull request 2018-05-18 15:55:02 +02:00
Thomas Patzke 21040f04cc Added CI test for Graylog backend 2018-05-18 15:53:25 +02:00
Thomas Patzke b28480495e Merge branch 'master' of https://github.com/DefenceLogic/sigma into DefenceLogic-master 2018-05-18 15:49:19 +02:00
Thomas Patzke 079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Paul Dutot 715a88542d Graylog backend added 2018-05-17 15:51:25 +01:00
Paul Dutot 05e108a4d1 Merge pull request #1 from Neo23x0/master
Updating Fork
2018-05-17 10:49:54 +01:00