Commit Graph

2410 Commits

Author SHA1 Message Date
Florian Roth 1fd4172832 Merge pull request #84 from mgreen27/patch-1
Update_WebDAV
2018-05-17 09:40:32 +02:00
Florian Roth 57dc02aa9f Merge pull request #85 from HacknowledgeCH/es-dsl-patch
patched es-dsl
2018-05-17 09:39:55 +02:00
milkmix 37ee355a77 patched es-dsl 2018-05-17 08:44:50 +02:00
Matthew Green 16365b7793 Update_WebDAV
Made the name a bit generic as WebDAV can be used by several download cradles.
Added in HttpMethod as a select, as GET requests make for a great filter point with far fewer false positives.
2018-05-16 13:05:15 +10:00
Thomas Patzke 33ffd2683e Disabled failing pypy3 build 2018-05-13 22:52:25 +02:00
Thomas Patzke 738d03c751 Fixed position of line separation if rulecomment and verbose is active 2018-05-13 22:36:51 +02:00
Thomas Patzke 6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth 429ae0729a README Update 2018-05-12 08:33:31 +02:00
Florian Roth 1aaed07dd7 Rule: Suspicious base64 encoded part of DNS query 2018-05-10 14:08:52 +02:00
Florian Roth 62b490396d Rule: Cobalt Strike DNS Beaconing 2018-05-10 14:08:52 +02:00
Thomas Patzke f60e7e125f Sigma tools release 0.4
* Various bug fixes in quoting of specific characters
* New backend es-dsl
0.4
2018-05-01 00:50:07 +02:00
Thomas Patzke 7647587a8b Fixed quoting of backslashes in generated queries 2018-05-01 00:45:59 +02:00
Thomas Patzke de2ed08695 Merge branch 'ci-es' 2018-05-01 00:34:11 +02:00
Thomas Patzke a1c32123f1 Setup ES 6.2.4 in Travis CI 2018-05-01 00:23:48 +02:00
Thomas Patzke e411039b56 Fixed escaping of \u in Elasticsearch Query String queries 2018-05-01 00:05:16 +02:00
Florian Roth ae6df590a9 Delphi downloader https://goo.gl/rMVUSM 2018-04-24 23:23:21 +02:00
Florian Roth 49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth 3c1c9d2b31 Merge pull request #81 from yt0ng/sigma-yt0ng
added SquiblyTwo Detection
2018-04-18 16:39:37 +02:00
Florian Roth 8420d3174a Reordered 2018-04-18 16:34:16 +02:00
yt0ng c637c2e590 Adding Detections for renamed wmic and format
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
2018-04-18 15:02:52 +02:00
Florian Roth 9b8df865b1 Extended rule 2018-04-18 12:13:45 +02:00
yt0ng a4fb39a336 also for http 2018-04-18 08:19:47 +02:00
yt0ng 169a4404c2 added SquiblyTwo Detection 2018-04-17 21:33:26 +02:00
Florian Roth 6d293d498d Merge pull request #80 from marvi/marvi-patch-1
"author" should be a string and not a list.
2018-04-17 08:27:29 +02:00
Markus Härnvi cf237cf658 "author" should be a string and not a list, according to the specification 2018-04-16 23:42:51 +02:00
Florian Roth d8bbf26f2c Added msiexec to rule in order to cover new threats
https://twitter.com/DissectMalware/status/984252467474026497
2018-04-12 09:12:50 +02:00
Thomas Patzke 15a6c5efb5 Detailed error messages for failed queries 2018-04-12 00:20:54 +02:00
Thomas Patzke aeda30a389 Python rewrite of es-qs query test 2018-04-11 23:59:44 +02:00
Florian Roth 58517907ad Improved rule to provide support for old sysmon \REGISTRY syntax 2018-04-11 20:15:17 +02:00
Florian Roth 0ffd226293 Moved new rule to sysmon folder 2018-04-11 20:11:54 +02:00
Florian Roth 52d405bb1b Improved shell spawning rule 2018-04-11 20:09:42 +02:00
Florian Roth ef7fb4cff1 Merge pull request #78 from Karneades/patch-1
Add rule for Windows registry persistence mechanisms
2018-04-11 19:35:55 +02:00
Florian Roth b065c2c35c Simplified rule 2018-04-11 19:03:35 +02:00
Karneades fa6677a41d Remove @ in author
Be nice to Travis: "error    syntax error: found character '@' that cannot start any token"
2018-04-11 15:21:42 +02:00
Karneades be3c27981f Add rule for Windows registry persistence mechanisms 2018-04-11 15:13:00 +02:00
Thomas Patzke 788111f174 Fixes for Elasticsearch query correctness CI tests
* Quoting in rule
* Reading queries without special processing of backslashes

Unfortunately, backslashes still cause breaks caused by Bash handling of
them.
2018-04-09 22:33:29 +02:00
Florian Roth 56172ae174 Corrected CrackMapExec rule 2018-04-09 08:40:03 +02:00
Florian Roth a9c7fe202e Rule: Windows shell spawning suspicious program 2018-04-09 08:37:30 +02:00
Florian Roth 8ddd40e18e PowerShell Cradle - WebDAV UA 2018-04-09 08:37:30 +02:00
Florian Roth e53826e167 Extended Sysmon Office Shell rule 2018-04-09 08:37:30 +02:00
Florian Roth 6eb8cdfeab TSCookie UA 2018-04-09 08:37:30 +02:00
Thomas Patzke 05928d4f8f Merge pull request #76 from HacknowledgeCH/es-dsl
es-dsl backend
2018-04-08 23:39:23 +02:00
Thomas Patzke f113832c04 Merge pull request #69 from jmallette/rules
Create cmdkey recon rule
2018-04-08 23:23:30 +02:00
Thomas Patzke 35d43c5ed9 Merge pull request #77 from yt0ng/sigma-yt0ng
added NCSC CrackMapExecWin Description in apt_dragonfly.yml
2018-04-08 23:21:49 +02:00
root 69671733a8 added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 17:10:00 +02:00
milkmix 0b3b0c3aaf imported es-dsl code from repo 2018-04-06 17:36:11 +02:00
Thomas Patzke 24d94d39b8 CI: Testing backend es-qs against Elasticsearch 2018-04-04 00:32:48 +02:00
Thomas Patzke 4183b1b59e Sigma tools release 0.3.3 0.3.3 2018-03-29 11:17:03 +02:00
Thomas Patzke 22ee6f4521 sigmac: escaped wildcards (\* and \?) are passed in generated query 2018-03-29 11:15:20 +02:00
Thomas Patzke 17c1c1adff Added field name mappings to HELK configuration 2018-03-27 14:41:02 +02:00