Commit Graph

678 Commits

Author SHA1 Message Date
Florian Roth be9bda1d54 Merge pull request #3673 from SigmaHQ/rule-devel 2022-11-04 17:55:21 +01:00
    fix: Adfind rule, rework: Raccoon stealer UA, rule: ngrok tunneling
Florian Roth ffbaee0c56 Update rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml 2022-11-04 10:49:12 +01:00
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Florian Roth f27466ef2b Update rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml 2022-11-04 10:49:01 +01:00
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Florian Roth 4fcac3089d Rule: Ngrok tunnel LNX 2022-11-03 17:41:23 +01:00
phantinuss 8c209f0ed1 Update lnx_shell_priv_esc_prep.yml 2022-11-01 12:32:46 +01:00
securepeacock f6acf8e4cc Update lnx_shell_priv_esc_prep.yml 2022-10-31 09:38:45 -04:00
    Added ip6tables
frack113 11cb03181e Order yaml field 2022-10-25 08:53:44 +02:00
frack113 cf7a348028 Fix related 2022-10-09 17:28:05 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali 545d8170e6 Update proc_creation_lnx_sudo_cve_2019_14287.yml 2022-10-06 00:18:18 +02:00
Nasreddine Bencherchali 2c26614ce4 Update Wildcard + Int to Str fields 2022-10-05 23:15:20 +02:00
Nasreddine Bencherchali 7176d672b5 Fix wildcard 2022-10-05 17:21:34 +02:00
Nasreddine Bencherchali 88f10a5d39 Fix issues 2022-10-05 17:19:48 +02:00
Rachel Rice 24e87d0f34 fix: Rename Linux process creation rule to use established pattern 2022-09-22 17:42:54 +01:00
    One rule had a filename beginning 'prox' rather than 'proc'.

    Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
nasreddine.bencherchali@nextron-systems.com 9d5652c4c2 Update proc_creation_lnx_services_stop_and_disable.yml 2022-09-16 13:43:01 +02:00
nasreddine.bencherchali@nextron-systems.com 7f3158d09e Fix after review 2022-09-16 11:47:19 +02:00
nasreddine.bencherchali@nextron-systems.com 5dfa871cef Update proc_creation_lnx_base64_shebang_cli.yml 2022-09-16 09:38:00 +02:00
nasreddine.bencherchali@nextron-systems.com 33271e9034 Quick update 2022-09-16 09:29:45 +02:00
nasreddine.bencherchali@nextron-systems.com 4fc62dee7c Linux rules update 2022-09-16 09:22:57 +02:00
Wagga 4573ab0a21 Fix a lot of typos in rules text and comments #Part 3 (#3446) 2022-08-30 08:21:25 +02:00
frack113 823cf26633 Merge pull request #3356 from Zandmann/patch-3 2022-08-13 10:34:38 +02:00
    Create BPF_Door_port_redirect.yml
Zandmann 1339317b16 Update lnx_auditd_bpfdoor_port_redirect.yml 2022-08-12 21:41:35 +02:00
Zandmann 5bc4b2de27 Update lnx_auditd_bpfdoor_file_accessed.yml 2022-08-12 21:39:11 +02:00
Zandmann 1d6199494d Update lnx_auditd_bpfdoor_port_redirect.yml 2022-08-11 19:51:48 +02:00
Zandmann a3dcc61eac Rename lnx_auditd_BPF_Door_port_redirect.yml to lnx_auditd_bpfdoor_port_redirect.yml 2022-08-11 19:34:43 +02:00
Zandmann 28ee157216 Rename lnx_auditd_BPFDoor_file_accessed.yml to lnx_auditd_bpfdoor_file_accessed.yml 2022-08-11 19:32:17 +02:00
Zandmann 35d69a5a4b Update and rename BPF_Door_port_redirect.yml to lnx_auditd_BPF_Door_port_redirect.yml 2022-08-11 19:04:17 +02:00
Zandmann f001d35c8b Update and rename BPFDoor_abnormal_process_id_or_lock_file_accessed.yml to lnx_auditd_BPFDoor_file_accessed.yml 2022-08-11 18:59:58 +02:00
Zandmann 327a2b7e7b Create BPF_Door_port_redirect.yml 2022-08-10 19:14:14 +02:00
    BPFDoor ports redirect for evasion
Zandmann a1b9065a19 Create BPFDoor_abnormal_process_id_or_lock_file_accessed.yml 2022-08-10 19:12:35 +02:00
    detection for BPFDoor IoC files run from temporary file storage
Florian Roth 8041ab5130 Merge pull request #3325 from nasbench/nasbench-rule-devel 2022-08-05 23:42:09 +02:00
    Update+New Rules
Florian Roth d5f7de1314 Merge pull request #3324 from SigmaHQ/rule-devel 2022-08-05 09:39:41 +02:00
    Suspicious IIS Registration, Plink refactoring, remove Github compromise rules
Florian Roth 664ec8b43e refactor: remove rules for false alarm 2022-08-04 20:05:16 +02:00
    https://twitter.com/cyb3rops/status/1555242921850544131
Nasreddine Bencherchali d6a2c13738 Update rules (desc, selection, logic) 2022-08-04 18:08:08 +01:00
Florian Roth 3c67479ce2 Merge pull request #3318 from SigmaHQ/rule-devel 2022-08-03 08:42:17 +02:00
    rule: myjino github repo compromise
Florian Roth 72dbfffc0f rule: myjino github repo compromise 2022-08-03 08:34:28 +02:00
Nasreddine Bencherchali be25ff87e2 Update proc_creation_lnx_webshell_detection.yml 2022-08-01 23:40:34 +01:00
Nasreddine Bencherchali f45eba2002 Update proc_creation_lnx_webshell_detection.yml 2022-08-01 23:28:49 +01:00
Paul Hager ecf12bf6af new rules: lnx susp shell exec 2022-07-26 16:40:12 +02:00
Nasreddine Bencherchali a0a318edfc Update proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml 2022-07-21 15:17:48 +01:00
Nasreddine Bencherchali a46b20b78c Update proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml 2022-07-21 14:42:54 +01:00
Nasreddine Bencherchali a8b283ba5f Update 2022-07-20 13:40:24 +01:00
Nasreddine Bencherchali 1392ca1ec5 Fix review 2022-07-11 20:27:42 +01:00
Nasreddine Bencherchali cee1206b18 Update proc_creation_lnx_system_network_discovery.yml 2022-07-11 18:18:38 +01:00
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Nasreddine Bencherchali aec95b6d65 Update selections and indentation 2022-07-07 20:13:45 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
Nasreddine Bencherchali 6cd83a232d Update file_create_lnx_persistence_sudoers_files.yml 2022-07-05 19:43:58 +01:00
Nasreddine Bencherchali d89b20d06e Switch links to permalinks 2022-07-05 19:43:07 +01:00