security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,036 Commits 1 Branch 57 Tags
ab5556ae8caaef4e446cbd01324c0525cbb2b38f
Commit Graph

2036 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Karneades ab5556ae8c fix: change keyword and bound it to a field 2019-10-29 19:59:43 +01:00
Thomas Patzke 632c45843b Merge pull request #500 from refractionPOINT/master 
Adding LimaCharlie to the README's supported targets.
 2019-10-28 21:17:30 +01:00
Maxime Lamothe-Brassard f01913c996 Adding LimaCharlie to the README's supported targets. 2019-10-28 14:48:04 -05:00
Thomas Patzke 6a76f5950b Merge pull request #499 from refractionPOINT/master 
Adding Backend for LimaCharlie D&R rules
 2019-10-28 20:38:33 +01:00
Maxime Lamothe-Brassard f6fb9c7f5f Fixing typo in response metadata. 2019-10-28 11:31:50 -05:00
Maxime Lamothe-Brassard 2873e1ded3 Small refactors to make more readable and remove deprecated code paths to increase coverage. 2019-10-28 10:49:05 -05:00
Florian Roth 8ff85499c8 rule: svchost dll search order hijack 2019-10-28 12:03:03 +01:00
Florian Roth 1a3444d0ef docs: comment on rule expression 2019-10-28 12:02:46 +01:00
Maxime Lamothe-Brassard a7003c2aa3 Adding support for "unix", looking like a mistake by the creator. 2019-10-27 15:55:12 -05:00
Maxime Lamothe-Brassard d019cef439 Ading a bit more of early support for netflow and some linux exe. 2019-10-27 15:48:28 -05:00
Maxime Lamothe-Brassard a57a7b58cf Added conceptial support for aliasing keyworkds to a specific field depending on the log source. 2019-10-27 15:28:54 -05:00
Maxime Lamothe-Brassard 60b20a76a6 Fixing handling of unsupported sources. 2019-10-27 12:37:06 -05:00
Maxime Lamothe-Brassard 0fe72d6133 Emit error on full-text searches not being supported. 2019-10-27 12:26:36 -05:00
Maxime Lamothe-Brassard f43300af8e Fix the top level pre-condition for Windows Event Logs on LC. 2019-10-27 12:17:15 -05:00
Maxime Lamothe-Brassard 91e48d8c1b Adding setup links and fixing test that would crash Not node, but not seen in prod rules. 2019-10-27 11:56:32 -05:00
Maxime Lamothe-Brassard 8d866b0868 Adding comments. 2019-10-26 17:37:13 -05:00
Maxime Lamothe-Brassard bc5e9bd03a Making rule output a full D&R (with the Response component) and includes a lot of metadata from the rule in the report. 2019-10-26 17:30:40 -05:00
Maxime Lamothe-Brassard 8cc3990aef Extending support for more random rules with odd names. 2019-10-26 16:59:33 -05:00
Maxime Lamothe-Brassard 4d65b62063 Adding support for generating rules for Windows builtin category for use in the External Logs of LC. 2019-10-26 16:30:50 -05:00
Maxime Lamothe-Brassard 30cc7ee809 Refactor mappings into a flat structure to account for missing parameters in some combinations. 2019-10-26 16:09:39 -05:00
Maxime Lamothe-Brassard 77329714c5 Adding service to indirection of mappings since it will be used for Windows Event Logs. 2019-10-26 16:06:42 -05:00
Maxime Lamothe-Brassard 823d86c7d9 Remove unimplemented config entries and fix bug with valueNode. 2019-10-26 15:54:08 -05:00
Maxime Lamothe-Brassard bba43c7a86 First draft of support for LimaCharlie D&R rules. 2019-10-26 15:45:48 -05:00
Florian Roth 66a32549f1 rule: proxy malware ua - Zebrocy 2019-10-26 14:20:29 +02:00
Florian Roth 42808b7eb8 rule: webshell detection improved 2019-10-26 09:14:54 +02:00
Thomas Patzke 30948b9c1a Added sigma-similarity tool 
Fixed also bug in backend base class that was triggered by the way
backends are used by this tool.
 2019-10-25 21:59:03 +02:00
Florian Roth a5ec6722a1 rule: the actual changes to hwp rule 2019-10-24 15:35:13 +02:00
Florian Roth 86c1b4ae4b rule: hwp exploits 2019-10-24 11:46:56 +02:00
Florian Roth 3d4ce9d175 rule: another reference link for 'execution by ordinal' 2019-10-22 15:18:19 +02:00
Florian Roth b3654947bc rule: suspicious call by ordinal (rundll32) 2019-10-22 12:40:26 +02:00
Florian Roth 0f02f2bdfc rule: adjusted very noisy rule on AppLocker whitelist bypass 2019-10-22 12:32:37 +02:00
Florian Roth 3bd3e724f1 Merge pull request #473 from joesecurity/patch-3 
Update README.md
 2019-10-21 13:34:41 +02:00
Florian Roth 439045a87b Reordered projects 2019-10-21 13:34:30 +02:00
Florian Roth 4e7ad5c948 rule: added date to crypto miner rule 2019-10-21 13:24:33 +02:00
Florian Roth e8963b2599 rule: crypto miner user agents in proxy logs 2019-10-21 13:21:50 +02:00
Joe Security b815b15255 Update README.md 
Added Joe Sandbox to list of supported Projects or Products.
 2019-10-21 13:13:49 +02:00
Florian Roth c8b5b91815 Merge pull request #471 from a2tf/rule_change_proxy_uri_to_url 
rule: changed two proxy rules from uri-query to url
 2019-10-21 12:52:36 +02:00
Thomas Patzke 8a545b973b Sigmatools release 0.13 0.13 2019-10-21 11:58:26 +02:00
Florian Roth 9457f01c29 Update proxy_ios_implant.yml 2019-10-21 11:20:11 +02:00
Florian Roth f8d8eb7948 Update proxy_chafer_malware.yml 2019-10-21 11:19:59 +02:00
Florian Roth 454ba2b576 rule: modified sudo vuln rule to be most generic 2019-10-20 14:02:10 +02:00
Florian Roth 08ff2f38bc Revert "rule: modified sudo vuln rule to be most generic" 
This reverts commit ef6a25d109.
 2019-10-20 14:01:14 +02:00
Florian Roth ef6a25d109 rule: modified sudo vuln rule to be most generic 2019-10-20 10:37:05 +02:00
Florian Roth bd93425639 Added Sumologic to list 2019-10-19 10:11:28 +02:00
a2tf a2753ba5a6 rule: changed two proxy rules from uri-query to url 2019-10-18 14:15:39 +00:00
Thomas Patzke fc276612b6 Added encoding modifiers 2019-10-16 23:52:06 +02:00
Thomas Patzke 522f021ef1 Merge pull request #461 from Galapag0s/patch-2 
Added Additional history clearing options
 2019-10-16 22:35:41 +02:00
Thomas Patzke 02d193c518 Merge pull request #470 from stevengoossensB/master 
Mapping the fields in the select statement according to the configuration file
 2019-10-16 22:34:28 +02:00
Florian Roth deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Steven Goossens 5f7813f71e Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-10-16 16:38:59 +02:00