security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,992 Commits 1 Branch 57 Tags
bd9342563943900a856bca7af51863af3a2e8a2a
Commit Graph

1992 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth bd93425639 Added Sumologic to list 2019-10-19 10:11:28 +02:00
Thomas Patzke fc276612b6 Added encoding modifiers 2019-10-16 23:52:06 +02:00
Thomas Patzke 522f021ef1 Merge pull request #461 from Galapag0s/patch-2 
Added Additional history clearing options
 2019-10-16 22:35:41 +02:00
Thomas Patzke 02d193c518 Merge pull request #470 from stevengoossensB/master 
Mapping the fields in the select statement according to the configuration file
 2019-10-16 22:34:28 +02:00
Florian Roth deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Steven Goossens 5f7813f71e Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-10-16 16:38:59 +02:00
Steven Goossens 6a1a96a918 Implement mapping when selecting the fields for the AQL query. This was not being done correctly 2019-10-16 16:37:09 +02:00
Florian Roth ab292a4029 rule: simplified Emotet rule 2019-10-16 15:29:42 +02:00
Florian Roth 36f678930d rule: updated sudo vuln rule to detect 0-padding part 2 
https://twitter.com/joshbressers/status/1184455759620378627
 2019-10-16 15:10:44 +02:00
Florian Roth 5374d18e4b rule: updated sudo vuln rule to detect 0-padding 
https://twitter.com/taviso/status/1184238670343065600
 2019-10-16 15:03:28 +02:00
Florian Roth c396526f40 rule: LSASS DLL load via undocumented Registry key 
https://twitter.com/SBousseaden/status/1183745981189427200
 2019-10-16 13:18:44 +02:00
Florian Roth 5d143f4f22 rule: emotet rule references extended 2019-10-16 13:18:44 +02:00
Thomas Patzke 8c8ac52b57 Merge pull request #469 from stevengoossensB/master 
Added the cleanValue function for Qradar
 2019-10-16 11:24:57 +02:00
Steven Goossens c6e0e10613 Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-10-16 11:06:53 +02:00
Steven Goossens 2837d3ba74 Added the cleanValue function for Qradar 2019-10-16 10:27:24 +02:00
Florian Roth d46154da5c rule: extending Emotet rule 2019-10-16 10:22:48 +02:00
Florian Roth 38c19db1c5 Set theme jekyll-theme-minimal 2019-10-15 16:39:49 +02:00
Florian Roth 4ea469d138 rule: suspicious compression tool parameters 2019-10-15 16:38:53 +02:00
Florian Roth e870c86fb0 rule: keyboad layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth 921a39f1e3 rule: extended sudo rule with variant for USER field 2019-10-15 14:55:09 +02:00
Florian Roth 96d77447d2 rule: added reference and mitre tags 2019-10-15 09:44:17 +02:00
Florian Roth 49ed76004c rule: sudo priv esc vuln CVE-2019-14287 2019-10-15 09:39:08 +02:00
Florian Roth 52fef7ae10 Merge pull request #468 from 2d4d/lsass_without_exe 
remove .exe from lsass
 2019-10-14 18:03:13 +02:00
Florian Roth 8db1cac910 fix: made rule compatible with event id 4688 2019-10-14 18:01:24 +02:00
Florian Roth 0e2284a176 rule: modified the default 2019-10-14 17:50:48 +02:00
Florian Roth 312311494d rule: suspicious code page switch using chcp 2019-10-14 17:45:25 +02:00
2d4d cf5d7f11ad remove .exe from lsass 2019-10-14 17:26:33 +02:00
Florian Roth 7ee3974428 rule: suspicious keyboard layout load 2019-10-14 16:25:27 +02:00
Florian Roth 5583684efd rule: extended suspicious procdump rule 2019-10-14 16:21:37 +02:00
Florian Roth 98f0d01b2e rule: mimikatz use extended 2019-10-11 18:50:33 +02:00
Florian Roth 60af1f5a4b rule: WMI Backdoor Exchange Transport Agent 2019-10-11 12:12:44 +02:00
Thomas Patzke 849a5a520d Conditional field mapping resolve_fieldname now functional 
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
 2019-10-09 23:57:41 +02:00
Florian Roth ec5bb71049 fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00
Florian Roth 14971a7b9c fix: FPs with Mimikatz DC Sync rule 2019-10-08 17:44:00 +02:00
Thomas Patzke 95c8d25858 Improved --backend-config help text 2019-10-07 22:30:57 +02:00
Thomas Patzke 60ef593a6f Fixed wrong backslash escaping of * 
Fixes issue #466
 2019-10-07 22:14:44 +02:00
Thomas Patzke 4711d4cad6 Merge pull request #464 from neu5ron/updates-to-sigma-main 
update HELK and add winlogbeat module enabled taxonomy
 2019-10-07 21:36:40 +02:00
Florian Roth d096ab0e21 rules: AV rules updated to reflect 1.7.2 auf AV cheat sheet 2019-10-04 16:17:34 +02:00
Florian Roth 3eaf4d6e94 fix: fixed typo in bluemashroom rule 2019-10-02 15:45:55 +02:00
Florian Roth 6d78a5fede rule: extended the command line in bluemashroom rule 2019-10-02 14:03:34 +02:00
Florian Roth 7423fe2072 fix: fixed typo in APT group name 2019-10-02 14:02:07 +02:00
Florian Roth e993ef46f0 rule: APT blue mushroom 2019-10-02 13:57:14 +02:00
Florian Roth 4bc7f6ea52 rule: QBot process creation 2019-10-01 17:25:04 +02:00
neu5ron a729cc7905 create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon](https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js) sigmac conversion 2019-10-01 10:16:42 -04:00
neu5ron f7fd936433 update HELK config taxonomy/mapping for sigmac conversion 2019-10-01 10:14:54 -04:00
Florian Roth e0009bfb4a fix: merged duplicate rules 2019-10-01 16:14:38 +02:00
Florian Roth d8af435827 rule: RUN key pointing to suspicious folders 2019-10-01 16:08:31 +02:00
Florian Roth c44f940fb6 rule: suspicious RUN key created by exe in temp/download folders 2019-10-01 16:08:13 +02:00
Florian Roth 52df9e9f44 rule: execution in Outlook temp folder 2019-10-01 16:07:43 +02:00
Florian Roth 9a7ef0e3c2 fix: fixed rule warning 2019-09-30 19:38:40 +02:00