security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
1,084 Commits 1 Branch 57 Tags
cd3661b60c39e7ec011be7add1b47b2d64fbb70b
Commit Graph

1084 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Daniel Roethlisberger cd3661b60c Fix optimization of NOT corner cases 2018-10-02 22:48:33 +02:00
Daniel Roethlisberger bed88cf813 Make uniq work for lists within definitions 2018-10-02 22:12:54 +02:00
Daniel Roethlisberger 7165128fa5 Remove None from AST - fixes None-related test failures 2018-10-02 21:44:37 +02:00
Daniel Roethlisberger 2242fc5ac8 Optimize the boolean expressions in the AST before generating output 
Add code optimizing the boolean expressions in the abstract syntax tree
before generating output using the backend.

The main idea behind optimizing the AST is that less repeated terms is
generally better for backend performance.  This is especially relevant
to backends that do not perform any query language optimization down
the road, such as those that generate code.

The following optimizations are currently performed:

-   Removal of empty OR(), AND()
-   OR(X), AND(X)                 =>  X
-   OR(X, X, ...), AND(X, X, ...) =>  OR(X, ...), AND(X, ...)
-   OR(X, OR(Y))                  =>  OR(X, Y)
-   OR(AND(X, ...), AND(X, ...))  =>  AND(X, OR(AND(...), AND(...)))
-   NOT(NOT(X))                   =>  X

A common example for when these suboptimal rules actually occur in
practice is when a rule has multiple alternative detections that are
OR'ed together in the condition, and all of the detections include a
common element, such as the same EventID.

This implementation is not optimized for performance and will perform
poorly on very large expressions.
 2018-10-02 21:14:25 +02:00
Florian Roth 85f0ddd188 Delete win_alert_LSASS_access.yml 2018-10-02 16:48:09 +02:00
Florian Roth 19e2bad96e Delete sysmon_powershell_DLL_execution.yml 2018-10-02 08:56:09 +02:00
Florian Roth daddec9217 Delete sysmon_powershell_AMSI_bypass.yml 2018-10-02 08:55:48 +02:00
Florian Roth aafe9c6dae Delete sysmon_lethalHTA.yml 2018-10-02 08:55:19 +02:00
Florian Roth f29ffc0697 Merge pull request #174 from esebese/patch-1 
sysmon_susp_run_key_img_folder.yml - Rule simplification
 2018-10-01 14:24:54 +02:00
Florian Roth bbddcd0f9a Merge pull request #176 from Karneades/fix-missing-list-handling 
Add missing event id list handling in PowerShell backend
 2018-10-01 14:23:48 +02:00
Karneades 468af42de5 Add missing event id list handling in PowerShell backend 2018-09-29 14:43:28 +02:00
Florian Roth f2d83a5a00 Merge pull request #175 from Karneades/fix-powershell-backend 
Improve default field handling in PowerShell backend
 2018-09-29 14:08:30 +02:00
Karneades c289484c5c Improve default field handling in PowerShell backend 2018-09-29 12:29:44 +02:00
Ensar Şamil dec7568d4c Rule simplification 
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
 2018-09-28 10:58:50 +03:00
Florian Roth 1c2431f33b Merge pull request #169 from Karneades/fix-aggregation-exeption 
Add rule filename to "not implemented" exception output
 2018-09-26 11:50:25 +02:00
Florian Roth 451c18628d Merge pull request #170 from Karneades/fix-suspicious-cli 
Add group by to windows multiple suspicious cli rule
 2018-09-26 11:49:57 +02:00
Florian Roth 38d17e5169 Merge pull request #173 from b2az/patch-1 
Missing Character
 2018-09-26 11:49:17 +02:00
Florian Roth a2c6f344ba Lower case T 2018-09-26 11:44:12 +02:00
Braz f35308a4d3 Missing Character 
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
 2018-09-26 11:40:24 +02:00
Florian Roth 815236449b Added PowerShell as target, updated project list 2018-09-24 13:44:14 +02:00
Florian Roth d0a527af5e Merge pull request #172 from Karneades/powershell-backend 
Add initial version of the PowerShell backend
 2018-09-24 13:30:24 +02:00
Florian Roth 14337a2aac Tests: PowerShell backend tests 2018-09-24 13:23:38 +02:00
Florian Roth 2766d8f881 Merge pull request #171 from Karneades/fix-certutil 
Fix CommandLine in rule sysmon_susp_certutil_command
 2018-09-24 07:51:07 +02:00
Karneades c66b00356d Add initial version of PowerShell backend 
* Add PowerShell backend
* Add PowerShell config file

State: Work in progress :)

See https://github.com/Neo23x0/sigma/issues/94
 2018-09-23 21:41:48 +02:00
Florian Roth edf8dde958 Include cases in which certutil.exe is used 2018-09-23 20:57:34 +02:00
Karneades c73a9e4164 Fix CommandLine in rule sysmon/sysmon_susp_certutil_command 
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.

We could also use both the Image path and the Command Line.

Message     : Process Create:
              Image: C:\Windows\SysWOW64\certutil.exe
              CommandLine: certutil  xx -decode xxx
              Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
              ParentImage: C:\Windows\System32\cmd.exe
              ParentCommandLine: "C:\Windows\system32\cmd.exe"
 2018-09-23 20:28:56 +02:00
Karneades cc82207882 Add group by to win multiple suspicious cli rule 
* For the detection it's important that these cli
  tools are started on the same machine for alerting.
 2018-09-23 19:38:23 +02:00
Karneades fe6f4c7475 Add rule filename to exception output for unsupported aggregation 2018-09-23 19:12:50 +02:00
Thomas Patzke 81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Thomas Patzke 1d12fc290c Added Winlogbeat configuration 2018-09-20 12:08:11 +02:00
Florian Roth 13276ecf31 Rule: AV alerts - webshells 2018-09-09 11:04:27 +02:00
Florian Roth e5c7dd18de Rule: AV alerts - relevant files 2018-09-09 11:04:27 +02:00
Florian Roth 7311d727ba Rule: AV alerts - password dumper 2018-09-09 11:04:27 +02:00
Florian Roth 84b8eb5154 Rule: AV alerts - exploiting frameworks 2018-09-09 11:04:27 +02:00
Florian Roth 82916f0cff Merge pull request #159 from t0x1c-1/t0x1c-devel 
Suspicious SYSVOL Domain Group Policy Access
 2018-09-08 15:56:54 +02:00
Florian Roth 1294af4a71 Merge pull request #166 from yt0ng/master 
Malleable Amazon Profile
 2018-09-08 15:56:22 +02:00
yt0ng 48254f7a7e Merge pull request #1 from yt0ng/apt/rules 
Malleable Amazon Profile
 2018-09-08 11:54:29 +02:00
Florian Roth 6f5a73b2e2 style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
Florian Roth 68896d9294 style: renamed rule files to all lower case 2018-09-08 10:25:20 +02:00
Florian Roth 788678feb8 Merge pull request #165 from JohnLaTwC/patch-1 
Create win_susp_powershell_hidden_b64_cmd.yml
 2018-09-08 10:23:05 +02:00
Florian Roth 5d714ab44e Rule: Added malware UA 2018-09-08 10:22:26 +02:00
Florian Roth d0f2fbb6d6 Merge pull request #161 from megan201296/patch-12 
Fix typo
 2018-09-08 10:21:20 +02:00
Florian Roth 3f444b5fc2 Merge pull request #162 from megan201296/patch-13 
Added .yml extension and fix typo
 2018-09-08 10:21:00 +02:00
Florian Roth 69e65c0bdc Merge pull request #164 from yt0ng/apt/rules 
Adding CMStar user-agent "O/9.27 (W; U; Z)"
 2018-09-08 10:19:41 +02:00
Unknown 7a74e86819 Merge remote-tracking branch 'origin/apt/rules' into apt/rules 2018-09-08 09:35:57 +02:00
Unknown 863736587c Adding ATTCK 2018-09-08 09:34:27 +02:00
Unknown 4bb01a8c24 ATTCK Tags 2018-09-08 09:29:54 +02:00
John Lambert 7ce5b3515b Create win_susp_powershell_hidden_b64_cmd.yml 
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
 2018-09-07 20:23:11 -07:00
Unknown d866097c07 CobaltStrike Malleable Amazon browsing traffic profile 2018-09-07 19:52:35 +02:00
Unknown cf48a77d5a Adding CMStar user-agent "O/9.27 (W; U; Z)" 2018-09-07 09:07:24 +02:00