Florian Roth
5d763581fa
Adding status "experimental" to that rule
2018-02-22 13:28:01 +01:00
Florian Roth
0be687d245
Rule: Detect CVE-2017-0261 exploitation
2018-02-22 13:27:20 +01:00
Florian Roth
b88a81a9e1
Rule: Linux > named > suspicious activity
2018-02-20 14:56:28 +01:00
Florian Roth
ef0cd4c110
Rules: Extended and fixed (*) sshd rules
2018-02-20 13:44:06 +01:00
Dominik Schaudel
cea48d9010
Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module
2018-02-12 21:57:22 +01:00
Florian Roth
d6d031fc23
Rule update: Olympic destroyer detection
...
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
2018-02-12 15:35:47 +01:00
Florian Roth
058d719e2b
Rule update: Proxy UA > Loki Bot
2018-02-12 10:08:32 +01:00
Thomas Patzke
6f6d662ae5
Dropped support for Python 3.4
...
Dict unpacking in dict initialization not supported in Python 3.4.
2018-02-11 22:48:40 +01:00
Florian Roth
fa4dbc0f2e
Rule: QuarksPwDump temp dump file
2018-02-10 15:25:36 +01:00
Florian Roth
0a1c600d7d
Rule: Changed msiexec web install rule
2018-02-10 15:25:08 +01:00
Florian Roth
443afcba0a
README Update: Rule creation tutorial, smaller fixes
2018-02-10 15:24:43 +01:00
Florian Roth
a4e6b3003f
Rule: Msiexec web install
2018-02-09 10:13:39 +01:00
Florian Roth
1382edb5e3
Cosmetics
2018-02-09 10:13:39 +01:00
Thomas Patzke
89aa300bbc
Improved xpack-watcher actions
...
* Log and mail
* Details in message
2018-02-09 00:03:41 +01:00
Thomas Patzke
8336929d76
XPack Watcher Backend: Improved aggregation capabilities
...
* Aggregation with "...count(field)...", "...by field..." and
combination of both
* Still only count() supported
2018-02-08 22:17:35 +01:00
Thomas Patzke
4762a1cc30
Removed abandoned SigmaAggregationParser.trans_timeframe() method
2018-02-05 23:30:00 +01:00
Thomas Patzke
841bb65ca0
Merge branch 'master' of https://github.com/Neo23x0/sigma
2018-02-05 22:51:37 +01:00
Thomas Patzke
69efb05c5f
First draft of Rx schema
2018-02-04 00:27:09 +01:00
Florian Roth
34e0352a21
Rule: Proxy UAs - malware - Ghost419
...
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
2018-02-03 14:47:04 +01:00
Thomas Patzke
01d6b2be3a
Merge branch 'master' of https://github.com/Neo23x0/sigma
2018-02-01 22:49:52 +01:00
Thomas Patzke
ec3f0f6d60
Fixed before/after logic
...
If nothing was generated "None" was printed.
2018-02-01 22:49:02 +01:00
Florian Roth
635d052fcc
Renamed rule - not APT32 related
2018-01-31 23:52:24 +01:00
Florian Roth
4152442bfa
Changed reference to references in Elise rule
2018-01-31 23:13:00 +01:00
Florian Roth
f1b339504e
Rule: APT32 Elise
2018-01-31 23:12:00 +01:00
Sherif Eldeeb
376d0414d8
Condition is a str, not a list
...
To be consistent with schema and all the other rules:
- `condition` should be a `str`
- if an `or` condition needs to be applied, use parentheses and literal `or` instead of a `list`
2018-01-28 16:16:00 +03:00
Sherif Eldeeb
90a8cc9d40
Merge pull request #3 from Neo23x0/master
...
Merge pull request #64 from SherifEldeeb/master
2018-01-28 16:11:19 +03:00
Thomas Patzke
f35c50049f
Merge pull request #64 from SherifEldeeb/master
...
Update rules to reflect schema changes "and add consistency"
2018-01-28 10:56:27 +01:00
SherifEldeeb
348728bdd9
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc
Change all "str" references to be "list" to match schema update
2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
Sherif Eldeeb
21bc16393b
Merge pull request #1 from Neo23x0/master
...
Update
2018-01-28 02:00:09 +03:00
Thomas Patzke
e76ef7da76
Merge branch 'devel-sigmac'
2018-01-27 23:50:00 +01:00
Thomas Patzke
76bdcba71f
Added rulecomment option to all single-query output backends
...
Prints comment with rule before output.
2018-01-27 23:48:10 +01:00
Florian Roth
0f2e1c5934
Bugfix: Missing wildcard in IIS module install rule
2018-01-27 16:15:25 +01:00
Florian Roth
d93d7d8e7b
Rule: IIS native-code module command line installation
2018-01-27 11:13:13 +01:00
Florian Roth
aca70e57ec
Massive Title Cleanup
2018-01-27 10:57:30 +01:00
Florian Roth
f31ed7177e
Added status 'experimental' to newly created auditd rules
2018-01-23 11:15:02 +01:00
Florian Roth
fe80ae7885
Rule: Linux auditd 'program execution in suspicious folders'
2018-01-23 11:13:23 +01:00
Florian Roth
228ca1b765
Rule: Linux auditd 'suspicious commands'
2018-01-23 11:13:23 +01:00
Thomas Patzke
7708a538f4
New PyPI release
0.1.3
2017-12-14 22:40:31 +01:00
Thomas Patzke
fc2dd90aaf
Skipping dotfiles
2017-12-14 22:39:51 +01:00
Thomas Patzke
497496fdf1
New release
0.1.2
2017-12-13 00:28:50 +01:00
Thomas Patzke
f3d19f394e
Fixed encoding issues
...
Some OS environments don't use UTF-8 as default encoding. Enforced it
for output files and stdout.
2017-12-13 00:12:56 +01:00
Florian Roth
379b2dd207
New recon activity rule
2017-12-11 09:31:54 +01:00
Florian Roth
8e2aef035c
Removed commands - false positive reduction
2017-12-11 09:31:54 +01:00
Florian Roth
1464ab4ab8
Renamed rule: recon activity > net recon activity - to be more specific
2017-12-11 09:31:54 +01:00
Florian Roth
285f5bab4f
Removed duplicate string
2017-12-11 09:31:54 +01:00
Thomas Patzke
19cc299c57
Added PyPI README
0.1.1
2017-12-09 22:13:25 +01:00
Thomas Patzke
fd7b7bb438
Fixed build
...
Reference to main README
2017-12-09 08:57:51 +01:00
Thomas Patzke
da9127276c
PyPI release documentation
2017-12-09 00:23:34 +01:00