Commit Graph

15089 Commits

Author SHA1 Message Date
Thomas Patzke d84f9dcc1c Aggregation 'near' raises NotImplementedError in backends splunk and logpoint 2017-08-05 23:48:28 +02:00
Thomas Patzke 685f32fdef Added sigmac target list to Travis tests 2017-08-05 23:43:15 +02:00
Thomas Patzke 9ba3c36f0e Added tests for all backends in Travis CI config 2017-08-05 23:39:32 +02:00
Thomas Patzke f58c1b768b Django security errors 2017-08-05 00:56:05 +02:00
Thomas Patzke 4578756cfd Merge remote-tracking branch 'origin/master' 2017-08-05 00:35:24 +02:00
Thomas Patzke 03985288f6 Removed 'last' from timeframe 2017-08-05 00:32:24 +02:00
Thomas Patzke f5b07dc9af Added semantic parsing of near expressions 2017-08-05 00:28:22 +02:00
Florian Roth edb52e098a Extended hh.exe in Office Shell detection
https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
2017-08-04 09:18:55 +02:00
Thomas Patzke a5a2f21378 Merge branch 'travis-test' into travis-test-working 2017-08-03 00:15:17 +02:00
Thomas Patzke d17604d007 Merge branch 'master' into travis-test 2017-08-03 00:11:08 +02:00
Thomas Patzke 36212fd5c2 Merge branch 'devel-sigmac' 2017-08-03 00:10:37 +02:00
Thomas Patzke 5706361464 Parsing of "near ... within" aggregation operator
* Operator is only parsed. No processing or passing of parsed data to
  backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
2017-08-03 00:05:48 +02:00
Thomas Patzke 7706067540 Merge branch 'master' into travis-test 2017-08-02 23:32:40 +02:00
Thomas Patzke 27e5d0c2b4 Fixed further parse error 2017-08-02 23:32:00 +02:00
Thomas Patzke 0217cd5b1d Merge branch 'master' into travis-test-working 2017-08-02 23:03:03 +02:00
Thomas Patzke 167b1f0191 Merge branch 'master' into travis-test 2017-08-02 22:53:52 +02:00
Thomas Patzke f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke 004d3933dc Changed Travis CI config to use sigmac with different error behavior 2017-08-02 00:59:50 +02:00
Thomas Patzke 52525236a5 sigmac: added parameter to control error behavior
* --defer-abort
* --ignore-not-implemented
2017-08-02 00:56:22 +02:00
Thomas Patzke bfcc119a7f Merge branch 'master' into travis-test 2017-08-02 00:37:07 +02:00
Thomas Patzke 6f5b9e183c Merge branch 'master' into travis-test-working 2017-08-02 00:32:52 +02:00
Thomas Patzke 3148660fa3 Removed build status image description 2017-08-02 00:28:09 +02:00
Thomas Patzke b82a6fdc51 Added wildcards to windows/builtin/win_susp_rundll32_activity.yml 2017-08-02 00:09:34 +02:00
Thomas Patzke 84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00
Thomas Patzke c350a90b21 Merge branch 'master' into rules-juju4 2017-08-01 23:55:53 +02:00
Thomas Patzke 3495bac9cb sigmac: return error codes 2017-07-31 00:31:49 +02:00
Thomas Patzke ced98e269a Changed URL for CI status in README 2017-07-31 00:24:34 +02:00
Thomas Patzke 97ec999878 Temporarily removed sigmac run from Travis configuration
* sigmac actually doesn't support all features used in Sigma rules.
* It returns the wrong exit code on parse errors. Parse failures cause
  passed builds.
2017-07-31 00:15:53 +02:00
juju4 86644cdc30 formatting 2017-07-30 11:48:34 -04:00
juju4 45bf3f856b travis status inside README 2017-07-30 11:46:58 -04:00
juju4 5b778c9833 yamllint: quote twitter-formatted nickname 2017-07-30 11:42:25 -04:00
juju4 bbb730c719 yamllint starter configuration, bad path for sigmac 2017-07-30 11:36:33 -04:00
juju4 a5b2ed641a trigger travis 2017-07-30 11:30:17 -04:00
juju4 ead44ca2e4 basic travis test: lint + sigma convert 2017-07-30 11:29:24 -04:00
juju4 5b42c64fcd Merge remote-tracking branch 'upstream/master' 2017-07-30 11:12:03 -04:00
juju4 31b033d492 suspicious rundll32 activity rules 2017-07-30 11:11:45 -04:00
juju4 3a8946a3ac suspicious phantom dll rules 2017-07-30 11:11:17 -04:00
juju4 fbbf29fd80 suspicious cli escape character rules 2017-07-30 11:10:43 -04:00
juju4 83fa83aa43 suspicious certutil activity rules 2017-07-30 11:09:51 -04:00
juju4 f487451c45 more suspicious cli process 2017-07-30 11:09:24 -04:00
Florian Roth d1cdb3c480 Certutil duplicate entry and "-ping" command 2017-07-23 14:51:57 -06:00
Florian Roth 433293ea40 'ruler' User Agent
https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
2017-07-22 09:24:45 -06:00
Florian Roth cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file)
> the -urlcache is the relevant command
2017-07-20 12:54:55 -06:00
Florian Roth 3a55b31da2 certutil file download - more generic approach 2017-07-20 12:48:47 -06:00
Florian Roth b85d96e458 certutil detections (renamed, extended)
see https://twitter.com/subTee/status/888102593838362624
2017-07-20 12:38:10 -06:00
Florian Roth 061d3bea27 ZxShell 2017-07-20 12:36:24 -06:00
Florian Roth 4bff14acd1 User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00
Florian Roth eeb31964da User-Agent Rules 2017-07-08 08:37:44 -06:00
Florian Roth cf42847b74 Suspicious User Agent strings 2017-07-07 20:53:22 -06:00
Florian Roth cec48ece04 Suspicious User-Agent Strings, starting with empty value 2017-07-07 18:38:32 -06:00