Commit Graph

15089 Commits

Author SHA1 Message Date
Nasreddine Bencherchali ca5107890b Update bug_report.md 2023-02-21 23:23:17 +01:00
Nasreddine Bencherchali 8220d9b5b2 fix: add slash to image field
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-21 23:17:09 +01:00
Nasreddine Bencherchali 5c70495257 feat: add issues templates and update pr template 2023-02-21 23:10:18 +01:00
Nasreddine Bencherchali 5f1231b5f2 fix: unused selection 2023-02-21 22:25:34 +01:00
Nasreddine Bencherchali dbf4e05309 Merge branch 'SigmaHQ:master' into nasbench-rule-devel 2023-02-21 22:16:07 +01:00
Nasreddine Bencherchali 63888f7a53 feat: multiple fixes and updates 2023-02-21 22:15:30 +01:00
Thomas Patzke b4f8a7a118 Merge pull request #4064 from fukusuket/fix-sigmac-conversion-error-with-base64offset-contains-rule
fix: sigmac conversion error with `base64offset|contains` rule
2023-02-21 21:33:22 +01:00
Nasreddine Bencherchali b246439c75 Merge pull request #4065 from phantinuss/master
FP fix + cti submodule update
2023-02-21 16:52:33 +01:00
phantinuss 2530cd72de chore: update submodule cti 2023-02-21 16:38:33 +01:00
phantinuss ecc41ad20b fix: FP with chocolatey 2023-02-21 16:38:05 +01:00
fukusuket f710664dc0 fix: sigmac conversion error with base64offset|contains rule 2023-02-21 21:53:05 +09:00
Florian Roth 3085a4025a Update PULL_REQUEST_TEMPLATE.md 2023-02-20 19:37:30 +01:00
Florian Roth 0a734bde8c Merge pull request #4061 from wagga40/master
Typo correction
2023-02-20 17:29:48 +01:00
Nasreddine Bencherchali 41e844e0cc fix: add missing modified 2023-02-20 17:08:48 +01:00
Qasim Qlf 908b25bccb fix: One value of imagePath was wrong
It was "clip", which is already covered by "clipboard]::".

The real value is "&&".

Reference: 
Sigma Rule Id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
Link: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml
2023-02-20 20:49:52 +05:00
D4rkCiph3r 848a64fa69 Create proc_creation_macos_persistence_via_plistbuddy.yml (#4057) 2023-02-20 14:15:31 +01:00
D4rkCiph3r d0af939108 Create proc_creation_macos_enable_guest_account.yml (#4054) 2023-02-20 14:13:52 +01:00
Wagga 7387648bb1 Update proc_creation_win_mstsc_remote_connection.yml 2023-02-20 14:13:26 +01:00
D4rkCiph3r f9a73c7a79 Update proc_creation_macos_create_account.yml (#4052) 2023-02-20 14:13:06 +01:00
Wagga e7492c0f75 Update proc_creation_win_apt_cozy_bear_phishing_campaign_indicators.yml 2023-02-20 14:12:51 +01:00
Wagga fae6d7066a Update and rename proc_creation_win_apt_cozy_bear_phishing_campaing_indicators.yml to proc_creation_win_apt_cozy_bear_phishing_campaign_indicators.yml 2023-02-20 14:12:32 +01:00
Wagga 71b849146c Update proc_creation_win_certutil_export_pfx.yml 2023-02-20 14:11:48 +01:00
Wagga ffc9044b07 Update registry_add_persistence_amsi_providers.yml 2023-02-20 14:11:11 +01:00
Wagga 2d283ff885 Update and rename file_event_win_apt_cozy_bear_phishing_campaing_indicators.yml to file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml 2023-02-20 14:10:03 +01:00
Wagga cbc9a10eba Update java_xxe_exploitation_attempt.yml 2023-02-20 14:08:28 +01:00
D4rkCiph3r 97e2717343 Update proc_creation_macos_susp_installer_child_process.yml
Updated the selection syntax
2023-02-20 18:19:43 +05:30
Nasreddine Bencherchali b1866adb07 Merge pull request #4049 from nasbench/nasbench-rule-devel
feat: new rules, updates and fixes
2023-02-20 13:44:04 +01:00
Nasreddine Bencherchali ef68f4b116 Merge pull request #4050 from nasbench/pr-issue-templates
feat: add PULL_REQUEST_TEMPLATE.md
2023-02-20 13:18:49 +01:00
Nasreddine Bencherchali d86e5122cf Merge pull request #4060 from qasimqlf/patch-33
fix: typo in taskName property
2023-02-20 12:16:26 +01:00
Qasim Qlf 2ec65de9a2 fix: taskName property 2023-02-20 16:08:53 +05:00
m4nbat ae469ddefe New rules added for LockBit and Reddit used for C2. (#4045) 2023-02-20 12:07:02 +01:00
Nasreddine Bencherchali f0afc4cce6 fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-20 12:06:37 +01:00
Nasreddine Bencherchali 5ab9b790b7 fix: typo
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-20 11:29:45 +01:00
Nasreddine Bencherchali 4921fa3494 Update PULL_REQUEST_TEMPLATE.md 2023-02-20 10:57:41 +01:00
frack113 cd16dff85d Update rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml 2023-02-20 06:32:47 +01:00
D4rkCiph3r c016748316 Update proc_creation_macos_susp_installer_child_process.yml 2023-02-18 19:10:01 +05:30
D4rkCiph3r cc5bce2035 Create proc_creation_macos_susp_installer_child_process.yml
Summary of the Pull Request:
The pull request adds a new rule for macOS (T1059, T1059.007, T1071, T1071.001)

Detailed Description of the Pull Request / Additional comments:
The rule helps detect the execution of suspicious child processes from a macOS installer package parent process. This includes osascript, JXA, curl and wget, amongst other interpreters. Legitimate software also uses scripts (preinstall and postinstall). Baselining or application allow-listing monitoring helps reduce the false positives.

Example Log Event (In Case of FP Fixes)
NA

Relevant Issues (In Case of Issue Fixes)
NA
2023-02-18 19:04:22 +05:30
frack113 e327427f13 Merge pull request #4048 from YamatoSecurity/update-powershell-usage-of-base64-IEX
added other potential IEX strings
2023-02-18 07:13:14 +01:00
Nasreddine Bencherchali a0236b669a Create PULL_REQUEST_TEMPLATE.md 2023-02-18 00:35:11 +01:00
Nasreddine Bencherchali 1d4a6dee3d fix: more fp 2023-02-17 23:23:31 +01:00
Nasreddine Bencherchali 6a0b38291f fix: fp found in baseline 2023-02-17 23:16:42 +01:00
Nasreddine Bencherchali 1dba328ddc fix: add missing modified 2023-02-17 22:52:09 +01:00
Yamato Security 9c673bbb15 added other potential IEX strings 2023-02-18 05:51:40 +09:00
frack113 db23238016 Merge pull request #4047 from D4rkCiph3r/patch-2
Update proc_creation_macos_binary_padding.yml
2023-02-17 21:50:57 +01:00
Nasreddine Bencherchali 2ae212f5ab fix: remove unnecessary filter 2023-02-17 21:36:54 +01:00
Nasreddine Bencherchali ee7d1d9890 feat: add reference 2023-02-17 19:58:26 +01:00
Nasreddine Bencherchali 787ea00ff7 feat: new rule for events.asp technique 2023-02-17 19:41:14 +01:00
D4rkCiph3r c965a8dca0 Update proc_creation_macos_binary_padding.yml
Updated the modified field
The reference link is the same; I have a PR in the ART repo for the same, which is yet to be verified. Maybe, if it's allowed, the man pages of "truncate" and "dd" can be referenced.
Discarding the filter: there should be either "of=" (output file) or a redirection or append symbol.
2023-02-17 23:16:28 +05:30
Nasreddine Bencherchali 68c052aab7 feat: updates and fixes 2023-02-17 17:51:44 +01:00
D4rkCiph3r 45ff572bd2 Update proc_creation_macos_binary_padding.yml
Minor changes
2023-02-17 18:22:26 +05:30