Commit Graph

15089 Commits

Author SHA1 Message Date
Florian Roth 1b9ce19b2c fix: several issues 2022-05-12 17:30:30 +02:00
Florian Roth 23fbf66679 Removed duplicate rule 2022-05-12 17:19:57 +02:00
Florian Roth 2cd5a93fb6 refactor: update antivirus rules 2022-05-12 17:19:46 +02:00
frack113 1f7021fedd Merge pull request #2996 from frack113/WerFault
Add file_event_win_werfault_dll_hijacking
2022-05-12 17:13:11 +02:00
Florian Roth ccfa7742da Update file_event_win_werfault_dll_hijacking.yml 2022-05-12 13:59:49 +02:00
Florian Roth d74d287bac Merge pull request #2998 from redsand/spotify_co_for_bits_admin
Adds allow for spotify streaming, which uses this service
2022-05-12 13:02:48 +02:00
Florian Roth ee3aba2541 Merge pull request #3005 from BlackB0lt/patch-27
Create win_security_krbrelayup_service_installation.yml
2022-05-12 13:01:44 +02:00
Florian Roth fe312319d3 Update win_security_krbrelayup_service_installation.yml 2022-05-12 13:01:24 +02:00
frack113 69b4bd551c Merge pull request #3004 from redsand/fp_dnsZoneScope
filtering out dnsZoneScope
2022-05-12 06:56:50 +02:00
frack113 ca19c41192 Merge pull request #3001 from redsand/fp_zeek_add_ip6_non_routable
FP - adding ip6 non routable filter for zeek
2022-05-11 16:48:23 +02:00
Tim Shelton 3f3f986259 unifying detection 2022-05-11 14:30:14 +00:00
Tim Shelton 20e09530cf removing leading caret. moved to startswith usage 2022-05-11 14:07:47 +00:00
Florian Roth 2b0db86440 Merge pull request #3002 from phantinuss/master
Various new Rule Tests
2022-05-11 15:49:46 +02:00
Sittikorn S 800669d90c Update win_security_krbrelayup_service_installation.yml 2022-05-11 18:59:37 +07:00
Sittikorn S df8c6c118f Create win_security_krbrelayup_service_installation.yml
Detects service creation from KrbRelayUp tool
2022-05-11 18:59:14 +07:00
phantinuss 6f92a11c02 chore: test rules: check for all modifier with single item 2022-05-11 11:06:09 +02:00
Tim Shelton af32096ead moving to startswith 2022-05-10 22:19:51 +00:00
Tim Shelton b68e491055 updating ipv4 private ranges 2022-05-10 22:18:58 +00:00
Tim Shelton d072472b25 filtering out dnsZoneScope 2022-05-10 21:29:05 +00:00
frack113 4b829c45cd Merge pull request #3000 from redsand/fp_win_direct_syscall_ntopenprocess
Fp win direct syscall ntopenprocess
2022-05-10 17:50:18 +02:00
frack113 75d8f97c79 Merge pull request #2999 from redsand/hawk_backend_zeek
BACKEND: Hawk backend zeek support and bug fix for matching system user in windows
2022-05-10 17:33:40 +02:00
frack113 8cba1e0e06 Merge pull request #2997 from nasbench/master
Small Update
2022-05-10 17:29:39 +02:00
frack113 7e7c3955d6 Merge pull request #2993 from frack113/Ft_aurora
Explorer.exe FP
2022-05-10 17:27:07 +02:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
Tim Shelton 232fd9ad17 removing duplicate 2022-05-10 13:19:22 +00:00
jstnk9 cf975127b6 title modified 2022-05-10 11:41:19 +02:00
phantinuss 0b72aff084 chore: test rules: check title has no . at the end 2022-05-10 11:25:09 +02:00
phantinuss b4fdb13e8a chore: test rules: check for unused selections 2022-05-10 11:07:40 +02:00
Tim Shelton ad727e11e9 adding additional zeek categories to sort out false positive matching 2022-05-10 03:39:16 +00:00
Tim Shelton fdc1a1711a adding ip6 non routable filter 2022-05-10 03:07:14 +00:00
Tim Shelton c64197233d fixing error in translation 2022-05-10 02:19:23 +00:00
Tim Shelton 50a4a02364 adding additional field with ip_src as initial cardinal 2022-05-10 01:51:37 +00:00
Tim Shelton 8674e26218 adding cardinality of each group by to include source address. otherwise lookups will only be using "command" for example 2022-05-10 01:50:46 +00:00
Tim Shelton 278e825794 fixing hawk backend fields for zeek. wrong character 2022-05-10 01:45:17 +00:00
Tim Shelton db6d32c6b9 Adding condition update 2022-05-09 23:55:37 +00:00
Tim Shelton 5f0ca05492 Adding FP filter for cylance 2022-05-09 23:54:40 +00:00
Tim Shelton 0709758651 Adding updates for zeek, as well as some missing sections for windows. internal review of rules will continue. 2022-05-09 23:23:35 +00:00
Tim Shelton 6aa0064c28 adding support for splitting out domain and user for nt authority, since it's split in the application into 2 fields, only works for system currently. not aware of other examples 2022-05-09 23:23:07 +00:00
Tim Shelton 574df099f9 Adds allow for spotify streaming, which uses this service 2022-05-09 20:38:25 +00:00
Nasreddine Bencherchali 5151fc25c9 Updated "modified" field 2022-05-09 19:28:50 +01:00
Nasreddine Bencherchali b987752cfe Small update
- Updated regini rules to take into consideration OriginalFileName
- Added another function to execute click-once via rundll32 (dfshim)
2022-05-09 19:26:51 +01:00
frack113 c1a99350e6 Add file_event_win_werfault_dll_hijacking 2022-05-09 19:27:11 +02:00
Florian Roth 4e7ceae0e1 rule: added another keyword 2022-05-09 18:33:34 +02:00
Florian Roth ec4beca37b Merge branch 'master' into rule-devel 2022-05-09 18:03:29 +02:00
Florian Roth aa1c506892 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-05-09 18:03:18 +02:00
Florian Roth 9d87716dfb rule: encrypted ZIP files 2022-05-09 18:03:16 +02:00
Florian Roth 8b798fbf21 refactor: tightened task scheduler rule 2022-05-09 18:03:02 +02:00
Florian Roth cc68a89ad0 refactor: moved rule 2022-05-09 18:02:36 +02:00
phantinuss 654e9e9b9c fix: typo 2022-05-09 16:13:53 +02:00
phantinuss f6e893dde5 chore: test rules: check that title is given in the first line 2022-05-09 16:13:50 +02:00