security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,061 Commits 1 Branch 57 Tags
e52f29dda997cdb3fa084555c0cdcaeee6a73a5d
Commit Graph

2061 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Maxime Lamothe-Brassard e52f29dda9 Fix matches operator field set to value instead of re. 2019-11-05 08:38:06 -05:00
Thomas Patzke 54c75167ce Default configurations for backends 2019-11-03 23:32:50 +01:00
Thomas Patzke 0c64992276 Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-11-02 23:05:41 +01:00
Thomas Patzke a5579fa8cd Merge pull request #513 from Karneades/fix-sysmon-rule 
fix: bound sysmon logon script rule to field
 2019-11-02 23:04:35 +01:00
Thomas Patzke c0f1b12833 Merge pull request #512 from Karneades/fix-win-rules 
fix: bound windows event log rules to message field
 2019-11-02 23:03:44 +01:00
Thomas Patzke 66d9de460d Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-11-02 22:56:32 +01:00
Thomas Patzke 4f19ef5708 Graylog backend now derived from es-qs 
Technically, Graylog is ES. Fixes and improvements for ES didn't
propagate to Graylog, now they do.
 2019-11-02 22:56:01 +01:00
Thomas Patzke 8af2b70594 Restrict search not bound to fields to keyword fields 2019-11-02 22:55:04 +01:00
Thomas Patzke c9eb921f68 ConditionAND/OR constructor now allows arbeitrary number of operands 2019-11-02 22:54:35 +01:00
Karneades 0117dac1db fix: bound sysmon logon script rule to field 
Fixed rule:
- rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
 2019-11-02 11:47:20 +01:00
Karneades 68fd20cb66 fix: bound windows event log rules to message field 
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
 2019-11-02 11:25:29 +01:00
Florian Roth 3107c0c268 rule: Formbook rule improved 2019-10-31 09:32:18 +01:00
Florian Roth 4741b6a4d6 rule: Mustang Panda dropper 2019-10-30 18:22:40 +01:00
Florian Roth d661771608 rule: another DTRACK reference 2019-10-30 18:22:25 +01:00
Florian Roth 3ac28f3eed rule: DTRACK process creation 2019-10-30 15:16:33 +01:00
Thomas Patzke 219f00e3fb Added command line parameter 
Implements #418
 2019-10-29 23:04:28 +01:00
Thomas Patzke 2eeccf48e0 Removed line breaks in Elastalert YAML output 
Fixes #453
 2019-10-29 22:45:37 +01:00
Thomas Patzke f4e9690d6b Merge pull request #508 from Karneades/fixRule3 
fix: bound keywords to field in multiple PS rules
 2019-10-29 22:34:08 +01:00
Thomas Patzke 78d8ca2b41 Merge pull request #507 from Karneades/fixRule2 
fix: bound keywords to field in PS cred prompt rule
 2019-10-29 22:31:01 +01:00
Thomas Patzke 40df0d4534 Merge pull request #506 from Karneades/fixRule1 
fix: bound keywords to field in WMI persistence rule
 2019-10-29 22:30:27 +01:00
Thomas Patzke 6eb49fc1ce Merge pull request #509 from Karneades/fixRule4 
fix: change keyword and bound it to a field in PS rule
 2019-10-29 22:27:54 +01:00
Thomas Patzke b6403793c1 Fixed escaping in rule 2019-10-29 22:06:23 +01:00
Karneades ab5556ae8c fix: change keyword and bound it to a field 2019-10-29 19:59:43 +01:00
Karneades aafab2e936 fix: bound keywords to field in multiple PS rules 
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
 2019-10-29 19:53:18 +01:00
Karneades f31750e567 fix: bound keywords to field in PS cred prompt rule 2019-10-29 19:43:04 +01:00
Karneades cd20e4a3fc fix: bound keywords to field in WMI persistence rule 
See #501.
 2019-10-29 19:22:41 +01:00
Thomas Patzke 632c45843b Merge pull request #500 from refractionPOINT/master 
Adding LimaCharlie to the README's supported targets.
 2019-10-28 21:17:30 +01:00
Maxime Lamothe-Brassard f01913c996 Adding LimaCharlie to the README's supported targets. 2019-10-28 14:48:04 -05:00
Thomas Patzke 6a76f5950b Merge pull request #499 from refractionPOINT/master 
Adding Backend for LimaCharlie D&R rules
 2019-10-28 20:38:33 +01:00
Maxime Lamothe-Brassard f6fb9c7f5f Fixing typo in response metadata. 2019-10-28 11:31:50 -05:00
Maxime Lamothe-Brassard 2873e1ded3 Small refactors to make more readable and remove deprecated code paths to increase coverage. 2019-10-28 10:49:05 -05:00
Florian Roth 8ff85499c8 rule: svchost dll search order hijack 2019-10-28 12:03:03 +01:00
Florian Roth 1a3444d0ef docs: comment on rule expression 2019-10-28 12:02:46 +01:00
Maxime Lamothe-Brassard a7003c2aa3 Adding support for "unix", looking like a mistake by the creator. 2019-10-27 15:55:12 -05:00
Maxime Lamothe-Brassard d019cef439 Ading a bit more of early support for netflow and some linux exe. 2019-10-27 15:48:28 -05:00
Maxime Lamothe-Brassard a57a7b58cf Added conceptial support for aliasing keyworkds to a specific field depending on the log source. 2019-10-27 15:28:54 -05:00
Maxime Lamothe-Brassard 60b20a76a6 Fixing handling of unsupported sources. 2019-10-27 12:37:06 -05:00
Maxime Lamothe-Brassard 0fe72d6133 Emit error on full-text searches not being supported. 2019-10-27 12:26:36 -05:00
Maxime Lamothe-Brassard f43300af8e Fix the top level pre-condition for Windows Event Logs on LC. 2019-10-27 12:17:15 -05:00
Maxime Lamothe-Brassard 91e48d8c1b Adding setup links and fixing test that would crash Not node, but not seen in prod rules. 2019-10-27 11:56:32 -05:00
Maxime Lamothe-Brassard 8d866b0868 Adding comments. 2019-10-26 17:37:13 -05:00
Maxime Lamothe-Brassard bc5e9bd03a Making rule output a full D&R (with the Response component) and includes a lot of metadata from the rule in the report. 2019-10-26 17:30:40 -05:00
Maxime Lamothe-Brassard 8cc3990aef Extending support for more random rules with odd names. 2019-10-26 16:59:33 -05:00
Maxime Lamothe-Brassard 4d65b62063 Adding support for generating rules for Windows builtin category for use in the External Logs of LC. 2019-10-26 16:30:50 -05:00
Maxime Lamothe-Brassard 30cc7ee809 Refactor mappings into a flat structure to account for missing parameters in some combinations. 2019-10-26 16:09:39 -05:00
Maxime Lamothe-Brassard 77329714c5 Adding service to indirection of mappings since it will be used for Windows Event Logs. 2019-10-26 16:06:42 -05:00
Maxime Lamothe-Brassard 823d86c7d9 Remove unimplemented config entries and fix bug with valueNode. 2019-10-26 15:54:08 -05:00
Maxime Lamothe-Brassard bba43c7a86 First draft of support for LimaCharlie D&R rules. 2019-10-26 15:45:48 -05:00
Florian Roth 66a32549f1 rule: proxy malware ua - Zebrocy 2019-10-26 14:20:29 +02:00
Florian Roth 42808b7eb8 rule: webshell detection improved 2019-10-26 09:14:54 +02:00