security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

582 Commits

Author SHA1 Message Date
zinint 950796f71f Update lnx_auditd_masquerading_crond.yml 2019-10-29 22:48:39 +03:00
zinint c5599399b5 Update lnx_auditd_masquerading_crond.yml 2019-10-29 22:48:00 +03:00
zinint 47f7d648a3 T1036 2019-10-29 22:33:03 +03:00
Yugoslavskiy Daniil 3376cf4dd8 fix some typos and remove redundand references 2019-10-29 01:40:06 +03:00
RRRabbit becfca6b41 Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00
zinint d1cf80d9b6 Update lnx_auditd_user_discovery.yml 2019-10-28 00:00:06 +03:00
zinint 68b4541274 t1033 2019-10-27 23:59:16 +03:00
Mikhail Larin 334301c185 OSCD event rules from Jet CSIRT team 2019-10-25 17:57:56 +03:00
mrblacyk 499627edf3 File permissions modification (T1222) 2019-10-23 11:24:13 -07:00
mrblacyk c2d906c15f DD overwrite with zero/null (T1485) 2019-10-23 11:22:33 -07:00
mrblacyk 5ae267e326 Linux systemd reload or start rule (T1501) 2019-10-23 11:21:19 -07:00
root fb53855ae5 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:50:49 +02:00
root e47caf4749 add rule lnx_auditd_web_rce.yml 2019-10-21 11:54:21 +02:00
root a499141483 modified rule lnx_auditd_web_rce.yml 2019-10-21 11:28:59 +02:00
root ac8308dfc9 add rule lnx_auditd_web_rce.yml 2019-10-21 11:14:24 +02:00
Florian Roth 454ba2b576 rule: modified sudo vuln rule to be most generic 2019-10-20 14:02:10 +02:00
Florian Roth 08ff2f38bc Revert "rule: modified sudo vuln rule to be most generic" 
This reverts commit ef6a25d109.
 2019-10-20 14:01:14 +02:00
Florian Roth ef6a25d109 rule: modified sudo vuln rule to be most generic 2019-10-20 10:37:05 +02:00
Thomas Patzke 522f021ef1 Merge pull request #461 from Galapag0s/patch-2 
Added Additional history clearing options
 2019-10-16 22:35:41 +02:00
Florian Roth 36f678930d rule: updated sudo vuln rule to detect 0-padding part 2 
https://twitter.com/joshbressers/status/1184455759620378627
 2019-10-16 15:10:44 +02:00
Florian Roth 5374d18e4b rule: updated sudo vuln rule to detect 0-padding 
https://twitter.com/taviso/status/1184238670343065600
 2019-10-16 15:03:28 +02:00
Florian Roth 921a39f1e3 rule: extended sudo rule with variant for USER field 2019-10-15 14:55:09 +02:00
Florian Roth 96d77447d2 rule: added reference and mitre tags 2019-10-15 09:44:17 +02:00
Florian Roth 49ed76004c rule: sudo priv esc vuln CVE-2019-14287 2019-10-15 09:39:08 +02:00
Galapag0s 1e4ef648db Added Additional history clearing options 
history -w will clear the current shell history
shred purposely overwrites data replacing it with random data
 2019-09-26 12:53:13 -04:00
Galapag0s ccdda5e82b Update lnx_shell_priv_esc_prep.yml 2019-09-06 11:29:42 -04:00
Galapag0s 23021aa110 Added Sticky Bits 
Attackers may look to exploit binaries with the sticky bits enabled.  By being able to run a binary as a different user or group, they may be able to run separate commands as an elevated user.
 2019-09-06 11:25:48 -04:00
Florian Roth f5a8a81ff7 fix: linux cmds rule 2019-07-02 15:22:26 +02:00
petermmm b6c4e64a9b fixed attack category number 2->3 2019-05-12 11:59:13 +02:00
petermmm 2778558ae3 added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00
Thomas Patzke 46c789105b Fix and ordering 2019-05-10 00:08:26 +02:00
patrick ca4b710c01 Added Sigma Use Case detecting Privilege Escalation Preparation in Linux 2019-04-07 15:36:19 +02:00
Florian Roth 2b814011cd Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature 
Add new signature for linux clear command history
 2019-04-03 19:45:06 +02:00
Florian Roth 6cc1770351 Merge pull request #294 from Pr0t3an/patch-3 
Update lnx_shell_susp_rev_shells.yml
 2019-04-03 01:07:07 +02:00
Florian Roth b76925f838 Rule: extending rule with /dev/udp 2019-04-02 20:09:13 +02:00
Pr0t3an d067087632 Update lnx_shell_susp_rev_shells.yml 
added 
 - 'bash -i >& /dev/udp/'
        - 'sh -I >$ /dev/udp/'
        - 'sh -i   >$ /dev/tcp/'
 2019-04-02 18:22:18 +01:00
Florian Roth 5c5a16c4d5 Rule: adding xterm -display string to rule 2019-04-02 18:48:18 +02:00
Florian Roth 453bd10e6e Rule: Suspicious reverse shell command lines 2019-04-02 17:03:57 +02:00
Florian Roth d06a5431eb Changes 2019-04-01 14:03:54 +02:00
patrick 0242c40360 Add new signature for linux clear command history 2019-03-24 10:10:14 +01:00
Florian Roth 5092b1e603 Rule: removed overlapping strings in Linux rule 2019-02-05 16:12:07 +01:00
Florian Roth 32c098294f Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00
Florian Roth b92c032c2d Linux JexBoss back connect shell 2018-11-08 23:21:36 +01:00
Florian Roth 6bde2cd08f Update lnx_buffer_overflows.yml 2018-08-25 00:20:34 +02:00
Florian Roth 234a48af19 rule: Linux SSHD exploit CVE-2018-15473 
https://github.com/Rhynorater/CVE-2018-15473-Exploit
 2018-08-24 16:40:41 +02:00
Florian Roth 9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
Alexandre ZANNI 74da324d8f remove old public_html 
remove old public_html
 2018-05-29 11:44:38 +02:00
Alexandre ZANNI a1de770b64 enhance web server paths 
- specify when it is apache only
- add Per-user path
- add archlinux paths
 2018-05-29 11:41:36 +02:00
Thomas Patzke 59eff939f2 Merge branch 'devel-sigmac' 2018-03-04 22:59:41 +01:00
Thomas Patzke 4792700726 Fixed rule 2018-03-04 22:07:01 +01:00