security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth f12cb7309b fix: references is not a list 2020-07-13 17:37:03 +02:00
Florian Roth 437a567e4f Merge pull request #917 from Neo23x0/rule-devel 
New Empire Rules and Updates
 2020-07-13 16:37:59 +02:00
Florian Roth 1c63a93643 fix: wrong casing in tag 2020-07-13 16:20:51 +02:00
Florian Roth 1b75a3a96b Merge pull request #916 from viniciusvec/patch-2 
Update lnx_shell_clear_cmd_history.yml
 2020-07-13 15:54:11 +02:00
Florian Roth 557e8b0faf rule: improved Empire detection 2020-07-13 15:47:53 +02:00
viniciusvec 26f0d49772 Update lnx_shell_clear_cmd_history.yml 
Renamed tags to match production MITRE: https://attack.mitre.org/techniques/T1070/003/
 2020-07-13 14:06:14 +01:00
Florian Roth 7e8aa7b12b Merge pull request #915 from Neo23x0/rule-devel 
rule: regsvr32 flags anomaly
 2020-07-13 12:16:05 +02:00
Florian Roth 7a63fd56da rule: regsvr32 flags anomaly 2020-07-13 11:59:44 +02:00
Ömer Günal bee467dbd6 Rename lnx_setgid_setuid to lnx_setgid_setuid.yml 2020-07-13 01:36:20 +03:00
Ömer Günal bf8f0307b7 Rename lnx_space_after_filename_ to lnx_space_after_filename_.yml 2020-07-13 01:33:59 +03:00
Ömer Günal 4b74a0df76 Create lnx_space_after_filename_ 2020-07-13 01:33:39 +03:00
Ömer Günal c749aa2539 Create lnx_setgid_setuid 2020-07-13 01:33:09 +03:00
Ömer Günal 6b24a5df65 Create lnx_security_tools_disabling.yml 2020-07-13 01:32:24 +03:00
Ömer Günal bdeca13825 Create lnx_proxy_connection.yml 2020-07-13 01:31:05 +03:00
Ömer Günal 708a28e307 Delete lnx_space_after_filename.yml 2020-07-13 01:26:37 +03:00
Ömer Günal af6ad5a41b Delete lnx_setuid_setgid.yml 2020-07-13 01:26:29 +03:00
Ömer Günal 64a9b6e098 Delete lnx_disabling_security_tools.yml 2020-07-13 01:26:11 +03:00
Ömer Günal 7466c8d425 Delete lnx_connection_proxy.yml 2020-07-13 01:26:03 +03:00
Ömer Günal 7ce16d1bbc Update lnx_space_after_filename.yml 2020-07-13 01:07:32 +03:00
Ryan Plas 25d978d9bd Update powershell_shellcode_b64.yml logsource to use the correct Sigma schema values 2020-07-11 22:17:06 -04:00
Ryan Plas 3bb45f00af Update web_citrix_cve_2019_19781_exploit.yml logsource to use the correct Sigma schema values 2020-07-11 00:00:21 -04:00
Florian Roth 1a87492bd4 Merge pull request #912 from Neo23x0/rule-devel 
rule: improved Citrix rule
 2020-07-10 19:46:09 +02:00
Florian Roth 129925ce0b rule: improved Citrix rule 2020-07-10 18:15:35 +02:00
Florian Roth 17dedddbdd Merge pull request #911 from Neo23x0/rule-devel 
rule: Citrix Netscaler Attack CVE-2020-8193 CVE-2020-8195
 2020-07-10 18:09:19 +02:00
Florian Roth 383953c74e rule: better rule name and descriptions, plus MITRE ATT&CK tags 2020-07-10 17:55:13 +02:00
Florian Roth 0d89208242 rule: updated Citrix rule 2020-07-10 17:49:18 +02:00
Florian Roth eda08e3a89 rule: Citrix Netscaler Attack CVE-2020-8193 CVE-2020-8195 2020-07-10 17:45:11 +02:00
Florian Roth 3ab5eb97d8 Merge pull request #901 from brachera/master 
rule: Leviathan registry key
 2020-07-10 16:42:02 +02:00
Florian Roth 49aa0b4621 Merge pull request #909 from EccoTheFlintstone/fp2 
add WMI module load false positive
 2020-07-10 15:45:53 +02:00
Florian Roth 5de82628fa Update sysmon_apt_leviathan.yml 2020-07-10 15:41:55 +02:00
Florian Roth 168952840b Merge pull request #910 from Neo23x0/rule-devel 
Rule devel
 2020-07-10 14:17:22 +02:00
Florian Roth 268a28daed rule: Evilnum Golden Chicken rule OCX 2020-07-10 13:02:52 +02:00
ecco e30eaa0202 be more specific about file location 2020-07-09 13:33:59 -04:00
ecco 94e3bd9e6b add WMI module load false positive 2020-07-09 13:32:21 -04:00
ecco 905f1b3823 add WMI and powershell false positives 2020-07-09 10:26:54 -04:00
Florian Roth 7949729fa4 rule: PowerShell encoded character syntax 2020-07-09 08:52:32 +02:00
Florian Roth e3734aaa27 fix: missing upper tick 2020-07-08 15:53:04 +02:00
GelosSnake efae210556 adding google chrome to FP list 
legitimate errors generated by Google Chrome are reported often.

Official google standpoint on this:
https://support.google.com/chrome/a/thread/15440066?hl=en
 2020-07-08 16:44:41 +03:00
Thomas Patzke 205b584e80 Merge branch 'pr-829' 2020-07-07 23:42:57 +02:00
Thomas Patzke 3e17cc1900 Merge pull request #894 from caliskanfurkan/master 
ditsnap, a credential access tool used in ransomware attacks
 2020-07-07 23:21:36 +02:00
Thomas Patzke 28013a15e1 Improved rule 2020-07-07 23:18:07 +02:00
Thomas Patzke 90f09f7b12 Merge branch 'devel' of https://github.com/diskurse/sigma into pr-829 2020-07-07 23:15:39 +02:00
Thomas Patzke 3c760fabc1 Merge pull request #745 from Rettila/master 
Added new rules
 2020-07-07 23:14:19 +02:00
Thomas Patzke 7eb499ad85 Added rule id 2020-07-07 22:54:55 +02:00
Thomas Patzke 360b5714a8 Splitted and improved new rule 2020-07-07 22:47:14 +02:00
Thomas Patzke 0ce5f2cc75 Merge branch 'patch-2' of https://github.com/4A616D6573/sigma into pr-483 2020-07-07 22:37:11 +02:00
Thomas Patzke 4762a59b89 Merge pull request #891 from rtkbkish/image-load-fixes 
Fix typo for rule in image_load category
 2020-07-07 22:31:32 +02:00
Thomas Patzke 2032a1e7fd Merge pull request #898 from rtkbkish/fix-uac-registry 
Proposed fix for sysmon_uac_bypass_eventvwr
 2020-07-07 22:29:39 +02:00
Thomas Patzke 9e85731253 Merge pull request #899 from rtkbkish/refix-rules 
Re-fix sysmon rules that lost changes with category refactoring.
 2020-07-07 22:28:37 +02:00
Florian Roth acfe20aa34 rule: extended F5 BIG-IP exploitation detection rule 2020-07-07 21:45:08 +02:00