security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
ZikyHD 8963c0a65e Remove duplicate 'CommandLine' in fields 2020-05-20 11:54:47 +02:00
Florian Roth 9ab65cd1c7 Update win_alert_ad_user_backdoors.yml 2020-05-19 14:50:22 +02:00
neu5ron 7c3dea22b8 small T, big T 2020-05-19 05:13:48 -04:00
neu5ron 602c8917ef domain user enumeration via zeek rpc (dce_rpc) log. 2020-05-19 05:08:26 -04:00
Tatsuya Ito c815773b1a enhancement rule 2020-05-19 18:05:51 +09:00
Tatsuya Ito 49f68a327a enhancement rule 2020-05-19 18:00:50 +09:00
neu5ron effb2a8337 add exe webdav download 2020-05-19 04:41:00 -04:00
neu5ron 858ebcd3d3 author typo update 2020-05-19 04:35:47 -04:00
neu5ron 2fc8d513d6 zeek, swap path and name 2020-05-19 04:35:30 -04:00
ecco 1aa97fe577 flake 8 2020-05-18 10:03:18 -04:00
ecco 088800cd18 fix rule due to sigmac bug? 2020-05-18 09:39:48 -04:00
ecco e89613aee0 add some false positives checks 2020-05-18 07:19:06 -04:00
Florian Roth 8154ca355a Merge pull request #768 from maximelb/master 
Remove "condition" from global rule in CVE-2020-1048.
 2020-05-18 12:52:49 +02:00
gamma37 71c507d8a9 remove space bedore colon 2020-05-18 11:34:53 +02:00
gamma37 55eec46932 Create a rule for "suspicious activities" 2020-05-18 11:25:18 +02:00
gamma37 cbf06b1e43 lowercased tag 2020-05-18 10:11:32 +02:00
gamma37 904716771a Create a new rule to detect "Create Account" 2020-05-18 10:03:34 +02:00
Maxime Lamothe-Brassard 25d3a5a893 Remove "condition" from global rule. 
The condition field in this rule was in the global section which overwrote the condition in sub-rules and generated FPs. For example, once Sigma read the rule, the bottom sub-rule's "condition" was overwritten with "1 of them".
 2020-05-17 12:44:57 -07:00
Florian Roth a46e357874 Merge branch 'master' into rule-devel 2020-05-16 08:59:34 +02:00
Florian Roth d5e7d4e302 fix: missing condition in CVE-2020-1048 rule 2020-05-16 08:59:05 +02:00
ecco fd386fe8eb standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine 2020-05-15 12:35:32 -04:00
Florian Roth 7b713fbe7f rule: OpenSSHd rule adjusted 2020-05-15 17:19:32 +02:00
ecco 0575fa8d81 fix CVE 2020-1048 rule 2020-05-15 07:25:05 -04:00
Florian Roth cc26b26377 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/windows/sysmon/sysmon_cve-2020-1048.yml
 2020-05-15 12:09:47 +02:00
Florian Roth 8e7caf0e4d rule: CVE-2020-1048 2020-05-15 12:08:31 +02:00
Florian Roth 8e082283f0 Merge pull request #754 from Neo23x0/rule-devel 
Rule devel
 2020-05-15 12:07:04 +02:00
Florian Roth beb62dc163 fix: condition location 2020-05-15 12:06:34 +02:00
Florian Roth 5854cc4677 fix: small bug in new CVE-2020-1048 rule 2020-05-15 11:37:46 +02:00
Florian Roth 2282432b6f Merge pull request #753 from hieuttmmo/master 
New Sigma rule to detect possible CVE-2020-1048 exploitation and Suspicious network connection from Notepad
 2020-05-15 11:35:12 +02:00
Florian Roth 28dc2a2267 Minor changes 
hints: 
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
 2020-05-15 11:33:36 +02:00
ecco 54cf535dbc remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike) 2020-05-15 04:45:25 -04:00
Trent Liffick 40ab1b7247 added 'action: global' 2020-05-14 23:33:08 -04:00
Trent Liffick 56a2747a70 Corrected missing condition 
learning! fail fast & forward
 2020-05-14 23:18:33 -04:00
Trent Liffick fb1d8d7a76 Corrected typo 2020-05-14 23:04:14 -04:00
Trent Liffick 8aff6b412e added rule for Blue Mockingbird (cryptominer) 2020-05-14 22:58:23 -04:00
Florian Roth ab950fb89d fix: removed rules missing in master 2020-05-14 15:53:09 +02:00
Tiago Faria 2893becf8c Merge remote-tracking branch 'upstream/master' 2020-05-14 14:02:20 +01:00
Tran Trung Hieu e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu 443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu 97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Florian Roth 7652813c2c Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives 
Widen the search as it gives too many false negatives
 2020-05-13 21:02:12 +02:00
Tran Trung Hieu d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu 3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
zaphod 78a5c743f2 Widen the search as it gives too many false negatives 2020-05-13 16:20:23 +02:00
Florian Roth 78a8266a1b Merge pull request #749 from teddy-ROxPin/patch-6 
Create win_advanced_ip_scanner.yml
 2020-05-13 14:09:12 +02:00
Florian Roth 220a14f31c fix: typo in contains 2020-05-13 12:38:54 +02:00
zaphod 1a598282f4 Add 'Add-Content' to powershell_ntfs_ads_access 2020-05-13 11:57:10 +02:00
Florian Roth a1856c5743 Update win_advanced_ip_scanner.yml 2020-05-13 11:56:25 +02:00
zaphod a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00