security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Roberto Rodriguez a35f945c71 Update win_disable_event_logging.yml 
Description value breaking SIGMA Elastalert Backend
 2018-12-06 05:09:41 +03:00
Florian Roth 2e5a739c6c fix: fixed author string (cannot be list according to sigma specs) 2018-12-05 11:59:10 +01:00
Florian Roth 9b15b64a9a fix: fixed author string (cannot be list according to sigma specs) 2018-12-05 11:44:20 +01:00
Roberto Rodriguez 87ce07088f Update sysmon_plugx_susp_exe_locations.yml 
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Executable+used+by+PlugX+in+Uncommon+Location&unscoped_q=Executable+used+by+PlugX+in+Uncommon+Location

This impats Elastalert integration since you cannot have two rules with the same name
 2018-12-05 07:58:13 +03:00
Roberto Rodriguez bff7ec52db Update av_relevant_files.yml 
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Antivirus+Exploitation+Framework+Detection&unscoped_q=Antivirus+Exploitation+Framework+Detection

This affetcs Elastalert integration
 2018-12-05 07:53:53 +03:00
Roberto Rodriguez 104ee6c33b Update win_susp_commands_recon_activity.yml 
Rule missing "by CommandLine" which marchs the query_key value of the elastalert format to NULL.
 2018-12-05 05:55:36 +03:00
Roberto Rodriguez 328762ed67 Update powershell_xor_commandline.yml 
Ducplicate names again for https://github.com/Neo23x0/sigma/search?q=Suspicious+Encoded+PowerShell+Command+Line&unscoped_q=Suspicious+Encoded+PowerShell+Command+Line . This brakes elastalert integration since each rule needs to have its own unique name.
 2018-12-05 05:51:41 +03:00
Roberto Rodriguez 6dc36c8749 Update win_eventlog_cleared.yml 
Experimental Rule is a duplicate of https://github.com/Neo23x0/sigma/blob/bfc7012043317632265a897c8a4901f266cda992/rules/windows/builtin/win_susp_eventlog_cleared.yml. I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format
 2018-12-05 05:40:00 +03:00
Roberto Rodriguez c8990962d2 Update win_rare_service_installs.yml 
same count() by ServiceFileName < 5 aded to make sigmac work with elastalert integration
 2018-12-05 05:33:56 +03:00
Roberto Rodriguez f0b23af10d Update win_rare_schtasks_creations.yml 
Count(taskName) not being taken by elastalert integration with Sigmac
 2018-12-05 05:10:08 +03:00
Thomas Patzke 900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Florian Roth 3861dd5912 Rule: APT29 campaign against US think tanks 
https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
 2018-12-04 17:04:03 +01:00
Florian Roth a805d18bba Merge pull request #198 from kpolley/consistent_filetype 
changed .yaml files to .yml for consistency
 2018-12-03 09:00:14 +01:00
AL 9f1df6164b adding new rules detecting recently active APTs 2018-12-03 09:42:29 +02:00
Florian Roth 2ebbdebe46 rule: Cobalt Strike beacon detection via Remote Threat Creation 
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
 2018-11-30 10:25:05 +01:00
Thomas Patzke f6ad36f530 Fixed rule 2018-11-29 00:00:18 +01:00
Florian Roth 7ba1fe4309 Turla PNG Dropper Service Name 2018-11-23 08:46:20 +01:00
Florian Roth e7762c71ce Merge remote-tracking branch 'origin/master' 2018-11-22 19:14:12 +01:00
Florian Roth ec83ab5e13 APT28 Zebrocy rule 
https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
 2018-11-22 19:14:07 +01:00
Thomas Patzke a1940c6eaa Simplified rule 2018-11-21 22:34:04 +01:00
Kyle Polley 60538e2e12 changed .yaml files to .yml for consistency 2018-11-20 21:07:36 -08:00
Florian Roth a31acd6571 fix: fixed procdump rule 2018-11-17 09:10:26 +01:00
Florian Roth fd06cde641 Rule: Detect base64 encoded PowerShell shellcode 
https://twitter.com/cyb3rops/status/1063072865992523776
 2018-11-17 09:10:09 +01:00
Sherif Eldeeb 23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Sherif Eldeeb cd5950749e revert to upstream 2018-11-15 08:45:25 +03:00
Sherif Eldeeb 742192b452 Merge pull request #4 from Neo23x0/master 
fetch updates from upstream
 2018-11-15 08:32:33 +03:00
Florian Roth b92c032c2d Linux JexBoss back connect shell 2018-11-08 23:21:36 +01:00
Nate Guagenti 9bfdcba400 Update win_alert_ad_user_backdoors.yml 
add another detection rule for delegation via the attack described in harmj0y's blog:
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
 2018-11-05 21:08:19 -05:00
Florian Roth 37294d023f Suspicious svchost.exe executions 2018-10-30 09:37:40 +01:00
Florian Roth 580692aab4 Improved procdump on lsass rule 2018-10-30 09:37:40 +01:00
Thomas Patzke ff98991c80 Fixed rule 2018-10-18 16:20:51 +02:00
Thomas Patzke a2da73053d Merge branch 'patch-9' of https://github.com/samsson/sigma into samsson-patch-9 2018-10-18 16:16:57 +02:00
Thomas Patzke 732de3458f Merge pull request #186 from megan201296/patch-15 
Update sysmon_cmstp_com_object_access.yml
 2018-10-18 15:49:06 +02:00
Thomas Patzke fdd0823e07 Merge pull request #187 from megan201296/patch-16 
Additional MITRE ATT&CK Tagging
 2018-10-18 15:38:11 +02:00
Florian Roth 3c3b14a26b rule: new malware UA 2018-10-10 15:27:58 +02:00
Florian Roth fd34437575 fix: fixed date in rule 2018-10-10 15:27:58 +02:00
megan201296 fdd264d946 Update sysmon_susp_powershell_rundll32.yml 2018-10-09 19:11:47 -05:00
megan201296 440b0ddffe Update sysmon_susp_powershell_parent_combo.yml 2018-10-09 19:11:17 -05:00
megan201296 b0983047eb Update sysmon_powersploit_schtasks.yml 2018-10-09 19:10:37 -05:00
megan201296 2f533c54b3 Update sysmon_powershell_network_connection.yml 2018-10-09 19:10:17 -05:00
megan201296 1b92a158b5 Add MITRE ATT&CK Tagging 2018-10-09 19:09:19 -05:00
megan201296 ffbb968fcd Update sysmon_cmstp_com_object_access.yml 
Edit tule logic for `and` instead of `or
 2018-10-09 19:03:30 -05:00
megan201296 7997cb3001 Remove duplicate value 2018-10-08 13:00:59 -05:00
Florian Roth 54678fcb36 Rule: CertUtil UA 
https://twitter.com/ItsReallyNick/status/1047151134501216258
 2018-10-06 16:47:37 +02:00
Florian Roth 85f0ddd188 Delete win_alert_LSASS_access.yml 2018-10-02 16:48:09 +02:00
Florian Roth 19e2bad96e Delete sysmon_powershell_DLL_execution.yml 2018-10-02 08:56:09 +02:00
Florian Roth daddec9217 Delete sysmon_powershell_AMSI_bypass.yml 2018-10-02 08:55:48 +02:00
Florian Roth aafe9c6dae Delete sysmon_lethalHTA.yml 2018-10-02 08:55:19 +02:00
Ensar Şamil dec7568d4c Rule simplification 
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
 2018-09-28 10:58:50 +03:00
Florian Roth 451c18628d Merge pull request #170 from Karneades/fix-suspicious-cli 
Add group by to windows multiple suspicious cli rule
 2018-09-26 11:49:57 +02:00