security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth 47504fbd56 fix: shellshock expression 2021-04-28 11:46:49 +02:00
BlueTeamOps 59d23535ce Update win_lateral_movement.yml 2021-04-27 23:03:03 +10:00
BlueTeamOps 793504dd6b Rename win_lateral_movement to win_lateral_movement.yml 2021-04-27 22:59:52 +10:00
BlueTeamOps f75ad98903 Create win_lateral_movement 
EID 4674 with the proposed attributes is very rare in prod environment. 
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
 2021-04-27 22:55:58 +10:00
Florian Roth 9166167447 Merge pull request #1433 from d4rk-d4nph3/master 
Added rule for Lazarus activity of Apr 2021
 2021-04-26 20:34:51 +02:00
Florian Roth 3008e5b9e7 Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy 
Fix typo on CommandLine field
 2021-04-26 20:33:56 +02:00
Florian Roth 194b0af4d2 Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas 
Fix typo on CommandLine field
 2021-04-26 20:33:45 +02:00
Ian Thieves 65294d97c4 Update win_scm_database_handle_failure.yml 
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
 2021-04-26 11:28:16 -07:00
Ian Thieves 8efa10465e Update win_scm_database_privileged_operation.yml 
Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43

Query should match where SubjectLogonID != "0x3e4"
 2021-04-26 11:25:16 -07:00
Florian Roth d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Cedric Hien 748005fc14 Fix typo on CommandLine field 2021-04-25 15:52:59 +02:00
Cedric Hien c580db166c Fix typo on CommandLine field 2021-04-25 15:50:44 +02:00
Florian Roth 1ff5e226ad Merge pull request #1436 from SigmaHQ/rule-devel 
Rule devel
 2021-04-23 17:33:07 +02:00
Florian Roth f2fa8dd956 rules: CobaltStrike named pipes 2021-04-23 17:16:09 +02:00
Florian Roth c7ce9154d1 Merge pull request #1030 from stevengoossensB/master 
Updated sysmon config and rewrite rules to use categories
 2021-04-23 16:52:25 +02:00
Florian Roth a29ac79a3f refactor: extended comsvcs.dll MiniDump rule 2021-04-23 16:46:04 +02:00
Florian Roth 6f12a1b099 docs: FPs and changed level 2021-04-23 16:45:52 +02:00
Florian Roth 1333a95c51 rule: get-process lsass 2021-04-23 16:44:53 +02:00
Florian Roth 5aed7c80db Merge pull request #1435 from SigmaHQ/rule-devel 
fix: FPs with certutil command and McAfee Chromium Container
 2021-04-23 14:55:31 +02:00
Florian Roth 85582c540e docs: changed modification date 2021-04-23 14:55:04 +02:00
Florian Roth ce03ca9485 fix: Jitter keyword prone to FPs 2021-04-23 14:54:32 +02:00
Florian Roth 6256261d0e fix: FPs with Certutil and McAfee Chromium Container 2021-04-23 12:49:16 +02:00
Florian Roth 64f5af4c45 Merge pull request #1432 from SigmaHQ/rule-devel 
fix: splunk windows config, additional rule
 2021-04-23 10:30:44 +02:00
Florian Roth d5e88d369c fix: fixed rule title 2021-04-23 09:51:31 +02:00
Florian Roth b447e6338f rule: Export-PfxCertificate 2021-04-23 09:01:14 +02:00
Scoubi 23791664eb Rename win_Outlook_C2_Macro_Creation.yml to win_Outlook_C2_Registry_Key.yml 
Gave the wrong name to the file, this is the correct one.
 2021-04-21 08:45:15 -04:00
Scoubi 0b7ed7e690 Add a space 
There was a missing space in `-attack` changed for `- attack`
 2021-04-20 20:50:20 -04:00
Scoubi fadb889116 Create win_Outlook_C2_Macro_Creation.yml 
BEC is for Business Email Compromise (this can be changed)
 2021-04-20 20:38:20 -04:00
Scoubi 678ce5d528 Create win_Outlook_C2_Macro_Creation.yml 
Not 100% if this is the best place to put it.
 2021-04-20 20:34:19 -04:00
Bhabesh Rai dd391cd0b9 Added rule for Lazarus activity of Apr 2021 2021-04-20 20:05:51 +05:45
Josh Brower dfc1218e6a false positive - added Azure AD Connect 2021-04-20 08:24:38 -04:00
Florian Roth 68c59850af Merge pull request #1422 from ZikyHD/fix_lnx_system_info_discovery 
Fix invalid logsource on lnx_system_info_discovery rule
 2021-04-20 09:06:54 +02:00
Florian Roth 20c5356c9e Merge pull request #1424 from ZikyHD/fix_process_creation_dotnet 
Fix typo on CommandLine
 2021-04-20 09:06:38 +02:00
Josh Brower 2486a85a1f Added MS Threat Docs for 4616 to references 2021-04-19 08:15:42 -04:00
Florian Roth 7039209a7a Merge pull request #1425 from SigmaHQ/rule-devel 
refactor: tightened filter
 2021-04-19 11:32:02 +02:00
Florian Roth 53c6a7c54e refactor: tightened filter 2021-04-19 09:30:32 +02:00
Cedric Hien 1d6aec3c25 Fix typo on CommandLine 2021-04-19 08:20:44 +02:00
Cedric Hien bbdbab700d Fix invalid logsource on lnx_system_info_discovery rule 2021-04-17 12:57:30 +02:00
Florian Roth 941d47bc28 Merge pull request #1416 from sycophantic/master 
Remove extra spaces
 2021-04-15 13:20:49 +02:00
Steven a8d8165541 Yet another syntax fix 2021-04-15 09:25:04 +02:00
Steven 8703d9f352 Remove another reference to hardcoded event ID 2021-04-15 03:07:18 +02:00
Steven 9f5e8a02a4 Fix parse errors 2021-04-15 02:46:41 +02:00
Steven 8301b9c221 Fix selection vs selection_1 in rule files 2021-04-15 02:41:04 +02:00
Steven cce8d945a0 Clean rule rules/windows/malware/win_mal_octopus_scanner.yml to use category 2021-04-15 02:30:41 +02:00
Steven a9f2a80b8c - Remove duplicate rule 
- Fix linux rule (categories -> category)
 2021-04-15 02:23:08 +02:00
Steven f57e1a2231 Delete .keep file 2021-04-15 02:17:36 +02:00
Steven 70b106ef52 Fix syntax error 2021-04-15 02:11:13 +02:00
Steven ecbd730dad Fix syntax errors in some rules 2021-04-15 02:07:43 +02:00
Steven d263b937b4 Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 02:02:25 +02:00
Steven 7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs 
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
 2021-04-15 01:40:31 +02:00