security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke aa5396cb9f Merge pull request #1246 from oscd-initiative/oscd_art_macos_task_14_T1049 
[OSCD] ART sync, test T1049: System Network Connections Discovery (macOS)
 2020-12-30 22:57:29 +01:00
Thomas Patzke fb9698345b Merge pull request #1247 from oscd-initiative/oscd_art_linux_task_8__T1049 
[OSCD] ART sync, test T1049: System Network Connections Discovery (Linux)
 2020-12-30 22:57:11 +01:00
Thomas Patzke 675d93ee3d Replaced string comparison with isinstance 2020-12-30 22:50:13 +01:00
Thomas Patzke 6a7991ee96 Merge pull request #1250 from oscd-initiative/oscd_art_macos_task_41_T1518.001 
[OSCD] ART sync, test T1518.001: Security Software Discovery (macOS)
 2020-12-30 22:41:18 +01:00
Thomas Patzke a88c853237 Merge pull request #1251 from oscd-initiative/oscd_art_linux_task_26_T1518.001 
[OSCD] ART sync, test T1518.001: Security Software Discovery (Linux)
 2020-12-30 22:40:32 +01:00
Thomas Patzke 436fd37655 Merge pull request #1252 from oscd-initiative/oscd_art_macos_task_55_T1553.001 
[OSCD] ART sync, test T1553.001: Gatekeeper Bypass (macOS)
 2020-12-30 22:39:36 +01:00
Thomas Patzke 5de952d488 Merge pull request #1253 from oscd-initiative/oscd_art_macos_task_60_T1562.001 
[OSCD] ART sync, test T1562.001: Disable or Modify Tools (macOS)
 2020-12-30 22:39:15 +01:00
Thomas Patzke e223d34a6e Merge pull request #1257 from alejandroortuno/service-scanning 
[OSCD] Network Service Scanning
 2020-12-30 22:35:47 +01:00
Thomas Patzke 5c03c4d4ec Merge pull request #1258 from alejandroortuno/applescript 
[OSCD] MacOS Applescript
 2020-12-30 22:31:30 +01:00
Thomas Patzke 06c168d9b2 Merge pull request #1259 from alejandroortuno/firewall 
[OSCD] Firewall Disable (Linux)
 2020-12-30 22:30:41 +01:00
Thomas Patzke 1bb0963784 Moved set_size option to class where it's used 2020-12-30 22:25:57 +01:00
Thomas Patzke ac55c7fdd4 Merge branch 'elasticsearch_backend' of https://github.com/WuerthIT/sigma into pr-1308 2020-12-30 22:18:13 +01:00
Florian Roth ab408750ac Merge pull request #1314 from Neo23x0/rule-devel 
rule: Lazarus activity
 2020-12-30 13:27:38 +01:00
Florian Roth 9ecaeb715f Merge pull request #1317 from rtkdmasse/fix-missing-product-mouse-lock 
Fix missing product mouse lock
 2020-12-30 13:27:20 +01:00
Florian Roth 15f5efc9c4 Merge pull request #1322 from maravedi/patch-1 
Update sumologic.yml
 2020-12-29 17:59:13 +01:00
Florian Roth 126a17a276 Merge pull request #1323 from ZikyHD/master 
Typo on field name
 2020-12-29 15:39:36 +01:00
ZikyHD 8a6b182fee Update win_susp_adfind.yml 2020-12-29 14:41:46 +01:00
ZikyHD ece829bb25 Update win_susp_adfind.yml 
Typo on field name
 2020-12-29 14:40:36 +01:00
maravedi fa6f75f07e Update sumologic.yml 
The commit from vihreb on October 6, 2020 (https://github.com/Neo23x0/sigma/commit/51df5ad8764cd6896a3ef83ad388aebc136d5815) removed some items from the allowed fields list for the sumologic backend (https://github.com/Neo23x0/sigma/blob/51df5ad8764cd6896a3ef83ad388aebc136d5815/tools/sigma/backends/sumologic.py#L161) with the expectation that they are included in the sumologic config, however the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable."

I suspect that this change in the behavior of the backend was made to accommodate for new sumologic-cse config which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic.

Note: In the config, I did not include those fields that are presently hard coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since from what I can tell, the syntax that vihreb added to the sumologic backend "_sourceName" is actually correct.
 2020-12-28 16:46:32 -05:00
Florian Roth 0a83f91386 Merge pull request #1321 from d4rk-d4nph3/master 
Fixed typo in file format
 2020-12-28 09:13:48 +01:00
Bhabesh Rai bf77c8266a Fixed typo in file format 2020-12-28 11:46:02 +05:45
Florian Roth 896fc21911 Merge pull request #1320 from d4rk-d4nph3/master 
Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass
 2020-12-27 20:37:36 +01:00
Florian Roth a6212a4490 style: some minor style changes 2020-12-27 20:06:19 +01:00
Bhabesh Rai 1cfad987b0 Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass 2020-12-27 17:34:49 +05:45
Florian Roth 43033ab874 Update win_susp_emotet_rudll32_execution.yml 2020-12-25 09:05:55 +01:00
Tran Trung Hieu d551b88d5c Edit title convention 2020-12-25 14:21:26 +07:00
Tran Trung Hieu 4297e68704 Detect Emotet DLL loading by looking rundll32.exe 2020-12-25 14:09:40 +07:00
Daniel Masse fedda17231 Update the azure image_load rule to be a generic sysmon rule 2020-12-23 16:29:49 -05:00
Daniel Masse bf539fd1fe Revert "Fix bug changing the logsource service to category" 
This reverts commit 0f51e53d0e.
 2020-12-23 15:50:49 -05:00
Daniel Masse 71ea5c7437 Add missing product in logsource 2020-12-23 15:45:00 -05:00
Daniel Masse 0f51e53d0e Fix bug changing the logsource service to category 2020-12-23 15:12:31 -05:00
Daniel Masse e4c052154d Remove unneeded file 2020-12-23 14:30:24 -05:00
Daniel Masse d2edf715f2 Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00
Florian Roth dedc34e91a fix: typos and description 2020-12-23 14:46:08 +01:00
Florian Roth cdc29dfbe8 rule: Lazarus activity 2020-12-23 14:43:32 +01:00
Florian Roth 821af35557 Merge pull request #1313 from Neo23x0/rule-devel 
Rule devel
 2020-12-23 13:57:11 +01:00
Florian Roth 7286d01f78 fix: typo in rule 2020-12-23 13:26:44 +01:00
Florian Roth 80aa398392 rule: Lazarus group loaders 2020-12-23 13:25:16 +01:00
Florian Roth e67d17a967 rule: improved solarwinds webshell rule 2020-12-22 10:36:34 +01:00
Florian Roth c3f891beab Merge pull request #1286 from V3T0/v3t0_oscd_lolbas_runonce_susp_persistence_ 
[OSCD] Added a rule to detect potential persistence using registry keys
 2020-12-21 18:33:17 +01:00
Florian Roth 7954684fbf Merge pull request #1260 from alejandroortuno/remote-system-discovery 
[OSCD] Remote System Discovery
 2020-12-21 18:32:08 +01:00
Florian Roth 64197d0dec Merge pull request #1261 from alejandroortuno/emond 
[OSCD] MacOS Emond Launch Daemon
 2020-12-21 18:30:56 +01:00
Florian Roth 133b98ffcb Merge pull request #1262 from invrep-de/oscd 
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy
 2020-12-21 18:30:21 +01:00
Florian Roth f20f346a6a Merge pull request #1264 from omkar72/sdev-1 
Adding 2 rules - Conhost & office test registry persistence
 2020-12-21 18:28:59 +01:00
Florian Roth f46c590d91 Merge pull request #1288 from 0xtf/patch-1 
add SIEGMA and S2AN
 2020-12-21 18:27:52 +01:00
Florian Roth a314b54f93 docs: fix typo 2020-12-21 18:27:43 +01:00
Florian Roth e78d7e6aee Merge pull request #1296 from mat-gas/fix-references 
fix "references" field + add test for references in plural form
 2020-12-21 18:25:35 +01:00
Florian Roth 377454cb31 Merge pull request #1299 from tjgeorgen/patch-1 
ATT&CK subtechnique tag updates
 2020-12-21 18:24:00 +01:00
Florian Roth 35ab80b39e Merge pull request #1306 from d4rk-d4nph3/master 
Added rule for Impacket's PsExec execution
 2020-12-21 18:23:41 +01:00
Florian Roth 1bb249c6ec Merge pull request #1312 from Neo23x0/rule-devel 
rule: Solarwinds SUPERNOVA web shell access
 2020-12-21 11:30:56 +01:00