security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Timur Zinniatullin 72fdf0da45 Update lnx_auditd_susp_cmds.yml 2020-08-04 20:00:30 +03:00
Timur Zinniatullin 4e688233d7 ATT&CK mapping update suggestions for \linux\ 2020-08-04 19:48:18 +03:00
Florian Roth 4529e4cd52 Merge pull request #966 from Neo23x0/rule-devel 
rule: TAIDOOR malware load
 2020-08-04 14:54:24 +02:00
Florian Roth 052379a512 fix: tightened TAIDOOR rule 2020-08-04 14:37:18 +02:00
Florian Roth c4953409aa rule: TAIDOOR malware load 
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
 2020-08-04 14:31:29 +02:00
Florian Roth fa36adfe6d Merge pull request #965 from IPv777/patch-2 
.002 	= 	SMB/Windows Admin Shares
 2020-08-03 18:05:12 +02:00
IPv777 a52583dc68 .002 = SMB/Windows Admin Shares 2020-08-03 17:43:14 +02:00
Florian Roth 732c1fa356 Merge pull request #964 from Neo23x0/rule-devel 
New rules
 2020-08-03 15:28:45 +02:00
Florian Roth 5625f471d7 Merge pull request #963 from diskurse/rule-devel 
win_webshell_regeorg.yml
 2020-08-03 13:51:16 +02:00
Florian Roth 3abc3d0a76 docs: add FP condition 2020-08-03 13:50:47 +02:00
Florian Roth 6f7aecbe06 fix: preventive change to avoid FPs 2020-08-03 13:49:52 +02:00
Cian Heasley de33b953ba Add files via upload 
Webshell ReGeorg Detection Via Web Logs
 2020-08-03 12:20:04 +01:00
Florian Roth df3bfb1b37 rule: Winnti Pipemon 2020-07-30 18:55:47 +02:00
bar 8352eefe22 STIX Support keywords (value without field) 2020-07-28 18:52:02 +03:00
bar 53f36d2ab6 Merge remote-tracking branch 'upstream/master' 2020-07-28 16:24:51 +03:00
Florian Roth 5abf101c0b Merge pull request #954 from Neo23x0/rule-devel 
Rule devel
 2020-07-28 10:22:52 +02:00
Florian Roth 8970d03f6f Merge pull request #952 from Neo23x0/devel 
feat: Detect duplicate rule tags
 2020-07-28 10:21:59 +02:00
bar 565f77c199 Added STIX target to README.md 2020-07-27 15:35:30 +03:00
bar de475bb500 updated STIX mapping for more rule fields 2020-07-27 14:36:30 +03:00
Florian Roth 80f4b4ec71 fix: rules with duplicate tags 2020-07-27 11:44:47 +02:00
Florian Roth 051e2ce905 feat: detect duplicate tags 2020-07-27 11:37:58 +02:00
Thomas Patzke 481b695eff Merge pull request #950 from barvhaim/master 
STIX Backend bug-fix and mapping updates
 2020-07-26 18:33:35 +02:00
bar 32cf352236 Merge remote-tracking branch 'upstream/master' 2020-07-26 14:56:06 +03:00
bar 9643e01b54 extension should use '..' 2020-07-26 12:16:48 +03:00
Thomas Patzke dcb07bab2f Merge pull request #949 from 0xballistics/powershell_backend_fix 
partial(?) fix of #762
 2020-07-25 10:18:05 +02:00
Florian Roth a0ac6c46c7 Merge pull request #948 from IPv777/patch-1 
remove duplicate tag
 2020-07-24 20:32:40 +02:00
Simran Kaur Soin b8b1f83ae6 Merge pull request #3 from simrankaursoin/master 
Fix bug with NOT handling
 2020-07-24 11:55:17 -04:00
IPv777 77a8ac59ef remove duplicate 2020-07-24 16:38:08 +02:00
Florian Roth a55630f02c Merge pull request #947 from ryanplasma/master 
Minor fixes to two rules
 2020-07-24 09:25:55 +02:00
Ryan Plas aa548ba1a9 Add quotes due to a colon in the falsepositives string 2020-07-23 23:33:36 -04:00
Ryan Plas e52489aaf6 Change production status to stable 2020-07-23 23:33:36 -04:00
Simran Soin c329f6412d Fix bug with NOT handling 2020-07-23 11:47:55 -04:00
Simran Kaur Soin 7e32557ffc Merge pull request #2 from simrankaursoin/master 
Update base.py and qradar.py
 2020-07-23 11:12:17 -04:00
Florian Roth 8a4b53eb3a fix: rule leads to FPs on systems that don't log the cmdline parameters 2020-07-23 17:04:16 +02:00
Simran Soin 6c7b4cf408 Revert additional change in base.py 2020-07-23 10:47:22 -04:00
Simran Soin ef9af3730a Remove unnecessary edits from qradar.py 2020-07-23 10:34:29 -04:00
Simran Soin 0e49a6acdf Default NOT to false for all functions 2020-07-23 10:18:16 -04:00
Simran Soin 0fac21f4a3 Remove modifications from base file and override in stix.py 2020-07-23 10:13:30 -04:00
Simran Kaur Soin a03d1b091e Merge pull request #1 from simrankaursoin/master 
Fix NOT bug
 2020-07-23 09:50:18 -04:00
Simran Soin 30ff22776a Fix NOT bug 2020-07-23 09:41:33 -04:00
Florian Roth 951c6fee8b Update sysmon_password_dumper_lsass.yml 2020-07-23 14:31:21 +02:00
bar 5019f2f160 added mapping for stix web, cloud, linux 2020-07-22 21:41:46 +03:00
Florian Roth 02a6b20f5f Merge pull request #944 from rtkdmasse/update-rule-selections 
Add 'contains' for the ps encoded chars rule
 2020-07-22 17:48:18 +02:00
Daniel Masse 13cf0488ae Add 'contains' for the ps encoded chars rule 2020-07-22 10:49:22 -04:00
Florian Roth db98fe79b0 Revert "rule: update - MATA framework UserAgent" 
This reverts commit 81ef0137c5.
 2020-07-22 14:02:51 +02:00
Florian Roth 81ef0137c5 rule: update - MATA framework UserAgent 2020-07-22 14:02:13 +02:00
Florian Roth 9682d37ead Merge pull request #941 from architect00/master 
fixed wrong function call for elastalert aggregation. fixes #940
 2020-07-22 13:13:18 +02:00
Florian Roth 769a9212a5 Merge pull request #943 from diskurse/rule-devel 
Webshell Recon Detection Via CommandLine & ProcessesAdd files via upload
 2020-07-22 13:02:44 +02:00
Cian Heasley 023bf76363 Add files via upload 
Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
 2020-07-22 09:05:50 +01:00
bar 0543ec1ae3 mapping update, removed unused fields 2020-07-21 19:49:26 +03:00