security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tiago Faria 06abd6e76a added ci tests for ecs-cloudtrail 2020-05-14 14:03:23 +01:00
Tiago Faria 2893becf8c Merge remote-tracking branch 'upstream/master' 2020-05-14 14:02:20 +01:00
Tran Trung Hieu e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu 443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu 97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Thomas Patzke 133319c417 Merge pull request #737 from NVISO-BE/backend-ee-outliers 
ee-outliers backend
 2020-05-13 22:38:02 +02:00
Florian Roth 7652813c2c Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives 
Widen the search as it gives too many false negatives
 2020-05-13 21:02:12 +02:00
Tran Trung Hieu d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu 3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
zaphod 78a5c743f2 Widen the search as it gives too many false negatives 2020-05-13 16:20:23 +02:00
Florian Roth 78a8266a1b Merge pull request #749 from teddy-ROxPin/patch-6 
Create win_advanced_ip_scanner.yml
 2020-05-13 14:09:12 +02:00
hieuttmmo 9ad3427d68 Merge pull request #1 from Neo23x0/master 
Update
 2020-05-13 18:36:52 +07:00
Florian Roth 220a14f31c fix: typo in contains 2020-05-13 12:38:54 +02:00
zaphod 1a598282f4 Add 'Add-Content' to powershell_ntfs_ads_access 2020-05-13 11:57:10 +02:00
Florian Roth a1856c5743 Update win_advanced_ip_scanner.yml 2020-05-13 11:56:25 +02:00
Florian Roth 904a31103d Merge pull request #750 from zaphodef/fix/win_bootconf_mod_bad_commandline 
Fix a bad CommandLine search
 2020-05-13 11:55:16 +02:00
zaphod a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00
teddy_ROxPin bb17fd74ee Create win_advanced_ip_scanner.yml 
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
 2020-05-12 21:43:01 -06:00
Florian Roth e01734fda1 rule: proxy UA hidden cobra 2020-05-12 17:43:54 +02:00
zaphod d510e1aad4 Fix 'source' value for win_susp_backup_delete 2020-05-11 18:31:59 +02:00
Rettila 6ec74364f2 Create win_global_catalog_enumeration.yml 2020-05-11 17:40:47 +02:00
Rettila ccacedf621 Merge pull request #3 from Neo23x0/master 
merge
 2020-05-11 17:38:27 +02:00
Florian Roth 37c33cb6d9 Merge pull request #743 from tliffick/master 
Registry entry for Azorult malware
 2020-05-11 16:37:15 +02:00
Remco Hofman 37b08543ac Updated author reference in license 2020-05-11 11:47:56 +02:00
Florian Roth 1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth 2b18b66c16 Merge branch 'master' into rule-devel 2020-05-11 10:50:10 +02:00
Florian Roth 4366a95024 rule: Maze ransomware 2020-05-11 10:46:26 +02:00
Florian Roth f96c3a5fd4 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
 2020-05-11 10:44:19 +02:00
Florian Roth 09d1b00459 Changed level to ciritcal 2020-05-11 10:40:23 +02:00
tliffick c98be55d21 Update mal_azorult_reg.yml 2020-05-08 21:31:33 -04:00
tliffick 61f061333b Registry entry for Azorult malware 
Detects registry keys used by Azorult malware
 2020-05-08 21:26:24 -04:00
Remco Hofman c5c5e1b79b Added ee-outliers test to Makefile 2020-05-08 17:51:35 +02:00
Florian Roth fd7968d4f8 Merge pull request #734 from NVISO-BE/win_susp_failed_logon_source 
New rule: Failed Logon From Public IP
 2020-05-08 16:24:12 +02:00
vh fb9c5841f4 Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00
Florian Roth 64a5ad0d07 Merge pull request #735 from nl5887/master 
fix incorrect use of action global
 2020-05-08 12:20:33 +02:00
Florian Roth 24c0765694 Merge branch 'master' into devel 2020-05-08 12:17:14 +02:00
Florian Roth 7cc1b300d2 rule: maze ransomware patterns 2020-05-08 11:42:06 +02:00
Remco Hofman dc96b7ffb3 Removed dependency on slugify 2020-05-08 11:40:16 +02:00
Remco Hofman 2d3ee85c46 README updates 2020-05-08 10:40:41 +02:00
Remco Hofman c5be83eb01 Added ee-outliers backend 2020-05-08 10:18:35 +02:00
Rettila 07a50edf89 Update win_metasploit_authentication.yml 2020-05-07 14:42:00 +02:00
Thomas Patzke 3b96b5e497 Merge pull request #723 from neu5ron/socprime_add_zeek_and_corelight 
sigmacs for Zeek and Corelight(Zeek)
 2020-05-06 23:22:14 +02:00
Remco Verhoef 2d38cb7b52 fix incorrect use of global 2020-05-06 23:00:45 +02:00
Remco Verhoef 40539a0c0e fix incorrect use of action global 2020-05-06 22:53:02 +02:00
Remco Hofman 123a23adae win_susp_failed_logon_source rule 2020-05-06 22:24:02 +02:00
Thomas Patzke 1797a1e56b Merge pull request #733 from NVISO-BE/fix-732 
Fix for broken endswith modifier
 2020-05-06 22:17:08 +02:00
Remco Hofman 24029a8f27 Fix for broken endswith modifier 2020-05-06 17:10:54 +02:00
Rettila 6aed82a039 Update win_metasploit_authentication.yml 2020-05-06 17:04:47 +02:00
Rettila 2beb65076c Update win_metasploit_authentication.yml 2020-05-06 16:44:19 +02:00