Commit Graph

10511 Commits

Author SHA1 Message Date
Florian Roth dec0c108f9 Merge pull request #683 from NVISO-BE/powershell_wmimplant
WMImplant detection rule
2020-04-02 11:54:09 +02:00
Florian Roth 1196f8d60f Merge pull request #695 from cobsec/master
Date typos
2020-04-02 10:20:18 +02:00
Chris O'Brien fe5dbece3d Date typos...more than I thought... 2020-04-02 10:00:00 +02:00
Chris O'Brien 97c0872c81 Date typo. 2020-04-02 09:53:09 +02:00
Thomas Patzke 0db3bbb097 Merge pull request #693 from Neo23x0/dependabot/pip/pyyaml-5.1
Bump pyyaml from 3.13 to 5.1
2020-04-01 23:25:57 +02:00
Florian Roth af49c24419 Merge pull request #694 from cobsec/master
Fixed date typo - by the looks of the commit date the month/date were…
2020-04-01 18:28:14 +02:00
Chris O'Brien 95e0b12d88 Fixed date typo - by the looks of the commit date the month/date were swapped. 2020-04-01 18:18:13 +02:00
Thomas Patzke 13dbb4cdbd Moved tools into sigma namespace 2020-03-31 23:46:58 +02:00
dependabot[bot] c9c73bec3f Bump pyyaml from 3.13 to 5.1
Bumps [pyyaml](https://github.com/yaml/pyyaml) from 3.13 to 5.1.
- [Release notes](https://github.com/yaml/pyyaml/releases)
- [Changelog](https://github.com/yaml/pyyaml/blob/master/CHANGES)
- [Commits](https://github.com/yaml/pyyaml/compare/3.13...5.1)

Signed-off-by: dependabot[bot] <support@github.com>
2020-03-31 20:40:52 +00:00
Thomas Patzke 2bda0e097f Merge pull request #691 from Neo23x0/cleanup
Cleanup
2020-03-31 22:37:04 +02:00
Thomas Patzke 8c69c7bb02 PyPI deployment via GitHub Actions 2020-03-31 22:36:16 +02:00
Florian Roth 6aba430de6 fix: sigma_uuid occurrences 2020-03-31 16:29:58 +02:00
Florian Roth 8e39b09ba5 Merge pull request #690 from cnotin/patch-1
Small typo
2020-03-31 16:27:21 +02:00
Clément Notin 18cdddb09e Small typo 2020-03-31 15:22:00 +02:00
Florian Roth 4d67dff89a fix: renamed tools to allow for console_scripts list entries 2020-03-31 14:07:34 +02:00
Florian Roth 18e505c458 fix: list_configurations default values 2020-03-31 12:42:02 +02:00
Florian Roth c82156a3c9 fix: second list_configurations function params 2020-03-31 11:46:05 +02:00
Florian Roth 23ce69eaae fix: functions parameters outside of main 2020-03-31 11:42:16 +02:00
Florian Roth bb50571b13 fix: print_verbose scope 2020-03-31 11:35:21 +02:00
Florian Roth c83b4fd37c fix: fixing script install for Windows end systems 2020-03-31 11:30:47 +02:00
Florian Roth 536ad78fc2 refactor: following best practices reg main functions in Python
https://realpython.com/python-main-function/
2020-03-31 11:30:14 +02:00
Florian Roth 6a70bdb126 Merge pull request #689 from 0xThiebaut/win_ad_enumeration
Add AD User Enumeration
2020-03-31 10:56:48 +02:00
Maxime Thiebaut 8dcbfd9aca Add AD User Enumeration
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.

This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.

Advantages of this rule include the detection of insider enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as a high/critical
one if flagged on non-used canary user accounts.

False positives may include administrators performing the initial
configuration of new users.
2020-03-31 09:40:07 +02:00
Remco Hofman b791d599ee Disabled keywords that could cause FPs 2020-03-30 08:53:52 +02:00
Thomas Patzke d33f4b290d Dependency cleanup
* Consolidated dependencies into main and development (MISP and test
  integrated).
* Split Pipfile dependencies into main and development
* Specified compatible dependencies
2020-03-29 22:55:09 +02:00
Thomas Patzke 38a5fe3a29 Removed Travis CI configuration 2020-03-29 22:20:04 +02:00
Florian Roth f2a2420e24 Merge pull request #687 from Neo23x0/ci-testing
Ci testing
2020-03-29 17:25:28 +02:00
Thomas Patzke 4dbe5e2f17 Moved Elasticsearch dependencies to generic dependencies
Omitting waiting for Elasticsearch as it should be started at this time.
2020-03-29 15:19:13 +02:00
Thomas Patzke 5e258efbe7 Improved Elasticsearch waiting process 2020-03-29 14:57:34 +02:00
Thomas Patzke d68b900077 Wait for Elasticsearch before running tests 2020-03-29 14:37:27 +02:00
Thomas Patzke 821a631325 Run Elasticsearch installation as root 2020-03-29 14:00:15 +02:00
Thomas Patzke fbe40bd1e8 Fixed Elasticsearch test
* Split into separate action
* Install dependencies
2020-03-29 13:41:03 +02:00
Thomas Patzke d24c1e2800 CI testing with GitHub Actions 2020-03-29 13:25:04 +02:00
teddy-ROxPin 1a3731f7ae Typo fix for powershell_suspicious_invocation_generic.yml
' - windowstyle hidden ' changed to ' -windowstyle hidden '
2020-03-29 04:16:15 -06:00
Florian Roth 8ea6b12eed Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini
Add "Suspicious desktop.ini Action" rule
2020-03-28 13:34:01 +01:00
Florian Roth fe5b5a7782 Merge pull request #673 from j91321/rules-minor-fixes
Minor fixes to several rules
2020-03-28 13:27:05 +01:00
Florian Roth 5f0250bff5 Merge pull request #669 from 0xThiebaut/winlogbeat-rulename
Add Winlogbeat's RuleName field to mapping
2020-03-28 13:20:08 +01:00
Florian Roth e2b90220a2 Update sysmon_susp_desktop_ini.yml 2020-03-28 13:19:10 +01:00
Florian Roth bbb10a51f4 Update win_powershell_downgrade_attack.yml 2020-03-28 13:17:58 +01:00
Florian Roth 0e94eb9e86 Update win_powershell_downgrade_attack.yml 2020-03-28 13:12:07 +01:00
Florian Roth 2426b39d83 Merge pull request #678 from justintime/title_collision
Eliminate title collision
2020-03-28 12:57:55 +01:00
Florian Roth 597d914b71 Merge pull request #679 from Iveco/master
add LDAPFragger detections
2020-03-28 12:57:33 +01:00
Remco Hofman f52ed4150d WMImplant parameter detection 2020-03-27 15:08:35 +01:00
Iveco 55258e1799 Title capitalized 2020-03-26 17:04:08 +01:00
Iveco 3f577c98e7 Title capitalized 2020-03-26 17:03:33 +01:00
Iveco 68c20dca20 Fixed title length 2020-03-26 16:56:46 +01:00
Iveco 39a3af04ce Fixed title length 2020-03-26 16:56:06 +01:00
Justin Ellison dabc759136 Eliminate title collision
Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start.
2020-03-26 09:13:52 -05:00
iveco ddacde9e6b add LDAPFragger detections 2020-03-26 15:13:36 +01:00
Florian Roth 0e973d1454 Merge pull request #677 from Neo23x0/devel
Devel
2020-03-25 19:14:03 +01:00