security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tim Burrell (MSTIC) f70f847524 additional gallium ttp 
sha1 process creation only makes sense for sysmon
 2020-02-07 14:08:40 +00:00
Florian Roth be9b80d6ab fix: dumpert rule with wrong sysmon event id 2020-02-07 13:14:18 +01:00
Thomas Patzke 7fdd6f7bce Swapped accidental deletion of older rule duplicate 2020-02-06 23:41:05 +01:00
vunx2 d0e9af171f cleanIPRange 2020-02-06 17:20:52 +07:00
vunx2 627f46abc2 backslash fix 2020-02-06 16:28:27 +07:00
vunx2 bc4c6ce8db cleanValue 2020-02-06 11:02:22 +07:00
vunx2 19d9e4856e clean Value + config 2020-02-05 17:47:35 +07:00
Florian Roth 1a80b180fd Merge pull request #613 from Neo23x0/devel 
rule: dumpert process dump tool
 2020-02-04 23:07:07 +01:00
Florian Roth 10490a6cee rule: reworked dumpert rule 2020-02-04 22:56:04 +01:00
Florian Roth 1f44969afd rule: avoiding build issues with sysmon event id 1 2020-02-04 22:50:46 +01:00
Florian Roth 535e2d149b rule: improved dumpert rule 2020-02-04 22:46:16 +01:00
Florian Roth 8f8b977c85 rule: dumpert process dump tool 2020-02-04 22:38:06 +01:00
vunx2 579e7481c7 cleanValue + eventID list 2020-02-04 18:14:40 +07:00
Thomas Patzke d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke f7394d09e0 Deduplication 2020-02-03 22:41:55 +01:00
Thomas Patzke 1bc2c0b930 Deduplication of backend list 
Fixes issue #609. Added backend list debug output (class name).
 2020-02-03 22:16:00 +01:00
Thomas Patzke 666542ae7f Added colorama to Pipfile 2020-02-03 22:15:27 +01:00
Kevin Dienst 98471bc53c Update proxy_raw_paste_service_access.yml 
Add another paste provider website, ghostbin.co to the list. Note that saved pastes generate pseudo random 5 character strings before being suffixed with `/raw` at the end of the URL. e.g. `https://ghostbin.co/paste/y4e9a/raw`

Thus, I've added a regex match between /paste and /raw. I'm unsure if this is supported, I skimmed the Sigma specification wiki but didn't see anything other than that contains adds '*' to end and beginning of each selection. If this regex isn't going to work then I'd imagine we just have to remove the `.+/raw/` from the URI.
 2020-02-03 07:29:42 -06:00
vunx2 2930df17d6 update sigma 2020-02-03 09:47:06 +07:00
Thomas Patzke 815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
Thomas Patzke f59b36d891 Fixed rule 2020-02-02 12:54:56 +01:00
Thomas Patzke ba83b8862a Moved rules with enrichments into unsupported 2020-02-02 12:46:03 +01:00
Thomas Patzke 593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00
Florian Roth 016d726d4e fix: bug in formatting 2020-02-02 11:31:39 +01:00
Florian Roth dcc7d03c37 docs: better description 2020-02-02 11:31:22 +01:00
Florian Roth 296cf6aa08 fix: fixed examples and added a new one 2020-02-02 09:27:56 +01:00
Florian Roth 68b34467a8 Merge pull request #608 from yt0ng/development 
additional execution observed
 2020-02-02 08:37:59 +01:00
Neis Markus 0d7f55948c additional execution observed 2020-02-02 08:07:00 +01:00
Florian Roth aa8a0f5e1f Merge pull request #606 from Neo23x0/devel 
refactor: moved rues from 'apt' folder in respective folders
 2020-02-01 18:25:19 +01:00
Florian Roth 03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth 6ea861da53 Merge pull request #605 from Neo23x0/devel 
Winnti rule and helpful message in test script
 2020-02-01 15:51:16 +01:00
Florian Roth a752e6c95f rule: winnti group campaign against HK universities 2020-02-01 15:43:30 +01:00
Florian Roth 9876623710 doc: helpful link in error message 2020-02-01 15:43:11 +01:00
vh dc5a31aebc Updated Azure Sentinel backend 2020-01-31 17:17:24 +02:00
Florian Roth 5b157efd7e Merge pull request #340 from virtuallaik/master 
Create powershell_nishang_malicious_commandlets.yml + edits
 2020-01-31 15:37:59 +01:00
Florian Roth 7a222920df added 'date' 2020-01-31 15:27:30 +01:00
Florian Roth 913c839780 added 'id' 2020-01-31 15:26:43 +01:00
Florian Roth 848e0c90e4 Merge branch 'master' into master 2020-01-31 14:45:29 +01:00
Florian Roth aba4f37517 Merge pull request #366 from dvas0004/patch-1 
Update win_alert_ad_user_backdoors.yml
 2020-01-31 14:41:50 +01:00
Florian Roth 1213712978 Merge branch 'master' into patch-1 2020-01-31 14:32:27 +01:00
Florian Roth afecca3c13 Merge pull request #511 from 4A616D6573/patch-3 
Created win_susp_local_anon_logon_created.yml
 2020-01-31 14:30:54 +01:00
Florian Roth 70034bd793 Merge pull request #388 from yt0ng/Renamed_Files 
Renamed Jusched
 2020-01-31 14:18:28 +01:00
Florian Roth 8c4aadb423 Merge branch 'master' into Renamed_Files 2020-01-31 08:49:10 +01:00
Florian Roth 190afcac88 Missing ID, wrong tag 2020-01-31 07:32:28 +01:00
Florian Roth e3d61d5579 Missing ID 2020-01-31 07:31:56 +01:00
Florian Roth 033ab26d5e Added date 2020-01-31 07:21:02 +01:00
Florian Roth 82cae6d63c Merge pull request #604 from Neo23x0/devel 
New tests, colorized test output and rule cleanup
 2020-01-31 07:07:13 +01:00
Florian Roth ae2c186872 rule: wsreset.exe UAC bypass 2020-01-30 18:05:47 +01:00
Florian Roth 1735614747 feat: rule title tests 2020-01-30 17:26:21 +01:00
Florian Roth d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00