Commit Graph

10511 Commits

Author SHA1 Message Date
Karneades 18bbec4bcd improve(rule): add Empire links and userland match
Add default task name and powershell task command to match what the rule name says: detects default config.
2019-08-09 11:58:43 +02:00
Florian Roth 4fcb52d098 fix: removed mmc susp rule due to many FPs 2019-08-07 14:26:15 +02:00
Michiel Meersmans 0708fdd28e Correctly escape slashes within es-dsl wildcard queries 2019-08-07 12:56:19 +02:00
Florian Roth abd233d66f Merge pull request #415 from deralexxx/patch-1
Add Contribute section
2019-08-06 12:22:41 +02:00
Florian Roth 6513828cc1 Fix 2019-08-06 12:22:31 +02:00
Florian Roth 1fa2e59014 Extended contribution section 2019-08-06 12:22:03 +02:00
Alexander J 4d78b6c037 Add Contribute section
As @Neo23x0 was writing on Twitter, more contribution is needed, so a Contribute section seems reasonable to tell people how they can contribute.

https://twitter.com/cyb3rops/status/1158660279825252352
2019-08-06 11:36:54 +02:00
Florian Roth f6fd1df6f4 Rule: separate Ryuk rule created for VBurovs strings 2019-08-06 10:33:46 +02:00
Florian Roth a8b738e346 Merge pull request #380 from vburov/patch-5
Ryuk Ransomware commands from real case
2019-08-06 10:29:00 +02:00
Florian Roth 9c85d5e80f Merge pull request #406 from tuckner/master
Fix ala parsing issues
2019-08-06 10:28:07 +02:00
Florian Roth ecf2a6be80 Merge pull request #413 from Karneades/patch-1
Fix small typos in file breaking-changes
2019-08-06 10:27:35 +02:00
Karneades 6617dee59a Fix small typos in file breaking-changes 2019-08-06 09:57:00 +02:00
Thomas Patzke 940c36a4cd Fixed build
Missing package specification
0.12.1
2019-08-05 23:42:33 +02:00
Florian Roth 83841ea117 Merge pull request #411 from nikotin69/master
compliance rules by SOC prime
2019-08-05 20:53:02 +02:00
Florian Roth 302ae9c5d0 Added level 2019-08-05 19:51:22 +02:00
Florian Roth 4dbf392562 Title, Level adjusted 2019-08-05 19:48:56 +02:00
Florian Roth fdb9b351d0 Level to low 2019-08-05 19:48:21 +02:00
Florian Roth 317c0bd07a Removed "Detects" keyword from title 2019-08-05 19:47:46 +02:00
Florian Roth 2af8cb0d0e Update cleartext_protocols.yml 2019-08-05 19:47:03 +02:00
Florian Roth b3780022d3 Merge pull request #412 from Karneades/mmc-rules
Improve MMC rules: fix generic rule and add new rule for shell spawning
2019-08-05 19:46:31 +02:00
Florian Roth c7ec45c0ff Update workstation_was_locked.yml 2019-08-05 19:44:14 +02:00
Florian Roth e64fcb32a2 Update group_modification_logging.yml 2019-08-05 19:43:59 +02:00
Florian Roth 5caf4f5f14 Update default_credentials_usage.yml 2019-08-05 19:43:46 +02:00
Florian Roth 10cc1de4c9 Fixed global rule syntax 2019-08-05 19:43:15 +02:00
Florian Roth dcdd021dc6 Duplicate port 3306 2019-08-05 19:36:50 +02:00
Karneades 42e6c9149b Remove unneeded event code 2019-08-05 19:13:39 +02:00
Karneades 0e3cc042f4 Add more exclusions to mmc process rule 2019-08-05 18:53:33 +02:00
Karneades 5caa951b8f Add new rule for detecting MMC spawning a shell
Add (analogous to win_mshta_spawn_shell.yml) a dedicated rule for detecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml. And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml.
2019-08-05 18:42:31 +02:00
nikotin 780d9223e6 compliance rules by SOC prime 2019-08-05 19:42:19 +03:00
Karneades cfe44ad17d Fix win_susp_mmc_source to match what title says
Remove cmd.exe filter to match what the title and rule say: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
2019-08-05 16:21:56 +02:00
Florian Roth 6a8adc72ac rule: reworked vssadmin rule 2019-08-04 11:27:17 +02:00
Thomas Patzke a65a9655f4 Fixed config naming in es-qs query backend test 2019-08-02 08:25:21 +02:00
Thomas Patzke b8d3642c29 Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-08-01 23:46:33 +02:00
Thomas Patzke d5885686fc Sigmatools release 0.12
* Value modifiers
* Config name cleanup
0.12
2019-08-01 23:45:07 +02:00
Thomas Patzke 805c739611 Merge branch 'devel-modifiers' 2019-07-31 23:44:10 +02:00
Thomas Patzke 31c6ffcb61 No escaping for typed values 2019-07-31 23:43:29 +02:00
Florian Roth d32fc2b2cf fix: fixing rule win_cmstp_com_object_access
https://github.com/Neo23x0/sigma/issues/408
2019-07-31 14:16:52 +02:00
Florian Roth 0657f29c99 Rule: reworked win_susp_powershell_enc_cmd 2019-07-30 14:36:30 +02:00
tuckner 8f2f1922c6 Merge pull request #1 from Neo23x0/master
update fork
2019-07-27 21:27:52 -05:00
Florian Roth 9143e89f3e Rule: renamed and reworked hacktool Ruler rule 2019-07-26 14:49:09 +02:00
Florian Roth f3fb2b41b2 Rule: FP filters extended 2019-07-23 14:58:36 +02:00
Florian Roth 2c57b443e4 docs: modification date in rule 2019-07-17 09:21:35 +02:00
Florian Roth de74eb4eb7 Merge pull request #400 from yugoslavskiy/win_susp_dhcp_config_failed_fix
Win susp dhcp config failed fix
2019-07-17 09:20:25 +02:00
Florian Roth bf0179c0d5 Merge pull request #397 from neu5ron/patch-5
prevent EventID collision for dhcp
2019-07-17 09:17:05 +02:00
yugoslavskiy e8b9a6500e author string modified 2019-07-17 07:02:59 +03:00
yugoslavskiy a295334355 win_susp_dhcp_config_failed fixed 2019-07-17 07:01:58 +03:00
yugoslavskiy bb1c040b1b rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved 2019-07-17 06:19:18 +03:00
yugoslavskiy 803f2d4074 changed logic to detect events related to sid history adding 2019-07-17 04:28:21 +03:00
yugoslavskiy 310e3b7a44 rules/windows/builtin/win_susp_add_sid_history.yml improved 2019-07-17 03:55:02 +03:00
Thomas Patzke 0ca15e5c5e Added test case for value modifiers 2019-07-16 23:14:55 +02:00