Commit Graph

10511 Commits

Author SHA1 Message Date
Thomas Patzke d789eb9c6f Merge pull request #1409 from roysjosh/es-barf-on-multiple-conditions
Elastic: raise an error from the base backend if a rule has multiple conditions
2021-04-06 00:50:05 +02:00
Thomas Patzke 9606fc9c38 Merge pull request #1411 from wietze/mdatp_improvements
Various Defender for Endpoint (mdatp) bug fixes
2021-04-06 00:37:40 +02:00
Thomas Patzke 42cf81478b Merge pull request #1412 from defensivedepth/patch-1
Clean up: Webshell ReGeorg Detection
2021-04-06 00:35:35 +02:00
Thomas Patzke 1e029b98cf Merge branch 'oscd-merge' 2021-04-06 00:22:37 +02:00
Thomas Patzke d1de168295 Merge branch 'oscd' 2021-04-06 00:05:35 +02:00
Thomas Patzke 0a28a42498 CI: Install Python dependencies in virtual env 2021-04-05 22:57:50 +02:00
Josh Brower af09dd8e3c Clean up: Webshell ReGeorg Detection 2021-04-05 13:01:10 -04:00
Thomas Patzke b1b0240692 Fixes 2021-04-03 23:21:13 +02:00
Thomas Patzke 3d519a874b Added dev dependencies from requirements 2021-04-03 23:12:36 +02:00
Thomas Patzke 5f2ff99eea Replaced pip requirements with pipenv 2021-04-03 01:00:22 +02:00
Thomas Patzke 90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
Florian Roth a9879670c8 Merge pull request #1410 from phantinuss/fp-tuning
FP Tunings, fixes and value modifier refactoring
2021-04-01 17:44:23 +02:00
Wietze 30c6d753fd Removed unnecessary imports 2021-04-01 16:08:22 +01:00
Wietze fb1bb91c3c Apply changes to Defender for Endpoint backend 2021-04-01 16:02:06 +01:00
JohnConnorRF 477f05c5f2 Added in Product entry for winlogbeat-old 2021-04-01 09:24:24 -04:00
JohnConnorRF 1f3ee87e55 Added Product field to winlogbeat-modules-enabled.config. Note that the ECS details for Process do not include Product (https://www.elastic.co/guide/en/ecs/1.4/ecs-process.html) so winlog.event_data.Product was used instead of process.Product 2021-04-01 09:19:21 -04:00
phantinuss 4934f80601 fix: FP tuning for IIS Express and making use of value modifiers 2021-04-01 14:37:20 +02:00
phantinuss 8b4234de3b refactor: make use of value modifiers 2021-04-01 14:37:17 +02:00
phantinuss 794865c79d fix: adding filter to condition and reintroducing the users folder constraint 2021-04-01 14:37:17 +02:00
phantinuss 43be8c8cba refactor: make use of value modifiers 2021-04-01 14:37:16 +02:00
phantinuss bd5ba2ae01 fix: adding only as a known false positive as it cannot be filtered out in a generic and public way 2021-04-01 14:37:15 +02:00
phantinuss 65bc62d401 fix: adding filter out for CamMute.exe 2021-04-01 14:37:14 +02:00
phantinuss 2cab121c71 refactor: merging rule process_creation/win_susp_exec_folder.yml and process_creation/win_susp_prog_location_process_starts.yml because of significant overlap 2021-04-01 14:37:13 +02:00
phantinuss 109b7890db fix: taking windows security 4688 events into account for filter out 2021-04-01 14:36:57 +02:00
Florian Roth 2560f40e06 Merge pull request #1406 from roysjosh/winlogbeat-mapping
Map CommandLine appropriately
2021-04-01 09:16:28 +02:00
Joshua Roys 7923852cc3 Elastic: raise an error from the base backend if a rule has multiple conditions 2021-03-31 16:01:05 -04:00
Joshua Roys 0448e46870 Implement Elastic threshold detection rules
Transform supported count() aggregations (> and >=, no count field,
optionally a group by field) into a threshold detection rule.
2021-03-31 15:19:04 -04:00
JohnConnorRF 3fd396f4db Updated winlogbeat configuration file to support File Product details 2021-03-30 13:21:14 -04:00
Joshua Roys 30ab2aad75 Map CommandLine appropriately
Args is an array of the exploded command line and causes many rules to misfire.
2021-03-30 10:15:10 -04:00
Thomas Patzke eb98f0ba28 Merge pull request #1402 from refractionPOINT/lc-support-live-wel
Add option to support different LimaCharlie targets.
2021-03-29 23:13:01 +02:00
Florian Roth ac1f82f7ca Merge pull request #1380 from iosonogio/bugfix/netwitness-null
[bugfix] netwitness and netwitness-epl backends have incoherent null expressions
2021-03-29 11:23:18 +02:00
Florian Roth 428db0c74a Merge pull request #1382 from d4rk-d4nph3/master
Added rule for CVE-2021-21978 in VMware View Planner
2021-03-29 11:22:56 +02:00
Florian Roth b296c643de Merge pull request #1346 from blueteam0ps/patch-3
Added win_ad_find_discovery.yml
2021-03-29 11:20:49 +02:00
Florian Roth 8262b01e1a Merge pull request #1404 from blueteam0ps/patch-5
Added detection for Dumpert
2021-03-29 11:19:57 +02:00
BlueTeamOps 6ef5f0a0a2 Added detection for Dumpert
- Dumpert-based LSASS dump using DLL
- Dumpert.exe detection
2021-03-27 07:34:05 +11:00
Florian Roth 14a872faac Merge pull request #1403 from blueteam0ps/patch-4
Added additional CS signatures
2021-03-25 17:18:22 +01:00
BlueTeamOps 8916459bab Added additional CS signatures 2021-03-25 22:44:24 +11:00
Maxime Lamothe-Brassard e0666036a4 Add option to support different LimaCharlie targets. 2021-03-24 17:58:50 -07:00
Florian Roth 6b0f66e876 refactor: change level 2021-03-24 12:38:00 +01:00
Florian Roth 6d9fc65585 fix: FPs with www6 2021-03-24 12:37:35 +01:00
Florian Roth a465f2722f refactor: CobaltStrike beacon rule 2021-03-24 11:29:05 +01:00
Florian Roth 48265ad71a Merge pull request #1398 from SigmaHQ/rule-devel
MSExchange Management log mapping, some fixes
2021-03-20 17:21:31 +01:00
Florian Roth 7d7dd4cb67 fix: missing index field in FE helix config 2021-03-20 09:09:45 +01:00
Florian Roth 8b145e20e4 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-03-20 09:04:40 +01:00
Florian Roth 58a1ab9817 fix: wrong indentation in fireeye helix mapping 2021-03-20 09:04:38 +01:00
Florian Roth 525f4b6a6b Merge pull request #1388 from Cyb3rPandaH/master
CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property
2021-03-20 08:53:04 +01:00
Florian Roth e47ee24889 Merge branch 'master' into rule-devel 2021-03-20 08:52:55 +01:00
Florian Roth 9e287a1b89 feat: MSExchange Management log mapping 2021-03-20 08:49:59 +01:00
Florian Roth 1fc408bfaa fix: duplicate field values in YAML configs 2021-03-20 08:49:43 +01:00
Florian Roth 334dd9a058 Update win_set_oabvirtualdirectory_externalurl.yml 2021-03-20 08:34:02 +01:00