security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Bhabesh Rai 63e2f4bbce Added rule for Sudo CVE-2021-3156 Exploitation Attempt 2021-02-01 23:08:45 +05:45
Nate Guagenti a3a90068e3 Merge branch 'master' of https://github.com/Neo23x0/sigma into qoutes_and_wildcards 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2021-02-01 09:55:13 -05:00
Florian Roth 179db920ec Merge pull request #1343 from Neo23x0/rule-devel 
Rule devel
 2021-02-01 12:28:22 +01:00
Florian Roth aaeb72a2b6 fix: FPs 2021-02-01 11:47:23 +01:00
Florian Roth 33fee6af8b rule: security product uninstallation 2021-01-30 11:24:08 +01:00
Florian Roth e533b4effb fix: tags 2021-01-28 13:51:51 +01:00
Florian Roth cd4491cba2 rule: disable volume snaptshots 2021-01-28 13:48:30 +01:00
Gregor 921ebf7445 Optimizing Qradar query generation in cases where field definitions are missing 2021-01-26 15:24:44 +01:00
Gregor ac3730d2fa Fixing Qradar implementation for create valid AQL queries 2021-01-25 15:37:05 +01:00
Florian Roth 6b9eef58da Merge pull request #1338 from Neo23x0/rule-devel 
Improved UNC2452 activity rules
 2021-01-25 14:36:44 +01:00
Florian Roth 7d99a48bb2 rule: new Quakbot pattern 2021-01-25 12:03:30 +01:00
Florian Roth a4bec724a6 rule: SonicWall exploitation 2021-01-25 11:54:23 +01:00
Bhabesh Rai 465ab713b0 Added rule for TerraMaster TOS CVE-2020-28188 2021-01-25 13:01:27 +05:45
Thomas Patzke 72468e671f Merge pull request #1340 from WuerthIT/bugfix_field_support 
bugfix field support
 2021-01-22 16:58:45 +01:00
Florian Roth e34bed0f76 Merge pull request #1339 from WuerthIT/fix_for_pcap_rule 
fix service from system to security for rule win_pcap_drivers.yml
 2021-01-22 16:15:23 +01:00
k-vdv 89a4e48b0a bugfix field support 2021-01-22 09:28:23 +01:00
Florian Roth b62c705bf0 Improved UNC2452 activity rules 2021-01-22 09:18:11 +01:00
k-vdv e4edf7bc1b fix service from system to security for rule win_pcap_drivers.yml 2021-01-22 09:10:02 +01:00
David Straßegger 6a6929cfb6 implemented rule for scheduled task deletion 2021-01-22 08:09:56 +01:00
Florian Roth efa39eb18d Merge pull request #1336 from Neo23x0/rule-devel 
rule: Raccine uninstall
 2021-01-21 18:17:31 +01:00
Florian Roth 4ad70f0aaa rule: Raccine uninstall 2021-01-21 17:59:17 +01:00
Florian Roth 492d931138 Merge pull request #1335 from Neo23x0/rule-devel 
rule: UNC2452 PowerShell pattern
 2021-01-21 09:20:22 +01:00
Florian Roth c5a7558ca0 fix: fixed actor name in description 2021-01-21 09:19:51 +01:00
Florian Roth a0b8eeac6f fix: minor issues 2021-01-20 18:52:50 +01:00
Florian Roth 8b319e3686 rule: UNC2452 PowerShell pattern 2021-01-20 18:51:49 +01:00
Florian Roth cd4fbca66b Merge pull request #1330 from d4rk-d4nph3/master 
Added Stealthy Office Persistence via VSTO
 2021-01-20 11:36:25 +01:00
Florian Roth c00d3a8fe0 Merge pull request #1334 from Neo23x0/rule-devel 
rule: plink anomaly rules
 2021-01-20 11:36:16 +01:00
Bhabesh Rai dac229a8bb Added rule for Oracle WebLogic Exploit CVE-2021-2109 2021-01-20 14:28:18 +05:45
Florian Roth eedc483be4 rework: impossible rule with Sysmon 2021-01-19 14:12:40 +01:00
Florian Roth fdc969385a rule: plink anomaly rules 2021-01-19 12:39:40 +01:00
Nate Guagenti 36656c3fac Add to ElasticsearchDSLBackend the logic to NOT quote an analyzed field if it contains wildcard, things such as '*' get treated as an exact match 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2021-01-18 07:01:50 -05:00
Nate Guagenti caf6586928 Add logic to NOT quote an analyzed field if it contains wildcard, things such as '*' get treated as an exact match 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2021-01-18 06:49:57 -05:00
Nate Guagenti 47bd41f012 revert commented line 2021-01-18 05:55:12 -05:00
Florian Roth 7162528a1a docs: removed CVE 2021-01-15 13:25:10 +01:00
Florian Roth 3d2c6a118d Merge pull request #1332 from 2d4d/master 
Add xHunt Campaign: BumbleBee Webshell
 2021-01-13 18:19:01 +01:00
Florian Roth d58cdeab3a Merge pull request #1331 from Neo23x0/rule-devel 
rule: NTFS vulnerability
 2021-01-12 09:09:33 +01:00
Arnim Rupp b2860b870e Update win_webshell_detection.yml 2021-01-11 21:08:20 +01:00
Florian Roth cf37abee4d docs: more details 2021-01-11 19:56:36 +01:00
Arnim Rupp 5d80d634c3 Add xHunt Campaign: BumbleBee Webshell 
add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
 2021-01-11 19:44:07 +01:00
Florian Roth a0fccf8647 rule: NTFS vulnerability 
https://twitter.com/jonasLyk/status/1347900440000811010
 2021-01-11 14:51:26 +01:00
Bhabesh Rai 93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45
Florian Roth c571285fd8 Merge pull request #1329 from Neo23x0/rule-devel 
Rule devel
 2021-01-09 11:32:36 +01:00
Florian Roth 63cc0d23c6 changes provided by FPT.EagleEye Team in 
https://github.com/Neo23x0/sigma/pull/1218/files
 2021-01-09 10:38:20 +01:00
Florian Roth 19171f5bed Merge pull request #1315 from rtkdmasse/split-up-cmstp-rule 
Split up cmstp rule into 3 separate rules and remove duplicates
 2021-01-09 10:30:33 +01:00
Florian Roth 947925d81f Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic 
Update the azure image_load rule to be a generic sysmon rule
 2021-01-09 10:29:52 +01:00
Florian Roth 04f7766d7a Merge pull request #1319 from hieuttmmo/master 
Detect Emotet DLL loading by looking rundll32.exe
 2021-01-09 10:29:24 +01:00
Florian Roth 1a8bb9c991 Merge pull request #1327 from 2d4d/master 
more AV event and suspicious commands
 2021-01-09 10:28:30 +01:00
GlebSukhodolskiy 3f519ffa20 Just Check 2021-01-07 21:31:51 +03:00
Arnim Rupp d5de3fe5f9 more AV event and suspicious commands 
some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?
 2021-01-07 17:54:19 +01:00
Florian Roth 30dcc28a1f Cisco ASA FTD Exploit CVE-2020-3452 2021-01-07 13:17:58 +01:00