security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

52 Commits

Author SHA1 Message Date
frack113 e43b917dab fix space error 2021-08-10 17:35:32 +02:00
frack113 f4bef0fc39 Add Microsoft-Windows-Windows Defender/Operational 2021-08-06 11:12:34 +02:00
frack113 65251e13e9 Add missing system field 2021-08-06 10:52:24 +02:00
frack113 4b44ee654b Fix missing a space 2021-08-05 13:36:18 +02:00
frack113 0b053e79cc fix syntax error 2021-08-05 13:33:39 +02:00
frack113 439b3cecc3 Add most of security EventID 2021-08-05 13:31:39 +02:00
frack113 ac43eecc36 Add eventid 4624 2021-08-05 11:20:22 +02:00
frack113 1d1b58d712 add sysmon mapping 2021-08-05 10:54:58 +02:00
frack113 481cd9aca1 add security 7045 2021-08-04 15:46:05 +02:00
frack113 47086d5d78 fix duplicate 2021-08-04 15:12:01 +02:00
frack113 21228a21c7 update SYSMON Hashes 2021-08-04 15:09:02 +02:00
Gábor Lipták d2592ee0b6 Add yamllint to GHA 
Signed-off-by: Gábor Lipták <gliptak@gmail.com>
 2021-07-26 21:26:16 -04:00
G Y aacb5f767c Update winlogbeat-modules-enabled.yml 
Update mapping for EventID and TargetObject.
 2021-07-14 11:01:45 +08:00
G Y cb2985df75 Update winlogbeat-modules-enabled.yml 
Replaced mapping for Imphash (based on Winlogbeat's Sysmon processor module).
 2021-07-10 10:51:05 +08:00
frack113 4e3b275056 Fix more windows fields name 2021-07-07 12:28:00 +02:00
frack113 5c9ca35bb6 Add the last missing 2021-07-07 09:10:50 +02:00
frack113 e76f30d59c Add some missing fields mapping 2021-07-06 15:56:33 +02:00
Florian Roth 825ff5520b Merge pull request #1597 from SigmaHQ/rule-devel 
config: add PrintService Operational
 2021-07-01 10:27:43 +02:00
Florian Roth 63f3fd7e73 config: add PrintService Operational 2021-07-01 09:55:15 +02:00
Florian Roth 19962c6fe4 Merge pull request #1590 from SigmaHQ/rule-devel 
config: mappings for Microsoft print service
 2021-06-30 14:50:52 +02:00
Florian Roth a49bfb14dd refactor: Admin log - not Operational 2021-06-30 14:22:40 +02:00
Florian Roth 26cfbb9c34 config: mapping for Microsoft SMBClient service - security 2021-06-30 14:16:26 +02:00
Florian Roth 8262a1d98b config: mappings for Microsoft print service 2021-06-30 14:09:44 +02:00
Joshua Roys 2034d36677 Add support for Elastic EQL 
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
 2021-06-08 13:38:38 -04:00
frack113 e66a3f9513 T1562.001 Attempting to disable scheduled scanning and other parts of windows defender atp. 2021-06-07 15:03:19 +02:00
frack113 3d9fe490ab Detect modification of sysmon configuration by sysmon 2021-06-04 11:27:15 +02:00
frack113 bf98f43850 Set powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID 2021-06-01 10:47:17 +02:00
frack113 aa34ff8e3c Addition of System channel for more accurate detection 2021-05-30 09:27:08 +02:00
JohnConnorRF 1574d263cc Updated Winlogbeat Modules config based on: https://github.com/elastic/beats/blob/048c3cc19bf43c8a6b332afaafdd0a2eb8e5bd49/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js#L171-L178 2021-05-05 10:25:36 -04:00
John Connor McLaughlin 3926e2388f Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html 2021-05-04 15:23:47 -04:00
Thomas Patzke 5118be6bf6 Merge pull request #1407 from JohnConnorRF/winlogbeat_config_update 
Update winlogbeat configuration file to support File Product details
 2021-04-06 00:51:27 +02:00
JohnConnorRF 1f3ee87e55 Added Product field to winlogbeat-modules-enabled.config. Note that the ECS details for Process do not include Product (https://www.elastic.co/guide/en/ecs/1.4/ecs-process.html) so winlog.event_data.Product was used instead of process.Product 2021-04-01 09:19:21 -04:00
Joshua Roys 30ab2aad75 Map CommandLine appropriately 
Args is an array of the exploded command line and causes many rules to misfire.
 2021-03-30 10:15:10 -04:00
Florian Roth 9e287a1b89 feat: MSExchange Management log mapping 2021-03-20 08:49:59 +01:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Hendrik 7e742cc049 kibana-ndjson for all configs which already have kibana 2020-11-09 08:46:17 +01:00
Sander 94272c7770 Revert "Ref #933 - Added windows Process Creation to config" 
This reverts commit 6c35a7afa0.
 2020-07-16 14:30:17 +02:00
Sander 6c35a7afa0 Ref #933 - Added windows Process Creation to config 2020-07-16 13:16:57 +02:00
Pushkarev Dmitry c30a256030 Added AppLocker log source 2020-07-13 20:21:46 +00:00
Thomas Patzke 43e5ae5d24 Added Windows NTLM log source + fixes 2020-07-02 23:20:36 +02:00
j91321 ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Thomas Patzke 24b08bbf30 Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-05-24 17:06:32 +02:00
vh e8b956f575 Updated config 2020-05-20 12:35:00 +03:00
neu5ron 177f0a783b winlogbeat forward (at a snails pace) ECS field names 2020-05-19 04:58:51 -04:00
vh fb9c5841f4 Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00
Remco Hofman c5be83eb01 Added ee-outliers backend 2020-05-08 10:18:35 +02:00
Maxime Thiebaut c5bdd18d8d Add Winlogbeat's RuleName field to mapping 
When Sysmon logs a "RegistryEvent" event of ID 13, the event might contain a field named "RuleName" as shown in the following excerpt.

```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
	<Event
		xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
		<System>
			<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
			<EventID>13</EventID>
			<Version>2</Version>
			<Level>4</Level>
			<Task>13</Task>
			<Opcode>0</Opcode>
			<Keywords>0x8000000000000000</Keywords>
			<TimeCreated SystemTime='2020-03-18T03:52:07.173448000Z'/>
			<EventRecordID>160631</EventRecordID>
			<Correlation/>
			<Execution ProcessID='2156' ThreadID='3628'/>
			<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
			<Computer>win10.sec699-40.lab</Computer>
			<Security UserID='S-1-5-18'/>
		</System>
		<EventData>
			<Data Name='RuleName'>Context,ProtectedModeExitOrMacrosUsed</Data>
			<Data Name='EventType'>SetValue</Data>
			<Data Name='UtcTime'>2020-03-18 03:52:07.129</Data>
			<Data Name='ProcessGuid'>{36aa6401-9acb-5e71-0000-0010e3ed6803}</Data>
			<Data Name='ProcessId'>5064</Data>
			<Data Name='Image'>C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE</Data>
			<Data Name='TargetObject'>HKU\S-1-5-21-1850752718-2055233276-2633568556-1126\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Documents/sec699.docm</Data>
			<Data Name='Details'>Binary Data</Data>
		</EventData>
	</Event>
</Events>
```

When used in combination with Elastic's Winlogbeat, the resulting field is named `winlog.event_data.RuleName`.
This commit introduces a mapping between the Sigma `RuleName` field (pre-existing in the `arcsight.yml` config) and Elastic's `winlog.event_data.RuleName`.

The presence of this field could be leveraged to build Sigma rules detecting events such as the above where a malicious macro was executed.
 2020-03-19 19:40:18 +01:00
Thomas Patzke 5b42135935 Added es-rule backend to all ES configurations 2020-02-24 23:20:48 +01:00
vh 5dc30bd388 Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00
Thomas Patzke 8d6a507ec4 OSCD QA wave 1 
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
 2020-01-11 00:11:27 +01:00