Commit Graph

7892 Commits

Author SHA1 Message Date
JohnConnorRF 1574d263cc Updated Winlogbeat Modules config based on: https://github.com/elastic/beats/blob/048c3cc19bf43c8a6b332afaafdd0a2eb8e5bd49/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js#L171-L178 2021-05-05 10:25:36 -04:00
Florian Roth 8560dea0e6 Merge pull request #1463 from phantinuss/master
New rules: Linux ld.so preload persistence and Windows hidden local user creation
2021-05-05 15:49:36 +02:00
phantinuss da533c7425 fixed title capitalization 2021-05-05 15:22:09 +02:00
phantinuss 254a3bb122 new rules detecting the creation of a local hidden user 2021-05-05 15:12:07 +02:00
phantinuss 4b520de373 new rule detecting ld.so preload persistence by keyword 2021-05-05 15:12:07 +02:00
Florian Roth 9e662b9159 Update sysmon_vuln_dell_driver_load.yml 2021-05-05 14:31:01 +02:00
Florian Roth 80c7899c56 rule: whoami priv 2021-05-05 14:27:36 +02:00
Florian Roth c4ad770830 Merge pull request #1462 from SigmaHQ/rule-devel
Rule devel
2021-05-05 13:21:30 +02:00
Florian Roth a9417b3f7b docs: better error highlighting 2021-05-05 12:59:13 +02:00
Florian Roth 7f65d5e943 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-05-05 12:56:27 +02:00
Florian Roth 8497c8a9e6 fix: linux keywords rule 2021-05-05 12:56:24 +02:00
Florian Roth 615a284de3 Merge pull request #1461 from d4rk-d4nph3/master
Added rule for Pingback backdoor
2021-05-05 12:42:27 +02:00
Florian Roth 0ca2d05247 revert changes to powershell backend 2021-05-05 12:26:59 +02:00
Florian Roth 44097243bf rule: dell driver load 2021-05-05 12:12:08 +02:00
Florian Roth 0e9176776d refactor: moved rule 2021-05-05 12:11:59 +02:00
Florian Roth 55c39122e3 Merge branch 'master' into rule-devel 2021-05-05 11:56:20 +02:00
Florian Roth 29f26e0ae0 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-05-05 11:55:52 +02:00
Florian Roth 15ab1d5e8b Create lnx_symlink_etc_passwd.yml 2021-05-05 11:55:49 +02:00
Bhabesh Rai 4529fbd1f3 Fixed too many spaces after hyphen error 2021-05-05 12:48:29 +05:45
Bhabesh Rai 1352f0b0a6 Added rule for Pingback backdoor 2021-05-05 12:37:50 +05:45
Nate Guagenti 4152199073 add netbios port exclusion
NetBIOS - every defender's nightmare and reality of FPs
2021-05-04 18:27:05 -04:00
Nate Guagenti d4bd69dd77 Suspicious DNS Z Flag Set
The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused). Although recently it has been used in DNSSEC, a value other than 0 should be rare. Otherwise, if it is set to non-0 and DNSSEC is being used, then excluding the legitimate domains is low effort and high reward.
references:
  - 'https://twitter.com/neu5ron/status/1346245602502443009'
  - 'https://tools.ietf.org/html/rfc2929#section-2.1'
  - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
2021-05-04 18:13:08 -04:00
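The commit above describes the detection idea (alert when the reserved Z bit of the DNS header flags is set, then allow-list any legitimate domains that trigger it) but not the header parsing behind it. The following is an added example in Python, not code from the SigmaHQ repository or from the commit author: it decodes the 16-bit flags word of a raw DNS message, distinguishes the Z bit from the neighbouring DNSSEC AD/CD bits, and applies a domain allow-list. The sample packets and the `allowed_domains` parameter are constructed for this demonstration; the bit layout follows RFC 1035 section 4.1.1 with AD/CD occupying the two low bits of the original three-bit Z field.

```python
# Added example (not part of the Sigma repository or the commit above):
# parse the 16-bit DNS header flags, report packets with the reserved
# Z bit set, and skip queries for allow-listed domains. All packets
# below are constructed inline for this demonstration.
import struct

# Bit positions inside the second 16-bit word of the DNS header.
# QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(3-0)
Z_BIT = 1 << 6
AD_BIT = 1 << 5
CD_BIT = 1 << 4


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its flag fields."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes; packet too short")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "flags": flags,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "z": 1 if flags & Z_BIT else 0,
        "ad": 1 if flags & AD_BIT else 0,
        "cd": 1 if flags & CD_BIT else 0,
        "rcode": flags & 0xF,
        "qdcount": qdcount,
    }


def first_qname(packet: bytes) -> str:
    """Decode the first question name; the question section never uses
    compression pointers, so a pointer here is treated as malformed."""
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()


def build_query(flags: int, name: str) -> bytes:
    """Constructed sample: header with the given flags plus one A/IN question."""
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def suspicious_z_flag(packet: bytes, allowed_domains=()) -> bool:
    """Alert when Z is set, unless the queried name is an allow-listed
    domain or a subdomain of one (the 'exclude legitimate domains' step).
    `allowed_domains` is a hypothetical parameter for this example."""
    hdr = parse_header(packet)
    if not hdr["z"]:
        return False
    if hdr["qdcount"] == 0:
        return True  # nothing to allow-list against; keep the alert
    name = first_qname(packet)
    return not any(name == d or name.endswith("." + d) for d in allowed_domains)


# Constructed sample traffic: flag values chosen to exercise each branch.
SAMPLES = {
    "plain_query": build_query(0x0100, "example.com"),       # RD only
    "dnssec_response": build_query(0x81A0, "example.org"),   # QR, RD, RA, AD (Z clear)
    "z_set_query": build_query(0x0140, "evil.test"),         # RD + Z
    "z_set_allowed": build_query(0x0140, "ok.example.net"),  # Z, but allow-listed
}


def scan(samples=SAMPLES, allowed_domains=("example.net",)):
    """Return the names of the sample packets that would raise an alert."""
    return sorted(k for k, p in samples.items() if suspicious_z_flag(p, allowed_domains))


if __name__ == "__main__":
    for k, p in SAMPLES.items():
        h = parse_header(p)
        print(f"{k:16} flags=0x{h['flags']:04x} z={h['z']} ad={h['ad']} cd={h['cd']}")
    print("alerts:", scan())
```

The DNSSEC sample shows why the rule keys on the single Z bit rather than the whole original three-bit field: a validating resolver's AD=1 response has flags 0x81A0, which leaves Z clear, so only genuinely non-zero Z values (here 0x0140) reach the allow-list check.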
John Connor McLaughlin 3926e2388f Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html 2021-05-04 15:23:47 -04:00
partyh4rd 5a98e36905 Update powershell_suspicious_getprocess_lsass.yml
fix mitre_code 1552.004 -> 1003.001
2021-05-04 14:04:52 +03:00
Florian Roth 451f25910d Merge pull request #1430 from Scoubi/patch-1
Create win_Outlook_C2_Macro_Creation.yml
2021-05-04 12:27:56 +02:00
Florian Roth de8386d553 Merge pull request #1429 from Scoubi/patch-2
Create win_Outlook_C2_Macro_Creation.yml
2021-05-04 12:27:50 +02:00
Florian Roth 4ad3316d74 Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml 2021-05-04 09:41:38 +02:00
Florian Roth 8973b573bd Update and rename rules/windows/other/win_Outlook_C2_Macro_Creation.yml to rules/windows/file_event/win_outlook_c2_macro_creation.yml 2021-05-04 09:36:26 +02:00
Florian Roth c877a9a68d Merge pull request #1454 from ZikyHD/fix_sysmon_registry_persistence_search_order
Fix sysmon registry persistence search order
2021-05-04 09:31:16 +02:00
Florian Roth ecb133f97d docs: extended authors of malicious pipe rule 2021-05-04 09:28:17 +02:00
Florian Roth c6aeee958e rule: more named pipes by @blueteam0ps 2021-05-04 09:27:11 +02:00
Florian Roth 2f12c5c540 fix: too broad definition of *.log on linux 2021-05-03 17:04:55 +02:00
Florian Roth a9c837659b backend: powershell: escape $ symbols in strings 2021-05-03 15:30:33 +02:00
Florian Roth 1758b69e3d Merge pull request #1452 from gliptak/patch-1
Bump requests to 2.25
2021-05-03 14:11:16 +02:00
Florian Roth 6605d302cd fix: trying to fix pipenv issue 2021-05-03 13:05:21 +02:00
wagga40 cc13a5e3de Add a backend option to specify table name for SQL Backend 2021-05-02 14:39:41 +02:00
SomeOne 4aae26cabd Grouping filters 2021-05-01 21:05:34 +02:00
SomeOne 80dc6aaf59 Add FP and fix filters 2021-05-01 20:54:26 +02:00
Gábor Lipták 10fb216c9a Bump requests to 2.25 2021-04-30 12:03:27 -04:00
Florian Roth ff50b5b659 Merge pull request #1451 from SigmaHQ/rule-devel
Different FP filters
2021-04-30 08:31:02 +02:00
Florian Roth 020e6c9e29 fix: FP with Edge and call by ordinal 2021-04-29 18:23:14 +02:00
Florian Roth 04709ab9f4 refactor: renamed procdump rule 2021-04-29 17:59:49 +02:00
Florian Roth 1bde7b3799 Merge pull request #1445 from blueteam0ps/patch-8
Create win_lateral_movement
2021-04-29 14:39:52 +02:00
Florian Roth 8af86fa97e docs: change title and add references 2021-04-29 12:33:10 +02:00
Florian Roth 4b86d3f407 Merge pull request #1449 from SigmaHQ/rule-devel
Rule devel
2021-04-29 12:28:12 +02:00
Florian Roth f2181e6779 Merge pull request #1448 from refractionPOINT/linux-platforms
Add support for macOS rules and fix case sensitivity.
2021-04-29 12:28:01 +02:00
Florian Roth 3e5f7aeb5e rule: PowerShell Cmdlet Defender Exclusions 2021-04-29 09:56:26 +02:00
Maxime Lamothe-Brassard 11982abec0 Add support for macOS rules and fix case sensitivity. 2021-04-28 16:49:59 -07:00
Florian Roth 6420224c1c Merge pull request #1447 from secDre4mer/master
chore: Revert log file changes for THOR sigma configuration
2021-04-28 19:26:44 +02:00
Max Altgelt 7c8cca744f chore: Revert log file changes for THOR sigma configuration
Revert recent changes for Windows / Linux .log files for THOR
because of massive performance impacts.
2021-04-28 17:48:17 +02:00