Merge pull request #695 from cobsec/master

Date typos
Florian Roth
2020-04-02 10:20:18 +02:00
committed by GitHub
7 changed files with 8 additions and 8 deletions
@@ -2,8 +2,8 @@ title: MSHTA Suspicious Execution 01
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: experimental
description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
date: 22/02/2019
modified: 22/02/2019
date: 2019/02/22
modified: 2019/02/22
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files
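Review bot: `modified:` is left equal to `date:` (both 2019/02/22) after this hunk. Because only the date format changed and not the detection logic, not bumping `modified` is defensible, but if the repository convention is to bump it on any edit, set it to the date of this fix. Since seven files needed the same correction in this PR, it is also worth adding a test once that rejects any `date:` or `modified:` value that does not match `^\d{4}/\d{2}/\d{2}$`, so the DD/MM/YYYY form cannot come back through a later PR.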
@@ -5,7 +5,7 @@ description: Trickbot enumerates domain/network topology and executes certain co
references:
- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
author: David Burkett
date: 12/28/2019
date: 2019/12/28
tags:
- attack.t1482
logsource:
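Review bot: the old value `12/28/2019` was in US MM/DD/YYYY order rather than the DD/MM/YYYY seen in the other hunks, so the reordering to `2019/12/28` is unambiguous (28 cannot be a month). No further change needed here; the same correction applies to the second rule by the same author below.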
@@ -5,7 +5,7 @@ description: It is extremely abnormal for svchost.exe to spawn without any CLI a
references:
- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
author: David Burkett
date: 12/28/2019
date: 2019/12/28
tags:
- attack.t1055
logsource:
@@ -6,7 +6,7 @@ description: Detects the access to processes by other suspicious processes which
few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain
routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 27/10/2019
date: 2019/10/27
author: Perez Diego (@darkquassar), oscd.community
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
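Review bot: this is the first of three rules from the same author and batch (`27/10/2019`, `Perez Diego (@darkquassar), oscd.community`) that carry the identical date typo, which suggests a shared template. Before merging, grep the remaining oscd.community rules from that contribution for `date: 27/10/2019` (and any other `DD/MM/YYYY` value) so the whole batch is fixed in one PR rather than file by file.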
@@ -4,7 +4,7 @@ status: experimental
description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this
API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and
transfer it over the network back to the attacker's machine.
date: 27/10/2019
date: 2019/10/27
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
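Review bot: while this file is being touched, the context line above has a spelling error, `attacker tradecract` should read `attacker tradecraft`, and `SilentTrynity` is the tool's name misspelled (the C2 framework is SILENTTRINITY). Fixing those in the same hunk avoids a separate cosmetic PR. `modified: 2019/11/13` is left as is, consistent with not bumping it for a metadata-only fix.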
@@ -8,7 +8,7 @@ author: Florian Roth, Markus Neis
tags:
- attack.persistence
- attack.t1060
date: 2018/25/08
date: 2018/08/25
modified: 2020/02/26
logsource:
product: windows
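Review bot: unlike the other hunks, the old value `2018/25/08` was already in `YYYY/xx/xx` layout but with day and month swapped, and `2018/08/25` is the only valid reading. Because that value would pass a plain shape check like `^\d{4}/\d{2}/\d{2}$`, any date validation added for this repository should also parse the string as a real calendar date (for example with a `%Y/%m/%d` strptime) so a month of 25 is rejected. `modified: 2020/02/26` predates this PR and correctly stays untouched.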
@@ -6,7 +6,7 @@ description: Offensive tradecraft is switching away from using APIs like "Create
notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 27/10/2019
date: 2019/10/27
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
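Review bot: the date fix is correct (`27/10/2019` is unambiguous, 27 cannot be a month), but note the `notes:` key in the context above: it is not one of the fields defined in the Sigma rule specification (`title`, `id`, `status`, `description`, `references`, `author`, `date`, `modified`, `tags`, `logsource`, `detection`, `falsepositives`, `level`, `fields`). If it is meant as free text for the reader, fold it into `description`; otherwise a strict rule validator may reject the file.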