security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
403 Commits 1 Branch 57 Tags
012ed4cd7da63ea38e5081512aa0ecf69f9b034f
Commit Graph

229 Commits

Author SHA1 Message Date
juju4 012ed4cd7d Detects execution of executables that can be used to bypass Applocker whitelisting 2017-08-13 16:20:01 -04:00
juju4 f861969e95 tentative rule to detect admin users remote login 2017-08-13 16:19:24 -04:00
juju4 d2ae98b0de tentative rule to detect admin users interactive login 2017-08-13 16:18:58 -04:00
juju4 21b1c52d1e forfiles, bash detection 2017-08-13 16:18:13 -04:00
Thomas Patzke 238f27fa0d Added OperationalError to relevant Python DB exceptions 2017-08-13 00:10:00 +02:00
Thomas Patzke 33b2ff16cf Rule for generic Python SQL exceptuons 
according to PEP 249
 2017-08-12 00:44:18 +02:00
Thomas Patzke 7ba62b791c Application security rules 
* reorganization into separate folder
* adding category
* minor tweaks
 2017-08-12 00:43:10 +02:00
Thomas Patzke 1d3b8e58bd Fixed description 2017-08-06 23:22:31 +02:00
Thomas Patzke 0795d14b41 Spring framework security exceptions rule 2017-08-06 23:21:53 +02:00
Thomas Patzke f0e6c28e8b Added Ruby on Rails security-related exceptions rule 2017-08-06 22:57:52 +02:00
Thomas Patzke 98f99cebc0 Added author attribute 2017-08-05 23:56:13 +02:00
Thomas Patzke f58c1b768b Django security errors 2017-08-05 00:56:05 +02:00
Thomas Patzke 4578756cfd Merge remote-tracking branch 'origin/master' 2017-08-05 00:35:24 +02:00
Thomas Patzke 03985288f6 Removed 'last' from timeframe 2017-08-05 00:32:24 +02:00
Florian Roth edb52e098a Extended hh.exe in Office Shell detection 
https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
 2017-08-04 09:18:55 +02:00
Thomas Patzke d17604d007 Merge branch 'master' into travis-test 2017-08-03 00:11:08 +02:00
Thomas Patzke 36212fd5c2 Merge branch 'devel-sigmac' 2017-08-03 00:10:37 +02:00
Thomas Patzke 5706361464 Parsing of "near ... within" aggregation operator 
* Operator is only parsed. No processing or passing of parsed data to
  backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
 2017-08-03 00:05:48 +02:00
Thomas Patzke 7706067540 Merge branch 'master' into travis-test 2017-08-02 23:32:40 +02:00
Thomas Patzke 27e5d0c2b4 Fixed further parse error 2017-08-02 23:32:00 +02:00
Thomas Patzke 167b1f0191 Merge branch 'master' into travis-test 2017-08-02 22:53:52 +02:00
Thomas Patzke f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke bfcc119a7f Merge branch 'master' into travis-test 2017-08-02 00:37:07 +02:00
Thomas Patzke b82a6fdc51 Added wildcards to windows/builtin/win_susp_rundll32_activity.yml 2017-08-02 00:09:34 +02:00
Thomas Patzke 84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00
Thomas Patzke c350a90b21 Merge branch 'master' into rules-juju4 2017-08-01 23:55:53 +02:00
juju4 5b778c9833 yamllint: quote twitter-formatted nickname 2017-07-30 11:42:25 -04:00
juju4 5b42c64fcd Merge remote-tracking branch 'upstream/master' 2017-07-30 11:12:03 -04:00
juju4 31b033d492 suspicious rundll32 activity rules 2017-07-30 11:11:45 -04:00
juju4 3a8946a3ac suspicious phantom dll rules 2017-07-30 11:11:17 -04:00
juju4 fbbf29fd80 suspicious cli escape character rules 2017-07-30 11:10:43 -04:00
juju4 83fa83aa43 suspicious certutil activity rules 2017-07-30 11:09:51 -04:00
juju4 f487451c45 more suspicious cli process 2017-07-30 11:09:24 -04:00
Florian Roth d1cdb3c480 Certutil duplicate entry and "-ping" command 2017-07-23 14:51:57 -06:00
Florian Roth 433293ea40 'ruler' User Agent 
https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
 2017-07-22 09:24:45 -06:00
Florian Roth cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file) 
> the -urlcache is the relevant command
 2017-07-20 12:54:55 -06:00
Florian Roth 3a55b31da2 certutil file download - more generic approach 2017-07-20 12:48:47 -06:00
Florian Roth b85d96e458 certutil detections (renamed, extended) 
see https://twitter.com/subTee/status/888102593838362624
 2017-07-20 12:38:10 -06:00
Florian Roth 061d3bea27 ZxShell 2017-07-20 12:36:24 -06:00
Florian Roth 4bff14acd1 User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00
Florian Roth eeb31964da User-Agent Rules 2017-07-08 08:37:44 -06:00
Florian Roth cf42847b74 Suspicious User Agent strings 2017-07-07 20:53:22 -06:00
Florian Roth cec48ece04 Suspicious User-Agent Strings, starting with empty value 2017-07-07 18:38:32 -06:00
Florian Roth fc4cd4036e Linux: Suspicious VSFTPD errors 2017-07-05 18:59:51 -06:00
Florian Roth ead63fbf75 Linux: Suspicious SSHD errors 2017-06-30 08:47:56 +02:00
Florian Roth 950a00f33e Updated Petya rule 2017-06-28 12:52:58 +02:00
Florian Roth ece1d7e3a8 Added perfc.dat keyword to NotPetya rule 2017-06-28 10:35:42 +02:00
Florian Roth a3e0e37163 NotPetya Title Fixed 2017-06-28 09:12:39 +02:00
Florian Roth 8c437de970 NotPetya Sigma Rule for Sysmon Events 2017-06-28 09:09:12 +02:00
Florian Roth 8f525d2f01 Wannacry Rules Reorg and Renaming 2017-06-28 09:08:53 +02:00