security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,171 Commits 1 Branch 57 Tags
0575fa8d811813bb8e6daec2ffbc59301ef58639
Commit Graph

587 Commits

Author SHA1 Message Date
ecco 0575fa8d81 fix CVE 2020-1048 rule 2020-05-15 07:25:05 -04:00
Florian Roth cc26b26377 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/windows/sysmon/sysmon_cve-2020-1048.yml
 2020-05-15 12:09:47 +02:00
Florian Roth 8e7caf0e4d rule: CVE-2020-1048 2020-05-15 12:08:31 +02:00
Florian Roth 5854cc4677 fix: small bug in new CVE-2020-1048 rule 2020-05-15 11:37:46 +02:00
Tran Trung Hieu e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu 443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu 97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Tran Trung Hieu d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu 3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
Florian Roth 1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth f96c3a5fd4 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
 2020-05-11 10:44:19 +02:00
Florian Roth 514bd8657b Merge pull request #704 from Iveco/master 
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
 2020-04-14 14:11:27 +02:00
Florian Roth 3175a48bdc Casing 2020-04-14 13:40:34 +02:00
Florian Roth ecdec93800 Casing 2020-04-14 13:39:58 +02:00
Maxime Thiebaut 86c6891427 Add Windows Registry Persistence COM Search Order Hijacking 2020-04-14 12:59:29 +02:00
Iveco c5211eb94a Update sysmon_susp_service_installed.yml 
CI
 2020-04-08 18:54:46 +02:00
Iveco 4520082ef7 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
CI
 2020-04-08 18:54:37 +02:00
Iveco 6d85650390 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed Author
 2020-04-08 18:41:33 +02:00
Iveco fc1febdebe Update sysmon_susp_service_installed.yml 
Fixed Author
 2020-04-08 18:41:25 +02:00
Iveco 3280a1dfb0 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed CI
 2020-04-08 18:23:29 +02:00
Iveco 5e724a0a54 Update sysmon_susp_service_installed.yml 
Fixed CI
 2020-04-08 18:22:51 +02:00
iveco e87f2705a7 Detect Ghost-In-The-Logs (disabling/bypassing ETW) 2020-04-08 18:01:04 +02:00
Chris O'Brien fe5dbece3d Date typos...more than I thought... 2020-04-02 10:00:00 +02:00
Clément Notin 18cdddb09e Small typo 2020-03-31 15:22:00 +02:00
Florian Roth 8ea6b12eed Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini 
Add "Suspicious desktop.ini Action" rule
 2020-03-28 13:34:01 +01:00
Florian Roth fe5b5a7782 Merge pull request #673 from j91321/rules-minor-fixes 
Minor fixes to several rules
 2020-03-28 13:27:05 +01:00
Florian Roth e2b90220a2 Update sysmon_susp_desktop_ini.yml 2020-03-28 13:19:10 +01:00
Iveco 55258e1799 Title capitalized 2020-03-26 17:04:08 +01:00
Iveco 68c20dca20 Fixed title length 2020-03-26 16:56:46 +01:00
iveco ddacde9e6b add LDAPFragger detections 2020-03-26 15:13:36 +01:00
Florian Roth 35e43db7a7 fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00
j91321 78bfa950d7 Add WinPrvSE.exe to detection 2020-03-24 19:47:10 +01:00
Maxime Thiebaut dce18b23b7 Add "Suspicious desktop.ini Action" rule 2020-03-19 21:43:03 +01:00
ecco 2489b8534c sysmon registry events fix 2020-03-09 12:02:04 -04:00
Florian Roth 7e8b59abe6 Merge pull request #643 from grumo35/patch-2 
Update sysmon_cred_dump_tools_dropped_files.yml
 2020-03-07 10:39:35 +01:00
ecco b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth 7139bfb0cb fix: avoiding FPs with Citrix software 
writing C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_r23phtye.jsp.ps1
 2020-03-03 11:01:42 +01:00
Florian Roth fdcba84fc8 fix: escaped backslash 2020-02-29 10:12:59 +01:00
grumo35 0d932810b5 Update sysmon_cred_dump_tools_dropped_files.yml 
Adding sysinternal's procdump utility more about this on : https://en.hackndo.com/remote-lsass-dump-passwords/
 2020-02-28 15:16:18 +01:00
Florian Roth f88225dd2a Merge pull request #640 from Neo23x0/devel 
fix: broader exclusion for rule - OneDrive false positives
 2020-02-26 18:41:52 +01:00
Florian Roth 6bbd80a8ee fix: broader exclusion for rule - OneDrive false positives 2020-02-26 18:31:58 +01:00
Florian Roth 0ba6874645 Merge pull request #638 from Neo23x0/devel 
Several false positives with new rules
 2020-02-26 09:46:02 +01:00
Florian Roth 4f3e3166d3 fixing false positives 2020-02-26 09:33:55 +01:00
Florian Roth 82d2b1e6f0 Merge branch 'master' into devel 
# Conflicts:
#	rules/windows/process_creation/win_susp_squirrel_lolbin.yml
 2020-02-26 09:27:48 +01:00
Florian Roth e7aff17e72 FP: OneDrive setup 2020-02-26 09:26:19 +01:00
Florian Roth a152853ac3 Merge pull request #624 from Antonlovesdnb/master 
New rules for Macro Detections
 2020-02-25 15:44:31 +01:00
Antonlovesdnb e8b861bff4 Update sysmon_susp_winword_vbadll_load.yml 2020-02-25 09:24:29 -05:00
Antonlovesdnb 4c5d489428 Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-25 09:23:52 -05:00