security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
577 Commits 1 Branch 57 Tags
058d719e2ba465db00a96ac7bc4859aad13bb084
Commit Graph

325 Commits

Author SHA1 Message Date
Florian Roth 058d719e2b Rule update: Proxy UA > Loki Bot 2018-02-12 10:08:32 +01:00
Florian Roth fa4dbc0f2e Rule: QuarksPwDump temp dump file 2018-02-10 15:25:36 +01:00
Florian Roth 0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
Florian Roth 1382edb5e3 Cosmetics 2018-02-09 10:13:39 +01:00
Florian Roth 34e0352a21 Rule: Proxy UAs - malware - Ghost419 
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
 2018-02-03 14:47:04 +01:00
Florian Roth 635d052fcc Renamed rule - not APT32 related 2018-01-31 23:52:24 +01:00
Florian Roth 4152442bfa Changed reference to references in Elise rule 2018-01-31 23:13:00 +01:00
Florian Roth f1b339504e Rule: APT32 Elise 2018-01-31 23:12:00 +01:00
SherifEldeeb 348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb 48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb 112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth 0f2e1c5934 Bugfix: Missing wildcard in IIS module install rule 2018-01-27 16:15:25 +01:00
Florian Roth d93d7d8e7b Rule: IIS nativ-code module command line installation 2018-01-27 11:13:13 +01:00
Florian Roth aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth f31ed7177e Added status 'experimental' to newly created auditd rules 2018-01-23 11:15:02 +01:00
Florian Roth fe80ae7885 Rule: Linux auditd 'program execution in suspicious folders' 2018-01-23 11:13:23 +01:00
Florian Roth 228ca1b765 Rule: Linux auditd 'suspicious commands' 2018-01-23 11:13:23 +01:00
Florian Roth 379b2dd207 New recon activity rule 2017-12-11 09:31:54 +01:00
Florian Roth 8e2aef035c Removed commands - false positive reduction 2017-12-11 09:31:54 +01:00
Florian Roth 1464ab4ab8 Renamed rule: recon activity > net recon activity - to be more specific 2017-12-11 09:31:54 +01:00
Florian Roth 285f5bab4f Removed duplicate string 2017-12-11 09:31:54 +01:00
Thomas Patzke 9adaf4c411 Cleanup 2017-12-07 16:21:02 +01:00
Björn Kimminich 8a8387c43e SQL Injection error message patterns 
Rule file that detects error messages from different DB providers that would occur during SQL Injection probing
 2017-11-27 22:52:17 +01:00
Florian Roth 78854b79c4 Rule: System File Execution Location Anomaly 2017-11-27 14:09:22 +01:00
Florian Roth 93fbc63691 Rule to detect droppers exploiting CVE-2017-11882 2017-11-23 00:58:31 +01:00
Thomas Patzke 2ec5919b9e Fixed win_disable_event_logging by multiline description 2017-11-19 22:49:40 +01:00
Nate Guagenti a796ff329e Create win_disable_event_logging 2017-11-15 21:56:30 -05:00
Florian Roth 3a378f08ea Bugfix in Adwind rule - typo in typo 2017-11-10 12:51:54 +01:00
Florian Roth 6e4e857456 Improved Adwind Sigma rule 2017-11-10 12:39:08 +01:00
Florian Roth 57d56dddb7 Improved Adwind RAT rule 2017-11-09 18:53:46 +01:00
Florian Roth b558f5914e Added reference to Tom Ueltschie's slides 2017-11-09 18:30:50 +01:00
Florian Roth 781db7404e Updated Adwind RAT rule 2017-11-09 18:28:27 +01:00
Florian Roth 970f01f9f2 Renamed file for consistency 2017-11-09 15:43:32 +01:00
Florian Roth a042105aa1 Rule: Adwind RAT / JRAT javaw.exe process starts in AppData folder 2017-11-09 15:43:32 +01:00
Florian Roth a0ac61229c Rule: Detect plugged USB devices 2017-11-09 08:40:46 +01:00
Florian Roth fd801a61a5 Bronze Butler Daserf malware User Agents in Proxy Logs 2017-11-08 12:52:11 +01:00
Florian Roth e5383be163 Rule: Proxy suspicious downloads from Dyndns hosts 2017-11-08 11:32:30 +01:00
Florian Roth 4540088aa9 Rule: Extended proxy suspicious TLD white list rule 2017-11-08 00:38:26 +01:00
Florian Roth ad53cc7cc2 Rule: Sysmon Turla Commands 2017-11-08 00:33:17 +01:00
Florian Roth acc430c4b6 Rule: Proxy download from blacklisted TLDs 2017-11-07 14:03:16 +01:00
Florian Roth 58f20d3cfb Rule: Proxy download whitelist bugfix and improvements 2017-11-07 14:02:56 +01:00
Florian Roth 59e5b3b999 Sysmon: Named Pipe detection for APT malware 2017-11-06 14:24:42 +01:00
Florian Roth ea840632f3 Sysmon: Named Pipe detection for Turla malware by @markus_neis 2017-11-06 14:22:09 +01:00
Florian Roth 37cea85072 Rundll32.exe suspicious network connections 2017-11-04 14:44:30 +01:00
Thomas Patzke 5035c9c490 Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00
Thomas Patzke f3a809eb00 Improved admin logon rules and removed duplicates 2017-11-01 21:33:01 +01:00
Thomas Patzke 0055eedb83 Merge pull request #54 from juju4/CAR-2016-04-005b 
Admin user remote login
 2017-11-01 21:22:09 +01:00
Thomas Patzke 613f922976 Merge pull request #43 from juju4/master 
New rules
 2017-11-01 21:21:30 +01:00
Thomas Patzke 118e8af738 Simplified rule collection 2017-11-01 10:00:35 +01:00