security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
270 Commits 1 Branch 57 Tags
059cfbf15aad8aaf7dfdffd3f4d214b591bb14b6
Commit Graph

128 Commits

Author SHA1 Message Date
Florian Roth 059cfbf15a Removed duplicate 2017-04-13 01:21:46 +02:00
Florian Roth c2ed7bd9df MSHTA Rule v1 2017-04-13 01:08:37 +02:00
Florian Roth 64caa8aedc Merge pull request #31 from neu5ron/patch-4 
Create win_alert_ad_user_backdoors.yml
 2017-04-13 01:07:41 +02:00
Florian Roth 1e4d563a4d Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving 
improved win_pass_the_hash.yml rule
 2017-04-13 01:05:09 +02:00
Nate Guagenti 53313d45be Create win_alert_ad_user_backdoors.yml 2017-04-12 16:15:41 -04:00
Florian Roth a5297b1f29 Equation Group Script/Tool Commands 2017-04-09 20:11:56 +02:00
Florian Roth abb01cc264 Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00
Florian Roth 44bedf9e17 Rule: Cloud Hopper WmiExec VBS 2017-04-07 17:41:53 +02:00
Florian Roth 92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
yugoslavskiy f83d0e36b8 improved win_pass_the_hash.yml rule 
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]

[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
 2017-04-04 02:57:58 +03:00
Nate Guagenti 2bb7d7e6eb Create win_alert_active_directory_user_control.yml 2017-04-03 15:58:23 -04:00
Nate Guagenti 85b4efabed Update win_alert_enable_weak_encryption.yml 2017-04-03 09:15:52 -04:00
Nate Guagenti bd63d74776 Create win_alert_enable_weak_encryption.yml 
kerberoast and enabling weak encryption for password/hash cracking
 2017-04-03 09:12:58 -04:00
Florian Roth 0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth d9e6913c03 APT 29 - tor / google update service 2017-04-01 10:30:36 +02:00
Florian Roth 43d907791c Rule: APT29 Google Update service install 2017-03-31 19:31:13 +02:00
Florian Roth 2657ff7db8 Rule: Carbon Paper Framework Service (Turla) 
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 2017-03-31 19:25:41 +02:00
Florian Roth 919a04666c Improved StoneDrill Rule 2017-03-31 19:25:10 +02:00
Florian Roth fa90fb2fed Improved WMIC process call create rule 2017-03-29 22:11:05 +02:00
Florian Roth e6a81623a8 PowerShell Combo - False Positive with MOM 2017-03-29 22:10:28 +02:00
Florian Roth f91f813b3f Improved certutil.exe rules 2017-03-27 22:30:26 +02:00
Florian Roth 078eaa1180 Updated Windows suspicious activity 2017-03-27 17:27:04 +02:00
Florian Roth 67d9c44bb3 Improved linux suspicious activity rule 2017-03-27 15:21:39 +02:00
Florian Roth 707e5a948f Rules: Password dumper activity and lateral movement 2017-03-27 15:20:50 +02:00
Florian Roth c5323ac1c2 Changes to Linux suspicious activity rule 2017-03-27 10:29:57 +02:00
Florian Roth 125bf4f3f2 Rule adjustment 
Added wilcards cause the field can contain a full path
 2017-03-26 23:41:38 +02:00
Florian Roth 53cc80c8f4 Windows Supicious Process Creation 
- Bugfix in selection name
- New keyword expressions
 2017-03-26 23:25:47 +02:00
Florian Roth b0c8ffb051 Combined vssadmin rule 2017-03-26 01:27:26 +01:00
Florian Roth 800262a738 Renamed and double removed 2017-03-26 01:27:08 +01:00
Florian Roth c1a6a542db Rule: Windows 4688 process creation rule 2017-03-26 01:26:34 +01:00
Florian Roth 5c4a13af71 Rules: Linux commands and log entries of interest 2017-03-25 19:59:45 +01:00
Florian Roth c8cc857b7c Improved the linux suspicious keywords rule 2017-03-25 19:23:10 +01:00
Michael Haag 5ea6fad999 net.exe and wmic.exe 
Suspicious execution of net and wmic
 2017-03-25 06:48:23 -07:00
Florian Roth 699c638ee2 Bugfix: Wrong Event ID and extended description 2017-03-23 11:50:30 +01:00
Florian Roth d377884972 Rule: Rare scheduled tasks creations 2017-03-23 11:45:10 +01:00
Florian Roth 10ee36f26c Updated Eventvwr UAC evasion 2017-03-22 14:40:55 +01:00
Florian Roth fa37f5afcf Rules: PowerShell Downgrade Attacks 2017-03-22 11:17:46 +01:00
Florian Roth 3bfa9ed121 Bugfix: Minor fix cause Sysmon uses SID as Software key 2017-03-21 10:44:53 +01:00
Florian Roth b1da8c5b32 Bugfix: Fixed UAC bypass rules 2017-03-21 10:42:22 +01:00
Florian Roth 7ce958a3ed Bugfixes and improvements 2017-03-21 10:24:20 +01:00
Florian Roth f9be5b99ad Rule: Suspicious task creation description changed 2017-03-21 10:23:53 +01:00
Florian Roth 6932fcec65 Rule: Linux shell more suspicious keywords 2017-03-21 10:23:12 +01:00
Florian Roth 055992eb05 Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00
Florian Roth 6f38a44ec1 Broader definition certutil.exe rule 2017-03-20 22:07:04 +01:00
Florian Roth 2817ea2605 Bugfix in UAC Rule 2017-03-19 19:46:19 +01:00
Florian Roth b2c15c2cf7 Rule: UAC bypass via eventvwr, minor changes 2017-03-19 19:34:06 +01:00
Florian Roth c82da0dc5c Rules: Suspicious locations and back connect ports 2017-03-19 15:22:27 +01:00
Thomas Patzke 889315c960 Changed values with placeholders to quoted strings 
Values beginning with % cause YAML parse error
 2017-03-18 23:05:16 +01:00
Thomas Patzke 56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel d3bd73aefb Create sysmon_sdclt_uac_bypass.yml 
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
 2017-03-17 14:31:26 -04:00