Commit Graph

3328 Commits

Author SHA1 Message Date
Furkan ÇALIŞKAN 0744107fbb Deleted EventID part 2020-06-04 18:19:08 +03:00
Furkan ÇALIŞKAN 1c677aa172 Fix title as in guideline
Fix title error as in guideline and other cosmetic changes
2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN bafd6bde5f Convert to process_creation
Convert to process_creation
2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN 09afae1e66 Create sysmon_apt_muddywater_dnstunnel.yml
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
2020-06-04 14:27:19 +03:00
Florian Roth d97d2ced82 Merge pull request #725 from WilliamBruneau/fix_null_list
Move null values out from list in rules
2020-06-03 15:53:55 +02:00
William Bruneau 84dd8c39c4 Move null values out from list in rules 2020-06-03 13:57:22 +02:00
Florian Roth 022d73f842 Merge pull request #811 from svnscha/fix/field-TargetFileName-to-TargetFilename
All Rules use 'TargetFilename' instead of 'TargetFileName'.
2020-06-03 10:48:05 +02:00
Sven Scharmentke 4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'.
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
Florian Roth 0cbc099def Merge pull request #807 from forensicanalysis/master
Add sqlite backend
2020-05-30 09:31:45 +02:00
Jonas Plum 3a6ac5bd5c Remove unused function 2020-05-30 01:57:06 +02:00
Jonas Plum 5cc82d0f05 Move testcase 2020-05-30 00:56:06 +02:00
Jonas Plum 4a8ab88ade Fix test path 2020-05-30 00:15:38 +02:00
Jonas Plum 70935d26ce Add license header 2020-05-29 23:56:05 +02:00
Florian Roth 74e16fdccd Merge pull request #803 from gamma37/clear_cmd_history
Edit Clear Command History
2020-05-29 17:32:43 +02:00
Florian Roth e20b58c421 Merge pull request #806 from SanWieb/sysmon_creation_system_file
Fixed wrong field & Improve rule
2020-05-29 17:32:27 +02:00
Sander Wiebing a00f7f19a1 Add tag Endswith
Prevent the trigger of {}.exe.log
2020-05-29 16:25:54 +02:00
Sander Wiebing 38afd8b5de Fixed wrong field 2020-05-28 21:52:17 +02:00
Florian Roth 7f2fa05ed3 Merge pull request #802 from Neo23x0/rule-devel
ComRAT and KazuarRAT
2020-05-28 11:16:44 +02:00
gamma37 537bda4417 Update lnx_shell_clear_cmd_history.yml 2020-05-28 10:56:35 +02:00
gamma37 5a48934822 Edit Clear Command History
I suggest a new point of view to detect that bash_history has been cleared: instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.
2020-05-28 10:52:17 +02:00
Florian Roth 39b41b5582 rule: moved DebugView rule to process creation category 2020-05-28 10:13:38 +02:00
Florian Roth 76dcc1a16f rule: renamed debugview 2020-05-28 09:22:25 +02:00
Florian Roth ec313b6c8a Merge pull request #801 from SanWieb/sysmon_creation_system_file
Rule: sysmon_creation_system_file
2020-05-27 08:49:20 +02:00
Sander Wiebing d44fc43c54 Add extension 2020-05-26 19:10:11 +02:00
Sander Wiebing f6ec724d51 Rule: sysmon_creation_system_file 2020-05-26 18:53:54 +02:00
Florian Roth 5bb6770f53 Merge pull request #800 from SanWieb/win_system_exe_anomaly
Extended Windows processes: win_system_exe_anomaly
2020-05-26 14:28:47 +02:00
Florian Roth 4ca81b896d rule: Turla ComRAT report 2020-05-26 14:19:22 +02:00
Sander Wiebing 3681b8cb56 Extended Windows processes 2020-05-26 13:56:51 +02:00
Florian Roth 0b398c5bf0 Merge pull request #798 from Neo23x0/rule-devel
rule: confluence exploit CVE-2019-3398 & Turla ComRAT
2020-05-26 13:31:57 +02:00
Florian Roth c1f4787566 Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048
Changes to sysmon_cve-2020-1048
2020-05-26 13:21:04 +02:00
Florian Roth ce1f46346f Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access
Add 'Add-Content' to powershell_ntfs_ads_access
2020-05-26 13:20:40 +02:00
Florian Roth e131f3476e Merge pull request #796 from EccoTheFlintstone/fp
add more false positives
2020-05-26 13:20:23 +02:00
Florian Roth 30861b558c Merge pull request #799 from SanWieb/susp_file_characteristics
Susp file characteristics: Reduce FP of legitimate processes
2020-05-26 13:20:07 +02:00
Florian Roth b648998fd0 rule: Turla ComRAT 2020-05-26 13:18:50 +02:00
Sander Wiebing f9f814f3b3 Shortened title 2020-05-26 13:06:27 +02:00
Sander Wiebing a241792e10 Reduce FP of legitimate processes
A lot of Windows apps do not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe

All of C:\Windows\System32\OpenSSH (scp, sftp, ssh etc.) do not have a description and company.

Python 2.7, 3.3 and 3.7 do not have any file characteristics.

So I don't think it is possible to whitelist all options; maybe it is worthwhile to check the \Downloads\ folder, otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
2020-05-26 12:58:15 +02:00
Florian Roth cdf1ade625 fix: typo in selection 2020-05-26 12:27:16 +02:00
Sander Wiebing 91b4ee8d56 Merge pull request #2 from Neo23x0/master
Update repository
2020-05-26 12:24:21 +02:00
Florian Roth 828484d7c6 rule: confluence exploit CVE-2019-3398 2020-05-26 12:09:41 +02:00
Remco Hofman 48c5f2ed09 Update to sysmon_cve-2020-1048
Added .com executables to detection
Second TargetObject should have been Details
2020-05-26 11:20:21 +02:00
Jonas Hagg abf1a2c6d7 Adjusted Makefile 2020-05-25 11:58:55 +02:00
Jonas Hagg dedfb65d63 Implemented Aggregation for SQL, Added SQLite FullTextSearch 2020-05-25 11:58:55 +02:00
ecco 7037e77569 add more FP 2020-05-25 04:50:22 -04:00
Florian Roth a962bd1bc1 Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source
Fix 'source' value for win_susp_backup_delete
2020-05-25 10:48:36 +02:00
Florian Roth 0afe0623af Merge pull request #757 from tliffick/master
added rule for Blue Mockingbird (cryptominer)
2020-05-25 10:47:23 +02:00
Florian Roth 92d0aa8654 Merge pull request #795 from SanWieb/Rule-improvement-Netsh-program-allowed
Rule improvement: netsh Application or Port allowed
2020-05-25 10:46:39 +02:00
Sander Wiebing 6fcf3f9ebf Update win_netsh_fw_add.yml 2020-05-25 10:13:26 +02:00
Sander Wiebing 28652e4648 Add Windows Server 2008 and Windows Vista support
It did not support the command `netsh advfirewall firewall add`
2020-05-25 10:02:13 +02:00
Sander Wiebing 2678cd1d3e Create win_netsh_fw_add_susp_image.yml
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check.

Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
2020-05-25 09:50:47 +02:00
Sander Wiebing 4cd7c39e9d Merge pull request #1 from Neo23x0/master
Update repository
2020-05-25 08:48:16 +02:00