security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
983 Commits 1 Branch 57 Tags
0c729d1eeaa90aa1e7df5f768f5fbcaec742bf39
Commit Graph

547 Commits

Author SHA1 Message Date
Florian Roth 0c729d1eea Already used in different rule 2018-08-22 17:02:03 +02:00
yt0ng 5bb6f566ba ::Merge remote-tracking branch 'upstream/master' 2018-08-17 18:39:36 +02:00
yt0ng 8ecf167e85 Powershell AMSI Bypass via .NET Reflection 
[Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
 2018-08-17 18:26:04 +02:00
yt0ng 07e411fe6b Oilrig Information gathering 
whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1
 2018-08-15 14:29:59 +02:00
Florian Roth 4e91462838 fix: Bugfix in Adwind rule 2018-08-15 12:33:03 +02:00
Florian Roth 92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Florian Roth 7c05b85bcd rule: Added malware UA 2018-08-15 12:33:03 +02:00
Thomas Patzke 2c0e76be3d Escaped * where required 2018-08-10 13:53:08 +02:00
Lurkkeli 7cdc13ef11 Update 2018-08-08 17:05:51 +02:00
Lurkkeli 392351af25 Adding ATT&CK tag 2018-08-08 16:43:54 +02:00
Lurkkeli 4d721f1803 Updating fps 2018-08-08 16:42:26 +02:00
Lurkkeli b9f433414d hiding files with attrib.exe 2018-08-08 16:19:39 +02:00
Thomas Patzke 01215a645e Merge pull request #145 from yt0ng/master 
DNS TXT Answer with possible execution strings
 2018-08-08 15:58:34 +02:00
Thomas Patzke 58afccb2f3 Fixed ATT&CK tagging 2018-08-08 15:58:19 +02:00
yt0ng e44b4f450e DNS TXT Answer with possible execution strings 
https://twitter.com/stvemillertime/status/1024707932447854592
 2018-08-08 15:51:56 +02:00
Thomas Patzke 92c0e0321a Merge pull request #144 from samsson/patch-7 
Added att&ck tags
 2018-08-07 11:19:36 +02:00
Lurkkeli a245820519 added att&ck tag 2018-08-07 08:54:53 +02:00
Lurkkeli 294677a2cc added att&ck tag 2018-08-07 08:50:01 +02:00
Lurkkeli a57e87b345 added att&ck tag 2018-08-07 08:49:05 +02:00
Lurkkeli 99253763af added att&ck tag 2018-08-07 08:45:58 +02:00
Lurkkeli 0bff27ec21 added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:37:51 +02:00
Lurkkeli 198cb63182 added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:36:53 +02:00
Thomas Patzke 518e21fcd2 Merge pull request #134 from nikseetharaman/sysmon_cmstp_com_object_access 
Add CMSTP UAC Bypass via COM Object Access
 2018-08-07 08:33:33 +02:00
Thomas Patzke b9fdf07926 Extended tagging 2018-08-07 08:33:18 +02:00
Lurkkeli b50c13dd1f Update att&ck tag 2018-08-07 08:27:24 +02:00
Thomas Patzke 5d5d42eb9b Merge pull request #140 from yt0ng/master 
Possible Shim Database Persistence via sdbinst.exe
 2018-08-07 08:22:32 +02:00
Thomas Patzke 80eaedab8b Fixed tag and date 2018-08-07 08:22:11 +02:00
Thomas Patzke 3509fbd201 Merge pull request #142 from samsson/patch-5 
Added ATT&CK tag
 2018-08-07 08:20:22 +02:00
Thomas Patzke b049210641 Fixed tags 2018-08-07 08:20:09 +02:00
Lurkkeli 3456f9a74d Update sysmon_susp_wmi_execution.yml 2018-08-07 08:19:58 +02:00
Thomas Patzke 64fa3b162d Tag fixes 2018-08-07 08:18:16 +02:00
Lurkkeli 6472be5e19 Update sysmon_uac_bypass_sdclt.yml 2018-08-07 08:08:53 +02:00
Lurkkeli 21bee17ffd Update sysmon_uac_bypass_eventvwr.yml 2018-08-07 08:07:49 +02:00
yt0ng fc091fe3d7 Added ATTCK Mapping 2018-08-05 14:00:22 +02:00
yt0ng b65cb5eaca Possible Shim Database Persistence via sdbinst.exe 2018-08-05 13:55:04 +02:00
Thomas Patzke 0e986cae4d Fixed log source and field names 2018-08-04 22:58:19 +02:00
Florian Roth acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth 1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Nik Seetharaman b938fdb0a3 Add CMSTP UAC Bypass via COM Object Access 2018-07-27 02:28:28 -05:00
James Dickenson 5fc118dcac added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
Florian Roth a9fcecab88 Merge pull request #130 from samsson/patch-4 
Fixed typo / Created a rule
 2018-07-26 22:34:46 +02:00
Florian Roth 016b15a2a9 Added quotation marks 
I've added quotation marks to make it clearer (leading dash looks weird)
 2018-07-26 18:10:21 +02:00
Lurkkeli 7796492c2b Update powershell_NTFS_Alternate_Data_Streams 2018-07-26 08:54:08 -07:00
Thomas Patzke 5e3211928f Merge pull request #132 from dspautz/master 
Add tags to APT rules
 2018-07-25 09:57:35 +02:00
David Spautz f039f95f4d Add tags to APT rules 2018-07-25 09:50:01 +02:00
Florian Roth 089498b0b3 Merge pull request #131 from yt0ng/master 
Possible SafetyKatz Dump of debug.bin
 2018-07-25 07:41:38 +02:00
Florian Roth dd857c4470 Cosmetics 
If it's only 1 value we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
 2018-07-25 07:37:17 +02:00
Florian Roth cf7f5c7473 Changes 
I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? 
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
 2018-07-25 07:35:59 +02:00
yt0ng b415fc8d42 Possible SafetyKatz Dump of debug.bin 
https://github.com/GhostPack/SafetyKatz
 2018-07-24 23:51:46 +02:00
Lurkkeli db82322d17 Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:03:07 +02:00