security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,332 Commits 1 Branch 57 Tags
0fa5ba925ee06b62b4e58d5e7d9eb5b0890dc06c
Commit Graph

318 Commits

Author SHA1 Message Date
Florian Roth 0fa5ba925e rule :improved bloodhound rule 2019-12-20 17:23:40 +01:00
Florian Roth 0e82dce2a0 fix: fixed wrong condition 2019-12-20 16:11:39 +01:00
Florian Roth 0000257371 rule: improved bloodhound rule 2019-12-20 16:08:26 +01:00
Florian Roth 3a933c38f2 rule: changed level of BloodHound rule 2019-12-20 15:37:58 +01:00
Florian Roth 68efeb909d rule: false positive condition for BloodHound rule 2019-12-20 15:35:13 +01:00
Florian Roth 708c17e2bc rule: Bloodhound 2019-12-20 14:59:36 +01:00
Florian Roth ab038d1ac7 style: minor changes 2019-12-20 14:59:26 +01:00
Florian Roth c8b6b5c556 rule: updating csc.exe rule 2019-12-17 13:45:40 +01:00
Florian Roth 7a3041c593 rule: improved csc.exe rule 2019-12-17 11:05:43 +01:00
Florian Roth e8d92fab0c rule: ryuk ransomware 2019-12-16 20:33:12 +01:00
Florian Roth bbaa9df217 rule: better JAB rule 2019-12-16 19:08:51 +01:00
Florian Roth f83eb2268e rule: improved JAB expression 2019-12-16 19:04:05 +01:00
Florian Roth bd7c996588 rule: suspicious PS rule modified to cover newest malware campaigns 2019-12-16 19:02:57 +01:00
Florian Roth 9c59e3cf13 Merge branch 'master' into devel 2019-12-12 09:40:02 +01:00
Florian Roth c25b902add Merge pull request #558 from vburov/patch-7 
Added svchost.exe as a parent image
 2019-12-10 20:17:22 +01:00
Vasiliy Burov 977551c69d Added some suspicious locations 
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
 2019-12-10 20:17:40 +03:00
Vasiliy Burov 0dd4324aba Added svchost.exe as a parent image 
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
 2019-12-10 19:31:12 +03:00
Florian Roth e1244acf49 rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00
Florian Roth c1647ca4b7 Merge branch 'master' into devel 2019-12-06 13:38:29 +01:00
Florian Roth c8e29da7ec fix: simplified rule with RE 2019-12-03 11:24:06 +01:00
Florian Roth fc09533f56 style: fixed title 2019-12-03 11:24:06 +01:00
Florian Roth 39293d5f2b rule: another reference for CVE-2019-1388 rule 2019-11-20 15:09:30 +01:00
Florian Roth f9e6a929ba rule: made it more specific - command line must contain URL 2019-11-20 09:23:04 +01:00
Florian Roth 55e66b1843 rule: added status 2019-11-20 09:21:42 +01:00
Florian Roth 4022e3251b rule: changed title 2019-11-20 09:16:00 +01:00
Florian Roth 158f6b3065 rule: exploitation of CVE-2019-1388 2019-11-20 09:12:02 +01:00
Florian Roth da05c9bb82 fix: line break in description 2019-11-18 15:26:55 +01:00
Florian Roth ff3ed04405 rule: Exploiting SetupComplete.cmd CVE-2019-1378 2019-11-15 00:26:18 +01:00
Florian Roth 2b7699cc15 fix: fixed broken condition 2019-11-14 10:15:18 +01:00
Florian Roth 95a8563606 Rule: suspicious msiexec directory 2019-11-14 09:51:55 +01:00
Thomas Patzke 0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke 5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
Thomas Patzke 0065e2420f Merge branch 'oscd-qa' 2019-11-12 20:54:11 +01:00
Florian Roth b7c3f8da91 refactor: cleanup, single element lists, renamed files, level adjustments 2019-11-12 12:55:05 +01:00
Florian Roth 8cc16d252a fix: more FP reductions 2019-11-09 23:36:29 +01:00
Florian Roth be62fad5cc fix: fixed false positive in suspicious shell spawn rule 2019-11-09 10:45:46 +01:00
Thomas Patzke 8ae824f09f Improved rules 
Reduced false positives
 2019-11-08 23:56:14 +01:00
Thomas Patzke 6e2fe09d24 Removed invalid tags 2019-11-08 22:02:12 +01:00
yugoslavskiy b176339da8 Merge pull request #479 from alexpetrov12/master 
add rule
 2019-11-08 02:16:22 +03:00
yugoslavskiy 00fc6c62b4 Delete renamed_binary_description.yml 
agreed on improvements. will be added later
 2019-11-08 02:16:01 +03:00
yugoslavskiy 4443870577 Delete win_odbcconf_execution.yml 
merged with rules/windows/process_creation/win_odbcconf_execution.yml
 2019-11-08 01:36:03 +03:00
yugoslavskiy 3b34ed6150 add modifiers 2019-11-08 01:34:30 +03:00
yugoslavskiy 82b185db6a Update win_sysmon_driver_unload.yml 2019-11-07 04:11:26 +03:00
yugoslavskiy 404a6d9915 Update win_netsh_packet_capture.yml 2019-11-07 03:37:41 +03:00
yugoslavskiy ddf24819ed Update silenttrinity_stage_use.yml 2019-11-07 03:33:12 +03:00
yugoslavskiy 0d8c64da86 duplicate rule deleted 
this rule already present in Sigma repo — [./rules/windows/process_creation/win_susp_comsvcs_procdump.yml](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_comsvcs_procdump.yml)
 2019-11-07 03:21:09 +03:00
yugoslavskiy 5513687e63 Merge branch 'master' of https://github.com/Neo23x0/sigma into oscd 2019-11-07 03:03:35 +03:00
Florian Roth c60563e546 rule: add modified rule date 2019-11-05 11:24:52 +01:00
yugoslavskiy 82f23c5f63 Merge pull request #477 from zinint/oscd 
add 13 new rules:

- rules/linux/auditd/lnx_auditd_masquerading_crond.yml 
- rules/linux/auditd/lnx_auditd_user_discovery.yml 
- rules/linux/auditd/lnx_data_compressed.yml 
- rules/linux/auditd/lnx_network_sniffing.yml 
- rules/windows/powershell/powershell_data_compressed.yml 
- rules/windows/powershell/powershell_winlogon_helper_dll.yml 
- rules/windows/process_creation/win_change_default_file_association.yml 
- rules/windows/process_creation/win_data_compressed_with_rar.yml 
- rules/windows/process_creation/win_local_system_owner_account_discovery.yml 
- rules/windows/process_creation/win_network_sniffing.yml 
- rules/windows/process_creation/win_query_registry.yml 
- rules/windows/process_creation/win_service_execution.yml 
- rules/windows/process_creation/win_xsl_script_processing.yml 

modify 1 rule:

- rules/windows/process_creation/win_possible_applocker_bypass.yml
 2019-11-05 04:55:29 +03:00
yugoslavskiy cc7aebe9b6 Update win_service_execution.yml 2019-11-05 04:42:53 +03:00