security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,079 Commits 1 Branch 57 Tags
2bfd4ea654d0cfe77d5c2ec4e7cb8692e3cd08bb
Commit Graph

925 Commits

Author SHA1 Message Date
webhead404 2bfd4ea654 Added MITRE tags 2019-11-20 16:18:03 -06:00
webhead404 5c5d28acdc Create win_external_device 2019-11-20 16:07:29 -06:00
webhead404 f7a968e3d2 Update and add another selection for regsvr32 
Added cmd.exe to the detection after observing Atomic Red Team test 

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md#atomic-test-2---regsvr32-remote-com-scriptlet-execution
 2019-11-06 15:49:53 -06:00
Florian Roth c60563e546 rule: add modified rule date 2019-11-05 11:24:52 +01:00
Florian Roth 5786688f97 rule: Firewall disabled via Netsh 2019-11-04 16:10:10 +01:00
Thomas Patzke a5579fa8cd Merge pull request #513 from Karneades/fix-sysmon-rule 
fix: bound sysmon logon script rule to field
 2019-11-02 23:04:35 +01:00
Karneades 0117dac1db fix: bound sysmon logon script rule to field 
Fixed rule:
- rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
 2019-11-02 11:47:20 +01:00
Karneades 68fd20cb66 fix: bound windows event log rules to message field 
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
 2019-11-02 11:25:29 +01:00
Florian Roth 3107c0c268 rule: Formbook rule improved 2019-10-31 09:32:18 +01:00
Florian Roth 4741b6a4d6 rule: Mustang Panda dropper 2019-10-30 18:22:40 +01:00
Florian Roth d661771608 rule: another DTRACK reference 2019-10-30 18:22:25 +01:00
Florian Roth 3ac28f3eed rule: DTRACK process creation 2019-10-30 15:16:33 +01:00
Thomas Patzke 219f00e3fb Added command line parameter 
Implements #418
 2019-10-29 23:04:28 +01:00
Thomas Patzke f4e9690d6b Merge pull request #508 from Karneades/fixRule3 
fix: bound keywords to field in multiple PS rules
 2019-10-29 22:34:08 +01:00
Thomas Patzke 78d8ca2b41 Merge pull request #507 from Karneades/fixRule2 
fix: bound keywords to field in PS cred prompt rule
 2019-10-29 22:31:01 +01:00
Thomas Patzke 40df0d4534 Merge pull request #506 from Karneades/fixRule1 
fix: bound keywords to field in WMI persistence rule
 2019-10-29 22:30:27 +01:00
Thomas Patzke 6eb49fc1ce Merge pull request #509 from Karneades/fixRule4 
fix: change keyword and bound it to a field in PS rule
 2019-10-29 22:27:54 +01:00
Thomas Patzke b6403793c1 Fixed escaping in rule 2019-10-29 22:06:23 +01:00
Karneades ab5556ae8c fix: change keyword and bound it to a field 2019-10-29 19:59:43 +01:00
Karneades aafab2e936 fix: bound keywords to field in multiple PS rules 
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
 2019-10-29 19:53:18 +01:00
Karneades f31750e567 fix: bound keywords to field in PS cred prompt rule 2019-10-29 19:43:04 +01:00
Karneades cd20e4a3fc fix: bound keywords to field in WMI persistence rule 
See #501.
 2019-10-29 19:22:41 +01:00
Florian Roth 8ff85499c8 rule: svchost dll search order hijack 2019-10-28 12:03:03 +01:00
Florian Roth 1a3444d0ef docs: comment on rule expression 2019-10-28 12:02:46 +01:00
Florian Roth 42808b7eb8 rule: webshell detection improved 2019-10-26 09:14:54 +02:00
Florian Roth a5ec6722a1 rule: the actual changes to hwp rule 2019-10-24 15:35:13 +02:00
Florian Roth 86c1b4ae4b rule: hwp exploits 2019-10-24 11:46:56 +02:00
Florian Roth 3d4ce9d175 rule: another reference link for 'execution by ordinal' 2019-10-22 15:18:19 +02:00
Florian Roth b3654947bc rule: suspicious call by ordinal (rundll32) 2019-10-22 12:40:26 +02:00
Florian Roth 0f02f2bdfc rule: adjusted very noisy rule on AppLocker whitelist bypass 2019-10-22 12:32:37 +02:00
Florian Roth deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Florian Roth ab292a4029 rule: simplified Emotet rule 2019-10-16 15:29:42 +02:00
Florian Roth c396526f40 rule: LSASS DLL load via undocumented Registry key 
https://twitter.com/SBousseaden/status/1183745981189427200
 2019-10-16 13:18:44 +02:00
Florian Roth 5d143f4f22 rule: emotet rule references extended 2019-10-16 13:18:44 +02:00
Florian Roth d46154da5c rule: extending Emotet rule 2019-10-16 10:22:48 +02:00
Florian Roth 4ea469d138 rule: suspicious compression tool parameters 2019-10-15 16:38:53 +02:00
Florian Roth e870c86fb0 rule: keyboad layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth 52fef7ae10 Merge pull request #468 from 2d4d/lsass_without_exe 
remove .exe from lsass
 2019-10-14 18:03:13 +02:00
Florian Roth 8db1cac910 fix: made rule compatible with event id 4688 2019-10-14 18:01:24 +02:00
Florian Roth 0e2284a176 rule: modified the default 2019-10-14 17:50:48 +02:00
Florian Roth 312311494d rule: suspicious code page switch using chcp 2019-10-14 17:45:25 +02:00
2d4d cf5d7f11ad remove .exe from lsass 2019-10-14 17:26:33 +02:00
Florian Roth 7ee3974428 rule: suspicious keyboard layout load 2019-10-14 16:25:27 +02:00
Florian Roth 5583684efd rule: extended suspicious procdump rule 2019-10-14 16:21:37 +02:00
Florian Roth 98f0d01b2e rule: mimikatz use extended 2019-10-11 18:50:33 +02:00
Florian Roth 60af1f5a4b rule: WMI Backdoor Exchange Transport Agent 2019-10-11 12:12:44 +02:00
Florian Roth ec5bb71049 fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00
Florian Roth 14971a7b9c fix: FPs with Mimikatz DC Sync rule 2019-10-08 17:44:00 +02:00
Thomas Patzke 60ef593a6f Fixed wrong backslash escaping of * 
Fixes issue #466
 2019-10-07 22:14:44 +02:00
Florian Roth d096ab0e21 rules: AV rules updated to reflect 1.7.2 auf AV cheat sheet 2019-10-04 16:17:34 +02:00