Florian Roth
2e6f87e2ef
Update win_susp_ping_hex_ip.yml
2020-09-07 09:34:18 +02:00
503139
df74abc957
removed leading slash and allow for mult spaces
2020-09-04 13:33:31 -04:00
Florian Roth
22465037ac
Update win_susp_mpcmdrun_download.yml
2020-09-04 16:50:57 +02:00
Florian Roth
3283e33cbc
Update and rename win_lolbas_mpcmdrun.yml to win_susp_mpcmdrun_download.yml
2020-09-04 16:49:44 +02:00
Matthew Matchen
df532be142
Added ID field using UUID generated value
2020-09-04 16:38:52 +02:00
Matthew Matchen
2c69815b7b
Removed empty ID field
2020-09-04 16:32:41 +02:00
Matthew Matchen
e0baa097a8
Initial creation
2020-09-04 16:00:23 +02:00
Florian Roth
720ac0d998
fix: syntax bug in rule
2020-09-03 09:18:28 +02:00
Florian Roth
198469bed3
Merge branch 'master' into rule-devel
2020-09-02 17:40:12 +02:00
Florian Roth
423f81c912
Update win_mouse_lock.yml
2020-09-02 14:49:37 +02:00
Florian Roth
73bc514f60
fix: 1 of them / one selection
2020-09-02 12:34:35 +02:00
Florian Roth
7d3a6293f5
rule: Snatch ransomware
2020-08-26 09:42:34 +02:00
Florian Roth
bc74ac1f8a
Update win_susp_rasdial_activity.yml
2020-08-18 14:40:37 +02:00
Florian Roth
da54e89f30
Merge pull request #976 from diskurse/rule-devel
...
Rule devel
2020-08-17 15:02:31 +02:00
Florian Roth
8a02541b0a
style: removed lists where unnecessary
2020-08-17 15:02:16 +02:00
Florian Roth
6dc8dbb6d8
style: removed lists where unnecessary
2020-08-17 15:01:52 +02:00
Bar Haim
bd96b1c5ad
Update win_susp_rasdial_activity.yml
...
`rasdial` is an `exe`, and probably appears as `rasdial.exe`
`LIKE` is more fit in this case
2020-08-16 16:17:49 +03:00
Cian Heasley
b378b3d62b
win_mouse_lock.yml
...
In Kaspersky's 2020 Incident Response Analyst Report they listed the legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
2020-08-13 12:09:07 +01:00
Cian Heasley
d1e9f01d23
win_dnscat2_powershell_implementation.yml
...
The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
2020-08-13 12:06:48 +01:00
Thomas Patzke
f827a557f2
Merge pull request #936 from rtkmokuka/typo_wmiprvse_spawning_process
...
Change filter typo from 'Username' to 'User' for Wmiprvse Spawning Process rule
2020-08-05 23:26:14 +02:00
Florian Roth
4529e4cd52
Merge pull request #966 from Neo23x0/rule-devel
...
rule: TAIDOOR malware load
2020-08-04 14:54:24 +02:00
Florian Roth
052379a512
fix: tightened TAIDOOR rule
2020-08-04 14:37:18 +02:00
Florian Roth
c4953409aa
rule: TAIDOOR malware load
...
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
2020-08-04 14:31:29 +02:00
IPv777
a52583dc68
.002 = SMB/Windows Admin Shares
2020-08-03 17:43:14 +02:00
Florian Roth
df3bfb1b37
rule: Winnti Pipemon
2020-07-30 18:55:47 +02:00
Florian Roth
5abf101c0b
Merge pull request #954 from Neo23x0/rule-devel
...
Rule devel
2020-07-28 10:22:52 +02:00
Florian Roth
8970d03f6f
Merge pull request #952 from Neo23x0/devel
...
feat: Detect duplicate rule tags
2020-07-28 10:21:59 +02:00
Florian Roth
80f4b4ec71
fix: rules with duplicate tags
2020-07-27 11:44:47 +02:00
IPv777
77a8ac59ef
remove duplicate
2020-07-24 16:38:08 +02:00
Florian Roth
8a4b53eb3a
fix: rule leads to FPs on systems that don't log the cmdline parameters
2020-07-23 17:04:16 +02:00
Daniel Masse
13cf0488ae
Add 'contains' for the ps encoded chars rule
2020-07-22 10:49:22 -04:00
Florian Roth
769a9212a5
Merge pull request #943 from diskurse/rule-devel
...
Webshell Recon Detection Via CommandLine & Processes
Add files via upload
2020-07-22 13:02:44 +02:00
Cian Heasley
023bf76363
Add files via upload
...
Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
2020-07-22 09:05:50 +01:00
Aidan Bracher
ff3f9fe9b3
Updated tags
2020-07-18 03:02:43 +01:00
Aidan Bracher
4ffe9cb042
Updated tags with sub-techniques
2020-07-18 02:53:46 +01:00
Aidan Bracher
3bd768e49b
Updated tags with sub-techniques
2020-07-18 02:52:15 +01:00
Aidan Bracher
1442812681
Updated tags
2020-07-18 02:44:53 +01:00
Aidan Bracher
30bd591c96
Update win_apt_ke3chang to include sub-techniques
2020-07-18 02:37:56 +01:00
Marko Okuka
1d39b40fd1
Fixing typo in rule: Username to User
2020-07-16 10:09:29 -04:00
Florian Roth
3025d6850c
Merge pull request #932 from rtkdmasse/rule-selection-typos
...
Change the selection from Command to CommandLine in a couple of rules
2020-07-16 09:10:15 +02:00
Florian Roth
b1de627e94
Update win_apt_zxshell.yml
2020-07-16 08:47:24 +02:00
Daniel Masse
0489a50bd0
Change the selection from Command to CommandLine in a couple of rules
2020-07-15 15:55:26 -04:00
Florian Roth
8f66803ddf
Merge pull request #927 from Neo23x0/rule-devel
...
improved CVE-2020-1350 rule
2020-07-15 12:06:31 +02:00
Florian Roth
1c103a749f
fix: more FPs based on feedback
...
https://twitter.com/GossiTheDog/status/1283341486680166400
2020-07-15 12:05:50 +02:00
Florian Roth
c2eb110fca
fix: more exact patterns
2020-07-15 11:56:11 +02:00
Florian Roth
ae7fbb9245
fix: false positive filters based on SOC Prime's rule
2020-07-15 11:49:20 +02:00
Florian Roth
e5a34a965c
Merge pull request #926 from Neo23x0/rule-devel
...
rule: CVE-2020-1350
2020-07-15 11:19:07 +02:00
Florian Roth
80639afd43
rule: CVE-2020-1350
2020-07-15 11:03:31 +02:00
Florian Roth
c7e412788a
Merge pull request #924 from Neo23x0/devel
...
Live MITRE ATT&CK data from TAXI service in Test Scripts
2020-07-14 18:15:29 +02:00
Florian Roth
38c29977ff
Merge pull request #925 from Neo23x0/rule-devel
...
fix: issue reported as https://github.com/Neo23x0/sigma/issues/923
2020-07-14 18:14:51 +02:00