security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
3,496 Commits 1 Branch 57 Tags
34ea706e4fe91c8a2c7ae11b953407e1dd67a319
Commit Graph

633 Commits

Author SHA1 Message Date
Florian Roth 34ea706e4f fix: typo in systemroot 2020-07-03 10:24:58 +02:00
Florian Roth 0fa1c1525b fix: missing copy command 2020-07-03 10:17:34 +02:00
Florian Roth 1f0b1e58a9 fix: bugs in rule and title 2020-07-03 09:54:10 +02:00
Florian Roth 01ed87186f Copy From System Root rule 2020-07-03 09:45:58 +02:00
Florian Roth 33fef8bcf5 DesktopImgDownLdr rules 2020-07-03 09:45:48 +02:00
Florian Roth 9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
Florian Roth 154181c6c8 fix: renamed files and lien break change 2020-07-01 09:48:48 +02:00
Florian Roth d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Florian Roth eb3a6e86af Merge pull request #867 from HarishHary/suspicious_powershell_parent_process 
New Rule: Suspicious powershell parent process
 2020-06-30 10:00:28 +02:00
Harish SEGAR 9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR 5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Florian Roth 5a11ef90d0 rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR 1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Florian Roth bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
Furkan ÇALIŞKAN b091e3b1c4 Update for new method 
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 2020-06-22 01:06:34 +03:00
Florian Roth e1225784f7 fix: fixed indentation 2020-06-19 09:54:08 +02:00
Florian Roth 62632db818 refactor: added variant to IE rule 2020-06-19 09:53:35 +02:00
Florian Roth 5cb6f5da9d fix: title adjusted 2020-06-19 09:39:11 +02:00
Florian Roth b8a5cd4787 Disabled IE Security Features 2020-06-19 09:37:10 +02:00
Florian Roth da060bfb90 Ke3chang rule 2020-06-19 09:36:54 +02:00
Ivan Kirillov b343df2225 Further subtechnique updates 2020-06-17 11:31:40 -06:00
Ivan Kirillov 5c0bb0e94f Fixed indentation 2020-06-16 15:01:13 -06:00
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth 87053502a3 Merge pull request #839 from rtkbkish/fix-double-backslash 
Fix match for double-backslash
 2020-06-15 20:19:56 +02:00
Florian Roth 46bd56a708 Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation 
Fix logsource field name from service->category
 2020-06-15 20:18:53 +02:00
Brad Kish f196046b3d Fix match for double-backslash 
To match a double-backslash you actually need three backslashes, since two
backslashes gets reduced to one.
 2020-06-15 13:39:50 -04:00
Brad Kish 422b2bffd7 Fix rules with incorrect escaping of wildcars 
A backslash before a wildcard needs to be escaped with another backslash.
 2020-06-15 13:38:18 -04:00
Brad Kish 8d58c8f5c8 Fix logsource field name from service->category 
The rule win_invoke_obfuscation_obfuscated_iex_commandline has the
wrong field name for the "process_creation" tag. Rename from "service"
to "category"
 2020-06-15 13:18:05 -04:00
Iveco 40f0fd989d - moved to "process_creation" folder instead of "sysmon" 
- renamed .yml file
 2020-06-11 19:21:17 +02:00
Florian Roth 97c45f9d46 Merge pull request #812 from tliffick/master 
added new rules for malware
 2020-06-10 17:37:19 +02:00
Florian Roth 96309d247b fix: cosmetic fault 2020-06-10 16:41:03 +02:00
Florian Roth 6e4aa01baa Cosmetics 2020-06-10 16:36:17 +02:00
Florian Roth 13c7d40a22 Cosmetics 2020-06-10 16:35:41 +02:00
Florian Roth 0c2f2fe6df Merge pull request #816 from Neo23x0/rule-devel 
merged Cyb3rWarD0g's rules
 2020-06-06 16:27:59 +02:00
Florian Roth d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth 72deaa98f5 Merge pull request #815 from Neo23x0/rule-devel 
Rule devel
 2020-06-06 14:19:37 +02:00
Florian Roth 2e77e65285 rule: Covenant launchers 2020-06-05 11:03:28 +02:00
Trent Liffick 6c8c0cd85d Removed incorrect technique 2020-06-03 17:51:57 -04:00
Trent Liffick a2ca199e7d added rules for Lazaurs and hhsgov 2020-06-03 17:38:03 -04:00
Sven Scharmentke 4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'. 
This commit fixes the incorrect spelling.
 2020-06-03 09:00:59 +02:00
Florian Roth 7f2fa05ed3 Merge pull request #802 from Neo23x0/rule-devel 
ComRAT and KazuarRAT
 2020-05-28 11:16:44 +02:00
Florian Roth 39b41b5582 rule: moved DebugView rule to process creation category 2020-05-28 10:13:38 +02:00
Florian Roth 4ca81b896d rule: Turla ComRAT report 2020-05-26 14:19:22 +02:00
Sander Wiebing 3681b8cb56 Extended Windows processes 2020-05-26 13:56:51 +02:00
Sander Wiebing f9f814f3b3 Shortened title 2020-05-26 13:06:27 +02:00
Sander Wiebing a241792e10 Reduce FP of legitime processes 
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe

All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.

Python 2.7, 3.3 and 3.7 does not have any file characteristics.

So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
 2020-05-26 12:58:15 +02:00
Sander Wiebing 6fcf3f9ebf Update win_netsh_fw_add.yml 2020-05-25 10:13:26 +02:00
Sander Wiebing 28652e4648 Add Windows Server 2008 and Windows Vista support 
It did not support the command `netsh advfirewall firewall add`
 2020-05-25 10:02:13 +02:00