security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,444 Commits 1 Branch 57 Tags
51363d8a87c8abe51ea84b1c720b7eacf3b2f91d
Commit Graph

1711 Commits

Author SHA1 Message Date
Florian Roth d24ec665fd Merge pull request #838 from rtkbkish/fix-identifier 
Identifiers shared between global document and rule gets overwritten
 2020-06-15 20:20:23 +02:00
Florian Roth 87053502a3 Merge pull request #839 from rtkbkish/fix-double-backslash 
Fix match for double-backslash
 2020-06-15 20:19:56 +02:00
Florian Roth 869162a5da Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id 
Rule lists extra Sysmon ID (11). Should just match registry events (1…
 2020-06-15 20:19:27 +02:00
Florian Roth 3482e048fb Merge pull request #841 from rtkbkish/fix-rule-match 
Rule needs endwith, not exact match.
 2020-06-15 20:19:12 +02:00
Florian Roth 46bd56a708 Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation 
Fix logsource field name from service->category
 2020-06-15 20:18:53 +02:00
Brad Kish dfae2a6df6 Rule needs endwith, not exact match. 
Fix ImageLoaded filter to match with endswith, rather than exact match.
 2020-06-15 13:54:02 -04:00
Brad Kish a9c6fa904f Rule lists extra Sysmon ID (11). Should just match registry events (12-14) 
Remove extraneous event ID 11. It will never match.
 2020-06-15 13:52:12 -04:00
Brad Kish f196046b3d Fix match for double-backslash 
To match a double-backslash you actually need three backslashes, since two
backslashes gets reduced to one.
 2020-06-15 13:39:50 -04:00
Brad Kish 422b2bffd7 Fix rules with incorrect escaping of wildcars 
A backslash before a wildcard needs to be escaped with another backslash.
 2020-06-15 13:38:18 -04:00
Brad Kish 8d58c8f5c8 Fix logsource field name from service->category 
The rule win_invoke_obfuscation_obfuscated_iex_commandline has the
wrong field name for the "process_creation" tag. Rename from "service"
to "category"
 2020-06-15 13:18:05 -04:00
Brad Kish f5aa871e5d Identifiers shared between global document and rule gets overwritten 
The global document defines a "selection" identifier which is also defined the
individual rules. The rule identifier is getting overwritten by the global identifier.
Fix by giving unique names to the global identifier.
 2020-06-15 13:14:31 -04:00
Iveco 40f0fd989d - moved to "process_creation" folder instead of "sysmon" 
- renamed .yml file
 2020-06-11 19:21:17 +02:00
Iveco 34d7ea2974 removed one field 2020-06-11 16:23:15 +02:00
Iveco 2081baafe5 updated to process_creation 2020-06-11 15:58:05 +02:00
Iveco f56e2599b1 Cmd.exe Path Traversal Detection 2020-06-11 15:48:48 +02:00
Florian Roth 97c45f9d46 Merge pull request #812 from tliffick/master 
added new rules for malware
 2020-06-10 17:37:19 +02:00
Florian Roth 96309d247b fix: cosmetic fault 2020-06-10 16:41:03 +02:00
Florian Roth 6e4aa01baa Cosmetics 2020-06-10 16:36:17 +02:00
Florian Roth 13c7d40a22 Cosmetics 2020-06-10 16:35:41 +02:00
Florian Roth f553fb2e33 Cosmetics 2020-06-10 16:35:14 +02:00
Florian Roth 48e4e31713 Merge pull request #826 from NVISO-BE/sysmon_susp_fax_dll 
Fax Service DLL search order hijacking detection
 2020-06-10 16:33:12 +02:00
Florian Roth 1a9da23611 Merge pull request #825 from NVISO-BE/sysmon_office_persistence 
Office persistence by addin detection
 2020-06-10 16:32:50 +02:00
Remco Hofman 8adaa2d672 Fixed bad indentation 2020-06-10 15:02:41 +02:00
Remco Hofman 83a6e25bcb Fax Service DLL search order hijacking 2020-06-10 15:01:07 +02:00
Remco Hofman cb8e478ac1 Sigma rule to detect Office persistence via addin. 2020-06-10 14:52:13 +02:00
Florian Roth 5c835cf1f2 Merge pull request #813 from ozirus/patch-1 
Create sysmon_apt_muddywater_dnstunnel.yml
 2020-06-09 18:44:45 +02:00
Florian Roth 7a334a8d8a fix: missed line 2020-06-09 17:30:54 +02:00
Florian Roth 04913a4b95 Aligned indentation 2020-06-09 17:20:25 +02:00
Florian Roth 9b8f8b7e09 Merge pull request #822 from NVISO-BE/win_mal_flowcloud 
TA410 FlowCloud malware detection
 2020-06-09 17:18:39 +02:00
Remco Hofman a9bf22750a Fixed bad indentation 2020-06-09 16:30:17 +02:00
Remco Hofman 4ce3ea735e TA410 FlowCloud malware detection 2020-06-09 16:21:46 +02:00
Remco Hofman d14d391761 Octopus Scanner malware rule 2020-06-09 16:12:05 +02:00
Florian Roth 0c2f2fe6df Merge pull request #816 from Neo23x0/rule-devel 
merged Cyb3rWarD0g's rules
 2020-06-06 16:27:59 +02:00
Florian Roth d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth 72deaa98f5 Merge pull request #815 from Neo23x0/rule-devel 
Rule devel
 2020-06-06 14:19:37 +02:00
Florian Roth 3697186281 fix: fixed title 2020-06-06 14:04:40 +02:00
Florian Roth 246a95557b fix: description over multiple lines 2020-06-06 13:56:48 +02:00
Florian Roth d54209dcc5 rule: ETW disabled 2020-06-06 13:56:19 +02:00
Florian Roth 2e77e65285 rule: Covenant launchers 2020-06-05 11:03:28 +02:00
Furkan ÇALIŞKAN 082696ee84 Added UUID 2020-06-04 18:38:42 +03:00
Furkan ÇALIŞKAN e958a6a939 Date added 2020-06-04 18:34:44 +03:00
Furkan ÇALIŞKAN 5e373153eb Title fix 2020-06-04 18:28:37 +03:00
Furkan ÇALIŞKAN 0744107fbb Deleted EventID part 2020-06-04 18:19:08 +03:00
Furkan ÇALIŞKAN 1c677aa172 Fix title as in guideline 
Fix title error as in guideline and other cosmetic changes
 2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN bafd6bde5f Convert to process_creation 
Convert to process_creation
 2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN 09afae1e66 Create sysmon_apt_muddywater_dnstunnel.yml 
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
 2020-06-04 14:27:19 +03:00
Trent Liffick 6c8c0cd85d Removed incorrect technique 2020-06-03 17:51:57 -04:00
Trent Liffick 3c89f46899 removed unwanted file 2020-06-03 17:43:12 -04:00
Trent Liffick 2af501c9f5 added rule for zLoader & Office 
detects changes to Office macro settings & ZLoader malware
 2020-06-03 17:40:05 -04:00
Trent Liffick a2ca199e7d added rules for Lazaurs and hhsgov 2020-06-03 17:38:03 -04:00