Commit Graph

650 Commits

Author SHA1 Message Date
Florian Roth 869162a5da Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id
Rule lists extra Sysmon ID (11). Should just match registry events (1…
2020-06-15 20:19:27 +02:00
Florian Roth 3482e048fb Merge pull request #841 from rtkbkish/fix-rule-match
Rule needs endwith, not exact match.
2020-06-15 20:19:12 +02:00
Brad Kish dfae2a6df6 Rule needs endwith, not exact match.
Fix ImageLoaded filter to match with endswith, rather than exact match.
2020-06-15 13:54:02 -04:00
Brad Kish a9c6fa904f Rule lists extra Sysmon ID (11). Should just match registry events (12-14)
Remove extraneous event ID 11. It will never match.
2020-06-15 13:52:12 -04:00
Brad Kish 422b2bffd7 Fix rules with incorrect escaping of wildcards
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
Florian Roth 97c45f9d46 Merge pull request #812 from tliffick/master
added new rules for malware
2020-06-10 17:37:19 +02:00
Florian Roth f553fb2e33 Cosmetics 2020-06-10 16:35:14 +02:00
Florian Roth 48e4e31713 Merge pull request #826 from NVISO-BE/sysmon_susp_fax_dll
Fax Service DLL search order hijacking detection
2020-06-10 16:33:12 +02:00
Florian Roth 1a9da23611 Merge pull request #825 from NVISO-BE/sysmon_office_persistence
Office persistence by addin detection
2020-06-10 16:32:50 +02:00
Remco Hofman 8adaa2d672 Fixed bad indentation 2020-06-10 15:02:41 +02:00
Remco Hofman 83a6e25bcb Fax Service DLL search order hijacking 2020-06-10 15:01:07 +02:00
Remco Hofman cb8e478ac1 Sigma rule to detect Office persistence via addin. 2020-06-10 14:52:13 +02:00
Florian Roth 5c835cf1f2 Merge pull request #813 from ozirus/patch-1
Create sysmon_apt_muddywater_dnstunnel.yml
2020-06-09 18:44:45 +02:00
Florian Roth 7a334a8d8a fix: missed line 2020-06-09 17:30:54 +02:00
Florian Roth 04913a4b95 Aligned indentation 2020-06-09 17:20:25 +02:00
Florian Roth 0c2f2fe6df Merge pull request #816 from Neo23x0/rule-devel
merged Cyb3rWarD0g's rules
2020-06-06 16:27:59 +02:00
Florian Roth d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth 72deaa98f5 Merge pull request #815 from Neo23x0/rule-devel
Rule devel
2020-06-06 14:19:37 +02:00
Florian Roth 3697186281 fix: fixed title 2020-06-06 14:04:40 +02:00
Florian Roth 246a95557b fix: description over multiple lines 2020-06-06 13:56:48 +02:00
Florian Roth d54209dcc5 rule: ETW disabled 2020-06-06 13:56:19 +02:00
Furkan ÇALIŞKAN 082696ee84 Added UUID 2020-06-04 18:38:42 +03:00
Furkan ÇALIŞKAN e958a6a939 Date added 2020-06-04 18:34:44 +03:00
Furkan ÇALIŞKAN 5e373153eb Title fix 2020-06-04 18:28:37 +03:00
Furkan ÇALIŞKAN 0744107fbb Deleted EventID part 2020-06-04 18:19:08 +03:00
Furkan ÇALIŞKAN 1c677aa172 Fix title as in guideline
Fix title error as in guideline and other cosmetic changes
2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN bafd6bde5f Convert to process_creation
Convert to process_creation
2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN 09afae1e66 Create sysmon_apt_muddywater_dnstunnel.yml
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
2020-06-04 14:27:19 +03:00
Trent Liffick 3c89f46899 removed unwanted file 2020-06-03 17:43:12 -04:00
Trent Liffick 2af501c9f5 added rule for zLoader & Office
detects changes to Office macro settings & ZLoader malware
2020-06-03 17:40:05 -04:00
William Bruneau 84dd8c39c4 Move null values out from list in rules 2020-06-03 13:57:22 +02:00
Sven Scharmentke 4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'.
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
Florian Roth e20b58c421 Merge pull request #806 from SanWieb/sysmon_creation_system_file
Fixed wrong field & Improve rule
2020-05-29 17:32:27 +02:00
Sander Wiebing a00f7f19a1 Add tag Endswith
Prevent the trigger of {}.exe.log
2020-05-29 16:25:54 +02:00
Sander Wiebing 38afd8b5de Fixed wrong field 2020-05-28 21:52:17 +02:00
Florian Roth 39b41b5582 rule: moved DebugView rule to process creation category 2020-05-28 10:13:38 +02:00
Florian Roth 76dcc1a16f rule: renamed debugview 2020-05-28 09:22:25 +02:00
Florian Roth ec313b6c8a Merge pull request #801 from SanWieb/sysmon_creation_system_file
Rule: sysmon_creation_system_file
2020-05-27 08:49:20 +02:00
Sander Wiebing d44fc43c54 Add extension 2020-05-26 19:10:11 +02:00
Sander Wiebing f6ec724d51 Rule: sysmon_creation_system_file 2020-05-26 18:53:54 +02:00
Florian Roth c1f4787566 Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048
Changes to sysmon_cve-2020-1048
2020-05-26 13:21:04 +02:00
Remco Hofman 48c5f2ed09 Update to sysmon_cve-2020-1048
Added .com executables to detection
Second TargetObject should have been Details
2020-05-26 11:20:21 +02:00
ecco 7037e77569 add more FP 2020-05-25 04:50:22 -04:00
Sander Wiebing b8ee736f44 Remove AppData folder as suspicious folder
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord (\AppData\Local\Discord\)
- Spotify (\AppData\Roaming\Spotify\)

Too many to whitelist them all
2020-05-24 15:16:07 +02:00
ecco f970d28f10 add more false positives 2020-05-23 15:06:15 -04:00
ecco 67faf4bd41 fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml 2020-05-23 10:56:23 -04:00
ecco 10ca3006f5 move rule where needed 2020-05-23 10:07:55 -04:00
ecco d9bc09c38c fix test 2020-05-23 10:02:58 -04:00
ecco 78a7852a43 renamed dbghelp rule with new ID and comment and removed a false positive 2020-05-23 09:16:40 -04:00
ecco 75ba5f989c add 1 more FP to wmi load 2020-05-23 07:44:45 -04:00