security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,617 Commits 1 Branch 57 Tags
56ffa9ec0edb454d43dacfdee535e1efad2e2e2b
Commit Graph

455 Commits

Author SHA1 Message Date
Antonlovesdnb 56ffa9ec0e Update sysmon_registry_trust_record_modification.yml 2020-02-19 14:50:09 -05:00
Antonlovesdnb 397cdecb94 5 Rules covering various macro techniques 
- Rule to look for GAC DLL loaded by an Office Product
- Rule to look for any DLL in C:\Windows\assembly loaded by an Office Product
- Rule to look for clr.dll loaded by an Office Product
- Rule to look for directory services parsing dll loaded by an Office Product
- Rule to look for kerberos dll loaded by an Office Product
 2020-02-19 14:43:13 -05:00
Antonlovesdnb f8be92dae0 Add files via upload 2020-02-19 10:13:44 -05:00
Florian Roth bf98d286f9 Merge pull request #615 from Neo23x0/devel 
fix: dumpert rule with wrong sysmon event id
 2020-02-08 20:03:28 +01:00
Florian Roth be9b80d6ab fix: dumpert rule with wrong sysmon event id 2020-02-07 13:14:18 +01:00
Florian Roth 1a80b180fd Merge pull request #613 from Neo23x0/devel 
rule: dumpert process dump tool
 2020-02-04 23:07:07 +01:00
Florian Roth 10490a6cee rule: reworked dumpert rule 2020-02-04 22:56:04 +01:00
Florian Roth 1f44969afd rule: avoiding build issues with sysmon event id 1 2020-02-04 22:50:46 +01:00
Florian Roth 535e2d149b rule: improved dumpert rule 2020-02-04 22:46:16 +01:00
Florian Roth 8f8b977c85 rule: dumpert process dump tool 2020-02-04 22:38:06 +01:00
Florian Roth aa8a0f5e1f Merge pull request #606 from Neo23x0/devel 
refactor: moved rues from 'apt' folder in respective folders
 2020-02-01 18:25:19 +01:00
Florian Roth 03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth 8c4aadb423 Merge branch 'master' into Renamed_Files 2020-01-31 08:49:10 +01:00
Florian Roth 190afcac88 Missing ID, wrong tag 2020-01-31 07:32:28 +01:00
Florian Roth 033ab26d5e Added date 2020-01-31 07:21:02 +01:00
Florian Roth 82cae6d63c Merge pull request #604 from Neo23x0/devel 
New tests, colorized test output and rule cleanup
 2020-01-31 07:07:13 +01:00
Florian Roth d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth 376092cfd3 Merge pull request #565 from RiccardoAncarani/master 
Add Covenant default named pipe
 2020-01-29 20:28:00 +01:00
Florian Roth d48fc9d1ff fix: multiple false positive conditions 2020-01-28 10:11:09 +01:00
Tim Burrell (MSTIC) c24bbdcf81 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
 2020-01-24 15:31:06 +01:00
msec1203 4f29556a01 Update win_susp_winword_wmidll_load.yml 
Update x2
 2020-01-24 15:31:06 +01:00
msec1203 48a071ad4e Update win_susp_winword_wmidll_load.yml 
Fix to error on incorrect mitre tags used.
 2020-01-24 15:31:06 +01:00
msec1203 4260d01ff0 Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
 2020-01-24 15:31:06 +01:00
Thomas Patzke b34bf98c61 Fixed rule: added condition 2020-01-07 15:20:16 +01:00
Florian Roth fd28a64591 rule: WCE 2019-12-31 09:27:38 +01:00
Riccardo Ancarani 8b70cb6761 Add Covenant default named pipe 
Covenant (https://github.com/cobbr/Covenant) can use named pipes for peer to peer communication.
The default named pipe name is "\gruntsvc".
References: https://posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456
 2019-12-18 15:19:47 +00:00
Florian Roth 98aa4d4ecb fix: fixed typo in rule for renamed procdump 2019-11-19 15:59:07 +01:00
Florian Roth 2c855be9d3 fix: casing fix in renamed procdump rule 2019-11-18 15:57:14 +01:00
Florian Roth 93f890b31d rule: renamed procdump 2019-11-18 15:27:04 +01:00
Thomas Patzke 0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke 5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
Thomas Patzke d42cc78509 Converted rules Sysmon/1 parts to generic process_creation 2019-11-12 21:06:24 +01:00
Thomas Patzke 0065e2420f Merge branch 'oscd-qa' 2019-11-12 20:54:11 +01:00
Florian Roth b7c3f8da91 refactor: cleanup, single element lists, renamed files, level adjustments 2019-11-12 12:55:05 +01:00
Florian Roth 038f205f0f fix: FPs with UserInitMprLogonScript rule 2019-11-09 23:32:53 +01:00
Florian Roth fbe138ed90 rule: reduced level of rule to medium due to FPs 2019-11-09 23:24:31 +01:00
yugoslavskiy b176339da8 Merge pull request #479 from alexpetrov12/master 
add rule
 2019-11-08 02:16:22 +03:00
yugoslavskiy 98f32e9098 Delete sysmon_mimikatz_сreds_dump.yml 
merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
 2019-11-08 02:06:31 +03:00
yugoslavskiy 6d61401b12 Delete sysmon_сreds_dump.yml 
merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
 2019-11-08 02:06:20 +03:00
yugoslavskiy 562e07de38 Delete cobalt_execute_assembly.yml 
merged with existing [sysmon_cobaltstrike_process_injection.yml](https://github.com/Neo23x0/sigma/blob/oscd/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml)
 2019-11-08 01:42:42 +03:00
yugoslavskiy 52d099a6e3 improve sysmon_cobaltstrike_process_injection.yml 2019-11-08 01:41:26 +03:00
yugoslavskiy 6083d70975 Update sysmon_registry_persistence_key_linking.yml 2019-11-07 04:23:20 +03:00
yugoslavskiy ce849a1184 Merge branch 'master' into oscd 2019-11-04 20:48:19 +03:00
yugoslavskiy 1f1fd68331 Merge pull request #472 from feedb/oscd 
add 11 new rules:

- rules/linux/auditd/lnx_auditd_web_rce.yml
- rules/windows/process_creation/process_creation_susp_bginfo.yml
- rules/windows/process_creation/process_creation_susp_cdb.yml
- rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml
- rules/windows/process_creation/process_creation_susp_dnx.yml
- rules/windows/process_creation/process_creation_susp_dxcap.yml
- rules/windows/process_creation/process_creation_susp_msoffice.yml
- rules/windows/process_creation/process_creation_susp_odbcconf.yml
- rules/windows/process_creation/process_creation_susp_openwith.yml
- rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml
- rules/windows/sysmon/sysmon_webshell_creation_detect.yml
 2019-11-04 20:40:58 +03:00
yugoslavskiy 19396fd274 Update sysmon_webshell_creation_detect.yml 2019-11-04 19:23:52 +03:00
Karneades 0117dac1db fix: bound sysmon logon script rule to field 
Fixed rule:
- rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
 2019-11-02 11:47:20 +01:00
Florian Roth 8ff85499c8 rule: svchost dll search order hijack 2019-10-28 12:03:03 +01:00
alexpetrov12 7aa804fe90 added new rules 
Packet capture Windows command prompt, ODBCCONF execution dll, Windows Registry Persistence - COM key linking
 2019-10-25 18:01:36 +03:00
alexpetrov12 cc998aa667 fix 2019-10-24 00:48:43 +03:00