security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
885 Commits 1 Branch 57 Tags
58afccb2f3ccb7c59ea5fd01a32c26fd57efb64e
Commit Graph

198 Commits

Author SHA1 Message Date
Thomas Patzke 80eaedab8b Fixed tag and date 2018-08-07 08:22:11 +02:00
yt0ng fc091fe3d7 Added ATTCK Mapping 2018-08-05 14:00:22 +02:00
yt0ng b65cb5eaca Possible Shim Database Persistence via sdbinst.exe 2018-08-05 13:55:04 +02:00
Florian Roth dd857c4470 Cosmetics 
If it's only 1 value we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
 2018-07-25 07:37:17 +02:00
yt0ng b415fc8d42 Possible SafetyKatz Dump of debug.bin 
https://github.com/GhostPack/SafetyKatz
 2018-07-24 23:51:46 +02:00
Suleyman Ozarslan e6cbc17c12 ATT&CK tagging of Scheduled Task Creation 2018-07-22 15:56:47 +03:00
Suleyman Ozarslan 8d9b12be07 ATT&CK tagging of Default PowerSploit Schtasks Persistence 2018-07-22 15:53:56 +03:00
Suleyman Ozarslan 080892b5ab ATT&CK tagging of MSHTA Spawning Windows Shell 2018-07-20 09:53:55 +03:00
Suleyman Ozarslan 76f277d5fe ATT&CK tagging of Malicious Named Pipe rule 2018-07-20 09:41:54 +03:00
Suleyman Ozarslan 7e74527344 ATT&CK software tag is added to Bitsadmin Download rule 2018-07-20 09:35:35 +03:00
Florian Roth 1e61adfad1 rule: Changed Registry persistence Explorer RUN key rule 2018-07-19 16:27:19 -06:00
Florian Roth 83d6f12ce3 rule: Registry persistence in Explorer RUN key pointing to suspicious folder 2018-07-19 16:27:19 -06:00
Thomas Patzke f98158f5ad Further ATT&CK tagging 2018-07-19 23:36:13 +02:00
Suleyman Ozarslan 05b91847cd ATT&CK tagging of Suspicious Certutil Command rule 2018-07-19 16:42:39 +03:00
Thomas Patzke bdea097b80 ATT&CK tagging 2018-07-17 23:58:11 +02:00
Florian Roth 9e92b97661 Merge pull request #111 from nikseetharaman/cmstp_execution 
Add sysmon_cmstp_execution
 2018-07-17 14:39:56 -06:00
Florian Roth 3f0040b983 Removed duplicate status field 2018-07-16 15:55:31 -06:00
Florian Roth 429474b6d6 Merge pull request #113 from megan201296/patch-9 
fixed typo
 2018-07-16 15:38:52 -06:00
megan201296 02ea2cf923 fixed typo 2018-07-16 16:20:33 -05:00
megan201296 60310e94c6 fixed typo 2018-07-16 16:13:24 -05:00
Nik Seetharaman 3630386230 Add sysmon_cmstp_execution 2018-07-16 02:53:41 +03:00
Florian Roth 70ab83eb65 Merge pull request #109 from megan201296/patch-6 
Fixed typo
 2018-07-14 18:31:21 -06:00
megan201296 be7a3b0774 Update sysmon_susp_mmc_source.yml 2018-07-13 18:49:08 -05:00
megan201296 a6455cc612 typo fix 2018-07-13 18:48:36 -05:00
megan201296 8944be1efd Update sysmon_susp_driver_load.yml 2018-07-13 18:36:12 -05:00
Florian Roth 57727d2397 Merge pull request #107 from megan201296/typo-fixes 
Typo fixes
 2018-07-10 10:29:10 -06:00
megan201296 24d2d0b258 Fixed typo 2018-07-10 09:14:37 -05:00
megan201296 d6ea0a49fc Fixed typoes 2018-07-10 09:14:07 -05:00
megan201296 3ec67393cd Fixed typo 2018-07-10 09:13:41 -05:00
megan201296 b0bc3b66ed Fixed typo 2018-07-09 13:32:16 -05:00
megan201296 120479abb7 removed duplicates 2018-07-09 12:32:41 -05:00
megan201296 c4bd267151 Fixed typo 2018-07-09 12:02:42 -05:00
megan201296 a7ccfcb50d Fixed spelling mistake 2018-07-09 09:13:31 -05:00
Florian Roth c8fef4d093 fix: removed unnecessary lists 2018-07-07 15:43:56 -06:00
Florian Roth dea019f89d fix: some threat levels adjusted 2018-07-07 13:00:23 -06:00
yt0ng 6a014a3dc8 MSHTA spwaned by SVCHOST as seen in LethalHTA 
"Furthermore it can be detected by an mshta.exe process spawned by svchost.exe."
 2018-07-06 19:52:58 +02:00
Florian Roth ed470feb21 Merge pull request #99 from yt0ng/master 
Detects ImageLoad by uncommon Image
 2018-07-06 10:11:02 -06:00
yt0ng b21afc3bc8 user subTee was removed from Twitter 2018-07-04 17:29:05 +02:00
yt0ng f84c33d005 Known powershell scripts names for exploitation 
Detects the creation of known powershell scripts for exploitation
 2018-07-04 17:24:18 +02:00
Florian Roth 7867838540 fix: typo in rule description 2018-07-03 05:05:44 -06:00
Florian Roth e7465d299f fix: false positive with MsMpEng.exe and svchost.exe as child process 2018-07-03 05:05:44 -06:00
yt0ng 42941ee105 Detects ImageLoad by uncommon Image 
Process Hollowing Described by SubTee using notepad https://twitter.com/subTee/status/1012657434702123008
 2018-07-01 15:47:17 +02:00
Florian Roth 9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
Florian Roth a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth fc72bd16af Fixed bugs 2018-06-27 09:20:41 +02:00
Florian Roth f4b150def8 Rule: Powershell remote thread creation in Rundll32 2018-06-25 15:23:19 +02:00
Florian Roth 1a1011b0ad Merge pull request #96 from yt0ng/master 
Detects the creation of a schtask via PowerSploit Default Configuration
 2018-06-23 17:15:14 +02:00
yt0ng c59d0c7dca Added additional options 2018-06-23 15:54:31 +02:00
yt0ng cc3fd9f5d0 Detects the creation of a schtask via PowerSploit Default Configuration 
https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
 2018-06-23 15:45:58 +02:00
Florian Roth d1d4473505 Rule: ADS with executable 
https://twitter.com/0xrawsec/status/1002478725605273600
 2018-06-03 02:08:57 +02:00