security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,661 Commits 1 Branch 57 Tags
58b68758b4e5c8fcaec8d8b6b95b5e1f273df481
Commit Graph

653 Commits

Author SHA1 Message Date
Florian Roth 58b68758b4 fix: wrong MITRE ATT&CK ids used in the beta version 2020-07-14 17:53:32 +02:00
Florian Roth 437a567e4f Merge pull request #917 from Neo23x0/rule-devel 
New Empire Rules and Updates
 2020-07-13 16:37:59 +02:00
Florian Roth 557e8b0faf rule: improved Empire detection 2020-07-13 15:47:53 +02:00
Florian Roth 7e8aa7b12b Merge pull request #915 from Neo23x0/rule-devel 
rule: regsvr32 flags anomaly
 2020-07-13 12:16:05 +02:00
Florian Roth 7a63fd56da rule: regsvr32 flags anomaly 2020-07-13 11:59:44 +02:00
Florian Roth 168952840b Merge pull request #910 from Neo23x0/rule-devel 
Rule devel
 2020-07-10 14:17:22 +02:00
Florian Roth 268a28daed rule: Evilnum Golden Chicken rule OCX 2020-07-10 13:02:52 +02:00
Florian Roth 7949729fa4 rule: PowerShell encoded character syntax 2020-07-09 08:52:32 +02:00
Thomas Patzke 3e17cc1900 Merge pull request #894 from caliskanfurkan/master 
ditsnap, a credential access tool used in ransomware attacks
 2020-07-07 23:21:36 +02:00
Furkan CALISKAN 8ef82e48eb ditsnap 2020-07-04 23:21:52 +03:00
Florian Roth 11517edbd7 rule: suspicious curl usage 2020-07-03 18:55:44 +02:00
Florian Roth c4267a4614 rule: suspicious curl file upload 2020-07-03 18:20:44 +02:00
Florian Roth 4d9e2e8c16 fix: trailing white space 2020-07-03 17:59:50 +02:00
Florian Roth 4dc818aafd fix: rar flags rule caused too many FPs 2020-07-03 13:20:24 +02:00
Florian Roth abf5f799d6 docs: more references 2020-07-03 13:19:44 +02:00
Florian Roth 5f04fcccf5 fix: broken links 2020-07-03 11:22:06 +02:00
Florian Roth 3111ab8396 refactor: new way to write that rule 2020-07-03 11:20:36 +02:00
Florian Roth d12b8347dc fix: bug in cmstp rule 
https://github.com/Neo23x0/sigma/issues/876
 2020-07-03 11:19:11 +02:00
Florian Roth 0bbf40fb14 refactor: include xcopy 2020-07-03 11:03:45 +02:00
Florian Roth 3bea08edfc refactor: copy from/to system32 rule 2020-07-03 10:56:26 +02:00
Florian Roth 34ea706e4f fix: typo in systemroot 2020-07-03 10:24:58 +02:00
Florian Roth 0fa1c1525b fix: missing copy command 2020-07-03 10:17:34 +02:00
Florian Roth 1f0b1e58a9 fix: bugs in rule and title 2020-07-03 09:54:10 +02:00
Florian Roth 01ed87186f Copy From System Root rule 2020-07-03 09:45:58 +02:00
Florian Roth 33fef8bcf5 DesktopImgDownLdr rules 2020-07-03 09:45:48 +02:00
Florian Roth 9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
Florian Roth 154181c6c8 fix: renamed files and lien break change 2020-07-01 09:48:48 +02:00
Florian Roth d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Florian Roth eb3a6e86af Merge pull request #867 from HarishHary/suspicious_powershell_parent_process 
New Rule: Suspicious powershell parent process
 2020-06-30 10:00:28 +02:00
Harish SEGAR 9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR 5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Florian Roth 5a11ef90d0 rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR 1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Florian Roth bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
Furkan ÇALIŞKAN b091e3b1c4 Update for new method 
Update for method mentioned in https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 2020-06-22 01:06:34 +03:00
Florian Roth e1225784f7 fix: fixed indentation 2020-06-19 09:54:08 +02:00
Florian Roth 62632db818 refactor: added variant to IE rule 2020-06-19 09:53:35 +02:00
Florian Roth 5cb6f5da9d fix: title adjusted 2020-06-19 09:39:11 +02:00
Florian Roth b8a5cd4787 Disabled IE Security Features 2020-06-19 09:37:10 +02:00
Florian Roth da060bfb90 Ke3chang rule 2020-06-19 09:36:54 +02:00
Ivan Kirillov b343df2225 Further subtechnique updates 2020-06-17 11:31:40 -06:00
Ivan Kirillov 5c0bb0e94f Fixed indentation 2020-06-16 15:01:13 -06:00
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth 87053502a3 Merge pull request #839 from rtkbkish/fix-double-backslash 
Fix match for double-backslash
 2020-06-15 20:19:56 +02:00
Florian Roth 46bd56a708 Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation 
Fix logsource field name from service->category
 2020-06-15 20:18:53 +02:00
Brad Kish f196046b3d Fix match for double-backslash 
To match a double-backslash you actually need three backslashes, since two
backslashes gets reduced to one.
 2020-06-15 13:39:50 -04:00
Brad Kish 422b2bffd7 Fix rules with incorrect escaping of wildcars 
A backslash before a wildcard needs to be escaped with another backslash.
 2020-06-15 13:38:18 -04:00
Brad Kish 8d58c8f5c8 Fix logsource field name from service->category 
The rule win_invoke_obfuscation_obfuscated_iex_commandline has the
wrong field name for the "process_creation" tag. Rename from "service"
to "category"
 2020-06-15 13:18:05 -04:00