security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,370 Commits 1 Branch 57 Tags
62bd2cc3ab201cca4eee58dfbbf0c2a49ab7c600
Commit Graph

1120 Commits

Author SHA1 Message Date
Alessio Dalla Piazza f45587074b Add the ability to detect PowerUp - Invoke-AllChecks 
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
 2019-12-23 11:50:57 +01:00
Florian Roth fc8607bbea rule: whoami as local system 2019-12-22 18:50:26 +01:00
Florian Roth fb76f2b9ac rule: CreateMiniDump 2019-12-22 08:29:12 +01:00
Florian Roth 511229c0b6 rule: modified Bloodhound rule 2019-12-21 21:22:13 +01:00
Florian Roth 1fd4c26005 Merge pull request #569 from Neo23x0/devel 
rule: improved bloodhound rule
 2019-12-20 17:32:21 +01:00
Florian Roth 0fa5ba925e rule :improved bloodhound rule 2019-12-20 17:23:40 +01:00
Florian Roth cbebaf637f Merge pull request #568 from Neo23x0/devel 
Devel
 2019-12-20 16:22:29 +01:00
Florian Roth 0e82dce2a0 fix: fixed wrong condition 2019-12-20 16:11:39 +01:00
Florian Roth 0000257371 rule: improved bloodhound rule 2019-12-20 16:08:26 +01:00
Florian Roth 3a933c38f2 rule: changed level of BloodHound rule 2019-12-20 15:37:58 +01:00
Florian Roth 68efeb909d rule: false positive condition for BloodHound rule 2019-12-20 15:35:13 +01:00
Florian Roth 825b1edb0f Merge pull request #567 from Neo23x0/devel 
Devel
 2019-12-20 15:32:56 +01:00
Florian Roth 708c17e2bc rule: Bloodhound 2019-12-20 14:59:36 +01:00
Florian Roth ab038d1ac7 style: minor changes 2019-12-20 14:59:26 +01:00
Florian Roth 0a26184286 Merge pull request #563 from Neo23x0/devel 
Devel
 2019-12-17 14:48:07 +01:00
Florian Roth c8b6b5c556 rule: updating csc.exe rule 2019-12-17 13:45:40 +01:00
Florian Roth 7a3041c593 rule: improved csc.exe rule 2019-12-17 11:05:43 +01:00
Florian Roth e8d92fab0c rule: ryuk ransomware 2019-12-16 20:33:12 +01:00
Florian Roth da06e5bc1c Merge pull request #562 from Neo23x0/devel 
Improved PowerShell Encoded Command Rule
 2019-12-16 19:31:15 +01:00
Florian Roth bbaa9df217 rule: better JAB rule 2019-12-16 19:08:51 +01:00
Florian Roth f83eb2268e rule: improved JAB expression 2019-12-16 19:04:05 +01:00
Florian Roth bd7c996588 rule: suspicious PS rule modified to cover newest malware campaigns 2019-12-16 19:02:57 +01:00
Florian Roth 7acfecbe66 Merge pull request #530 from bartblaze/master 
Add scriptlets
 2019-12-14 11:24:51 +01:00
Thomas Patzke 1369b3a2dc Merge pull request #537 from webhead404/webhead404-contrib-sigma 
Added sigma rule to detect external devices or USB drive
 2019-12-13 21:50:01 +01:00
Thomas Patzke 7a280ae092 Merge pull request #557 from robrankin/fix_dupe_rule_name 
Elastalert error, duplicate rule titles
 2019-12-13 21:46:58 +01:00
Florian Roth 9c59e3cf13 Merge branch 'master' into devel 2019-12-12 09:40:02 +01:00
Florian Roth c25b902add Merge pull request #558 from vburov/patch-7 
Added svchost.exe as a parent image
 2019-12-10 20:17:22 +01:00
Vasiliy Burov 977551c69d Added some suspicious locations 
Added 'C:\Windows\Tasks' and 'C:\Windows\System32\Tasks' as suspicious locations accordingly article: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
 2019-12-10 20:17:40 +03:00
Vasiliy Burov 0dd4324aba Added svchost.exe as a parent image 
Added svchost.exe as a parent image accordingly this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations.
 2019-12-10 19:31:12 +03:00
Rob Rankin e251568760 Data Compressed duplciate titles 2019-12-09 16:24:10 +00:00
Rob Rankin b771dd3d3b Rule name conflicts in Elastalert output 2019-12-09 16:14:28 +00:00
Florian Roth e1244acf49 rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00
Florian Roth c1647ca4b7 Merge branch 'master' into devel 2019-12-06 13:38:29 +01:00
Thomas Patzke ad7d5d2a39 Added WMI login rule 2019-12-04 11:13:04 +01:00
Thomas Patzke e8c1c97f3e Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00
Thomas Patzke c47af5169c Increased SID history rule severity 2019-12-03 14:28:46 +01:00
Thomas Patzke 76578927e8 Added domain trust rule 2019-12-03 14:28:20 +01:00
Florian Roth c8e29da7ec fix: simplified rule with RE 2019-12-03 11:24:06 +01:00
Florian Roth fc09533f56 style: fixed title 2019-12-03 11:24:06 +01:00
webhead404 21ef152e3a Update win_external_device.yml 2019-11-20 16:19:45 -06:00
webhead404 2bfd4ea654 Added MITRE tags 2019-11-20 16:18:03 -06:00
webhead404 5c5d28acdc Create win_external_device 2019-11-20 16:07:29 -06:00
Florian Roth 39293d5f2b rule: another reference for CVE-2019-1388 rule 2019-11-20 15:09:30 +01:00
Florian Roth f9e6a929ba rule: made it more specific - command line must contain URL 2019-11-20 09:23:04 +01:00
Florian Roth 55e66b1843 rule: added status 2019-11-20 09:21:42 +01:00
Florian Roth 4022e3251b rule: changed title 2019-11-20 09:16:00 +01:00
Florian Roth 158f6b3065 rule: exploitation of CVE-2019-1388 2019-11-20 09:12:02 +01:00
Florian Roth 98aa4d4ecb fix: fixed typo in rule for renamed procdump 2019-11-19 15:59:07 +01:00
Florian Roth 2c855be9d3 fix: casing fix in renamed procdump rule 2019-11-18 15:57:14 +01:00
Florian Roth 93f890b31d rule: renamed procdump 2019-11-18 15:27:04 +01:00