security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
268 Commits 1 Branch 57 Tags
64caa8aedc7500d5c94de356a0d2da233a6c1070
Commit Graph

268 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 64caa8aedc Merge pull request #31 from neu5ron/patch-4 
Create win_alert_ad_user_backdoors.yml
 2017-04-13 01:07:41 +02:00
Florian Roth 1e4d563a4d Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving 
improved win_pass_the_hash.yml rule
 2017-04-13 01:05:09 +02:00
Florian Roth 75a0a2c4bb Merge pull request #27 from benno001/patch-1 
Added field mappings for events with logins
 2017-04-13 01:04:20 +02:00
Nate Guagenti 53313d45be Create win_alert_ad_user_backdoors.yml 2017-04-12 16:15:41 -04:00
Florian Roth a5297b1f29 Equation Group Script/Tool Commands 2017-04-09 20:11:56 +02:00
Florian Roth abb01cc264 Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00
Florian Roth 44bedf9e17 Rule: Cloud Hopper WmiExec VBS 2017-04-07 17:41:53 +02:00
Florian Roth 92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
Florian Roth 875c187425 Merge pull request #29 from neu5ron/patch-2 
Create win_alert_active_directory_user_control.yml
 2017-04-04 18:56:19 +02:00
yugoslavskiy f83d0e36b8 improved win_pass_the_hash.yml rule 
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]

[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
 2017-04-04 02:57:58 +03:00
Nate Guagenti 2bb7d7e6eb Create win_alert_active_directory_user_control.yml 2017-04-03 15:58:23 -04:00
Florian Roth c5b19d5661 Merge pull request #28 from neu5ron/patch-1 
Create win_alert_enable_weak_encryption.yml
 2017-04-03 21:27:20 +02:00
Nate Guagenti 85b4efabed Update win_alert_enable_weak_encryption.yml 2017-04-03 09:15:52 -04:00
Nate Guagenti bd63d74776 Create win_alert_enable_weak_encryption.yml 
kerberoast and enabling weak encryption for password/hash cracking
 2017-04-03 09:12:58 -04:00
Florian Roth 0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth d9e6913c03 APT 29 - tor / google update service 2017-04-01 10:30:36 +02:00
Florian Roth 43d907791c Rule: APT29 Google Update service install 2017-03-31 19:31:13 +02:00
Florian Roth 2657ff7db8 Rule: Carbon Paper Framework Service (Turla) 
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 2017-03-31 19:25:41 +02:00
Florian Roth 919a04666c Improved StoneDrill Rule 2017-03-31 19:25:10 +02:00
Ben de Haan dddb83393d Added field mappings for events with logins 2017-03-30 10:49:36 +02:00
Thomas Patzke f174d861bf Merge pull request #26 from benno001/patch-1 
Added LogPoint conditional username mapping
 2017-03-30 10:46:18 +02:00
Ben de Haan cb9a9bc2ff Added LogPoint conditional username mapping 
Conditional mapping of SubjectAccountName based on EventID. Not a comprehensive list, but should include most relevant Event IDs.
 2017-03-30 09:51:32 +02:00
Thomas Patzke 298f3413f0 Merge branch 'devel-sigmac' 2017-03-29 23:34:52 +02:00
Thomas Patzke c43166d5b9 Fixed log source configuration matching 2017-03-29 23:33:26 +02:00
Thomas Patzke a22fe58ac9 Aggregation support for Splunk backend 2017-03-29 23:18:47 +02:00
Thomas Patzke b62de742d7 Aggregation expression parsing 2017-03-29 23:17:43 +02:00
Thomas Patzke ae5ae8f763 Verbose mode prints tokens if parsing failed 2017-03-29 22:21:40 +02:00
Florian Roth fa90fb2fed Improved WMIC process call create rule 2017-03-29 22:11:05 +02:00
Florian Roth e6a81623a8 PowerShell Combo - False Positive with MOM 2017-03-29 22:10:28 +02:00
Florian Roth f91f813b3f Improved certutil.exe rules 2017-03-27 22:30:26 +02:00
Florian Roth 078eaa1180 Updated Windows suspicious activity 2017-03-27 17:27:04 +02:00
Florian Roth 67d9c44bb3 Improved linux suspicious activity rule 2017-03-27 15:21:39 +02:00
Florian Roth 707e5a948f Rules: Password dumper activity and lateral movement 2017-03-27 15:20:50 +02:00
Florian Roth adbeff505d Brought README up-to-date with the newest devs 2017-03-27 10:46:43 +02:00
Florian Roth c5323ac1c2 Changes to Linux suspicious activity rule 2017-03-27 10:29:57 +02:00
Florian Roth 125bf4f3f2 Rule adjustment 
Added wilcards cause the field can contain a full path
 2017-03-26 23:41:38 +02:00
Florian Roth 53cc80c8f4 Windows Supicious Process Creation 
- Bugfix in selection name
- New keyword expressions
 2017-03-26 23:25:47 +02:00
Florian Roth b0c8ffb051 Combined vssadmin rule 2017-03-26 01:27:26 +01:00
Florian Roth 800262a738 Renamed and double removed 2017-03-26 01:27:08 +01:00
Florian Roth c1a6a542db Rule: Windows 4688 process creation rule 2017-03-26 01:26:34 +01:00
Florian Roth 5c4a13af71 Rules: Linux commands and log entries of interest 2017-03-25 19:59:45 +01:00
Florian Roth c8cc857b7c Improved the linux suspicious keywords rule 2017-03-25 19:23:10 +01:00
Florian Roth 1a5ae7a0e2 Merge pull request #23 from MHaggis/master 
wmic and net
 2017-03-25 17:46:17 +01:00
Michael Haag 5ea6fad999 net.exe and wmic.exe 
Suspicious execution of net and wmic
 2017-03-25 06:48:23 -07:00
Michael Haag 5f6f8f3313 Merge remote-tracking branch 'Neo23x0/master' 2017-03-25 06:21:09 -07:00
Thomas Patzke 9698e8fdf7 Changed Logpoint SubjectAccountName mapping to conditional mapping 2017-03-25 00:27:29 +01:00
Thomas Patzke c978e19d88 Conditional field mappings 2017-03-25 00:21:44 +01:00
Thomas Patzke a4465ce844 Added 1:n field mapping 
MultiFieldMapping
 2017-03-24 00:58:11 +01:00
Thomas Patzke 5009794591 Changes to field mappings 
* Introduced field mapping objects
* moved mapping from backends into parse tree generation
  (SigmaParser.parse_definition)
 2017-03-24 00:48:32 +01:00
Florian Roth 699c638ee2 Bugfix: Wrong Event ID and extended description 2017-03-23 11:50:30 +01:00