security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
268 Commits 1 Branch 57 Tags
64caa8aedc7500d5c94de356a0d2da233a6c1070
Commit Graph

100 Commits

Author SHA1 Message Date
Florian Roth 64caa8aedc Merge pull request #31 from neu5ron/patch-4 
Create win_alert_ad_user_backdoors.yml
 2017-04-13 01:07:41 +02:00
Florian Roth 1e4d563a4d Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving 
improved win_pass_the_hash.yml rule
 2017-04-13 01:05:09 +02:00
Nate Guagenti 53313d45be Create win_alert_ad_user_backdoors.yml 2017-04-12 16:15:41 -04:00
Florian Roth abb01cc264 Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00
Florian Roth 92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
yugoslavskiy f83d0e36b8 improved win_pass_the_hash.yml rule 
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]

[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win
dows-event-log
 2017-04-04 02:57:58 +03:00
Nate Guagenti 2bb7d7e6eb Create win_alert_active_directory_user_control.yml 2017-04-03 15:58:23 -04:00
Nate Guagenti 85b4efabed Update win_alert_enable_weak_encryption.yml 2017-04-03 09:15:52 -04:00
Nate Guagenti bd63d74776 Create win_alert_enable_weak_encryption.yml 
kerberoast and enabling weak encryption for password/hash cracking
 2017-04-03 09:12:58 -04:00
Florian Roth 0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth fa90fb2fed Improved WMIC process call create rule 2017-03-29 22:11:05 +02:00
Florian Roth e6a81623a8 PowerShell Combo - False Positive with MOM 2017-03-29 22:10:28 +02:00
Florian Roth f91f813b3f Improved certutil.exe rules 2017-03-27 22:30:26 +02:00
Florian Roth 078eaa1180 Updated Windows suspicious activity 2017-03-27 17:27:04 +02:00
Florian Roth 707e5a948f Rules: Password dumper activity and lateral movement 2017-03-27 15:20:50 +02:00
Florian Roth 125bf4f3f2 Rule adjustment 
Added wilcards cause the field can contain a full path
 2017-03-26 23:41:38 +02:00
Florian Roth 53cc80c8f4 Windows Supicious Process Creation 
- Bugfix in selection name
- New keyword expressions
 2017-03-26 23:25:47 +02:00
Florian Roth b0c8ffb051 Combined vssadmin rule 2017-03-26 01:27:26 +01:00
Florian Roth 800262a738 Renamed and double removed 2017-03-26 01:27:08 +01:00
Florian Roth c1a6a542db Rule: Windows 4688 process creation rule 2017-03-26 01:26:34 +01:00
Michael Haag 5ea6fad999 net.exe and wmic.exe 
Suspicious execution of net and wmic
 2017-03-25 06:48:23 -07:00
Florian Roth 699c638ee2 Bugfix: Wrong Event ID and extended description 2017-03-23 11:50:30 +01:00
Florian Roth d377884972 Rule: Rare scheduled tasks creations 2017-03-23 11:45:10 +01:00
Florian Roth 10ee36f26c Updated Eventvwr UAC evasion 2017-03-22 14:40:55 +01:00
Florian Roth fa37f5afcf Rules: PowerShell Downgrade Attacks 2017-03-22 11:17:46 +01:00
Florian Roth 3bfa9ed121 Bugfix: Minor fix cause Sysmon uses SID as Software key 2017-03-21 10:44:53 +01:00
Florian Roth b1da8c5b32 Bugfix: Fixed UAC bypass rules 2017-03-21 10:42:22 +01:00
Florian Roth 7ce958a3ed Bugfixes and improvements 2017-03-21 10:24:20 +01:00
Florian Roth f9be5b99ad Rule: Suspicious task creation description changed 2017-03-21 10:23:53 +01:00
Florian Roth 055992eb05 Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00
Florian Roth 6f38a44ec1 Broader definition certutil.exe rule 2017-03-20 22:07:04 +01:00
Florian Roth 2817ea2605 Bugfix in UAC Rule 2017-03-19 19:46:19 +01:00
Florian Roth b2c15c2cf7 Rule: UAC bypass via eventvwr, minor changes 2017-03-19 19:34:06 +01:00
Florian Roth c82da0dc5c Rules: Suspicious locations and back connect ports 2017-03-19 15:22:27 +01:00
Thomas Patzke 889315c960 Changed values with placeholders to quoted strings 
Values beginning with % cause YAML parse error
 2017-03-18 23:05:16 +01:00
Thomas Patzke 56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel d3bd73aefb Create sysmon_sdclt_uac_bypass.yml 
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
 2017-03-17 14:31:26 -04:00
Florian Roth 59499f926e Bugfix: Taskscheduler log source definition 2017-03-17 16:09:31 +01:00
Florian Roth dd81b18d6e Rule: Suspicious interactive console logons to servers 2017-03-17 09:44:24 +01:00
Florian Roth bcc250e1c7 Added missing description 2017-03-17 08:43:21 +01:00
Florian Roth e46ecd2aff Rule: Rare scheduled task installs 2017-03-17 08:41:27 +01:00
Florian Roth 3a7652fff9 Added references to rule 2017-03-17 00:25:54 +01:00
Florian Roth c6843d41bc Rule: Vssadmin / NTDS.dit activity 2017-03-17 00:23:55 +01:00
Florian Roth d00bbd9fb5 Rule: Windows recon activity 2017-03-16 18:59:17 +01:00
Florian Roth 140141b7a2 Rule: Suspicious PowerShell parent image combination 2017-03-16 18:58:59 +01:00
Florian Roth 091bb8fab7 Renamed and removed double space 2017-03-16 18:58:32 +01:00
Florian Roth dd558e941c Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00
Florian Roth 3eae1f2710 Bug and typo fixes 2017-03-14 14:52:28 +01:00
Florian Roth 2e32e1bb43 Rule: User account added to local Administrators 2017-03-14 12:51:50 +01:00
Florian Roth cb683a6b56 Rule: Suspicious executions in web folders / non-exe folders 2017-03-13 23:56:06 +01:00