security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
268 Commits 1 Branch 57 Tags
64caa8aedc7500d5c94de356a0d2da233a6c1070
Commit Graph

54 Commits

Author SHA1 Message Date
Florian Roth 92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
Florian Roth 0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth fa90fb2fed Improved WMIC process call create rule 2017-03-29 22:11:05 +02:00
Florian Roth e6a81623a8 PowerShell Combo - False Positive with MOM 2017-03-29 22:10:28 +02:00
Florian Roth f91f813b3f Improved certutil.exe rules 2017-03-27 22:30:26 +02:00
Florian Roth b0c8ffb051 Combined vssadmin rule 2017-03-26 01:27:26 +01:00
Florian Roth 800262a738 Renamed and double removed 2017-03-26 01:27:08 +01:00
Michael Haag 5ea6fad999 net.exe and wmic.exe 
Suspicious execution of net and wmic
 2017-03-25 06:48:23 -07:00
Florian Roth 10ee36f26c Updated Eventvwr UAC evasion 2017-03-22 14:40:55 +01:00
Florian Roth 3bfa9ed121 Bugfix: Minor fix cause Sysmon uses SID as Software key 2017-03-21 10:44:53 +01:00
Florian Roth b1da8c5b32 Bugfix: Fixed UAC bypass rules 2017-03-21 10:42:22 +01:00
Florian Roth f9be5b99ad Rule: Suspicious task creation description changed 2017-03-21 10:23:53 +01:00
Florian Roth 6f38a44ec1 Broader definition certutil.exe rule 2017-03-20 22:07:04 +01:00
Florian Roth 2817ea2605 Bugfix in UAC Rule 2017-03-19 19:46:19 +01:00
Florian Roth b2c15c2cf7 Rule: UAC bypass via eventvwr, minor changes 2017-03-19 19:34:06 +01:00
Florian Roth c82da0dc5c Rules: Suspicious locations and back connect ports 2017-03-19 15:22:27 +01:00
Thomas Patzke 56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel d3bd73aefb Create sysmon_sdclt_uac_bypass.yml 
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
 2017-03-17 14:31:26 -04:00
Florian Roth 3a7652fff9 Added references to rule 2017-03-17 00:25:54 +01:00
Florian Roth c6843d41bc Rule: Vssadmin / NTDS.dit activity 2017-03-17 00:23:55 +01:00
Florian Roth d00bbd9fb5 Rule: Windows recon activity 2017-03-16 18:59:17 +01:00
Florian Roth 140141b7a2 Rule: Suspicious PowerShell parent image combination 2017-03-16 18:58:59 +01:00
Florian Roth 091bb8fab7 Renamed and removed double space 2017-03-16 18:58:32 +01:00
Florian Roth cb683a6b56 Rule: Suspicious executions in web folders / non-exe folders 2017-03-13 23:56:06 +01:00
Florian Roth c571848e9b Rule: Scheduled task creation 2017-03-13 20:45:28 +01:00
Florian Roth de46c8c0a0 Reduced to user accounts 2017-03-13 19:09:29 +01:00
Florian Roth 36c941d5d8 Restrict rule to non-private IP ranges only 2017-03-13 18:45:15 +01:00
Florian Roth 8d36e2a1b5 Rule: Suspicious PowerShell Parameter Substring 2017-03-13 17:23:25 +01:00
Florian Roth 85c298c43c Bugfix in rule 2017-03-13 15:09:48 +01:00
Florian Roth 606d74546a Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00
Florian Roth a0047f7c67 Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00
Florian Roth 4470c2f893 PowerShell Suspicious Invocation > Sysmon 2017-03-12 17:11:05 +01:00
Florian Roth d6957f1c2e Merge pull request #10 from MHaggis/master 
Sysmon
 2017-03-09 08:05:22 +01:00
Michael Haag c5f05dd829 bitsadmin & VSSAdmin 
+Bitsadmin download
+VSSAdmin delete
 2017-03-08 22:49:35 -08:00
Florian Roth 7b815ef3e5 Sysmon PowerShell - Suspicious Param Combination 2017-03-05 23:51:39 +01:00
Florian Roth 12535417d9 Typo 2017-03-05 01:47:37 +01:00
Michael Haag a3cd7123a8 wscript/cscript 
WSF, JSE, JS, VBA and VBE file execution
 2017-03-04 14:40:34 -08:00
Michael Haag 4ac5d86479 mshta shells 
🐚 for all!
 2017-03-04 14:33:09 -08:00
Michael Haag 1317fe9df2 Modifications 
+ Added Sysmon detection of Office binaries spawning Windows shells
+ Additional web servers added for webshell detection
 2017-03-04 14:22:44 -08:00
Florian Roth a9d6295791 Rule: Sysmon Malware Shellcode in Verclsid Process 2017-03-04 10:38:23 +01:00
Florian Roth 15e61a9681 Rule: Certutil Decode in AppData 2017-03-02 11:28:34 +01:00
Florian Roth b6459a00ab Two new Sysmon rules for Office Macro/PS detection 2017-03-02 11:06:53 +01:00
Florian Roth 8559837aab Removed Sysmon EventLog from selection > via 'logsource' 2017-03-02 11:06:20 +01:00
Florian Roth b4f2a74371 Proposed changes to mimimkatz-inmemory aggregation 2017-03-01 10:16:43 +01:00
Thomas Patzke 15c6f9411b Rule review 
* Typos
* Added false positive descriptions
 2017-02-24 23:44:42 +01:00
Florian Roth 52d04e52ac Removed lists from log source section 2017-02-19 11:08:40 +01:00
Florian Roth 166f207dc0 Sysmon rules 'logsource' change 2017-02-19 09:19:06 +01:00
Florian Roth cd6e24c5ff Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00
Florian Roth 18fd63f6b7 Levels to low, medium, high, critical 2017-02-16 18:06:22 +01:00
Thomas Patzke 88270fcf2d Rule review and cleanup 
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
  OR linkage would cause wrong result.
 2017-02-15 23:53:08 +01:00