security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,295 Commits 1 Branch 57 Tags
6e349030d9ffbc4fb89e27dfd2d3897f7b620b3d
Commit Graph

587 Commits

Author SHA1 Message Date
Florian Roth d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth 2e77e65285 rule: Covenant launchers 2020-06-05 11:03:28 +02:00
Florian Roth 39b41b5582 rule: moved DebugView rule to process creation category 2020-05-28 10:13:38 +02:00
Florian Roth 4ca81b896d rule: Turla ComRAT report 2020-05-26 14:19:22 +02:00
Sander Wiebing 6fcf3f9ebf Update win_netsh_fw_add.yml 2020-05-25 10:13:26 +02:00
Sander Wiebing 28652e4648 Add Windows Server 2008 and Windows Vista support 
It did not support the command `netsh advfirewall firewall add`
 2020-05-25 10:02:13 +02:00
Sander Wiebing 2678cd1d3e Create win_netsh_fw_add_susp_image.yml 
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. 

Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
 2020-05-25 09:50:47 +02:00
Florian Roth 9cd9a301c2 Merge pull request #791 from SanWieb/master 
added rule for Netsh RDP port opening
 2020-05-23 16:50:31 +02:00
ecco 10ca3006f5 move rule where needed 2020-05-23 10:07:55 -04:00
Sander Wiebing d310805ed9 rule: Netsh RDP port opening 2020-05-23 14:19:52 +02:00
ecco 9a7f462d79 move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule) 2020-05-23 07:17:56 -04:00
Florian Roth 12e1aeaf9f Merge pull request #788 from Neo23x0/rule-devel 
refactor: split up rule for CVE-2020-1048 into 2 rules
 2020-05-23 09:54:43 +02:00
Florian Roth 34006d0794 refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 09:16:19 +02:00
Florian Roth 57c8e63acd refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 09:09:58 +02:00
Thomas Patzke 96fae4be68 Added CrachMapExec rules 2020-05-22 00:50:37 +02:00
Florian Roth 64e0e7ca72 Merge pull request #784 from Neo23x0/rule-devel 
refactor: slightly improved Greenbug rule
 2020-05-21 14:19:09 +02:00
Florian Roth 91c4c4ecc5 refactor: slightly improved Greenbug rule 2020-05-21 13:38:11 +02:00
Florian Roth bbf78374b6 Merge pull request #783 from Neo23x0/rule-devel 
Greenbug Rule
 2020-05-21 09:55:46 +02:00
Florian Roth 9a3b6c1c77 docs: added MITRE ATT&CK group tag 2020-05-21 09:44:11 +02:00
Florian Roth 344eb713c5 rule: Greenbug campaign 2020-05-21 09:39:57 +02:00
ZikyHD 8963c0a65e Remove duplicate 'CommandLine' in fields 2020-05-20 11:54:47 +02:00
ecco fd386fe8eb standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine 2020-05-15 12:35:32 -04:00
Florian Roth 8e082283f0 Merge pull request #754 from Neo23x0/rule-devel 
Rule devel
 2020-05-15 12:07:04 +02:00
ecco 54cf535dbc remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike) 2020-05-15 04:45:25 -04:00
Florian Roth ab950fb89d fix: removed rules missing in master 2020-05-14 15:53:09 +02:00
Florian Roth 7652813c2c Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives 
Widen the search as it gives too many false negatives
 2020-05-13 21:02:12 +02:00
zaphod 78a5c743f2 Widen the search as it gives too many false negatives 2020-05-13 16:20:23 +02:00
Florian Roth 78a8266a1b Merge pull request #749 from teddy-ROxPin/patch-6 
Create win_advanced_ip_scanner.yml
 2020-05-13 14:09:12 +02:00
Florian Roth 220a14f31c fix: typo in contains 2020-05-13 12:38:54 +02:00
Florian Roth a1856c5743 Update win_advanced_ip_scanner.yml 2020-05-13 11:56:25 +02:00
zaphod a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00
teddy_ROxPin bb17fd74ee Create win_advanced_ip_scanner.yml 
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
 2020-05-12 21:43:01 -06:00
Florian Roth 1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth 2b18b66c16 Merge branch 'master' into rule-devel 2020-05-11 10:50:10 +02:00
Florian Roth 4366a95024 rule: Maze ransomware 2020-05-11 10:46:26 +02:00
Florian Roth f96c3a5fd4 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
 2020-05-11 10:44:19 +02:00
Remco Verhoef 2d38cb7b52 fix incorrect use of global 2020-05-06 23:00:45 +02:00
Florian Roth c71e10a7f3 Merge pull request #717 from Karneades/renamedbinary 
Add netsh to renamed binary rule
 2020-05-02 14:12:34 +02:00
Florian Roth b4b9b0155f Merge pull request #716 from Karneades/patch-1 
Add rule to detect wifi creds harvesting using netsh
 2020-05-02 14:12:10 +02:00
Maxime Thiebaut 4600bf73dc Update rules to follow the Sigma state specification 
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following:

> Declares the status of the rule:
>  - stable: the rule is considered as stable and may be used in production systems or dashboards.
>  - test: an almost stable rule that possibly could require some fine tuning.
>  - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.

However the Sigma Rx YAML specification states the following:

> ```yaml
> status:
>     type: //any
>     of:
>         - type: //str
>           value: stable
>         - type: //str
>           value: testing
>         - type: //str
>           value: experimental
> ```

The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
 - [`sigma/sigma-schema.rx.yml`](https://github.com/Neo23x0/sigma/blob/a805d18bbae60d3e4f291c8a18304104ed2e71c7/sigma-schema.rx.yml#L49)
 - [`sigma/tools/sigma/filter.py`](https://github.com/Neo23x0/sigma/blob/f3c60a63099f80296c8750aaba667e98ac71a4f7/tools/sigma/filter.py#L26)
 - [`sigma/tools/sigmac`](https://github.com/Neo23x0/sigma/blob/4e42bebb3480720966a59528cd8482c6271e603c/tools/sigmac#L98)

Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
 2020-04-24 20:50:31 +02:00
Andreas Hunkeler 7d437c2969 Add netsh to renamed binary rule 2020-04-20 17:12:25 +02:00
Andreas Hunkeler d4e9606266 Improve netsh wifi rule another time due to arg shortcut 2020-04-20 16:40:03 +02:00
Andreas Hunkeler af498d8a8c Improve rule to detect argument shortcut in netsh wlan rule 2020-04-20 16:32:25 +02:00
Andreas Hunkeler ba541c3952 Fix title for new netsh wifi rule 2020-04-20 16:20:45 +02:00
Andreas Hunkeler d9e5274c9e Add rule to detect wifi creds harvesting using netsh 2020-04-20 16:14:44 +02:00
vesche 3889be6255 Replace reference link for win_susp_netsh_dll_persistence 2020-04-10 01:05:10 -05:00
vesche 82db80bee6 Remove wrong mitre technique 2020-04-10 01:02:43 -05:00
vesche 72b821e046 Update win_susp_netsh_dll_persistence.yml 2020-04-09 11:16:18 -05:00
Thomas Patzke 551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Florian Roth 4e3985866b Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml 2020-04-03 16:50:48 +02:00