security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

678 Commits

Author SHA1 Message Date
Tran Trung Hieu 3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
Florian Roth 1104044f53 fix: delete duplicate rules 2020-05-11 10:55:02 +02:00
Florian Roth f96c3a5fd4 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/proxy/proxy_ua_suspicious.yml
#	rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
 2020-05-11 10:44:19 +02:00
Florian Roth 514bd8657b Merge pull request #704 from Iveco/master 
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
 2020-04-14 14:11:27 +02:00
Florian Roth 3175a48bdc Casing 2020-04-14 13:40:34 +02:00
Florian Roth ecdec93800 Casing 2020-04-14 13:39:58 +02:00
Maxime Thiebaut 86c6891427 Add Windows Registry Persistence COM Search Order Hijacking 2020-04-14 12:59:29 +02:00
Iveco c5211eb94a Update sysmon_susp_service_installed.yml 
CI
 2020-04-08 18:54:46 +02:00
Iveco 4520082ef7 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
CI
 2020-04-08 18:54:37 +02:00
Iveco 6d85650390 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed Author
 2020-04-08 18:41:33 +02:00
Iveco fc1febdebe Update sysmon_susp_service_installed.yml 
Fixed Author
 2020-04-08 18:41:25 +02:00
Iveco 3280a1dfb0 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed CI
 2020-04-08 18:23:29 +02:00
Iveco 5e724a0a54 Update sysmon_susp_service_installed.yml 
Fixed CI
 2020-04-08 18:22:51 +02:00
iveco e87f2705a7 Detect Ghost-In-The-Logs (disabling/bypassing ETW) 2020-04-08 18:01:04 +02:00
Chris O'Brien fe5dbece3d Date typos...more than I thought... 2020-04-02 10:00:00 +02:00
Clément Notin 18cdddb09e Small typo 2020-03-31 15:22:00 +02:00
Florian Roth 8ea6b12eed Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini 
Add "Suspicious desktop.ini Action" rule
 2020-03-28 13:34:01 +01:00
Florian Roth fe5b5a7782 Merge pull request #673 from j91321/rules-minor-fixes 
Minor fixes to several rules
 2020-03-28 13:27:05 +01:00
Florian Roth e2b90220a2 Update sysmon_susp_desktop_ini.yml 2020-03-28 13:19:10 +01:00
Iveco 55258e1799 Title capitalized 2020-03-26 17:04:08 +01:00
Iveco 68c20dca20 Fixed title length 2020-03-26 16:56:46 +01:00
iveco ddacde9e6b add LDAPFragger detections 2020-03-26 15:13:36 +01:00
Florian Roth 35e43db7a7 fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00
j91321 78bfa950d7 Add WinPrvSE.exe to detection 2020-03-24 19:47:10 +01:00
Maxime Thiebaut dce18b23b7 Add "Suspicious desktop.ini Action" rule 2020-03-19 21:43:03 +01:00
ecco 2489b8534c sysmon registry events fix 2020-03-09 12:02:04 -04:00
Florian Roth 7e8b59abe6 Merge pull request #643 from grumo35/patch-2 
Update sysmon_cred_dump_tools_dropped_files.yml
 2020-03-07 10:39:35 +01:00
ecco b9e4734087 fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon 2020-03-04 12:47:42 -05:00
Florian Roth f98ad7a8df fix: wrong identifier 2020-03-03 11:25:02 +01:00
Florian Roth 7139bfb0cb fix: avoiding FPs with Citrix software 
writing C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_r23phtye.jsp.ps1
 2020-03-03 11:01:42 +01:00
Florian Roth fdcba84fc8 fix: escaped backslash 2020-02-29 10:12:59 +01:00
grumo35 0d932810b5 Update sysmon_cred_dump_tools_dropped_files.yml 
Adding sysinternal's procdump utility more about this on : https://en.hackndo.com/remote-lsass-dump-passwords/
 2020-02-28 15:16:18 +01:00
Florian Roth f88225dd2a Merge pull request #640 from Neo23x0/devel 
fix: broader exclusion for rule - OneDrive false positives
 2020-02-26 18:41:52 +01:00
Florian Roth 6bbd80a8ee fix: broader exclusion for rule - OneDrive false positives 2020-02-26 18:31:58 +01:00
Florian Roth 0ba6874645 Merge pull request #638 from Neo23x0/devel 
Several false positives with new rules
 2020-02-26 09:46:02 +01:00
Florian Roth 4f3e3166d3 fixing false positives 2020-02-26 09:33:55 +01:00
Florian Roth 82d2b1e6f0 Merge branch 'master' into devel 
# Conflicts:
#	rules/windows/process_creation/win_susp_squirrel_lolbin.yml
 2020-02-26 09:27:48 +01:00
Florian Roth e7aff17e72 FP: OneDrive setup 2020-02-26 09:26:19 +01:00
Florian Roth a152853ac3 Merge pull request #624 from Antonlovesdnb/master 
New rules for Macro Detections
 2020-02-25 15:44:31 +01:00
Antonlovesdnb e8b861bff4 Update sysmon_susp_winword_vbadll_load.yml 2020-02-25 09:24:29 -05:00
Antonlovesdnb 4c5d489428 Update sysmon_susp_office_kerberos_dll_load.yml 2020-02-25 09:23:52 -05:00
Antonlovesdnb f92e2f2b18 Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-25 09:23:22 -05:00
Antonlovesdnb 8141b1ae90 Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-25 09:22:56 -05:00
Antonlovesdnb 45e4a585bf Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-25 09:22:37 -05:00
Antonlovesdnb c5b42aeaed Update sysmon_susp_office_dotnet_clr_dll_load.yml 2020-02-25 09:19:03 -05:00
Antonlovesdnb bb1eecfe14 Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-25 09:17:33 -05:00
Florian Roth 950fa18418 fix: changed titles to avoid duplicates 2020-02-25 11:12:47 +01:00
Thomas Patzke 48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Thomas Patzke 373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
 2020-02-20 23:00:16 +01:00
Antonlovesdnb 9625a94d0b Update sysmon_susp_office_dotnet_assembly_dll_load.yml 2020-02-19 14:52:31 -05:00