security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

678 Commits

Author SHA1 Message Date
Florian Roth 2c855be9d3 fix: casing fix in renamed procdump rule 2019-11-18 15:57:14 +01:00
Florian Roth 93f890b31d rule: renamed procdump 2019-11-18 15:27:04 +01:00
yugoslavskiy ac21810d7a Merge pull request #516 from yugoslavskiy/oscd_task_#2_credentials_dumping 
oscd task #2 completed
 2019-11-14 01:03:27 +03:00
yugoslavskiy 01ed5a7135 Update sysmon_unsigned_image_loaded_into_lsass.yml 2019-11-14 00:58:39 +03:00
yugoslavskiy 20a5c9498c Update sysmon_raw_disk_access_using_illegitimate_tools.yml 2019-11-14 00:58:00 +03:00
yugoslavskiy 4b8873b706 Update sysmon_lsass_memory_dump_file_creation.yml 2019-11-14 00:55:20 +03:00
yugoslavskiy f0cce60a2c Update sysmon_cred_dump_tools_dropped_files.yml 2019-11-14 00:53:25 +03:00
yugoslavskiy cd69111522 Merge branch 'oscd' into master 2019-11-14 00:36:34 +03:00
yugoslavskiy 3cd1abd0a1 Update sysmon_suspicious_remote_thread.yml 2019-11-14 00:34:09 +03:00
yugoslavskiy 1e75979a2a Update sysmon_minidumwritedump_lsass.yml 2019-11-14 00:32:06 +03:00
yugoslavskiy c8ee6e9631 Merge pull request #504 from yugoslavskiy/oscd_ilyas_ochkov 
[OSCD] Ilyas Ochkov contribution
 2019-11-14 00:22:48 +03:00
yugoslavskiy b47748399d Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml 2019-11-14 00:19:30 +03:00
yugoslavskiy 1fe7f55d47 Update sysmon_suspicious_outbound_kerberos_connection.yml 2019-11-14 00:10:05 +03:00
yugoslavskiy 07ad11f3ae Update sysmon_possible_dns_rebinding.yml 2019-11-14 00:08:50 +03:00
yugoslavskiy ded75d033a Update sysmon_new_dll_added_to_appinit_dlls_registry_key.yml 2019-11-13 23:47:24 +03:00
yugoslavskiy 0cb1d4fdbd Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml 2019-11-13 23:44:03 +03:00
yugoslavskiy bba360212a Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml 2019-11-13 23:43:45 +03:00
yugoslavskiy e6e308ef51 Update sysmon_disable_security_events_logging_adding_reg_key_minint.yml 2019-11-13 23:40:29 +03:00
Thomas Patzke 0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke 5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
Thomas Patzke d42cc78509 Converted rules Sysmon/1 parts to generic process_creation 2019-11-12 21:06:24 +01:00
Thomas Patzke 0065e2420f Merge branch 'oscd-qa' 2019-11-12 20:54:11 +01:00
Florian Roth b7c3f8da91 refactor: cleanup, single element lists, renamed files, level adjustments 2019-11-12 12:55:05 +01:00
yugoslavskiy 385ebac502 Merge pull request #497 from Heirhabarov/master 
OSCD Task 1 - Privilege Escalation
 2019-11-11 01:33:28 +03:00
yugoslavskiy 8adc51d4aa Update sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml 2019-11-11 01:30:19 +03:00
yugoslavskiy 69a99bc2c3 Merge pull request #493 from alx1m1k/oscd 
[OSCD] rules from Jet CSIRT team
 2019-11-10 23:11:24 +03:00
yugoslavskiy 1f5a31f0e7 fix logsource for remote_powershell_session_process.yml 2019-11-10 23:10:24 +03:00
yugoslavskiy fcde35d6ab Update sysmon_regsvr32_network_activity.yml 2019-11-10 22:51:53 +03:00
yugoslavskiy 0beeaadb6f Update sysmon_narrator_feedback_persistance.yml 2019-11-10 22:47:48 +03:00
yugoslavskiy 5756df1922 rename file 2019-11-10 21:56:34 +03:00
yugoslavskiy e5e44e2ade Merge pull request #488 from stvetro/oscd 
[OSCD][ART] Task 7: T1060, T1031
 2019-11-10 21:39:32 +03:00
yugoslavskiy f2f1628506 Update and rename sysmon_runkey_from_powershell.yml to sysmon_asep_regirstry_modification.yml 2019-11-10 21:36:21 +03:00
yugoslavskiy 0db5436778 add tieto dns exfil rules 2019-11-10 20:27:21 +03:00
yugoslavskiy bdac415fea Merge pull request #486 from yugoslavskiy/tieto_oscd 
[OSCD] Tieto DNS exfiltration rules
 2019-11-10 19:36:02 +03:00
yugoslavskiy 4fa928866f oscd task #6 done. 
add 25 new rules:

- win_ad_replication_non_machine_account.yml
- win_dpapi_domain_backupkey_extraction.yml
- win_protected_storage_service_access.yml
- win_dpapi_domain_masterkey_backup_attempt.yml
- win_sam_registry_hive_handle_request.yml
- win_sam_registry_hive_dump_via_reg_utility.yml
- win_lsass_access_non_system_account.yml
- win_ad_object_writedac_access.yml
- powershell_alternate_powershell_hosts.yml
- sysmon_remote_powershell_session_network.yml
- win_remote_powershell_session.yml
- win_scm_database_handle_failure.yml
- win_scm_database_privileged_operation.yml
- sysmon_wmi_module_load.yml
- sysmon_remote_powershell_session_process.yml
- sysmon_rdp_registry_modification.yml
- sysmon_powershell_execution_pipe.yml
- sysmon_alternate_powershell_hosts_pipe.yml
- sysmon_powershell_execution_moduleload.yml
- sysmon_createremotethread_loadlibrary.yml
- sysmon_alternate_powershell_hosts_moduleload.yml
- powershell_remote_powershell_session.yml
- win_non_interactive_powershell.yml
- win_syskey_registry_access.yml
- win_wmiprvse_spawning_process.yml

improve 1 rule:

- rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
 2019-11-10 18:43:41 +03:00
yugoslavskiy c0ac9b8fb9 fix conflict 2019-11-10 17:31:33 +03:00
yugoslavskiy 127335a0ec Merge pull request #482 from yugoslavskiy/master 
[OSCD][The ThreatHunter-Playbook] Task 6: DONE
 2019-11-10 17:27:54 +03:00
yugoslavskiy a59d4fdd33 Merge branch 'master' of https://github.com/Neo23x0/sigma into oscd 2019-11-10 14:47:27 +03:00
Florian Roth 038f205f0f fix: FPs with UserInitMprLogonScript rule 2019-11-09 23:32:53 +01:00
Florian Roth fbe138ed90 rule: reduced level of rule to medium due to FPs 2019-11-09 23:24:31 +01:00
yugoslavskiy b176339da8 Merge pull request #479 from alexpetrov12/master 
add rule
 2019-11-08 02:16:22 +03:00
yugoslavskiy 98f32e9098 Delete sysmon_mimikatz_сreds_dump.yml 
merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
 2019-11-08 02:06:31 +03:00
yugoslavskiy 6d61401b12 Delete sysmon_сreds_dump.yml 
merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
 2019-11-08 02:06:20 +03:00
yugoslavskiy 6b98c37910 Update and rename sysmon_mimikatz_detection_lsass.yml to sysmon_cred_dump_lsass_access.yml 2019-11-08 02:05:34 +03:00
yugoslavskiy 562e07de38 Delete cobalt_execute_assembly.yml 
merged with existing [sysmon_cobaltstrike_process_injection.yml](https://github.com/Neo23x0/sigma/blob/oscd/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml)
 2019-11-08 01:42:42 +03:00
yugoslavskiy 52d099a6e3 improve sysmon_cobaltstrike_process_injection.yml 2019-11-08 01:41:26 +03:00
yugoslavskiy 8164e1e096 Update sysmon_mimikatz_detection_lsass.yml 2019-11-07 04:50:22 +03:00
yugoslavskiy 7affc09c19 Update sysmon_mimikatz_detection_lsass.yml 2019-11-07 04:33:40 +03:00
yugoslavskiy 6083d70975 Update sysmon_registry_persistence_key_linking.yml 2019-11-07 04:23:20 +03:00
yugoslavskiy ce849a1184 Merge branch 'master' into oscd 2019-11-04 20:48:19 +03:00