security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

678 Commits

Author SHA1 Message Date
yugoslavskiy 1f1fd68331 Merge pull request #472 from feedb/oscd 
add 11 new rules:

- rules/linux/auditd/lnx_auditd_web_rce.yml
- rules/windows/process_creation/process_creation_susp_bginfo.yml
- rules/windows/process_creation/process_creation_susp_cdb.yml
- rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml
- rules/windows/process_creation/process_creation_susp_dnx.yml
- rules/windows/process_creation/process_creation_susp_dxcap.yml
- rules/windows/process_creation/process_creation_susp_msoffice.yml
- rules/windows/process_creation/process_creation_susp_odbcconf.yml
- rules/windows/process_creation/process_creation_susp_openwith.yml
- rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml
- rules/windows/sysmon/sysmon_webshell_creation_detect.yml
 2019-11-04 20:40:58 +03:00
yugoslavskiy 19396fd274 Update sysmon_webshell_creation_detect.yml 2019-11-04 19:23:52 +03:00
darkquasar 5f027e97c2 fixing as as per comment on rule 
https://github.com/Neo23x0/sigma/pull/505#discussion_r340790327
 2019-11-03 20:35:58 -08:00
yugoslavskiy 701e7f7cc6 oscd task #2 completed 
- new rules:

	+ rules/windows/builtin/win_susp_lsass_dump_generic.yml
	+
rules/windows/builtin/win_transferring_files_with_credential_data_via_ne
twork_shares.yml
	+
rules/windows/builtin/win_remote_registry_management_using_reg_utility.y
ml
	+ rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
	+ rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
	+
rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
	+
rules/windows/process_creation/process_creation_shadow_copies_creation.y
ml
	+
rules/windows/process_creation/process_creation_shadow_copies_deletion.y
ml
	+
rules/windows/process_creation/process_creation_copying_sensitive_files_
with_credential_data.yml
	+
rules/windows/process_creation/process_creation_shadow_copies_access_sym
link.yml
	+
rules/windows/process_creation/process_creation_grabbing_sensitive_hives
_via_reg.yml
	+
rules/windows/process_creation/process_creation_mimikatz_command_line.ym
l
	+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml
	+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml
.yml

- updated rules:

	+ rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
	+ rules/windows/builtin/win_mal_creddumper.yml
	+ rules/windows/builtin/win_mal_service_installs.yml
	+ rules/windows/process_creation/win_susp_process_creations.yml
	+ rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
	+ rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

- deprecated rules:

	+ rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
 2019-11-04 04:26:34 +03:00
Karneades 0117dac1db fix: bound sysmon logon script rule to field 
Fixed rule:
- rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
 2019-11-02 11:47:20 +01:00
darkquasar 96643b5446 New rule Suspicious Remote Thread Created 2019-10-28 22:12:57 -07:00
darkquasar 551d3d653c Dumping Lsass.exe memory with MiniDumpWriteDump API 2019-10-28 22:11:55 -07:00
darkquasar a6b24da6dd Adding rule Suspicious In-Memory Module Execution 2019-10-28 22:07:26 -07:00
Yugoslavskiy Daniil fd606cb376 spaces fix 2019-10-29 03:59:07 +03:00
Yugoslavskiy Daniil 4251d9f490 ilyas ochkov contribution 2019-10-29 03:44:22 +03:00
Yugoslavskiy Daniil 3376cf4dd8 fix some typos and remove redundand references 2019-10-29 01:40:06 +03:00
Florian Roth 8ff85499c8 rule: svchost dll search order hijack 2019-10-28 12:03:03 +01:00
Teimur Kheirkhabarov 2fb40acfe6 Fix mistake in possible_privilege_escalation_via_service_registry_permissions_weakness 2019-10-28 09:30:26 +03:00
Teimur Kheirkhabarov fde949174d OSCD Task 1 - Privilege Escalation 2019-10-27 20:54:07 +03:00
alexpetrov12 7aa804fe90 added new rules 
Packet capture Windows command prompt, ODBCCONF execution dll, Windows Registry Persistence - COM key linking
 2019-10-25 18:01:36 +03:00
Mikhail Larin 334301c185 OSCD event rules from Jet CSIRT team 2019-10-25 17:57:56 +03:00
stvetro dcaacd07bf 4 rules to cover ART 2019-10-25 15:38:47 +04:00
yugoslavskiy 5eb484a062 add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00
yugoslavskiy 4fb9821b49 added: 
win_non_interactive_powershell.yml
	win_remote_powershell_session.yml
	win_wmiprvse_spawning_process.yml
	powershell_alternate_powershell_hosts.yml
	powershell_remote_powershell_session.yml
	sysmon_alternate_powershell_hosts_moduleload.yml
	sysmon_alternate_powershell_hosts_pipe.yml
	sysmon_non_interactive_powershell_execution.yml
	sysmon_powershell_execution_moduleload.yml
	sysmon_powershell_execution_pipe.yml
	sysmon_remote_powershell_session_network.yml
	sysmon_remote_powershell_session_process.yml
	sysmon_wmi_module_load.yml
	sysmon_wmiprvse_spawning_process.yml
 2019-10-24 15:48:38 +02:00
yugoslavskiy 3934f6c756 add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00
alexpetrov12 cc998aa667 fix 2019-10-24 00:48:43 +03:00
alexpetrov12 f1ccf296f4 fix 2019-10-24 00:40:58 +03:00
alexpetrov12 d3715a508b fix 2019-10-23 18:15:46 +03:00
alexpetrov12 4c84412944 added new rule 
silenttrinity_stage_ use, sysmon_mimikatz_сreds_dump, sysmon_registry_persistence_key_linking, sysmon_сreds_dump
 2019-10-23 18:08:30 +03:00
alexpetrov12 e38540a37f fix 2019-10-23 13:28:04 +03:00
alexpetrov12 c1cfbacd24 fix 2019-10-23 13:18:57 +03:00
alexpetrov12 ad9b98541c fix 2019-10-23 13:05:38 +03:00
alexpetrov12 fa4a8c974d fix 2019-10-23 12:45:06 +03:00
alexpetrov12 f4ea01217e fix 2019-10-23 02:47:04 +03:00
alexpetrov12 ebe4fe0377 fix 2019-10-23 02:42:37 +03:00
alexpetrov12 6c4f4ce309 fix 2019-10-23 02:25:04 +03:00
alexpetrov12 8d0c89b598 added new rules 
add rule MiniDumpWriteDump via COM+, renamed_binary_description, cobalt_execute_assembly, win_sysmon_driver_onload
 2019-10-23 01:55:03 +03:00
root 2bd9d8a9d8 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:56:37 +02:00
root fb53855ae5 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:50:49 +02:00
Florian Roth deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Florian Roth c396526f40 rule: LSASS DLL load via undocumented Registry key 
https://twitter.com/SBousseaden/status/1183745981189427200
 2019-10-16 13:18:44 +02:00
Florian Roth e870c86fb0 rule: keyboad layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth 7ee3974428 rule: suspicious keyboard layout load 2019-10-14 16:25:27 +02:00
Florian Roth e0009bfb4a fix: merged duplicate rules 2019-10-01 16:14:38 +02:00
Florian Roth d8af435827 rule: RUN key pointing to suspicious folders 2019-10-01 16:08:31 +02:00
Florian Roth c44f940fb6 rule: suspicious RUN key created by exe in temp/download folders 2019-10-01 16:08:13 +02:00
Florian Roth de3a843bea Merge pull request #457 from EccoTheFlintstone/sysmon_eventid3 
sysmon eventid 3: filter on outgoing connections (initiated: true) to…
 2019-09-28 10:16:02 +02:00
ecco 7a1d48cccd fix: PsExec false positives 2019-09-26 04:50:43 -04:00
ecco 4c54e8322a sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives 2019-09-25 11:11:22 -04:00
ecco 0c96777f6a sysmon rules cleanup and move to process_creation 2019-09-11 10:24:43 -04:00
Florian Roth 038900e2fe fix: renamed powershell rule 2019-09-06 17:33:56 +02:00
Florian Roth 7f1b6eb311 fix: duplicate rule 2019-09-06 10:30:47 +02:00
Florian Roth fcbae16cc8 rule: image debugger 2019-09-06 10:28:20 +02:00
Florian Roth e9fc8d3d09 rule: split up registry debugger registration rule into two 2019-09-06 10:13:21 +02:00
Florian Roth 27f875755f rule: debugger registration 2019-09-06 10:08:09 +02:00