security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

1988 Commits

Author SHA1 Message Date
4A616D6573 d174e172b0 Create win_susp_local_anon_logon_created.yml 2019-10-31 21:44:47 +11:00
Florian Roth 3107c0c268 rule: Formbook rule improved 2019-10-31 09:32:18 +01:00
zinint 60bf34e220 T1042 2019-10-30 23:30:56 +03:00
zinint 12ef86fcbe t1040 2019-10-30 23:18:37 +03:00
zinint b3b203e5b1 t1040 2019-10-30 23:15:19 +03:00
Florian Roth 4741b6a4d6 rule: Mustang Panda dropper 2019-10-30 18:22:40 +01:00
Florian Roth d661771608 rule: another DTRACK reference 2019-10-30 18:22:25 +01:00
Florian Roth 3ac28f3eed rule: DTRACK process creation 2019-10-30 15:16:33 +01:00
Thomas Patzke 219f00e3fb Added command line parameter 
Implements #418
 2019-10-29 23:04:28 +01:00
Thomas Patzke f4e9690d6b Merge pull request #508 from Karneades/fixRule3 
fix: bound keywords to field in multiple PS rules
 2019-10-29 22:34:08 +01:00
Thomas Patzke 78d8ca2b41 Merge pull request #507 from Karneades/fixRule2 
fix: bound keywords to field in PS cred prompt rule
 2019-10-29 22:31:01 +01:00
Thomas Patzke 40df0d4534 Merge pull request #506 from Karneades/fixRule1 
fix: bound keywords to field in WMI persistence rule
 2019-10-29 22:30:27 +01:00
Thomas Patzke 6eb49fc1ce Merge pull request #509 from Karneades/fixRule4 
fix: change keyword and bound it to a field in PS rule
 2019-10-29 22:27:54 +01:00
Thomas Patzke b6403793c1 Fixed escaping in rule 2019-10-29 22:06:23 +01:00
Karneades ab5556ae8c fix: change keyword and bound it to a field 2019-10-29 19:59:43 +01:00
Karneades aafab2e936 fix: bound keywords to field in multiple PS rules 
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
 2019-10-29 19:53:18 +01:00
Karneades f31750e567 fix: bound keywords to field in PS cred prompt rule 2019-10-29 19:43:04 +01:00
Karneades cd20e4a3fc fix: bound keywords to field in WMI persistence rule 
See #501.
 2019-10-29 19:22:41 +01:00
zinint c243c4e210 T1035 2019-10-29 20:58:52 +03:00
booberry46 36fe748c2e Update win_rdp_reverse_tunnel.yml 
With the recent example for the evtx. RDP Tunneling can happen not only from port 3389. So I tune it to fit in general.

Changed the obsolete twitter status with linkage to the evtx from Samir Bousseaden
 2019-10-29 17:25:37 +08:00
darkquasar cb6eb35913 adding some more suspicious PS keywords 
found in multiple internally analyzed malicious scripts (in the wild and as result of engagements)
 2019-10-28 22:14:14 -07:00
darkquasar 96643b5446 New rule Suspicious Remote Thread Created 2019-10-28 22:12:57 -07:00
darkquasar 551d3d653c Dumping Lsass.exe memory with MiniDumpWriteDump API 2019-10-28 22:11:55 -07:00
darkquasar a6b24da6dd Adding rule Suspicious In-Memory Module Execution 2019-10-28 22:07:26 -07:00
Yugoslavskiy Daniil fd606cb376 spaces fix 2019-10-29 03:59:07 +03:00
Yugoslavskiy Daniil 4251d9f490 ilyas ochkov contribution 2019-10-29 03:44:22 +03:00
Yugoslavskiy Daniil 3376cf4dd8 fix some typos and remove redundand references 2019-10-29 01:40:06 +03:00
Florian Roth 8ff85499c8 rule: svchost dll search order hijack 2019-10-28 12:03:03 +01:00
Florian Roth 1a3444d0ef docs: comment on rule expression 2019-10-28 12:02:46 +01:00
RRRabbit becfca6b41 Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00
Teimur Kheirkhabarov 59c6250282 Delete rules/windows/.DS_Store 2019-10-28 09:38:17 +03:00
Teimur Kheirkhabarov 2fb40acfe6 Fix mistake in possible_privilege_escalation_via_service_registry_permissions_weakness 2019-10-28 09:30:26 +03:00
Teimur Kheirkhabarov 32b0a3987e Several mistakes were fixed 2019-10-28 08:43:58 +03:00
Teimur Kheirkhabarov 3125b39239 Change incorrect MITRE Tags for some rules 2019-10-28 07:56:15 +03:00
zinint 87c8326133 T1033 2019-10-27 23:49:07 +03:00
zinint 55eaae1cea Rename win_app_windows_descovery.yml to win_app_windows_discovery.yml 2019-10-27 23:15:10 +03:00
zinint 93b867024c T1012 2019-10-27 23:13:03 +03:00
Teimur Kheirkhabarov fde949174d OSCD Task 1 - Privilege Escalation 2019-10-27 20:54:07 +03:00
4A616D6573 ca819d8707 Update win_susp_net_execution.yml 
Updated tags to pass Travis CI checks.
 2019-10-27 14:06:52 +11:00
root 717e40e8ed modified win_susp_dxcap.yml 2019-10-26 20:27:32 +02:00
root 9bf0150100 modified win_susp_dnx.yml 2019-10-26 20:20:21 +02:00
root 3b70f2edd6 modified win_susp_dnx.yml 2019-10-26 20:16:40 +02:00
root 3528afeef7 modified win_susp_dnx.yml 2019-10-26 20:13:53 +02:00
root 1dca0456ee modified win_susp_dxcap.yml 2019-10-26 20:09:25 +02:00
root cbe0d73ce8 add win_susp_dxcap.yml 2019-10-26 20:06:02 +02:00
root aaf63d2238 add win_susp_dxcap.yml 2019-10-26 20:02:25 +02:00
root 0616c2c39d add win_susp_dnx.yml 2019-10-26 19:58:45 +02:00
root ee21888e67 add win_susp_cdb.yml 2019-10-26 19:49:45 +02:00
booberry46 b7fe52133d Update win_defender_bypass.yml 2019-10-27 00:07:56 +08:00
booberry46 3f1fc9a507 Add files via upload 2019-10-27 00:06:49 +08:00