security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

1988 Commits

Author SHA1 Message Date
alexpetrov12 ebe4fe0377 fix 2019-10-23 02:42:37 +03:00
alexpetrov12 29cd7fed3e fix 2019-10-23 02:39:40 +03:00
alexpetrov12 5a260db459 fix 2019-10-23 02:27:14 +03:00
alexpetrov12 6c4f4ce309 fix 2019-10-23 02:25:04 +03:00
alexpetrov12 8d0c89b598 added new rules 
add rule MiniDumpWriteDump via COM+, renamed_binary_description, cobalt_execute_assembly, win_sysmon_driver_onload
 2019-10-23 01:55:03 +03:00
Florian Roth 3d4ce9d175 rule: another reference link for 'execution by ordinal' 2019-10-22 15:18:19 +02:00
zinint 49f9b797a7 Update sysmon_xsl_script_processing.yml 2019-10-22 15:20:15 +03:00
zinint a8bd2c8e78 Update win_data_compressed.yml 2019-10-22 14:57:53 +03:00
zinint 74d1fef8b8 Update win_data_compressed.yml 2019-10-22 14:53:43 +03:00
zinint cc6d4b05ac OSCD Task 7 : ART T1002 Exfiltration With Rar 
OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar
 2019-10-22 14:00:52 +03:00
Florian Roth b3654947bc rule: suspicious call by ordinal (rundll32) 2019-10-22 12:40:26 +02:00
Florian Roth 0f02f2bdfc rule: adjusted very noisy rule on AppLocker whitelist bypass 2019-10-22 12:32:37 +02:00
root 00a757959e add rule win_susp_capture_screenshots.yml 2019-10-22 06:06:07 +02:00
root 2bd9d8a9d8 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:56:37 +02:00
root fb53855ae5 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:50:49 +02:00
zinint daf1034621 Update win_possible_applocker_bypass.yml 2019-10-22 00:54:29 +03:00
zinint 789782ef59 Update sysmon_xsl_script_processing.yml 2019-10-22 00:08:46 +03:00
zinint 56f807cb44 Update sysmon_xsl_script_processing.yml 2019-10-22 00:06:54 +03:00
zinint 0d8eff0d86 Update sysmon_xsl_script_processing.yml 2019-10-22 00:06:10 +03:00
zinint a1d72f20c8 Update sysmon_xsl_script_processing.yml 2019-10-21 23:51:39 +03:00
zinint 5248f83fb3 Update sysmon_xsl_script_processing.yml 2019-10-21 23:46:11 +03:00
zinint a685c9c3be Update sysmon_xsl_script_processing.yml 2019-10-21 23:39:33 +03:00
zinint 784d7138ca OSCD Task 7 ART T1220 
OSCD Task 7 ART T1220 rule add
 2019-10-21 22:22:55 +03:00
Florian Roth deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Florian Roth ab292a4029 rule: simplified Emotet rule 2019-10-16 15:29:42 +02:00
Florian Roth c396526f40 rule: LSASS DLL load via undocumented Registry key 
https://twitter.com/SBousseaden/status/1183745981189427200
 2019-10-16 13:18:44 +02:00
Florian Roth 5d143f4f22 rule: emotet rule references extended 2019-10-16 13:18:44 +02:00
Florian Roth d46154da5c rule: extending Emotet rule 2019-10-16 10:22:48 +02:00
Florian Roth 4ea469d138 rule: suspicious compression tool parameters 2019-10-15 16:38:53 +02:00
Florian Roth e870c86fb0 rule: keyboad layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth 52fef7ae10 Merge pull request #468 from 2d4d/lsass_without_exe 
remove .exe from lsass
 2019-10-14 18:03:13 +02:00
Florian Roth 8db1cac910 fix: made rule compatible with event id 4688 2019-10-14 18:01:24 +02:00
Florian Roth 0e2284a176 rule: modified the default 2019-10-14 17:50:48 +02:00
Florian Roth 312311494d rule: suspicious code page switch using chcp 2019-10-14 17:45:25 +02:00
2d4d cf5d7f11ad remove .exe from lsass 2019-10-14 17:26:33 +02:00
Florian Roth 7ee3974428 rule: suspicious keyboard layout load 2019-10-14 16:25:27 +02:00
Florian Roth 5583684efd rule: extended suspicious procdump rule 2019-10-14 16:21:37 +02:00
Florian Roth 98f0d01b2e rule: mimikatz use extended 2019-10-11 18:50:33 +02:00
Florian Roth 60af1f5a4b rule: WMI Backdoor Exchange Transport Agent 2019-10-11 12:12:44 +02:00
Florian Roth ec5bb71049 fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00
Florian Roth 14971a7b9c fix: FPs with Mimikatz DC Sync rule 2019-10-08 17:44:00 +02:00
Thomas Patzke 60ef593a6f Fixed wrong backslash escaping of * 
Fixes issue #466
 2019-10-07 22:14:44 +02:00
Florian Roth d096ab0e21 rules: AV rules updated to reflect 1.7.2 auf AV cheat sheet 2019-10-04 16:17:34 +02:00
Florian Roth 3eaf4d6e94 fix: fixed typo in bluemashroom rule 2019-10-02 15:45:55 +02:00
Florian Roth 6d78a5fede rule: extended the command line in bluemashroom rule 2019-10-02 14:03:34 +02:00
Florian Roth 7423fe2072 fix: fixed typo in APT group name 2019-10-02 14:02:07 +02:00
Florian Roth e993ef46f0 rule: APT blue mushroom 2019-10-02 13:57:14 +02:00
Florian Roth 4bc7f6ea52 rule: QBot process creation 2019-10-01 17:25:04 +02:00
Florian Roth e0009bfb4a fix: merged duplicate rules 2019-10-01 16:14:38 +02:00
Florian Roth d8af435827 rule: RUN key pointing to suspicious folders 2019-10-01 16:08:31 +02:00