Commit Graph

1988 Commits

Author SHA1 Message Date
Florian Roth 32ecb81630 Merge pull request #845 from ikiril01/att&ck_subtechniques_v2
ATT&CK subtechniques v2
2020-06-18 09:10:09 +02:00
Ivan Kirillov b343df2225 Further subtechnique updates 2020-06-17 11:31:40 -06:00
ecco 99bfa14ae0 add 1 more FP 2020-06-17 12:49:27 -04:00
Florian Roth 0022705373 fix: filter not functional
since `UsrLogon.cmd` appears only in the `C:\Windows\system32\cmd.exe /c UsrLogon.cmd` command line
2020-06-17 16:09:44 +02:00
Ivan Kirillov 5c0bb0e94f Fixed indentation 2020-06-16 15:01:13 -06:00
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth d24ec665fd Merge pull request #838 from rtkbkish/fix-identifier
Identifiers shared between global document and rule get overwritten
2020-06-15 20:20:23 +02:00
Florian Roth 87053502a3 Merge pull request #839 from rtkbkish/fix-double-backslash
Fix match for double-backslash
2020-06-15 20:19:56 +02:00
Florian Roth 869162a5da Merge pull request #840 from rtkbkish/remove-wrong-sysmon-id
Rule lists extra Sysmon ID (11). Should just match registry events (1…
2020-06-15 20:19:27 +02:00
Florian Roth 3482e048fb Merge pull request #841 from rtkbkish/fix-rule-match
Rule needs endwith, not exact match.
2020-06-15 20:19:12 +02:00
Florian Roth 46bd56a708 Merge pull request #837 from rtkbkish/fix-win-invoke-obfuscation
Fix logsource field name from service->category
2020-06-15 20:18:53 +02:00
Brad Kish dfae2a6df6 Rule needs endwith, not exact match.
Fix ImageLoaded filter to match with endswith, rather than exact match.
2020-06-15 13:54:02 -04:00
Brad Kish a9c6fa904f Rule lists extra Sysmon ID (11). Should just match registry events (12-14)
Remove extraneous event ID 11. It will never match.
2020-06-15 13:52:12 -04:00
Brad Kish f196046b3d Fix match for double-backslash
To match a double-backslash you actually need three backslashes, since two
backslashes get reduced to one.
2020-06-15 13:39:50 -04:00
Brad Kish 422b2bffd7 Fix rules with incorrect escaping of wildcards
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
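The three escaping and matching fixes above (exact match where `contains` or `endswith` is needed, a backslash before a wildcard needing its own escape, and two backslashes collapsing to one) are easy to get wrong without seeing what a Sigma value actually turns into. The following is an added example, not code from the Sigma project or sigmac: a small Python model of the escaping rules exactly as the commit messages state them, plus the `contains`, `startswith` and `endswith` modifiers, run over constructed Sysmon-style field values (the file paths and the UNC share are made up for illustration). Treat it as a way to sanity-check a pattern, not as the reference implementation.

```python
import re

# Added example: a minimal model of how a Sigma string value with wildcards and
# backslash escapes becomes a regular expression, following the rules stated in
# the commit messages above (a backslash before a wildcard must be escaped with
# another backslash; two backslashes collapse to one literal backslash).
# This is an illustrative reimplementation, not sigmac's own code.


def sigma_value_to_regex(value: str) -> str:
    """Translate one Sigma string value into a regex body (no anchors)."""
    out = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            # escaped wildcard or escaped backslash: match that character literally
            out.append(re.escape(value[i + 1]))
            i += 2
        elif c == "*":
            out.append(".*")
            i += 1
        elif c == "?":
            out.append(".")
            i += 1
        else:
            # ordinary character, or a lone backslash (as in C:\Windows), kept literal
            out.append(re.escape(c))
            i += 1
    return "".join(out)


# How each Sigma modifier wraps the regex body; the empty tuple is an exact match.
MODIFIER_TEMPLATES = {
    (): "{}",
    ("contains",): ".*{}.*",
    ("startswith",): "{}.*",
    ("endswith",): ".*{}",
}


def sigma_match(field_value: str, pattern: str, *modifiers: str) -> bool:
    """Evaluate one Sigma field condition: case-insensitive, whole-value match."""
    template = MODIFIER_TEMPLATES[tuple(modifiers)]
    regex = template.format(sigma_value_to_regex(pattern))
    return re.fullmatch(regex, field_value, re.IGNORECASE | re.DOTALL) is not None


# Constructed sample field values (not taken from any real log or rule).
EVENT_PROCESS = {"CommandLine": r"C:\Windows\system32\cmd.exe /c UsrLogon.cmd"}
EVENT_IMAGE_LOAD = {"ImageLoaded": r"C:\Users\Public\example.dll"}
EVENT_UNC = {"Image": r"\\fileserver\share\tool.exe"}


def demo() -> dict:
    """Run the three fix scenarios and return which patterns actually match."""
    return {
        # an exact value never matches the full command line; 'contains' does
        "usrlogon_exact": sigma_match(EVENT_PROCESS["CommandLine"], "UsrLogon.cmd"),
        "usrlogon_contains": sigma_match(EVENT_PROCESS["CommandLine"], "UsrLogon.cmd", "contains"),
        # a bare DLL name needs 'endswith' to match a full ImageLoaded path
        "dll_exact": sigma_match(EVENT_IMAGE_LOAD["ImageLoaded"], r"\example.dll"),
        "dll_endswith": sigma_match(EVENT_IMAGE_LOAD["ImageLoaded"], r"\example.dll", "endswith"),
        # two leading backslashes need three in the pattern, and the backslash
        # before '*' must be doubled, otherwise '\*' is a literal asterisk
        "unc_naive": sigma_match(EVENT_UNC["Image"], r"\\fileserver\share\*"),
        "unc_escaped": sigma_match(EVENT_UNC["Image"], r"\\\fileserver\share\\*"),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:18s} {hit}")
```

The UNC case shows both backslash rules at once: `\\fileserver\share\*` collapses to a single leading backslash and ends in a literal asterisk, so it matches nothing realistic, while `\\\fileserver\share\\*` yields two literal backslashes and a backslash followed by a real wildcard. Printing `sigma_value_to_regex(pattern)` for a rule value is a quick way to check what a backend will actually be handed before committing a rule.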
Brad Kish 8d58c8f5c8 Fix logsource field name from service->category
The rule win_invoke_obfuscation_obfuscated_iex_commandline has the
wrong field name for the "process_creation" tag. Rename from "service"
to "category"
2020-06-15 13:18:05 -04:00
Brad Kish f5aa871e5d Identifiers shared between global document and rule get overwritten
The global document defines a "selection" identifier which is also defined in the
individual rules. The rule identifier is getting overwritten by the global identifier.
Fix by giving unique names to the global identifier.
2020-06-15 13:14:31 -04:00
Iveco 40f0fd989d - moved to "process_creation" folder instead of "sysmon"
- renamed .yml file
2020-06-11 19:21:17 +02:00
Iveco 34d7ea2974 removed one field 2020-06-11 16:23:15 +02:00
Iveco 2081baafe5 updated to process_creation 2020-06-11 15:58:05 +02:00
Iveco f56e2599b1 Cmd.exe Path Traversal Detection 2020-06-11 15:48:48 +02:00
Florian Roth a7136481f1 Update win_pcap_drivers.yml 2020-06-11 11:14:43 +02:00
Florian Roth 97c45f9d46 Merge pull request #812 from tliffick/master
added new rules for malware
2020-06-10 17:37:19 +02:00
Cian Heasley 9835c6d67d add win_pcap_drivers.yml 2020-06-10 15:53:22 +01:00
Florian Roth 96309d247b fix: cosmetic fault 2020-06-10 16:41:03 +02:00
Florian Roth 6e4aa01baa Cosmetics 2020-06-10 16:36:17 +02:00
Florian Roth 13c7d40a22 Cosmetics 2020-06-10 16:35:41 +02:00
Florian Roth f553fb2e33 Cosmetics 2020-06-10 16:35:14 +02:00
Florian Roth 48e4e31713 Merge pull request #826 from NVISO-BE/sysmon_susp_fax_dll
Fax Service DLL search order hijacking detection
2020-06-10 16:33:12 +02:00
Florian Roth 1a9da23611 Merge pull request #825 from NVISO-BE/sysmon_office_persistence
Office persistence by addin detection
2020-06-10 16:32:50 +02:00
Steven Goossens e5f36dd146 Added rules files split into folders 2020-06-10 16:32:30 +02:00
Remco Hofman 8adaa2d672 Fixed bad indentation 2020-06-10 15:02:41 +02:00
Remco Hofman 83a6e25bcb Fax Service DLL search order hijacking 2020-06-10 15:01:07 +02:00
Remco Hofman cb8e478ac1 Sigma rule to detect Office persistence via addin. 2020-06-10 14:52:13 +02:00
Florian Roth 5c835cf1f2 Merge pull request #813 from ozirus/patch-1
Create sysmon_apt_muddywater_dnstunnel.yml
2020-06-09 18:44:45 +02:00
Florian Roth 7a334a8d8a fix: missed line 2020-06-09 17:30:54 +02:00
Florian Roth 04913a4b95 Aligned indentation 2020-06-09 17:20:25 +02:00
Florian Roth 9b8f8b7e09 Merge pull request #822 from NVISO-BE/win_mal_flowcloud
TA410 FlowCloud malware detection
2020-06-09 17:18:39 +02:00
Remco Hofman a9bf22750a Fixed bad indentation 2020-06-09 16:30:17 +02:00
Remco Hofman 4ce3ea735e TA410 FlowCloud malware detection 2020-06-09 16:21:46 +02:00
Remco Hofman d14d391761 Octopus Scanner malware rule 2020-06-09 16:12:05 +02:00
Florian Roth 6e349030d9 rule: suspicious camera and mic access 2020-06-08 10:18:44 +02:00
Florian Roth 0c2f2fe6df Merge pull request #816 from Neo23x0/rule-devel
merged Cyb3rWarD0g's rules
2020-06-06 16:27:59 +02:00
Florian Roth d3e261862d merged Cyb3rWarD0g's rules 2020-06-06 15:42:22 +02:00
Florian Roth 72deaa98f5 Merge pull request #815 from Neo23x0/rule-devel
Rule devel
2020-06-06 14:19:37 +02:00
Florian Roth 3697186281 fix: fixed title 2020-06-06 14:04:40 +02:00
Florian Roth 246a95557b fix: description over multiple lines 2020-06-06 13:56:48 +02:00
Florian Roth d54209dcc5 rule: ETW disabled 2020-06-06 13:56:19 +02:00
Florian Roth 2e77e65285 rule: Covenant launchers 2020-06-05 11:03:28 +02:00
Furkan ÇALIŞKAN 082696ee84 Added UUID 2020-06-04 18:38:42 +03:00