security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

1988 Commits

Author SHA1 Message Date
ecco cfde0625f5 fix false positive matching on every powershell process not run by SYSTEM account 2020-05-23 07:05:09 -04:00
Florian Roth 12e1aeaf9f Merge pull request #788 from Neo23x0/rule-devel 
refactor: split up rule for CVE-2020-1048 into 2 rules
 2020-05-23 09:54:43 +02:00
Florian Roth 34006d0794 refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 09:16:19 +02:00
Florian Roth 57c8e63acd refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 09:09:58 +02:00
ecco ec17c2ab56 filter on createkey only when needed 2020-05-22 10:37:00 -04:00
4A616D6573 879ad6f206 Update win_susp_ntlm_rdp.yml 2020-05-22 13:32:02 +10:00
4A616D6573 daa3c5e053 Update win_susp_ntlm_rdp.yml 2020-05-22 13:28:56 +10:00
4A616D6573 0f8f5fb29c Create win_susp_ntlm_rdp.yml 2020-05-22 13:24:27 +10:00
Florian Roth 91c4c4ecc5 refactor: slightly improved Greenbug rule 2020-05-21 13:38:11 +02:00
Florian Roth 9a3b6c1c77 docs: added MITRE ATT&CK group tag 2020-05-21 09:44:11 +02:00
Florian Roth 344eb713c5 rule: Greenbug campaign 2020-05-21 09:39:57 +02:00
ecco 0dd089db47 various rules cleaning 2020-05-18 20:29:53 -04:00
Thomas Patzke 96fae4be68 Added CrachMapExec rules 2020-05-22 00:50:37 +02:00
Florian Roth 64e0e7ca72 Merge pull request #784 from Neo23x0/rule-devel 
refactor: slightly improved Greenbug rule
 2020-05-21 14:19:09 +02:00
Florian Roth bbf78374b6 Merge pull request #783 from Neo23x0/rule-devel 
Greenbug Rule
 2020-05-21 09:55:46 +02:00
Florian Roth e7980bb434 Merge pull request #782 from ZikyHD/patch-1 
Remove duplicate 'CommandLine' in fields
 2020-05-20 12:55:41 +02:00
ZikyHD 8963c0a65e Remove duplicate 'CommandLine' in fields 2020-05-20 11:54:47 +02:00
Florian Roth 9ab65cd1c7 Update win_alert_ad_user_backdoors.yml 2020-05-19 14:50:22 +02:00
Tatsuya Ito c815773b1a enhancement rule 2020-05-19 18:05:51 +09:00
Tatsuya Ito 49f68a327a enhancement rule 2020-05-19 18:00:50 +09:00
ecco 1aa97fe577 flake 8 2020-05-18 10:03:18 -04:00
ecco 088800cd18 fix rule due to sigmac bug? 2020-05-18 09:39:48 -04:00
ecco e89613aee0 add some false positives checks 2020-05-18 07:19:06 -04:00
Florian Roth 8154ca355a Merge pull request #768 from maximelb/master 
Remove "condition" from global rule in CVE-2020-1048.
 2020-05-18 12:52:49 +02:00
Maxime Lamothe-Brassard 25d3a5a893 Remove "condition" from global rule. 
The condition field in this rule was in the global section which overwrote the condition in sub-rules and generated FPs. For example, once Sigma read the rule, the bottom sub-rule's "condition" was overwritten with "1 of them".
 2020-05-17 12:44:57 -07:00
Florian Roth a46e357874 Merge branch 'master' into rule-devel 2020-05-16 08:59:34 +02:00
Florian Roth d5e7d4e302 fix: missing condition in CVE-2020-1048 rule 2020-05-16 08:59:05 +02:00
ecco fd386fe8eb standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine 2020-05-15 12:35:32 -04:00
ecco 0575fa8d81 fix CVE 2020-1048 rule 2020-05-15 07:25:05 -04:00
Florian Roth cc26b26377 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/windows/sysmon/sysmon_cve-2020-1048.yml
 2020-05-15 12:09:47 +02:00
Florian Roth 8e7caf0e4d rule: CVE-2020-1048 2020-05-15 12:08:31 +02:00
Florian Roth 8e082283f0 Merge pull request #754 from Neo23x0/rule-devel 
Rule devel
 2020-05-15 12:07:04 +02:00
Florian Roth beb62dc163 fix: condition location 2020-05-15 12:06:34 +02:00
Florian Roth 5854cc4677 fix: small bug in new CVE-2020-1048 rule 2020-05-15 11:37:46 +02:00
Florian Roth 2282432b6f Merge pull request #753 from hieuttmmo/master 
New Sigma rule to detect possible CVE-2020-1048 exploitation and Suspicious network connection from Notepad
 2020-05-15 11:35:12 +02:00
Florian Roth 28dc2a2267 Minor changes 
hints: 
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
 2020-05-15 11:33:36 +02:00
ecco 54cf535dbc remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike) 2020-05-15 04:45:25 -04:00
Trent Liffick 40ab1b7247 added 'action: global' 2020-05-14 23:33:08 -04:00
Trent Liffick 56a2747a70 Corrected missing condition 
learning! fail fast & forward
 2020-05-14 23:18:33 -04:00
Trent Liffick fb1d8d7a76 Corrected typo 2020-05-14 23:04:14 -04:00
Trent Liffick 8aff6b412e added rule for Blue Mockingbird (cryptominer) 2020-05-14 22:58:23 -04:00
Florian Roth ab950fb89d fix: removed rules missing in master 2020-05-14 15:53:09 +02:00
Tran Trung Hieu e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu 443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu 97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Florian Roth 7652813c2c Merge pull request #752 from zaphodef/fix/win_susp_script_execution_false_negatives 
Widen the search as it gives too many false negatives
 2020-05-13 21:02:12 +02:00
Tran Trung Hieu d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu 3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
zaphod 78a5c743f2 Widen the search as it gives too many false negatives 2020-05-13 16:20:23 +02:00