Commit Graph

2542 Commits

Author SHA1 Message Date
Florian Roth 4ad71c44bc chore: moved network device rules to the 'network' folder 2020-01-30 14:30:26 +01:00
Florian Roth 5130072b04 Merge pull request #529 from c2defense/master
Network Device Analytics
2020-01-30 14:28:44 +01:00
Florian Roth 30d872f98f Merge pull request #492 from booberry46/master
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
Florian Roth 598b750f48 Minor change 2020-01-30 10:31:16 +01:00
Florian Roth 8cef4b2941 fix: missing id 2020-01-30 10:14:18 +01:00
Florian Roth bf81ff90a8 fix: using a specific field 2020-01-30 10:13:33 +01:00
Florian Roth 0207eeece4 fix: hyphen 2020-01-30 10:10:03 +01:00
Florian Roth 2f1890b5e8 Update win_rdp_reverse_tunnel.yml 2020-01-30 10:09:41 +01:00
Florian Roth 8ec0060938 fix: fixing bug 2020-01-30 10:09:22 +01:00
Florian Roth 6ca100cabf reverted changes 2020-01-30 10:08:25 +01:00
Florian Roth 0a4d32c7c7 fix: fixing issues 2020-01-30 10:07:24 +01:00
Florian Roth 9828d7f81d re-added old reference 2020-01-30 10:03:09 +01:00
Florian Roth d90ea6d267 improved rule 2020-01-30 09:58:32 +01:00
Florian Roth d2122b6b83 Merge pull request #594 from sreemanshanker/master
Sigma rule to Monitor for writing of malicious files to system32 and syswow64 folders
2020-01-30 09:14:58 +01:00
Florian Roth 6adc732d79 Merge pull request #603 from Neo23x0/devel
Colorized Testing
2020-01-30 09:14:25 +01:00
Florian Roth 2c38c53829 fix: removed test rule 2020-01-30 08:52:33 +01:00
Florian Roth fe6c30fa59 feat: colorized output in test 2020-01-30 08:37:47 +01:00
Florian Roth a01773681a fix: filename 2020-01-30 08:18:29 +01:00
Florian Roth 529e95e3a5 Fixed everything
This rule had a lot of errors and problems.
- title
- file name
- status stable > experimental
- field order
- indentation
- unnecessary use of regular expressions
- interesting fields incomplete
- missing date
- missing id
- reference not as list
2020-01-30 08:17:46 +01:00
Florian Roth 4c90e636b1 changed file name 2020-01-30 08:07:56 +01:00
Florian Roth a935cea665 fix: condition 2020-01-30 08:06:53 +01:00
sreemanshanker d5c7b4795d Add files via upload 2020-01-30 11:29:01 +08:00
Florian Roth 647d98ac71 Merge pull request #599 from vitaliy0x1/master
Detection Rules for AWS events
2020-01-29 21:01:20 +01:00
Florian Roth 376092cfd3 Merge pull request #565 from RiccardoAncarani/master
Add Covenant default named pipe
2020-01-29 20:28:00 +01:00
Florian Roth 05d7448a9a Minor Changes 2020-01-29 20:25:46 +01:00
Florian Roth d1357ddc50 Minor changes 2020-01-29 20:25:14 +01:00
Florian Roth 8a4f9ad7f8 Minor changes 2020-01-29 20:24:31 +01:00
Florian Roth a6d7af270d Added date 2020-01-29 20:23:40 +01:00
Florian Roth 56e1e6b13d Lower case service name 2020-01-29 20:23:12 +01:00
Florian Roth f1ce6ba6ad Lowering level
Lowering level to medium for events that can have a legitimate cause
2020-01-29 20:22:34 +01:00
Florian Roth eac484092c fix: changed hashes field to sha1 for better consistency 2020-01-29 19:52:24 +01:00
Florian Roth a816f4775f rule: FromBase64String command line 2020-01-29 16:05:12 +01:00
Florian Roth 7786edac29 rule: dctask64.exe evasion techniques
https://twitter.com/gN3mes1s/status/1222088214581825540
2020-01-28 11:29:24 +01:00
Florian Roth d48fc9d1ff fix: multiple false positive conditions 2020-01-28 10:11:09 +01:00
Florian Roth 240b764660 rule: reduced level of system time mod rule 2020-01-27 14:30:09 +01:00
Florian Roth 5f0589b787 rule: mstsc shadowing 2020-01-24 16:18:19 +01:00
Florian Roth e24ea159f3 rule: split up renamed binary rule 2020-01-24 15:31:07 +01:00
2d4d bace799f07 complete_cve_2019-19781 2020-01-24 15:31:06 +01:00
Florian Roth 4066ae6371 rule: added a reference 2020-01-24 15:31:06 +01:00
Florian Roth 11607a8621 rule: windows audit cve 2020-01-24 15:31:06 +01:00
Florian Roth f40a7aab3d rule: changes at Shitrix rule 2020-01-24 15:31:06 +01:00
sbousseaden a4e62fcb1b Update win_lm_namedpipe.yml 2020-01-24 15:31:06 +01:00
2d4d 341ed340a3 add newbm.pl 2020-01-24 15:31:06 +01:00
Florian Roth 4e07a786a7 rule: updated netscaler rule 2020-01-24 15:31:06 +01:00
Florian Roth c22f7b0b65 fix: shortened path in Citrix Netscaler rule 2020-01-24 15:31:06 +01:00
2d4d d0230f0024 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
2d4d 0bde8b5f00 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC) a371cf1057 fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC) c24bbdcf81 Sigma queries for
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
2020-01-24 15:31:06 +01:00
msec1203 4f29556a01 Update win_susp_winword_wmidll_load.yml
Update x2
2020-01-24 15:31:06 +01:00