security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

2542 Commits

Author SHA1 Message Date
zinint d1cf80d9b6 Update lnx_auditd_user_discovery.yml 2019-10-28 00:00:06 +03:00
zinint 68b4541274 t1033 2019-10-27 23:59:16 +03:00
zinint 87c8326133 T1033 2019-10-27 23:49:07 +03:00
zinint 55eaae1cea Rename win_app_windows_descovery.yml to win_app_windows_discovery.yml 2019-10-27 23:15:10 +03:00
zinint 93b867024c T1012 2019-10-27 23:13:03 +03:00
Teimur Kheirkhabarov fde949174d OSCD Task 1 - Privilege Escalation 2019-10-27 20:54:07 +03:00
Mikhail Larin 1f6aec8060 removed unsupported rule from oscd branch 2019-10-27 15:33:38 +03:00
4A616D6573 ca819d8707 Update win_susp_net_execution.yml 
Updated tags to pass Travis CI checks.
 2019-10-27 14:06:52 +11:00
root 717e40e8ed modified win_susp_dxcap.yml 2019-10-26 20:27:32 +02:00
root 9bf0150100 modified win_susp_dnx.yml 2019-10-26 20:20:21 +02:00
root 3b70f2edd6 modified win_susp_dnx.yml 2019-10-26 20:16:40 +02:00
root 3528afeef7 modified win_susp_dnx.yml 2019-10-26 20:13:53 +02:00
root 1dca0456ee modified win_susp_dxcap.yml 2019-10-26 20:09:25 +02:00
root cbe0d73ce8 add win_susp_dxcap.yml 2019-10-26 20:06:02 +02:00
root aaf63d2238 add win_susp_dxcap.yml 2019-10-26 20:02:25 +02:00
root 0616c2c39d add win_susp_dnx.yml 2019-10-26 19:58:45 +02:00
root ee21888e67 add win_susp_cdb.yml 2019-10-26 19:49:45 +02:00
booberry46 b7fe52133d Update win_defender_bypass.yml 2019-10-27 00:07:56 +08:00
booberry46 3f1fc9a507 Add files via upload 2019-10-27 00:06:49 +08:00
Florian Roth 66a32549f1 rule: proxy malware ua - Zebrocy 2019-10-26 14:20:29 +02:00
Florian Roth 42808b7eb8 rule: webshell detection improved 2019-10-26 09:14:54 +02:00
root 844d55c781 add win_susp_bginfo.yml 2019-10-26 08:18:37 +02:00
root 5bb5938e86 add win_susp_bginfo.yml 2019-10-26 08:16:08 +02:00
root 01c4c7cdbd modifed win_susp_msoffice.yml 2019-10-26 08:11:09 +02:00
root bea2daac45 modifed win_susp_msoffice.yml 2019-10-26 07:55:44 +02:00
root fc7f8ecea3 add win_susp_msoffice.yml 2019-10-26 07:48:38 +02:00
root 611c193826 modifed win_susp_odbcconf.yml 2019-10-26 07:45:53 +02:00
root aa9a22e662 add win_susp_odbcconf.yml 2019-10-25 19:02:17 +02:00
alexpetrov12 8c2b7e9f85 fix 2019-10-25 18:30:40 +03:00
alexpetrov12 7aa804fe90 added new rules 
Packet capture Windows command prompt, ODBCCONF execution dll, Windows Registry Persistence - COM key linking
 2019-10-25 18:01:36 +03:00
Mikhail Larin 334301c185 OSCD event rules from Jet CSIRT team 2019-10-25 17:57:56 +03:00
zinint 6e94e798be t1010 2019-10-25 16:12:51 +03:00
stvetro dcaacd07bf 4 rules to cover ART 2019-10-25 15:38:47 +04:00
hieuttmmo 0c07c5ea16 convention 2019-10-25 11:00:05 +07:00
hieuttmmo e86ab608f2 Update powershell_suspicious_profile_create.yml 2019-10-25 10:53:21 +07:00
yugoslavskiy 5eb484a062 add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00
4A616D6573 5678357f4e Update win_susp_net_execution.yml 
Added tag for:

References:

https://attack.mitre.org/techniques/T1077/
https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
 2019-10-25 12:20:47 +11:00
4A616D6573 a7a753862c Update win_susp_net_execution.yml 
Added:

1. Additional tags for techniques as defined by Atomic Blue.
2. Detection for OriginalFileName as net.exe can easily be renamed.

Part of oscd.community effort.
 2019-10-25 12:06:32 +11:00
4A616D6573 c248842995 Revert "Update win_susp_net_execution.yml" 
This reverts commit f7e26b1e0b.
 2019-10-25 12:03:23 +11:00
4A616D6573 f7e26b1e0b Update win_susp_net_execution.yml 
Added:

1. Additional tags for techniques as defined by Atomic Blue.
2. Detection for OriginalFileName as net.exe can easily be renamed.

Part of oscd.community effort.
 2019-10-25 11:53:56 +11:00
hieuttmmo edb698c7f7 Update powershell_suspicious_profile_create.yml 2019-10-25 00:28:11 +07:00
hieuttmmo 73b10807d8 Rename powershell_susp_profile_create.yml to powershell_suspicious_profile_create.yml 2019-10-25 00:14:39 +07:00
hieuttmmo 0e4cd397ef Create new rules for T1502 2019-10-25 00:14:21 +07:00
yugoslavskiy 4fb9821b49 added: 
win_non_interactive_powershell.yml
	win_remote_powershell_session.yml
	win_wmiprvse_spawning_process.yml
	powershell_alternate_powershell_hosts.yml
	powershell_remote_powershell_session.yml
	sysmon_alternate_powershell_hosts_moduleload.yml
	sysmon_alternate_powershell_hosts_pipe.yml
	sysmon_non_interactive_powershell_execution.yml
	sysmon_powershell_execution_moduleload.yml
	sysmon_powershell_execution_pipe.yml
	sysmon_remote_powershell_session_network.yml
	sysmon_remote_powershell_session_process.yml
	sysmon_wmi_module_load.yml
	sysmon_wmiprvse_spawning_process.yml
 2019-10-24 15:48:38 +02:00
zinint aef5fa3c2b Rename powershell_winlogon_helper_dll.yaml to powershell_winlogon_helper_dll.yml 2019-10-24 16:37:38 +03:00
Florian Roth a5ec6722a1 rule: the actual changes to hwp rule 2019-10-24 15:35:13 +02:00
zinint 5a98fdbbbd ART t1004 2019-10-24 16:33:29 +03:00
zinint 317e9d3df9 PS Data Compressed attack.t1002 
PS Data Compressed attack.t1002
 2019-10-24 15:43:46 +03:00
yugoslavskiy 3934f6c756 add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00
zinint 7c5dc0ca01 Update win_data_compressed.yml 2019-10-24 15:34:13 +03:00