security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

2542 Commits

Author SHA1 Message Date
Florian Roth 9457f01c29 Update proxy_ios_implant.yml 2019-10-21 11:20:11 +02:00
Florian Roth f8d8eb7948 Update proxy_chafer_malware.yml 2019-10-21 11:19:59 +02:00
root ac8308dfc9 add rule lnx_auditd_web_rce.yml 2019-10-21 11:14:24 +02:00
Florian Roth 454ba2b576 rule: modified sudo vuln rule to be most generic 2019-10-20 14:02:10 +02:00
Florian Roth 08ff2f38bc Revert "rule: modified sudo vuln rule to be most generic" 
This reverts commit ef6a25d109.
 2019-10-20 14:01:14 +02:00
Florian Roth ef6a25d109 rule: modified sudo vuln rule to be most generic 2019-10-20 10:37:05 +02:00
a2tf a2753ba5a6 rule: changed two proxy rules from uri-query to url 2019-10-18 14:15:39 +00:00
Thomas Patzke 522f021ef1 Merge pull request #461 from Galapag0s/patch-2 
Added Additional history clearing options
 2019-10-16 22:35:41 +02:00
Florian Roth deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Florian Roth ab292a4029 rule: simplified Emotet rule 2019-10-16 15:29:42 +02:00
Florian Roth 36f678930d rule: updated sudo vuln rule to detect 0-padding part 2 
https://twitter.com/joshbressers/status/1184455759620378627
 2019-10-16 15:10:44 +02:00
Florian Roth 5374d18e4b rule: updated sudo vuln rule to detect 0-padding 
https://twitter.com/taviso/status/1184238670343065600
 2019-10-16 15:03:28 +02:00
Florian Roth c396526f40 rule: LSASS DLL load via undocumented Registry key 
https://twitter.com/SBousseaden/status/1183745981189427200
 2019-10-16 13:18:44 +02:00
Florian Roth 5d143f4f22 rule: emotet rule references extended 2019-10-16 13:18:44 +02:00
Florian Roth d46154da5c rule: extending Emotet rule 2019-10-16 10:22:48 +02:00
Florian Roth 4ea469d138 rule: suspicious compression tool parameters 2019-10-15 16:38:53 +02:00
Florian Roth e870c86fb0 rule: keyboad layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth 921a39f1e3 rule: extended sudo rule with variant for USER field 2019-10-15 14:55:09 +02:00
Florian Roth 96d77447d2 rule: added reference and mitre tags 2019-10-15 09:44:17 +02:00
Florian Roth 49ed76004c rule: sudo priv esc vuln CVE-2019-14287 2019-10-15 09:39:08 +02:00
Florian Roth 52fef7ae10 Merge pull request #468 from 2d4d/lsass_without_exe 
remove .exe from lsass
 2019-10-14 18:03:13 +02:00
Florian Roth 8db1cac910 fix: made rule compatible with event id 4688 2019-10-14 18:01:24 +02:00
Florian Roth 0e2284a176 rule: modified the default 2019-10-14 17:50:48 +02:00
Florian Roth 312311494d rule: suspicious code page switch using chcp 2019-10-14 17:45:25 +02:00
2d4d cf5d7f11ad remove .exe from lsass 2019-10-14 17:26:33 +02:00
Florian Roth 7ee3974428 rule: suspicious keyboard layout load 2019-10-14 16:25:27 +02:00
Florian Roth 5583684efd rule: extended suspicious procdump rule 2019-10-14 16:21:37 +02:00
Florian Roth 98f0d01b2e rule: mimikatz use extended 2019-10-11 18:50:33 +02:00
Florian Roth 60af1f5a4b rule: WMI Backdoor Exchange Transport Agent 2019-10-11 12:12:44 +02:00
Florian Roth ec5bb71049 fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00
Florian Roth 14971a7b9c fix: FPs with Mimikatz DC Sync rule 2019-10-08 17:44:00 +02:00
Thomas Patzke 60ef593a6f Fixed wrong backslash escaping of * 
Fixes issue #466
 2019-10-07 22:14:44 +02:00
Florian Roth d096ab0e21 rules: AV rules updated to reflect 1.7.2 auf AV cheat sheet 2019-10-04 16:17:34 +02:00
Florian Roth 3eaf4d6e94 fix: fixed typo in bluemashroom rule 2019-10-02 15:45:55 +02:00
Florian Roth 6d78a5fede rule: extended the command line in bluemashroom rule 2019-10-02 14:03:34 +02:00
Florian Roth 7423fe2072 fix: fixed typo in APT group name 2019-10-02 14:02:07 +02:00
Florian Roth e993ef46f0 rule: APT blue mushroom 2019-10-02 13:57:14 +02:00
Florian Roth 4bc7f6ea52 rule: QBot process creation 2019-10-01 17:25:04 +02:00
Florian Roth e0009bfb4a fix: merged duplicate rules 2019-10-01 16:14:38 +02:00
Florian Roth d8af435827 rule: RUN key pointing to suspicious folders 2019-10-01 16:08:31 +02:00
Florian Roth c44f940fb6 rule: suspicious RUN key created by exe in temp/download folders 2019-10-01 16:08:13 +02:00
Florian Roth 52df9e9f44 rule: execution in Outlook temp folder 2019-10-01 16:07:43 +02:00
Florian Roth 9a7ef0e3c2 fix: fixed rule warning 2019-09-30 19:38:40 +02:00
Florian Roth 2fbd35053e rule: improved formbook detection rule 2019-09-30 19:01:40 +02:00
Florian Roth 38831a05ae rule: formbook malware process creation 2019-09-30 18:57:58 +02:00
Florian Roth 05ca684962 rule: improved emotet rule 2019-09-30 17:17:23 +02:00
Florian Roth 66cbdbfff5 rule: emotet process creation 2019-09-30 15:53:29 +02:00
Florian Roth 93227e1eec Merge pull request #436 from EccoTheFlintstone/master 
rule: impacket framework lateralization detection
 2019-09-28 11:37:07 +02:00
Florian Roth ad59c90b29 Capitalization in Title 2019-09-28 10:30:16 +02:00
Florian Roth 0eb5fd75e1 Merge pull request #446 from EccoTheFlintstone/eventclear 
move wevtutil / fsutil events from ransomware to dedicated rules
 2019-09-28 10:29:03 +02:00