security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

2542 Commits

Author SHA1 Message Date
yugoslavskiy a295334355 win_susp_dhcp_config_failed fixed 2019-07-17 07:01:58 +03:00
yugoslavskiy bb1c040b1b rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved 2019-07-17 06:19:18 +03:00
yugoslavskiy 803f2d4074 changed logic to detect events related to sid history adding 2019-07-17 04:28:21 +03:00
yugoslavskiy 310e3b7a44 rules/windows/builtin/win_susp_add_sid_history.yml improved 2019-07-17 03:55:02 +03:00
Nate Guagenti e2050404bc prevent EventID collision for dhcp 
This prevents EventID collision for this rule with other sources/logs that share the same EventIDs.
specifically a lot with Microsoft-Windows-Security-SPP
 2019-07-16 15:30:52 -04:00
Tareq AlKhatib d08a993159 Fixed commandline to detect any shim install from any location 2019-07-08 12:31:18 +03:00
Christophe Tafani-Dereeper 5bc10a4855 Include Github raw URLs in suspicious downloads detection rule 2019-07-05 09:01:35 +00:00
Florian Roth 0b883a90b6 fix: null value in separate expression 2019-07-02 20:14:45 +02:00
Florian Roth f5a8a81ff7 fix: linux cmds rule 2019-07-02 15:22:26 +02:00
Florian Roth ce43d600e3 fix: added null value / application to 4688 problem 2019-07-02 10:51:48 +02:00
Tareq AlKhatib 15e2f5df5f fixed typos 2019-06-29 15:35:59 +03:00
Vasiliy Burov 2f123f64a7 Added command that stops services. 2019-06-28 19:46:34 +03:00
Vasiliy Burov 3813d277a6 Ryuk Ransomware commands from real case 2019-06-28 19:26:05 +03:00
Florian Roth ad386474bf fix: removed unusable extensions in proc exec context 2019-06-26 17:03:01 +02:00
Florian Roth 708f3ef002 fix: fixed duplicate element in new double extension rule 2019-06-26 16:00:58 +02:00
Florian Roth 41dc076959 Rule: suspicious double extension 2019-06-26 15:57:25 +02:00
Florian Roth 39b5eddfc7 Rule: Suspicious userinit.exe child process 2019-06-23 13:27:06 +02:00
Florian Roth 26036e0d35 fix: fixed image in taskmgr rule 2019-06-21 17:15:53 +02:00
Thomas Patzke ff7128209e Adjusted level 2019-06-20 00:03:48 +02:00
Thomas Patzke 0f8849a652 Rule fixes 
* tagging
* removed spaces
* converted to generic log source
* typos/case
 2019-06-20 00:01:56 +02:00
Thomas Patzke f4c86f15b8 Merge branch 'master' of https://github.com/mgreen27/sigma into mgreen27-master 2019-06-19 23:49:20 +02:00
Thomas Patzke 429c29ed5a Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing 
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
 2019-06-19 23:43:10 +02:00
Thomas Patzke 960cd69d50 Merge branch 'patch-4' of https://github.com/dvas0004/sigma into dvas0004-patch-4 2019-06-19 23:34:25 +02:00
Thomas Patzke e4e8ebbf95 Merge pull request #368 from JayPowerUser/web-source-code-enumeration 
Web Source Code Enumeration via .git
 2019-06-19 23:27:37 +02:00
Thomas Patzke dbbc1751ef Converted rule to generic log source 2019-06-19 23:25:25 +02:00
Thomas Patzke d14f5c3436 Merge pull request #371 from savvyspoon/issue285 
CAR tagging
 2019-06-19 23:21:43 +02:00
Thomas Patzke d82df83ef1 Merge pull request #369 from TareqAlKhatib/refactors 
Refactors
 2019-06-19 23:16:19 +02:00
Florian Roth a47ec859a8 List for field 'AllowedToDelegateTo' 2019-06-19 08:20:41 +02:00
mgreen27 07e2ee474c sigma/Add sysmon_renamed_binary 2019-06-15 20:20:52 +10:00
mgreen27 1d26708887 sigma/Add sysmon_renamed_binary 2019-06-15 20:19:35 +10:00
David Vassallo d7443d71a4 Create win_pass_the_hash_2.yml 
alternative detection methods
 2019-06-14 18:08:36 +03:00
Michael Wade f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Sherif Eldeeb 2d22a3fe02 Add detection for recent Mimikatz versions 
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
 2019-06-12 12:13:31 +03:00
Thomas Patzke a23f15d42b Converted rule to generic log source 2019-06-11 13:20:15 +02:00
Thomas Patzke 5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
Tareq AlKhatib 3bcfc53905 Corrected Typo 2019-06-10 09:54:37 +03:00
Tareq AlKhatib fce2a45dac Corrected Typo 2019-06-10 09:51:34 +03:00
James Ahearn eae7e3ab10 Web Source Code Enumeration via .git 2019-06-08 22:40:28 -04:00
Thomas Patzke 407d8214f7 Added APT40 Dropbox exfiltration proxy rule 2019-06-07 14:03:41 +02:00
David Vassallo 41f5ebc403 Update win_alert_ad_user_backdoors.yml 
the original rule generates false positives if the "AllowedToDelegateTo" is set to "-". This seems to be a common occurrence, hence my proposed addition
 2019-06-07 13:29:45 +03:00
Unknown 7b0ecde334 Renamed jusched 
https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
 2019-06-06 14:03:02 +02:00
t0x1c-1 7b9a73fb1f Improved Rule 
Removed complex CommandLine
 2019-06-06 13:45:21 +02:00
yugoslavskiy 5827165c2d event id deleted 2019-06-03 15:51:54 +02:00
yugoslavskiy cf947e3720 changed to process_creation category 2019-06-03 15:47:24 +02:00
yugoslavskiy 6a39b4fb41 date added 2019-06-03 15:42:02 +02:00
yugoslavskiy 10db09c596 rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing 2019-06-03 15:37:41 +02:00
Florian Roth a0c9f1594e Rule: renamed file - name was too generic 2019-06-02 10:57:44 +02:00
Florian Roth 491c519d1f Rule: added wmic SHADOWCOPY DELETE 2019-06-02 10:56:13 +02:00
Florian Roth 80560dc12f Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln 2019-06-02 09:52:18 +02:00
Florian Roth 5e7ae0590c Rule: Split up WanaCry rule into two separate rules 2019-06-02 09:52:18 +02:00