security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

2542 Commits

Author SHA1 Message Date
Florian Roth e7465d299f fix: false positive with MsMpEng.exe and svchost.exe as child process 2018-07-03 05:05:44 -06:00
yt0ng 42941ee105 Detects ImageLoad by uncommon Image 
Process Hollowing Described by SubTee using notepad https://twitter.com/subTee/status/1012657434702123008
 2018-07-01 15:47:17 +02:00
Florian Roth 48582a1c93 Bugfix in Flash Downloader Rule 2018-06-30 23:39:38 +02:00
Florian Roth c3bf968462 High FP Rule 2018-06-29 16:01:46 +02:00
Florian Roth c26c3ee426 Trying to fix rule 2018-06-28 16:39:47 +02:00
Florian Roth 9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
scherma 19ba5df207 False positive circumstance 2018-06-27 21:14:38 +01:00
Florian Roth 86e6518764 Changed (any) statements to (not null) to comply with the newest specs 2018-06-27 20:57:58 +02:00
Florian Roth a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth 9705366060 Adjusted some rules 2018-06-27 16:54:44 +02:00
Florian Roth fc72bd16af Fixed bugs 2018-06-27 09:20:41 +02:00
Florian Roth f4b150def8 Rule: Powershell remote thread creation in Rundll32 2018-06-25 15:23:19 +02:00
Florian Roth 1a1011b0ad Merge pull request #96 from yt0ng/master 
Detects the creation of a schtask via PowerSploit Default Configuration
 2018-06-23 17:15:14 +02:00
yt0ng c59d0c7dca Added additional options 2018-06-23 15:54:31 +02:00
yt0ng cc3fd9f5d0 Detects the creation of a schtask via PowerSploit Default Configuration 
https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
 2018-06-23 15:45:58 +02:00
Florian Roth 28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke 7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke df6ad82770 Removed redundant attribute from rule 
EventID 4657 already implies the modification.
 2018-06-21 23:59:55 +02:00
Florian Roth b05856eae1 Rule: Update suspicious TLD downloads 2018-06-13 00:08:46 +02:00
Florian Roth 946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth f6f718c54f Cosmetics 2018-06-10 10:28:59 +02:00
yt0ng 3166bf5b05 Update proxy_ua_apt.yml 
user Agent seen in https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
 2018-06-10 10:17:02 +02:00
Florian Roth bd61f223ee Sofacy Zebrocy samples 2018-06-06 23:24:18 +02:00
Florian Roth 667b3b4935 Rule: Added 2 more Sofacy User-Agents 2018-06-06 22:38:50 +02:00
Florian Roth 9640806678 Rules: Telegram Bot API access 2018-06-05 16:25:43 +02:00
Florian Roth 9c817a493b Rule: DCSync 2018-06-03 16:00:57 +02:00
Florian Roth d1d4473505 Rule: ADS with executable 
https://twitter.com/0xrawsec/status/1002478725605273600
 2018-06-03 02:08:57 +02:00
Florian Roth 8e500d2caa Bugfix in rule 2018-05-29 14:11:12 +02:00
Alexandre ZANNI 74da324d8f remove old public_html 
remove old public_html
 2018-05-29 11:44:38 +02:00
Alexandre ZANNI a1de770b64 enhance web server paths 
- specify when it is apache only
- add Per-user path
- add archlinux paths
 2018-05-29 11:41:36 +02:00
Florian Roth 51c6d0a767 Rule: Proxy User-Agent VPNFilter 2018-05-24 00:34:07 +02:00
Florian Roth 2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke 079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Matthew Green 16365b7793 Update_WebDAV 
Made the name a bit generic as WebDAV can be used by several download cradles.
Added in HttpMethod as a select as GET requests makes for a great filter point with much less false positives.
 2018-05-16 13:05:15 +10:00
Thomas Patzke 6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth 1aaed07dd7 Rule: Suspicious base64 encoded part of DNS query 2018-05-10 14:08:52 +02:00
Florian Roth 62b490396d Rule: Cobalt Strike DNS Beaconing 2018-05-10 14:08:52 +02:00
Thomas Patzke de2ed08695 Merge branch 'ci-es' 2018-05-01 00:34:11 +02:00
Florian Roth ae6df590a9 Delphi downloader https://goo.gl/rMVUSM 2018-04-24 23:23:21 +02:00
Florian Roth 49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth 3c1c9d2b31 Merge pull request #81 from yt0ng/sigma-yt0ng 
added SquiblyTwo Detection
 2018-04-18 16:39:37 +02:00
Florian Roth 8420d3174a Reordered 2018-04-18 16:34:16 +02:00
yt0ng c637c2e590 Adding Detections for renamed wmic and format 
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
 2018-04-18 15:02:52 +02:00
Florian Roth 9b8df865b1 Extended rule 2018-04-18 12:13:45 +02:00
yt0ng a4fb39a336 also for http 2018-04-18 08:19:47 +02:00
yt0ng 169a4404c2 added SquiblyTwo Detection 2018-04-17 21:33:26 +02:00
Markus Härnvi cf237cf658 "author" should be a string and not a list, according to the specification 2018-04-16 23:42:51 +02:00
Florian Roth d8bbf26f2c Added msiexec to rule in order to cover new threats 
https://twitter.com/DissectMalware/status/984252467474026497
 2018-04-12 09:12:50 +02:00
Florian Roth 58517907ad Improved rule to provide support for for old sysmon \REGISTRY syntax 2018-04-11 20:15:17 +02:00