security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

2542 Commits

Author SHA1 Message Date
Florian Roth 0ffd226293 Moved new rule to sysmon folder 2018-04-11 20:11:54 +02:00
Florian Roth 52d405bb1b Improved shell spawning rule 2018-04-11 20:09:42 +02:00
Florian Roth b065c2c35c Simplified rule 2018-04-11 19:03:35 +02:00
Karneades fa6677a41d Remove @ in author 
Be nice to Travis: "error    syntax error: found character '@' that cannot start any token"
 2018-04-11 15:21:42 +02:00
Karneades be3c27981f Add rule for Windows registry persistence mechanisms 2018-04-11 15:13:00 +02:00
Thomas Patzke 788111f174 Fixes for Elasticsearch query correctness CI tests 
* Quoting in rule
* Reading queries without special processing of backslashes

Unfortunately, backslashes still cause breaks caused by Bash handling of
them.
 2018-04-09 22:33:29 +02:00
Florian Roth 56172ae174 Corrected CrackMapExec rule 2018-04-09 08:40:03 +02:00
Florian Roth a9c7fe202e Rule: Windows shell spawning suspicious program 2018-04-09 08:37:30 +02:00
Florian Roth 8ddd40e18e PowerShell Cradle - WebDAV UA 2018-04-09 08:37:30 +02:00
Florian Roth e53826e167 Extended Sysmon Office Shell rule 2018-04-09 08:37:30 +02:00
Florian Roth 6eb8cdfeab TSCookie UA 2018-04-09 08:37:30 +02:00
Thomas Patzke f113832c04 Merge pull request #69 from jmallette/rules 
Create cmdkey recon rule
 2018-04-08 23:23:30 +02:00
root 69671733a8 added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 17:10:00 +02:00
Thomas Patzke a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00
Thomas Patzke b1bfa64231 Removed redundant 'EventLog' conditions 2018-03-26 00:36:40 +02:00
Thomas Patzke f68af2a5da Added reference to Kerberos RC4 rule 2018-03-25 23:19:01 +02:00
Thomas Patzke dacc6ae3d3 Fieldname case: Commandline -> CommandLine 2018-03-25 23:08:28 +02:00
Florian Roth e141a834ff Rule: Ping hex IP address 
https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
 2018-03-23 17:00:00 +01:00
Florian Roth c10da5b734 Improved Chafer activity rule 2018-03-23 10:50:40 +01:00
Florian Roth a797a281ac Rule: Chafer / OilRig activity Mar 18 
https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 2018-03-23 08:59:16 +01:00
Florian Roth f220e61adc Fixed second selection in rule 2018-03-21 10:47:14 +01:00
Florian Roth 70c2f973a3 Rule: Smbexec.py Service Installation 2018-03-21 10:44:37 +01:00
Florian Roth 3c968d4ec6 Fixed rule for any ControlSets 2018-03-21 10:44:37 +01:00
Florian Roth 97204d8dc0 Renamed rule 2018-03-20 15:04:11 +01:00
Florian Roth e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth a7eb4d3e34 Renamed rule 2018-03-20 11:12:35 +01:00
Florian Roth b84bbd327b Rule: NetNTLM Downgrade Attack 
https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 2018-03-20 11:07:21 +01:00
Florian Roth a6d293e31d Improved tscon rule 2018-03-20 10:54:04 +01:00
Florian Roth 8fb6bc7a8a Rule: Suspicious taskmgr as LOCAL_SYSTEM 2018-03-19 16:36:39 +01:00
Florian Roth af8be8f064 Several rule updates 2018-03-19 16:36:15 +01:00
Florian Roth 648ac5a52e Rules: tscon.exe anomalies 
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 2018-03-17 19:14:13 +01:00
Karneades 49c12f1df8 Add missing binaries 2018-03-16 10:52:43 +01:00
Florian Roth a257b7d9d7 Rule: Stickykey improved 2018-03-16 09:10:07 +01:00
Florian Roth 8b31767d31 Rule: PsExec usage 2018-03-15 19:54:22 +01:00
Florian Roth 0460e7f18a Rule: Suspicious process started from taskmgr 2018-03-15 19:54:03 +01:00
Florian Roth f5494c6f5f Rule: StickyKey-ike backdoor usage 2018-03-15 19:53:34 +01:00
Florian Roth d9d27fec74 Improved EquationGroup dll load rule 2018-03-11 01:22:04 +01:00
Florian Roth 74c2f91a7d Extended the Slingshot APT rule 2018-03-10 16:44:18 +01:00
Florian Roth 66d52cfeef Rule: Defrag deactivation 2018-03-10 15:49:50 +01:00
Florian Roth ef75f2a248 Minor adjustment in: EquationGroup dll_u load 2018-03-10 12:24:49 +01:00
Florian Roth e9d16bfae1 Bugfix in: EquationGroup dll_u load 2018-03-10 12:22:53 +01:00
Florian Roth 5ae5c9de19 Rule: Outlook spawning shells to detect Turla like C&C via Outlook 2018-03-10 09:04:11 +01:00
Florian Roth 6a65a7a1bf EquationGroup dll_u load 2018-03-10 09:04:11 +01:00
jmallette aff46be8a3 Create cmdkey recon rule 2018-03-08 13:25:05 -05:00
Thomas Patzke ada1ca94ea JPCERT rules 
* Addition of ntdsutil.exe rule
* Added new link to existing rules
 2018-03-08 00:10:19 +01:00
Thomas Patzke 8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke 3b8b04fe09 Merge branch 'devel-sigmac' 2018-03-06 23:19:45 +01:00
Thomas Patzke 8041f77abd Merged similar rules 2018-03-06 23:19:11 +01:00
Thomas Patzke 84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Florian Roth 1ecfd83a6a Missing separator 2018-03-05 11:30:01 +01:00