security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,256 Commits 1 Branch 57 Tags
7f0ad710fdf41e357d4ed3cc47c2fca5d7b454cb
Commit Graph

2078 Commits

Author SHA1 Message Date
Austin Songer 18d65387b5 Create process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:15:03 -05:00
frack113 ed1a1caa2e Merge pull request #2098 from frack113/fix_tags 
fix tags in win_susp_mpcmdrun_download.yml
 2021-09-29 17:06:18 +02:00
neonprimetime security (Justin C Miller) 2ae2c35a7f mispelled 'mshta.exe' in selection_base 
it said 'mhsta.exe' and it should say 'mshta.exe'
 2021-09-29 07:47:12 -05:00
frack113 4a66ea04bd fix tags 2021-09-29 08:26:05 +02:00
zaicurity a2418e4d2c Added alternative command parameter 
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection. 
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
 2021-09-28 17:39:21 +02:00
frack113 c3222945ef Merge pull request #2093 from austinsonger/win_sysmon_driver_unload.yml 
win_sysmon_driver_unload.yml
 2021-09-28 16:22:43 +02:00
Austin Songer 3e7b3073cf Update win_sysmon_driver_unload.yml 2021-09-27 23:30:30 -05:00
Florian Roth b227f8459d fix: typo in filename 2021-09-27 22:37:20 +02:00
Florian Roth ada966c5be Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-09-27 22:34:30 +02:00
Florian Roth cee44e6688 renamed files: lowercase 2021-09-27 22:33:30 +02:00
kidrek 267da51745 The issues have been fixed 2021-09-24 22:18:00 +02:00
kidrek ecd4719a20 add new rule win_process_dump_rdrleakdiag 2021-09-24 18:22:06 +02:00
frack113 c59b0eb543 Merge pull request #2063 from frack113/last_global 
Split Last Global Rules
 2021-09-23 13:54:57 +02:00
Florian Roth 3107ede1c4 Merge branch 'pr/2065' 2021-09-23 09:18:15 +02:00
Austin Songer ab613af365 Update sysmon_atlassian_confluence_cve_2021_26084_exploit.yml 2021-09-22 22:24:24 -05:00
frack113 6e6d57b019 fix filename 2021-09-22 18:45:08 +02:00
unknown 9924cc3946 win-apt-greenbug-fix amend b64 value of /server= as seen in IOC 2021-09-22 10:33:04 -04:00
frack113 ab5f5f95bc fix filename 2021-09-22 16:27:05 +02:00
frack113 3c906b52a0 fix filename 2021-09-22 16:21:07 +02:00
unknown 3ace73f9fd win-apt-greenbug-fix - change modified date as well 2021-09-21 16:59:32 -04:00
unknown 993bf46550 win-apt-greenbug-fix small change to B64encoded value of '/server=' in detection criteria 2021-09-21 16:56:01 -04:00
frack113 8c13bd23b9 split global win_powershell_web_request 2021-09-21 13:44:19 +02:00
frack113 ba3c7a020a split global win_root_certificate_installed.yml 2021-09-21 13:34:32 +02:00
frack113 6368a88ad3 split global win_software_discovery.yml 2021-09-21 13:28:47 +02:00
frack113 4718f914e9 split global sysmon_hack_dumpert.yml 2021-09-21 10:43:42 +02:00
frack113 318f8b714e split global win_tool_psexec.yml 2021-09-21 10:10:48 +02:00
Florian Roth 8909eefb90 Merge pull request #2052 from phantinuss/pr 
xwizard dll sideloading
 2021-09-20 12:35:42 +02:00
phantinuss 25a407e24f Update win_dll_sideload_xwizard.yml 2021-09-20 10:56:37 +02:00
Florian Roth 6c630502dc Update win_dll_sideload_xwizard.yml 2021-09-20 10:54:53 +02:00
phantinuss 4e794fe3e7 xwizard dll sideloading 2021-09-20 10:39:31 +02:00
frack113 d5108502a2 split win_apt_chafer_mar18.yml 2021-09-19 11:48:20 +02:00
frack113 faff9e6db7 spli win_apt_slingshot.yml 2021-09-19 11:36:40 +02:00
frack113 e69ec4624a split win_apt_gallium.yml 2021-09-19 11:24:17 +02:00
frack113 c43c12e557 split win_apt_turla_commands.yml 2021-09-19 11:17:50 +02:00
frack113 b576ad115b split win_apt_unidentified_nov_18.yml 2021-09-19 11:11:04 +02:00
frack113 06de91c92a split win_apt_wocao.yml 2021-09-19 11:07:24 +02:00
frack113 dc8ad15d1a split win_exchange_transportagent.yml 2021-09-19 11:03:16 +02:00
frack113 deb0ad5f58 split win_hktl_createminidump.yml 2021-09-19 10:19:34 +02:00
frack113 18e7e16005 split win_mal_adwind.yml 2021-09-19 10:12:03 +02:00
frack113 416b0556b1 split win_silenttrinity_stage_use.yml 2021-09-19 10:02:05 +02:00
frack113 7d000f2b1d split win_susp_winrm_AWL_bypass.yml 2021-09-19 09:41:17 +02:00
frack113 6dd4315f36 Merge pull request #2035 from frack113/fix_bad_category 
Fix bad category in possible_privilege_escalation_via_service_registry_permissions
 2021-09-17 06:35:29 +02:00
frack113 8a847e0538 Update process_creation_possible_privilege_escalation_via_service_registry_permissions.yml 2021-09-15 19:05:31 +02:00
frack113 973e0666ac Merge pull request #2020 from frack113/pc_global 
Split some global process_creation rules
 2021-09-15 19:03:30 +02:00
frack113 3b8282c221 fix detection 2021-09-15 16:21:30 +02:00
frack113 437ea3408b split sysmon_stickykey_like_backdoor.yml 2021-09-12 09:58:43 +02:00
frack113 81c2b2731c split sysmon_dns_serverlevelplugindll.yml 2021-09-12 09:53:20 +02:00
frack113 f3ad5953d5 split sysmon_apt_pandemic 2021-09-12 09:42:11 +02:00
frack113 3db427873a split sysinternals eula and uac bypass 2021-09-12 09:38:05 +02:00
frack113 830c0c9f22 Update process_creation_advanced_ip_scanner.yml 2021-09-12 08:53:10 +02:00