security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

517 Commits

Author SHA1 Message Date
Thomas Patzke ad7d5d2a39 Added WMI login rule 2019-12-04 11:13:04 +01:00
Thomas Patzke e8c1c97f3e Added rule for failed code integrity checks 2019-12-03 15:08:26 +01:00
Thomas Patzke c47af5169c Increased SID history rule severity 2019-12-03 14:28:46 +01:00
Thomas Patzke 76578927e8 Added domain trust rule 2019-12-03 14:28:20 +01:00
yugoslavskiy d5722979ea add rules by Daniel Bohannon 2019-11-27 00:02:45 +01:00
webhead404 21ef152e3a Update win_external_device.yml 2019-11-20 16:19:45 -06:00
webhead404 2bfd4ea654 Added MITRE tags 2019-11-20 16:18:03 -06:00
webhead404 5c5d28acdc Create win_external_device 2019-11-20 16:07:29 -06:00
yugoslavskiy efc404fbae resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml 2019-11-19 02:11:19 +01:00
Florian Roth 04288771a1 fix: bugfix in RottenPotato rule - wrong identifier 2019-11-15 11:50:03 +01:00
Florian Roth 7e6031705e rule: RottenPotato attack pattern 2019-11-15 11:44:18 +01:00
yugoslavskiy ac21810d7a Merge pull request #516 from yugoslavskiy/oscd_task_#2_credentials_dumping 
oscd task #2 completed
 2019-11-14 01:03:27 +03:00
yugoslavskiy c7c29a39b6 Update win_susp_lsass_dump_generic.yml 2019-11-14 00:45:47 +03:00
yugoslavskiy 633c6db254 Update win_remote_registry_management_using_reg_utility.yml 2019-11-14 00:44:47 +03:00
yugoslavskiy cd31354df2 Update win_quarkspwdump_clearing_hive_access_history.yml 2019-11-14 00:43:56 +03:00
yugoslavskiy 334626168c Update win_mal_service_installs.yml 2019-11-14 00:43:03 +03:00
yugoslavskiy c8ee6e9631 Merge pull request #504 from yugoslavskiy/oscd_ilyas_ochkov 
[OSCD] Ilyas Ochkov contribution
 2019-11-14 00:22:48 +03:00
yugoslavskiy d8447946d6 Update win_suspicious_outbound_kerberos_connection.yml 2019-11-13 23:37:25 +03:00
yugoslavskiy 7f01a5b1bb Update win_new_or_renamed_user_account_with_dollar_sign.yml 2019-11-13 23:35:59 +03:00
yugoslavskiy 26479485e6 Update win_new_or_renamed_user_account_with_dollar_sign.yml 2019-11-13 23:34:46 +03:00
Thomas Patzke 0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke 5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
yugoslavskiy 385ebac502 Merge pull request #497 from Heirhabarov/master 
OSCD Task 1 - Privilege Escalation
 2019-11-11 01:33:28 +03:00
yugoslavskiy a69d9d9980 Update win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 2019-11-11 01:04:01 +03:00
yugoslavskiy 0db5436778 add tieto dns exfil rules 2019-11-10 20:27:21 +03:00
yugoslavskiy 4fa928866f oscd task #6 done. 
add 25 new rules:

- win_ad_replication_non_machine_account.yml
- win_dpapi_domain_backupkey_extraction.yml
- win_protected_storage_service_access.yml
- win_dpapi_domain_masterkey_backup_attempt.yml
- win_sam_registry_hive_handle_request.yml
- win_sam_registry_hive_dump_via_reg_utility.yml
- win_lsass_access_non_system_account.yml
- win_ad_object_writedac_access.yml
- powershell_alternate_powershell_hosts.yml
- sysmon_remote_powershell_session_network.yml
- win_remote_powershell_session.yml
- win_scm_database_handle_failure.yml
- win_scm_database_privileged_operation.yml
- sysmon_wmi_module_load.yml
- sysmon_remote_powershell_session_process.yml
- sysmon_rdp_registry_modification.yml
- sysmon_powershell_execution_pipe.yml
- sysmon_alternate_powershell_hosts_pipe.yml
- sysmon_powershell_execution_moduleload.yml
- sysmon_createremotethread_loadlibrary.yml
- sysmon_alternate_powershell_hosts_moduleload.yml
- powershell_remote_powershell_session.yml
- win_non_interactive_powershell.yml
- win_syskey_registry_access.yml
- win_wmiprvse_spawning_process.yml

improve 1 rule:

- rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
 2019-11-10 18:43:41 +03:00
yugoslavskiy c0ac9b8fb9 fix conflict 2019-11-10 17:31:33 +03:00
yugoslavskiy 127335a0ec Merge pull request #482 from yugoslavskiy/master 
[OSCD][The ThreatHunter-Playbook] Task 6: DONE
 2019-11-10 17:27:54 +03:00
Florian Roth 9835950f04 rule: SID to AD object rule level adjusted 2019-11-09 12:49:54 +01:00
yugoslavskiy 92e09db9ab Update win_susp_lsass_dump_generic.yml 2019-11-07 04:27:53 +03:00
yugoslavskiy 1f7b3bc9a2 add rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml 2019-11-04 05:05:57 +03:00
yugoslavskiy 701e7f7cc6 oscd task #2 completed 
- new rules:

	+ rules/windows/builtin/win_susp_lsass_dump_generic.yml
	+
rules/windows/builtin/win_transferring_files_with_credential_data_via_ne
twork_shares.yml
	+
rules/windows/builtin/win_remote_registry_management_using_reg_utility.y
ml
	+ rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
	+ rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
	+
rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
	+
rules/windows/process_creation/process_creation_shadow_copies_creation.y
ml
	+
rules/windows/process_creation/process_creation_shadow_copies_deletion.y
ml
	+
rules/windows/process_creation/process_creation_copying_sensitive_files_
with_credential_data.yml
	+
rules/windows/process_creation/process_creation_shadow_copies_access_sym
link.yml
	+
rules/windows/process_creation/process_creation_grabbing_sensitive_hives
_via_reg.yml
	+
rules/windows/process_creation/process_creation_mimikatz_command_line.ym
l
	+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml
	+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml
.yml

- updated rules:

	+ rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
	+ rules/windows/builtin/win_mal_creddumper.yml
	+ rules/windows/builtin/win_mal_service_installs.yml
	+ rules/windows/process_creation/win_susp_process_creations.yml
	+ rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
	+ rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

- deprecated rules:

	+ rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
 2019-11-04 04:26:34 +03:00
Karneades 68fd20cb66 fix: bound windows event log rules to message field 
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
 2019-11-02 11:25:29 +01:00
4A616D6573 013d862afd Create win_susp_local_anon_logon_created.yml 2019-10-31 21:56:30 +11:00
booberry46 36fe748c2e Update win_rdp_reverse_tunnel.yml 
With the recent example for the evtx. RDP Tunneling can happen not only from port 3389. So I tune it to fit in general.

Changed the obsolete twitter status with linkage to the evtx from Samir Bousseaden
 2019-10-29 17:25:37 +08:00
Yugoslavskiy Daniil fd606cb376 spaces fix 2019-10-29 03:59:07 +03:00
Yugoslavskiy Daniil 4251d9f490 ilyas ochkov contribution 2019-10-29 03:44:22 +03:00
Teimur Kheirkhabarov 32b0a3987e Several mistakes were fixed 2019-10-28 08:43:58 +03:00
Teimur Kheirkhabarov fde949174d OSCD Task 1 - Privilege Escalation 2019-10-27 20:54:07 +03:00
yugoslavskiy 4fb9821b49 added: 
win_non_interactive_powershell.yml
	win_remote_powershell_session.yml
	win_wmiprvse_spawning_process.yml
	powershell_alternate_powershell_hosts.yml
	powershell_remote_powershell_session.yml
	sysmon_alternate_powershell_hosts_moduleload.yml
	sysmon_alternate_powershell_hosts_pipe.yml
	sysmon_non_interactive_powershell_execution.yml
	sysmon_powershell_execution_moduleload.yml
	sysmon_powershell_execution_pipe.yml
	sysmon_remote_powershell_session_network.yml
	sysmon_remote_powershell_session_process.yml
	sysmon_wmi_module_load.yml
	sysmon_wmiprvse_spawning_process.yml
 2019-10-24 15:48:38 +02:00
yugoslavskiy 3934f6c756 add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00
Yugoslavskiy Daniil 7cfd47be7c add win_scm_database_handle_failure.yml, win_scm_database_privileged_operation.yml, win_syskey_registry_access.yml 2019-10-24 02:40:11 +02:00
Florian Roth 98f0d01b2e rule: mimikatz use extended 2019-10-11 18:50:33 +02:00
Florian Roth ec5bb71049 fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00
Florian Roth 14971a7b9c fix: FPs with Mimikatz DC Sync rule 2019-10-08 17:44:00 +02:00
Thomas Patzke 60ef593a6f Fixed wrong backslash escaping of * 
Fixes issue #466
 2019-10-07 22:14:44 +02:00
Florian Roth 36bcd1c54e Merge pull request #443 from EccoTheFlintstone/aduserbck 
fix FP : field null value can be '-'
 2019-09-25 17:43:22 +02:00
Florian Roth 3d333290a9 Merge pull request #445 from EccoTheFlintstone/localadmin 
rule: user added to local administrator: handle non english systems b…
 2019-09-25 17:29:41 +02:00
Florian Roth 596140543d Merge pull request #455 from EccoTheFlintstone/ruler_fix 
Ruler fix
 2019-09-25 17:26:55 +02:00
ecco a644b938a0 fix PtH rule : field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0) 2019-09-23 05:44:26 -04:00