security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

517 Commits

Author SHA1 Message Date
Florian Roth 92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Florian Roth acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth 1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Thomas Patzke 0d8bc922a3 Merge branch 'master' into master 2018-07-24 08:23:37 +02:00
David Spautz e275d44462 Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00
James Dickenson c4edc26267 windows builtin mitre attack tags 2018-07-23 21:34:20 -07:00
megan201296 a169723005 fixed typo 2018-07-13 13:53:21 -05:00
Thomas Patzke 2dc5295abf Removed redundant attribute from rule 2018-07-10 22:50:02 +02:00
Florian Roth dea019f89d fix: some threat levels adjusted 2018-07-07 13:00:23 -06:00
Florian Roth c3bf968462 High FP Rule 2018-06-29 16:01:46 +02:00
Florian Roth c26c3ee426 Trying to fix rule 2018-06-28 16:39:47 +02:00
Florian Roth 9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
scherma 19ba5df207 False positive circumstance 2018-06-27 21:14:38 +01:00
Florian Roth 86e6518764 Changed (any) statements to (not null) to comply with the newest specs 2018-06-27 20:57:58 +02:00
Florian Roth a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth 9705366060 Adjusted some rules 2018-06-27 16:54:44 +02:00
Florian Roth 28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke 7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke df6ad82770 Removed redundant attribute from rule 
EventID 4657 already implies the modification.
 2018-06-21 23:59:55 +02:00
Florian Roth 946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth 9c817a493b Rule: DCSync 2018-06-03 16:00:57 +02:00
Florian Roth 8e500d2caa Bugfix in rule 2018-05-29 14:11:12 +02:00
Florian Roth 2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke 079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Thomas Patzke 6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth 49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth 8420d3174a Reordered 2018-04-18 16:34:16 +02:00
yt0ng c637c2e590 Adding Detections for renamed wmic and format 
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
 2018-04-18 15:02:52 +02:00
Florian Roth 9b8df865b1 Extended rule 2018-04-18 12:13:45 +02:00
yt0ng a4fb39a336 also for http 2018-04-18 08:19:47 +02:00
yt0ng 169a4404c2 added SquiblyTwo Detection 2018-04-17 21:33:26 +02:00
Thomas Patzke a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00
Thomas Patzke b1bfa64231 Removed redundant 'EventLog' conditions 2018-03-26 00:36:40 +02:00
Thomas Patzke f68af2a5da Added reference to Kerberos RC4 rule 2018-03-25 23:19:01 +02:00
Florian Roth f220e61adc Fixed second selection in rule 2018-03-21 10:47:14 +01:00
Florian Roth 70c2f973a3 Rule: Smbexec.py Service Installation 2018-03-21 10:44:37 +01:00
Florian Roth 3c968d4ec6 Fixed rule for any ControlSets 2018-03-21 10:44:37 +01:00
Florian Roth e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth 8b31767d31 Rule: PsExec usage 2018-03-15 19:54:22 +01:00
Thomas Patzke ada1ca94ea JPCERT rules 
* Addition of ntdsutil.exe rule
* Added new link to existing rules
 2018-03-08 00:10:19 +01:00
Thomas Patzke 8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke 84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Dominik Schaudel cea48d9010 Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 21:57:22 +01:00
Florian Roth d6d031fc23 Rule update: Olympic destroyer detection 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 15:35:47 +01:00
Florian Roth 0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
SherifEldeeb 348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb 48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb 112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00