security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

517 Commits

Author SHA1 Message Date
Florian Roth 0f2e1c5934 Bugfix: Missing wildcard in IIS module install rule 2018-01-27 16:15:25 +01:00
Florian Roth d93d7d8e7b Rule: IIS nativ-code module command line installation 2018-01-27 11:13:13 +01:00
Florian Roth aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth 379b2dd207 New recon activity rule 2017-12-11 09:31:54 +01:00
Florian Roth 8e2aef035c Removed commands - false positive reduction 2017-12-11 09:31:54 +01:00
Florian Roth 1464ab4ab8 Renamed rule: recon activity > net recon activity - to be more specific 2017-12-11 09:31:54 +01:00
Thomas Patzke 2ec5919b9e Fixed win_disable_event_logging by multiline description 2017-11-19 22:49:40 +01:00
Nate Guagenti a796ff329e Create win_disable_event_logging 2017-11-15 21:56:30 -05:00
Florian Roth a0ac61229c Rule: Detect plugged USB devices 2017-11-09 08:40:46 +01:00
Thomas Patzke 5035c9c490 Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00
Thomas Patzke f3a809eb00 Improved admin logon rules and removed duplicates 2017-11-01 21:33:01 +01:00
Thomas Patzke 0055eedb83 Merge pull request #54 from juju4/CAR-2016-04-005b 
Admin user remote login
 2017-11-01 21:22:09 +01:00
Thomas Patzke 613f922976 Merge pull request #43 from juju4/master 
New rules
 2017-11-01 21:21:30 +01:00
Thomas Patzke 118e8af738 Simplified rule collection 2017-11-01 10:00:35 +01:00
Thomas Patzke 732f01878f Sigma rule collection YAML action documents 2017-11-01 00:17:55 +01:00
Thomas Patzke d0b2bd9875 Multiple rules per file 
* New wrapper class SigmaCollectionParser parses all YAML documents
  contained in file and handles multiple SigmaParser instantiation.
* Exemplary extended one security/4688 rule to security/4688 + sysmon/1
 2017-10-31 23:06:18 +01:00
Thomas Patzke 9d96a998d7 Merge pull request #56 from juju4/CAR-2013-05-002b 
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
 2017-10-30 00:27:56 +01:00
Thomas Patzke 720c992573 Dropped within keyword 
Covered by timeframe attribute.

Fixes issue #26.
 2017-10-30 00:25:56 +01:00
Thomas Patzke c865b0e9a8 Removed within keyword in rule 2017-10-30 00:15:01 +01:00
juju4 4b64fc1704 double quotes = escape 2017-10-29 14:42:40 -04:00
juju4 07185247cb double quotes = escape 2017-10-29 14:32:52 -04:00
juju4 f5f20c3f75 Admin user remote login 2017-10-29 14:30:11 -04:00
juju4 19dd69140b Detects Suspicious Run Locations - MITRE CAR-2013-05-002 2017-10-29 14:27:01 -04:00
juju4 ad27a0a117 Detects Quick execution of a series of suspicious commands - MITRE CAR-2013-04-002 2017-10-29 14:24:53 -04:00
juju4 e2213347ad Merge remote-tracking branch 'upstream/master' 2017-09-09 11:33:18 -04:00
Florian Roth e06cf6c43f Service install - net user persistence 2017-08-16 15:16:57 +02:00
juju4 b109a1277e Detects suspicious process related to rasdial.exe 2017-08-13 16:20:25 -04:00
juju4 012ed4cd7d Detects execution of executables that can be used to bypass Applocker whitelisting 2017-08-13 16:20:01 -04:00
juju4 f861969e95 tentative rule to detect admin users remote login 2017-08-13 16:19:24 -04:00
juju4 d2ae98b0de tentative rule to detect admin users interactive login 2017-08-13 16:18:58 -04:00
juju4 21b1c52d1e forfiles, bash detection 2017-08-13 16:18:13 -04:00
Thomas Patzke 0217cd5b1d Merge branch 'master' into travis-test-working 2017-08-02 23:03:03 +02:00
Thomas Patzke f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke 6f5b9e183c Merge branch 'master' into travis-test-working 2017-08-02 00:32:52 +02:00
Thomas Patzke b82a6fdc51 Added wildcards to windows/builtin/win_susp_rundll32_activity.yml 2017-08-02 00:09:34 +02:00
Thomas Patzke 84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00
Thomas Patzke c350a90b21 Merge branch 'master' into rules-juju4 2017-08-01 23:55:53 +02:00
juju4 5b778c9833 yamllint: quote twitter-formatted nickname 2017-07-30 11:42:25 -04:00
juju4 5b42c64fcd Merge remote-tracking branch 'upstream/master' 2017-07-30 11:12:03 -04:00
juju4 31b033d492 suspicious rundll32 activity rules 2017-07-30 11:11:45 -04:00
juju4 3a8946a3ac suspicious phantom dll rules 2017-07-30 11:11:17 -04:00
juju4 fbbf29fd80 suspicious cli escape character rules 2017-07-30 11:10:43 -04:00
juju4 83fa83aa43 suspicious certutil activity rules 2017-07-30 11:09:51 -04:00
juju4 f487451c45 more suspicious cli process 2017-07-30 11:09:24 -04:00
Florian Roth d1cdb3c480 Certutil duplicate entry and "-ping" command 2017-07-23 14:51:57 -06:00
Florian Roth cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file) 
> the -urlcache is the relevant command
 2017-07-20 12:54:55 -06:00
Florian Roth 3a55b31da2 certutil file download - more generic approach 2017-07-20 12:48:47 -06:00
Florian Roth b85d96e458 certutil detections (renamed, extended) 
see https://twitter.com/subTee/status/888102593838362624
 2017-07-20 12:38:10 -06:00
Florian Roth 8f525d2f01 Wannacry Rules Reorg and Renaming 2017-06-28 09:08:53 +02:00
Florian Roth 3f245d27f8 Eventlog cleared ID 104 2017-06-27 17:29:39 +02:00