security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

2645 Commits

Author SHA1 Message Date
Florian Roth d54209dcc5 rule: ETW disabled 2020-06-06 13:56:19 +02:00
Florian Roth 2e77e65285 rule: Covenant launchers 2020-06-05 11:03:28 +02:00
Furkan ÇALIŞKAN 082696ee84 Added UUID 2020-06-04 18:38:42 +03:00
Furkan ÇALIŞKAN e958a6a939 Date added 2020-06-04 18:34:44 +03:00
Furkan ÇALIŞKAN 5e373153eb Title fix 2020-06-04 18:28:37 +03:00
Furkan ÇALIŞKAN 0744107fbb Deleted EventID part 2020-06-04 18:19:08 +03:00
Furkan ÇALIŞKAN 1c677aa172 Fix title as in guideline 
Fix title error as in guideline and other cosmetic changes
 2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN bafd6bde5f Convert to process_creation 
Convert to process_creation
 2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN 09afae1e66 Create sysmon_apt_muddywater_dnstunnel.yml 
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
 2020-06-04 14:27:19 +03:00
Trent Liffick 6c8c0cd85d Removed incorrect technique 2020-06-03 17:51:57 -04:00
Trent Liffick 3c89f46899 removed unwanted file 2020-06-03 17:43:12 -04:00
Trent Liffick 2af501c9f5 added rule for zLoader & Office 
detects changes to Office macro settings & ZLoader malware
 2020-06-03 17:40:05 -04:00
Trent Liffick a2ca199e7d added rules for Lazaurs and hhsgov 2020-06-03 17:38:03 -04:00
William Bruneau 84dd8c39c4 Move null values out from list in rules 2020-06-03 13:57:22 +02:00
Sven Scharmentke 4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'. 
This commit fixes the incorrect spelling.
 2020-06-03 09:00:59 +02:00
ecco b1c11cc345 add WMI module load false positive 2020-06-01 03:30:27 -04:00
Florian Roth 74e16fdccd Merge pull request #803 from gamma37/clear_cmd_history 
Edit Clear Command History
 2020-05-29 17:32:43 +02:00
Florian Roth e20b58c421 Merge pull request #806 from SanWieb/sysmon_creation_system_file 
Fixed wrong field & Improve rule
 2020-05-29 17:32:27 +02:00
Sander Wiebing a00f7f19a1 Add tagg Endswith 
Prevent the trigger of {}.exe.log
 2020-05-29 16:25:54 +02:00
Sander Wiebing 38afd8b5de Fixed wrong field 2020-05-28 21:52:17 +02:00
Florian Roth 7f2fa05ed3 Merge pull request #802 from Neo23x0/rule-devel 
ComRAT and KazuarRAT
 2020-05-28 11:16:44 +02:00
gamma37 537bda4417 Update lnx_shell_clear_cmd_history.yml 2020-05-28 10:56:35 +02:00
gamma37 5a48934822 Edit Clear Command History 
I suggest a new point of view to detect that bash_history has been cleared : Instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.
 2020-05-28 10:52:17 +02:00
Florian Roth 39b41b5582 rule: moved DebugView rule to process creation category 2020-05-28 10:13:38 +02:00
Florian Roth 76dcc1a16f rule: renamed debugview 2020-05-28 09:22:25 +02:00
Florian Roth ec313b6c8a Merge pull request #801 from SanWieb/sysmon_creation_system_file 
Rule: sysmon_creation_system_file
 2020-05-27 08:49:20 +02:00
Sander Wiebing d44fc43c54 Add extension 2020-05-26 19:10:11 +02:00
Sander Wiebing f6ec724d51 Rule: sysmon_creation_system_file 2020-05-26 18:53:54 +02:00
Florian Roth 5bb6770f53 Merge pull request #800 from SanWieb/win_system_exe_anomaly 
Extended Windows processes: win_system_exe_anomaly
 2020-05-26 14:28:47 +02:00
Florian Roth 4ca81b896d rule: Turla ComRAT report 2020-05-26 14:19:22 +02:00
Sander Wiebing 3681b8cb56 Extended Windows processes 2020-05-26 13:56:51 +02:00
Florian Roth 0b398c5bf0 Merge pull request #798 from Neo23x0/rule-devel 
rule: confluence exploit CVE-2019-3398 & Turla ComRAT
 2020-05-26 13:31:57 +02:00
Florian Roth c1f4787566 Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048 
Changes to sysmon_cve-2020-1048
 2020-05-26 13:21:04 +02:00
Florian Roth ce1f46346f Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access 
Add 'Add-Content' to powershell_ntfs_ads_access
 2020-05-26 13:20:40 +02:00
Florian Roth e131f3476e Merge pull request #796 from EccoTheFlintstone/fp 
add more false positives
 2020-05-26 13:20:23 +02:00
Florian Roth b648998fd0 rule: Turla ComRAT 2020-05-26 13:18:50 +02:00
Sander Wiebing f9f814f3b3 Shortened title 2020-05-26 13:06:27 +02:00
Sander Wiebing a241792e10 Reduce FP of legitime processes 
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe

All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.

Python 2.7, 3.3 and 3.7 does not have any file characteristics.

So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
 2020-05-26 12:58:15 +02:00
Florian Roth cdf1ade625 fix: typo in selection 2020-05-26 12:27:16 +02:00
Florian Roth 828484d7c6 rule: confluence exploit CVE-2019-3398 2020-05-26 12:09:41 +02:00
Remco Hofman 48c5f2ed09 Update to sysmon_cve-2020-1048 
Added .com executables to detection
Second TargetObject should have been Details
 2020-05-26 11:20:21 +02:00
ecco 7037e77569 add more FP 2020-05-25 04:50:22 -04:00
Florian Roth a962bd1bc1 Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source 
Fix 'source' value for win_susp_backup_delete
 2020-05-25 10:48:36 +02:00
Florian Roth 0afe0623af Merge pull request #757 from tliffick/master 
added rule for Blue Mockingbird (cryptominer)
 2020-05-25 10:47:23 +02:00
Sander Wiebing 6fcf3f9ebf Update win_netsh_fw_add.yml 2020-05-25 10:13:26 +02:00
Sander Wiebing 28652e4648 Add Windows Server 2008 and Windows Vista support 
It did not support the command `netsh advfirewall firewall add`
 2020-05-25 10:02:13 +02:00
Sander Wiebing 2678cd1d3e Create win_netsh_fw_add_susp_image.yml 
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. 

Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
 2020-05-25 09:50:47 +02:00
Sander Wiebing b8ee736f44 Remove AppData folder as suspicious folder 
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord ( (\AppData\Local\Discord\)
- Spotify ( (\AppData\Roaming\Spotify\)

Too many to whitelist them all
 2020-05-24 15:16:07 +02:00
Florian Roth 6fbfa9dfdd Merge pull request #793 from Neo23x0/rule-devel 
Esentutl rule and StrongPity Loader UA
 2020-05-23 23:47:12 +02:00
ecco f970d28f10 add more false positives 2020-05-23 15:06:15 -04:00