Commit Graph

2645 Commits

Author SHA1 Message Date
Florian Roth 3028a27055 fix: buggy rule 2020-05-23 18:32:02 +02:00
Florian Roth df715386b6 rule: suspicious esentutl use 2020-05-23 18:27:36 +02:00
Florian Roth d0da2810c1 Merge pull request #792 from EccoTheFlintstone/fff: fix FP + remove powershell rule redundant with sysmon_in_memory_power… 2020-05-23 18:13:16 +02:00
Florian Roth 8321cc7ee1 Merge pull request #772 from gamma37/suspicious_activities: Create a rule for "suspicious activities" 2020-05-23 18:11:32 +02:00
Florian Roth d1a5471d21 rule: Strong Pity loader UA 2020-05-23 17:38:10 +02:00
ecco 67faf4bd41 fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml 2020-05-23 10:56:23 -04:00
Florian Roth 9cd9a301c2 Merge pull request #791 from SanWieb/master: added rule for Netsh RDP port opening 2020-05-23 16:50:31 +02:00
Florian Roth e1a05dfc1c Update lnx_auditd_susp_C2_commands.yml 2020-05-23 16:49:03 +02:00
Florian Roth ee1ca77fad Merge pull request #771 from gamma37/new_rules: Create a new rule to detect "Create Account" 2020-05-23 16:47:46 +02:00
ecco 10ca3006f5 move rule where needed 2020-05-23 10:07:55 -04:00
ecco d9bc09c38c fix test 2020-05-23 10:02:58 -04:00
ecco 78a7852a43 renamed dbghelp rule with new ID and comment and removed a false positive 2020-05-23 09:16:40 -04:00
Sander Wiebing d310805ed9 rule: Netsh RDP port opening 2020-05-23 14:19:52 +02:00
ecco 75ba5f989c add 1 more FP to wmi load 2020-05-23 07:44:45 -04:00
ecco 9a7f462d79 move renamed binaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule) 2020-05-23 07:17:56 -04:00
ecco cfde0625f5 fix false positive matching on every powershell process not run by SYSTEM account 2020-05-23 07:05:09 -04:00
Florian Roth 12e1aeaf9f Merge pull request #788 from Neo23x0/rule-devel: refactor: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 09:54:43 +02:00
Florian Roth 34006d0794 refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 09:16:19 +02:00
Florian Roth 57c8e63acd refactor: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 09:09:58 +02:00
ecco ec17c2ab56 filter on createkey only when needed 2020-05-22 10:37:00 -04:00
4A616D6573 879ad6f206 Update win_susp_ntlm_rdp.yml 2020-05-22 13:32:02 +10:00
4A616D6573 daa3c5e053 Update win_susp_ntlm_rdp.yml 2020-05-22 13:28:56 +10:00
4A616D6573 0f8f5fb29c Create win_susp_ntlm_rdp.yml 2020-05-22 13:24:27 +10:00
Florian Roth 91c4c4ecc5 refactor: slightly improved Greenbug rule 2020-05-21 13:38:11 +02:00
Florian Roth 9a3b6c1c77 docs: added MITRE ATT&CK group tag 2020-05-21 09:44:11 +02:00
Florian Roth 344eb713c5 rule: Greenbug campaign 2020-05-21 09:39:57 +02:00
ecco 0dd089db47 various rules cleaning 2020-05-18 20:29:53 -04:00
Thomas Patzke 96fae4be68 Added CrackMapExec rules 2020-05-22 00:50:37 +02:00
Florian Roth 64e0e7ca72 Merge pull request #784 from Neo23x0/rule-devel: refactor: slightly improved Greenbug rule 2020-05-21 14:19:09 +02:00
Florian Roth bbf78374b6 Merge pull request #783 from Neo23x0/rule-devel: Greenbug Rule 2020-05-21 09:55:46 +02:00
Thomas Patzke 8d9b706d6a Merge pull request #727 from 3CORESec/master: Override Features 2020-05-20 19:11:56 +02:00
Florian Roth e7980bb434 Merge pull request #782 from ZikyHD/patch-1: Remove duplicate 'CommandLine' in fields 2020-05-20 12:55:41 +02:00
Florian Roth af92a5bd2c Merge pull request #780 from tatsu-i/master: Null field check to eliminate false positives 2020-05-20 12:55:29 +02:00
ZikyHD 8963c0a65e Remove duplicate 'CommandLine' in fields 2020-05-20 11:54:47 +02:00
Florian Roth 9ab65cd1c7 Update win_alert_ad_user_backdoors.yml 2020-05-19 14:50:22 +02:00
neu5ron 7c3dea22b8 small T, big T 2020-05-19 05:13:48 -04:00
neu5ron 602c8917ef domain user enumeration via zeek rpc (dce_rpc) log. 2020-05-19 05:08:26 -04:00
Tatsuya Ito c815773b1a enhancement rule 2020-05-19 18:05:51 +09:00
Tatsuya Ito 49f68a327a enhancement rule 2020-05-19 18:00:50 +09:00
neu5ron effb2a8337 add exe webdav download 2020-05-19 04:41:00 -04:00
neu5ron 858ebcd3d3 author typo update 2020-05-19 04:35:47 -04:00
neu5ron 2fc8d513d6 zeek, swap path and name 2020-05-19 04:35:30 -04:00
ecco 1aa97fe577 flake8 2020-05-18 10:03:18 -04:00
ecco 088800cd18 fix rule due to sigmac bug? 2020-05-18 09:39:48 -04:00
ecco e89613aee0 add some false positives checks 2020-05-18 07:19:06 -04:00
Florian Roth 8154ca355a Merge pull request #768 from maximelb/master: Remove "condition" from global rule in CVE-2020-1048. 2020-05-18 12:52:49 +02:00
gamma37 71c507d8a9 remove space before colon 2020-05-18 11:34:53 +02:00
gamma37 55eec46932 Create a rule for "suspicious activities" 2020-05-18 11:25:18 +02:00
gamma37 cbf06b1e43 lowercased tag 2020-05-18 10:11:32 +02:00
gamma37 904716771a Create a new rule to detect "Create Account" 2020-05-18 10:03:34 +02:00