security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

2645 Commits

Author SHA1 Message Date
ecco de4810233c remove false positives in Windows being too broad and add specific keys looked at + add keys from wow64 2020-08-18 05:28:37 -04:00
Florian Roth da54e89f30 Merge pull request #976 from diskurse/rule-devel 
Rule devel
 2020-08-17 15:02:31 +02:00
Florian Roth 8a02541b0a style: removed lists where unnecessary 2020-08-17 15:02:16 +02:00
Florian Roth 6dc8dbb6d8 style: removed lists where unnecessary 2020-08-17 15:01:52 +02:00
Bar Haim bd96b1c5ad Update win_susp_rasdial_activity.yml 
`rasdial` is an `exe`, and probably appear as `rasdial.exe`
`LIKE` is more fit in this case
 2020-08-16 16:17:49 +03:00
Bar Haim c7dc9df87e Update sysmon_apt_muddywater_dnstunnel.yml 2020-08-16 12:39:04 +03:00
Bar Haim 4168f1e430 Update win_new_service_creation.yml 2020-08-16 11:44:40 +03:00
Cian Heasley b378b3d62b win_mouse_lock.yml 
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
 2020-08-13 12:09:07 +01:00
Cian Heasley d1e9f01d23 win_dnscat2_powershell_implementation.yml 
The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
 2020-08-13 12:06:48 +01:00
Florian Roth 2e29c07e83 Merge pull request #928 from duzvik/master 
Create sysmon_abusing_azure_browser_sso.yml
 2020-08-12 17:15:27 +02:00
Florian Roth 61a05ee054 reordered fields, changed indentation 2020-08-12 16:44:37 +02:00
Thomas Patzke d73447c111 Merge pull request #939 from ktecv2000/master 
add wmi persistence script event consumer false positive
 2020-08-05 23:28:26 +02:00
Thomas Patzke f827a557f2 Merge pull request #936 from rtkmokuka/typo_wmiprvse_spawning_process 
Change fitler typo from 'Username' to 'User' for Wmiprvse Spawning Process rule
 2020-08-05 23:26:14 +02:00
Timur Zinniatullin 72fdf0da45 Update lnx_auditd_susp_cmds.yml 2020-08-04 20:00:30 +03:00
Timur Zinniatullin 4e688233d7 ATT&CK mapping update suggestions for \linux\ 2020-08-04 19:48:18 +03:00
Florian Roth 4529e4cd52 Merge pull request #966 from Neo23x0/rule-devel 
rule: TAIDOOR malware load
 2020-08-04 14:54:24 +02:00
Florian Roth 052379a512 fix: tightened TAIDOOR rule 2020-08-04 14:37:18 +02:00
Florian Roth c4953409aa rule: TAIDOOR malware load 
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
 2020-08-04 14:31:29 +02:00
IPv777 a52583dc68 .002 = SMB/Windows Admin Shares 2020-08-03 17:43:14 +02:00
Florian Roth 5625f471d7 Merge pull request #963 from diskurse/rule-devel 
win_webshell_regeorg.yml
 2020-08-03 13:51:16 +02:00
Florian Roth 3abc3d0a76 docs: add FP condition 2020-08-03 13:50:47 +02:00
Florian Roth 6f7aecbe06 fix: preventive change to avoid FPs 2020-08-03 13:49:52 +02:00
Cian Heasley de33b953ba Add files via upload 
Webshell ReGeorg Detection Via Web Logs
 2020-08-03 12:20:04 +01:00
Florian Roth df3bfb1b37 rule: Winnti Pipemon 2020-07-30 18:55:47 +02:00
Florian Roth 5abf101c0b Merge pull request #954 from Neo23x0/rule-devel 
Rule devel
 2020-07-28 10:22:52 +02:00
Florian Roth 8970d03f6f Merge pull request #952 from Neo23x0/devel 
feat: Detect duplicate rule tags
 2020-07-28 10:21:59 +02:00
Florian Roth 80f4b4ec71 fix: rules with duplicate tags 2020-07-27 11:44:47 +02:00
IPv777 77a8ac59ef remove duplicate 2020-07-24 16:38:08 +02:00
Ryan Plas aa548ba1a9 Add quotes due to a colon in the falsepositives string 2020-07-23 23:33:36 -04:00
Ryan Plas e52489aaf6 Change production status to stable 2020-07-23 23:33:36 -04:00
Florian Roth 8a4b53eb3a fix: rule leads to FPs on systems that don't log the cmdline parameters 2020-07-23 17:04:16 +02:00
Florian Roth 951c6fee8b Update sysmon_password_dumper_lsass.yml 2020-07-23 14:31:21 +02:00
Daniel Masse 13cf0488ae Add 'contains' for the ps encoded chars rule 2020-07-22 10:49:22 -04:00
Florian Roth db98fe79b0 Revert "rule: update - MATA framework UserAgent" 
This reverts commit 81ef0137c5.
 2020-07-22 14:02:51 +02:00
Florian Roth 81ef0137c5 rule: update - MATA framework UserAgent 2020-07-22 14:02:13 +02:00
Florian Roth 769a9212a5 Merge pull request #943 from diskurse/rule-devel 
Webshell Recon Detection Via CommandLine & ProcessesAdd files via upload
 2020-07-22 13:02:44 +02:00
Cian Heasley 023bf76363 Add files via upload 
Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
 2020-07-22 09:05:50 +01:00
Poming huang 2b2bf34a64 add wmi persistence script event consumer false positive 2020-07-20 12:27:16 +08:00
Aidan Bracher ff3f9fe9b3 Updated tags 2020-07-18 03:02:43 +01:00
Aidan Bracher 1fd73a23b2 Updated tags with sub-techniques 2020-07-18 03:01:34 +01:00
Aidan Bracher 4ac1058ab5 Updated tags 2020-07-18 03:01:11 +01:00
Aidan Bracher 4ffe9cb042 Updated tags with sub-techniques 2020-07-18 02:53:46 +01:00
Aidan Bracher 3bd768e49b Updated tags with sub-techniques 2020-07-18 02:52:15 +01:00
Aidan Bracher dcf20e580d Updated tags to include sub-techniques 2020-07-18 02:50:57 +01:00
Aidan Bracher 1442812681 Updated tags 2020-07-18 02:44:53 +01:00
Aidan Bracher b61527d0b2 Added ATT&CK tactic 2020-07-18 02:42:10 +01:00
Aidan Bracher 161829a4c0 Added ATT&CK tactic 2020-07-18 02:41:48 +01:00
Aidan Bracher 147fd46157 Added ATT&CK tactic 2020-07-18 02:41:10 +01:00
Aidan Bracher 2d227a08c5 Updated suspicious service with sub-techniques 2020-07-18 02:40:22 +01:00
Aidan Bracher 97452a9df3 Update to include sub-technique mapping 2020-07-18 02:38:47 +01:00