security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
610 Commits 1 Branch 57 Tags
8ee24bf150ce0d586d2d3cc5e00c00e8dd3ff5ea
Commit Graph

346 Commits

Author SHA1 Message Date
Thomas Patzke 8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke 3b8b04fe09 Merge branch 'devel-sigmac' 2018-03-06 23:19:45 +01:00
Thomas Patzke 8041f77abd Merged similar rules 2018-03-06 23:19:11 +01:00
Thomas Patzke 84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Florian Roth 1ecfd83a6a Missing separator 2018-03-05 11:30:01 +01:00
Thomas Patzke 59eff939f2 Merge branch 'devel-sigmac' 2018-03-04 22:59:41 +01:00
Thomas Patzke 4792700726 Fixed rule 2018-03-04 22:07:01 +01:00
Thomas Patzke 01f38adbdb Fixed condition 2018-03-04 20:07:02 +01:00
Florian Roth 6e0cc193c7 Rule: Pony / Fareit UA 2018-03-01 09:28:04 +01:00
Florian Roth 69274d7782 Rule: Sofacy Trojan Loader 2018-03-01 09:27:46 +01:00
Florian Roth 6c6dac4cbb Changed Elise backdoor rule 2018-02-25 17:25:04 +01:00
Florian Roth f2057f0c77 Hurricane Panda activity 
https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
 2018-02-25 17:24:00 +01:00
Florian Roth 1001afb038 Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
Florian Roth 25dc3e78be Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
Florian Roth 9020a9aa32 Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
Florian Roth 5d763581fa Adding status "experimental" to that rule 2018-02-22 13:28:01 +01:00
Florian Roth 0be687d245 Rule: Detect CVE-2017-0261 exploitation 2018-02-22 13:27:20 +01:00
Florian Roth b88a81a9e1 Rule: Linux > named > suspicious activity 2018-02-20 14:56:28 +01:00
Florian Roth ef0cd4c110 Rules: Extended and fixed (*) sshd rules 2018-02-20 13:44:06 +01:00
Dominik Schaudel cea48d9010 Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 21:57:22 +01:00
Florian Roth d6d031fc23 Rule update: Olympic destroyer detection 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 15:35:47 +01:00
Florian Roth 058d719e2b Rule update: Proxy UA > Loki Bot 2018-02-12 10:08:32 +01:00
Florian Roth fa4dbc0f2e Rule: QuarksPwDump temp dump file 2018-02-10 15:25:36 +01:00
Florian Roth 0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
Florian Roth 1382edb5e3 Cosmetics 2018-02-09 10:13:39 +01:00
Florian Roth 34e0352a21 Rule: Proxy UAs - malware - Ghost419 
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
 2018-02-03 14:47:04 +01:00
Florian Roth 635d052fcc Renamed rule - not APT32 related 2018-01-31 23:52:24 +01:00
Florian Roth 4152442bfa Changed reference to references in Elise rule 2018-01-31 23:13:00 +01:00
Florian Roth f1b339504e Rule: APT32 Elise 2018-01-31 23:12:00 +01:00
SherifEldeeb 348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb 48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb 112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth 0f2e1c5934 Bugfix: Missing wildcard in IIS module install rule 2018-01-27 16:15:25 +01:00
Florian Roth d93d7d8e7b Rule: IIS nativ-code module command line installation 2018-01-27 11:13:13 +01:00
Florian Roth aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth f31ed7177e Added status 'experimental' to newly created auditd rules 2018-01-23 11:15:02 +01:00
Florian Roth fe80ae7885 Rule: Linux auditd 'program execution in suspicious folders' 2018-01-23 11:13:23 +01:00
Florian Roth 228ca1b765 Rule: Linux auditd 'suspicious commands' 2018-01-23 11:13:23 +01:00
Florian Roth 379b2dd207 New recon activity rule 2017-12-11 09:31:54 +01:00
Florian Roth 8e2aef035c Removed commands - false positive reduction 2017-12-11 09:31:54 +01:00
Florian Roth 1464ab4ab8 Renamed rule: recon activity > net recon activity - to be more specific 2017-12-11 09:31:54 +01:00
Florian Roth 285f5bab4f Removed duplicate string 2017-12-11 09:31:54 +01:00
Thomas Patzke 9adaf4c411 Cleanup 2017-12-07 16:21:02 +01:00
Björn Kimminich 8a8387c43e SQL Injection error message patterns 
Rule file that detects error messages from different DB providers that would occur during SQL Injection probing
 2017-11-27 22:52:17 +01:00
Florian Roth 78854b79c4 Rule: System File Execution Location Anomaly 2017-11-27 14:09:22 +01:00
Florian Roth 93fbc63691 Rule to detect droppers exploiting CVE-2017-11882 2017-11-23 00:58:31 +01:00
Thomas Patzke 2ec5919b9e Fixed win_disable_event_logging by multiline description 2017-11-19 22:49:40 +01:00
Nate Guagenti a796ff329e Create win_disable_event_logging 2017-11-15 21:56:30 -05:00
Florian Roth 3a378f08ea Bugfix in Adwind rule - typo in typo 2017-11-10 12:51:54 +01:00