security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
472 Commits 1 Branch 57 Tags
9d968de337b3e7da50eebfbd57d32bd382a9df74
Commit Graph

201 Commits

Author SHA1 Message Date
juju4 9d968de337 Merge remote-tracking branch 'upstream/master' 2017-10-29 14:14:47 -04:00
Florian Roth b7e8000ccb Improved Office Shell rule > added 'schtasks.exe' 2017-10-25 23:53:45 +02:00
Florian Roth d9f933fec9 Fixed the fixed PSAttack rule 2017-10-19 09:52:40 +02:00
Florian Roth 0b0435bf7a Fixed PSAttack rule 2017-10-18 21:49:38 +02:00
Thomas Patzke d7c659128c Removed unneeded array 2017-10-18 15:12:29 +02:00
Florian Roth deea224421 Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 16:19:56 +02:00
juju4 e6661059c2 Merge remote-tracking branch 'upstream/master' 2017-10-15 11:58:01 -04:00
Florian Roth 00baa4ed40 Executables Started in Suspicious Folder 2017-10-14 23:23:04 +02:00
Florian Roth 358d1ffba0 Executables Started in Suspicious Folder 2017-10-14 23:22:20 +02:00
juju4 cbde0ee5e5 Merge remote-tracking branch 'upstream/master' 2017-09-16 10:03:18 -04:00
Florian Roth 20f9dbb31c CVE-2017-8759 - Winword.exe > csc.exe 2017-09-15 15:49:56 +02:00
Thomas Patzke 986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Thomas Patzke 68cb5e8921 Merge pull request #45 from secman-pl/patch-1 
Update sysmon_susp_regsvr32_anomalies to detect wscript child process
 2017-09-10 22:52:37 +02:00
juju4 e2213347ad Merge remote-tracking branch 'upstream/master' 2017-09-09 11:33:18 -04:00
Florian Roth bfe8378455 Rule: Suspicious svchost.exe process 2017-08-31 11:07:45 +02:00
secman-pl 9768f275d0 Update sysmon_susp_regsvr32_anomalies 
Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe. 
example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
SCT script code:
var objShell = new ActiveXObject("WScript.shell");
 2017-08-29 12:21:47 +02:00
Florian Roth f3f2c14b3a Added reference to regsvr32 rule 2017-08-29 08:45:29 +02:00
Florian Roth 55f4c37e22 Rule: Microsoft Binary Github Communication 2017-08-24 18:27:40 +02:00
Florian Roth f46e86fbb1 WMI persistence modified 2017-08-24 18:27:40 +02:00
Hans-Martin Münch 09e754a8f9 Small Typo fix 2017-08-22 10:56:25 +02:00
Florian Roth 59821d1bcb Office Shell: Reference added to new entry 2017-08-22 10:04:22 +02:00
Florian Roth 332f7d27da Win WMI Persistence 
http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
https://twitter.com/mattifestation/status/899646620148539397
 2017-08-22 10:02:54 +02:00
Florian Roth 8f4a780c3b Added regsvr32.exe to suspicious child processes 2017-08-20 23:14:41 +02:00
Florian Roth e06cf6c43f Service install - net user persistence 2017-08-16 15:16:57 +02:00
juju4 b109a1277e Detects suspicious process related to rasdial.exe 2017-08-13 16:20:25 -04:00
juju4 012ed4cd7d Detects execution of executables that can be used to bypass Applocker whitelisting 2017-08-13 16:20:01 -04:00
juju4 f861969e95 tentative rule to detect admin users remote login 2017-08-13 16:19:24 -04:00
juju4 d2ae98b0de tentative rule to detect admin users interactive login 2017-08-13 16:18:58 -04:00
juju4 21b1c52d1e forfiles, bash detection 2017-08-13 16:18:13 -04:00
Thomas Patzke 4578756cfd Merge remote-tracking branch 'origin/master' 2017-08-05 00:35:24 +02:00
Thomas Patzke 03985288f6 Removed 'last' from timeframe 2017-08-05 00:32:24 +02:00
Florian Roth edb52e098a Extended hh.exe in Office Shell detection 
https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
 2017-08-04 09:18:55 +02:00
Thomas Patzke d17604d007 Merge branch 'master' into travis-test 2017-08-03 00:11:08 +02:00
Thomas Patzke 5706361464 Parsing of "near ... within" aggregation operator 
* Operator is only parsed. No processing or passing of parsed data to
  backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
 2017-08-03 00:05:48 +02:00
Thomas Patzke 167b1f0191 Merge branch 'master' into travis-test 2017-08-02 22:53:52 +02:00
Thomas Patzke f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke bfcc119a7f Merge branch 'master' into travis-test 2017-08-02 00:37:07 +02:00
Thomas Patzke b82a6fdc51 Added wildcards to windows/builtin/win_susp_rundll32_activity.yml 2017-08-02 00:09:34 +02:00
Thomas Patzke 84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00
Thomas Patzke c350a90b21 Merge branch 'master' into rules-juju4 2017-08-01 23:55:53 +02:00
juju4 5b778c9833 yamllint: quote twitter-formatted nickname 2017-07-30 11:42:25 -04:00
juju4 5b42c64fcd Merge remote-tracking branch 'upstream/master' 2017-07-30 11:12:03 -04:00
juju4 31b033d492 suspicious rundll32 activity rules 2017-07-30 11:11:45 -04:00
juju4 3a8946a3ac suspicious phantom dll rules 2017-07-30 11:11:17 -04:00
juju4 fbbf29fd80 suspicious cli escape character rules 2017-07-30 11:10:43 -04:00
juju4 83fa83aa43 suspicious certutil activity rules 2017-07-30 11:09:51 -04:00
juju4 f487451c45 more suspicious cli process 2017-07-30 11:09:24 -04:00
Florian Roth d1cdb3c480 Certutil duplicate entry and "-ping" command 2017-07-23 14:51:57 -06:00
Florian Roth cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file) 
> the -urlcache is the relevant command
 2017-07-20 12:54:55 -06:00
Florian Roth 3a55b31da2 certutil file download - more generic approach 2017-07-20 12:48:47 -06:00