Commit Graph

340 Commits

Author SHA1 Message Date
Florian Roth 86c1b4ae4b rule: hwp exploits 2019-10-24 11:46:56 +02:00
alexpetrov12 cc998aa667 fix 2019-10-24 00:48:43 +03:00
alexpetrov12 4c84412944 added new rule
silenttrinity_stage_use, sysmon_mimikatz_сreds_dump, sysmon_registry_persistence_key_linking, sysmon_сreds_dump
2019-10-23 18:08:30 +03:00
alexpetrov12 bc943343df update win_sysmon_driver_unload 2019-10-23 15:41:14 +03:00
alexpetrov12 215e500894 fix 2019-10-23 14:43:01 +03:00
alexpetrov12 193c95a11a add new rule1 2019-10-23 14:27:52 +03:00
root edcbc49ce8 add rule win_susp_openwith_execution.yml win_susp_devtoolslauncher_execution.yml 2019-10-23 13:00:21 +02:00
alexpetrov12 043e3f7ca6 fix 2019-10-23 13:48:44 +03:00
alexpetrov12 e38540a37f fix 2019-10-23 13:28:04 +03:00
alexpetrov12 c1cfbacd24 fix 2019-10-23 13:18:57 +03:00
alexpetrov12 ad9b98541c fix 2019-10-23 13:05:38 +03:00
alexpetrov12 fa4a8c974d fix 2019-10-23 12:45:06 +03:00
alexpetrov12 f4ea01217e fix 2019-10-23 02:47:04 +03:00
alexpetrov12 ebe4fe0377 fix 2019-10-23 02:42:37 +03:00
alexpetrov12 29cd7fed3e fix 2019-10-23 02:39:40 +03:00
alexpetrov12 5a260db459 fix 2019-10-23 02:27:14 +03:00
alexpetrov12 6c4f4ce309 fix 2019-10-23 02:25:04 +03:00
alexpetrov12 8d0c89b598 added new rules
add rule MiniDumpWriteDump via COM+, renamed_binary_description, cobalt_execute_assembly, win_sysmon_driver_onload
2019-10-23 01:55:03 +03:00
Florian Roth 3d4ce9d175 rule: another reference link for 'execution by ordinal' 2019-10-22 15:18:19 +02:00
zinint a8bd2c8e78 Update win_data_compressed.yml 2019-10-22 14:57:53 +03:00
zinint 74d1fef8b8 Update win_data_compressed.yml 2019-10-22 14:53:43 +03:00
zinint cc6d4b05ac OSCD Task 7 : ART T1002 Exfiltration With Rar
OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar
2019-10-22 14:00:52 +03:00
Florian Roth b3654947bc rule: suspicious call by ordinal (rundll32) 2019-10-22 12:40:26 +02:00
Florian Roth 0f02f2bdfc rule: adjusted very noisy rule on AppLocker whitelist bypass 2019-10-22 12:32:37 +02:00
root 00a757959e add rule win_susp_capture_screenshots.yml 2019-10-22 06:06:07 +02:00
zinint daf1034621 Update win_possible_applocker_bypass.yml 2019-10-22 00:54:29 +03:00
Florian Roth ab292a4029 rule: simplified Emotet rule 2019-10-16 15:29:42 +02:00
Florian Roth 5d143f4f22 rule: emotet rule references extended 2019-10-16 13:18:44 +02:00
Florian Roth d46154da5c rule: extending Emotet rule 2019-10-16 10:22:48 +02:00
Florian Roth 4ea469d138 rule: suspicious compression tool parameters 2019-10-15 16:38:53 +02:00
Florian Roth 52fef7ae10 Merge pull request #468 from 2d4d/lsass_without_exe
remove .exe from lsass
2019-10-14 18:03:13 +02:00
Florian Roth 8db1cac910 fix: made rule compatible with event id 4688 2019-10-14 18:01:24 +02:00
Florian Roth 0e2284a176 rule: modified the default 2019-10-14 17:50:48 +02:00
Florian Roth 312311494d rule: suspicious code page switch using chcp 2019-10-14 17:45:25 +02:00
2d4d cf5d7f11ad remove .exe from lsass 2019-10-14 17:26:33 +02:00
Florian Roth 5583684efd rule: extended suspicious procdump rule 2019-10-14 16:21:37 +02:00
Florian Roth 60af1f5a4b rule: WMI Backdoor Exchange Transport Agent 2019-10-11 12:12:44 +02:00
Thomas Patzke 60ef593a6f Fixed wrong backslash escaping of *
Fixes issue #466
2019-10-07 22:14:44 +02:00
Florian Roth 3eaf4d6e94 fix: fixed typo in bluemashroom rule 2019-10-02 15:45:55 +02:00
Florian Roth 6d78a5fede rule: extended the command line in bluemashroom rule 2019-10-02 14:03:34 +02:00
Florian Roth 7423fe2072 fix: fixed typo in APT group name 2019-10-02 14:02:07 +02:00
Florian Roth e993ef46f0 rule: APT blue mushroom 2019-10-02 13:57:14 +02:00
Florian Roth 4bc7f6ea52 rule: QBot process creation 2019-10-01 17:25:04 +02:00
Florian Roth 52df9e9f44 rule: execution in Outlook temp folder 2019-10-01 16:07:43 +02:00
Florian Roth 9a7ef0e3c2 fix: fixed rule warning 2019-09-30 19:38:40 +02:00
Florian Roth 2fbd35053e rule: improved formbook detection rule 2019-09-30 19:01:40 +02:00
Florian Roth 38831a05ae rule: formbook malware process creation 2019-09-30 18:57:58 +02:00
Florian Roth 05ca684962 rule: improved emotet rule 2019-09-30 17:17:23 +02:00
Florian Roth 66cbdbfff5 rule: emotet process creation 2019-09-30 15:53:29 +02:00
Florian Roth 93227e1eec Merge pull request #436 from EccoTheFlintstone/master
rule: impacket framework lateralization detection
2019-09-28 11:37:07 +02:00