security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

430 Commits

Author SHA1 Message Date
Florian Roth 99f773dcf6 Rule: false positive reduction in rule 2018-12-17 10:02:55 +01:00
Florian Roth b0cb0abc01 Bugfix: wrong field for 4688 process creation events 2018-12-11 16:10:15 +01:00
Florian Roth b5d78835b6 Removed overlapping rule with sysmon_office_shell.yml 2018-12-11 13:37:47 +01:00
Roberto Rodriguez 8c577a329f Improve Rule & Updated HELK SIGMA Standardization Config 
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.

SIGMA HELK standardization config updated to match latest HELK Common Information Model
 2018-12-08 11:30:21 +03:00
Roberto Rodriguez 87ce07088f Update sysmon_plugx_susp_exe_locations.yml 
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Executable+used+by+PlugX+in+Uncommon+Location&unscoped_q=Executable+used+by+PlugX+in+Uncommon+Location

This impats Elastalert integration since you cannot have two rules with the same name
 2018-12-05 07:58:13 +03:00
Thomas Patzke 900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Florian Roth a805d18bba Merge pull request #198 from kpolley/consistent_filetype 
changed .yaml files to .yml for consistency
 2018-12-03 09:00:14 +01:00
Florian Roth 2ebbdebe46 rule: Cobalt Strike beacon detection via Remote Threat Creation 
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
 2018-11-30 10:25:05 +01:00
Kyle Polley 60538e2e12 changed .yaml files to .yml for consistency 2018-11-20 21:07:36 -08:00
Sherif Eldeeb 23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Thomas Patzke 732de3458f Merge pull request #186 from megan201296/patch-15 
Update sysmon_cmstp_com_object_access.yml
 2018-10-18 15:49:06 +02:00
Thomas Patzke fdd0823e07 Merge pull request #187 from megan201296/patch-16 
Additional MITRE ATT&CK Tagging
 2018-10-18 15:38:11 +02:00
Florian Roth fd34437575 fix: fixed date in rule 2018-10-10 15:27:58 +02:00
megan201296 fdd264d946 Update sysmon_susp_powershell_rundll32.yml 2018-10-09 19:11:47 -05:00
megan201296 440b0ddffe Update sysmon_susp_powershell_parent_combo.yml 2018-10-09 19:11:17 -05:00
megan201296 b0983047eb Update sysmon_powersploit_schtasks.yml 2018-10-09 19:10:37 -05:00
megan201296 2f533c54b3 Update sysmon_powershell_network_connection.yml 2018-10-09 19:10:17 -05:00
megan201296 1b92a158b5 Add MITRE ATT&CK Tagging 2018-10-09 19:09:19 -05:00
megan201296 ffbb968fcd Update sysmon_cmstp_com_object_access.yml 
Edit tule logic for `and` instead of `or
 2018-10-09 19:03:30 -05:00
megan201296 7997cb3001 Remove duplicate value 2018-10-08 13:00:59 -05:00
Florian Roth 19e2bad96e Delete sysmon_powershell_DLL_execution.yml 2018-10-02 08:56:09 +02:00
Florian Roth daddec9217 Delete sysmon_powershell_AMSI_bypass.yml 2018-10-02 08:55:48 +02:00
Florian Roth aafe9c6dae Delete sysmon_lethalHTA.yml 2018-10-02 08:55:19 +02:00
Ensar Şamil dec7568d4c Rule simplification 
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
 2018-09-28 10:58:50 +03:00
Florian Roth edf8dde958 Include cases in which certutil.exe is used 2018-09-23 20:57:34 +02:00
Karneades c73a9e4164 Fix CommandLine in rule sysmon/sysmon_susp_certutil_command 
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.

We could also use both the Image path and the Command Line.

Message     : Process Create:
              Image: C:\Windows\SysWOW64\certutil.exe
              CommandLine: certutil  xx -decode xxx
              Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
              ParentImage: C:\Windows\System32\cmd.exe
              ParentCommandLine: "C:\Windows\system32\cmd.exe"
 2018-09-23 20:28:56 +02:00
Thomas Patzke 81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth 6f5a73b2e2 style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
Florian Roth 49f7da6412 style: changed title casing and minor fixes 2018-09-04 16:15:41 +02:00
Florian Roth 7a3890ad76 Rule: SysInternals EULA accept improved and renamed 2018-08-30 13:16:28 +02:00
Florian Roth d83f124f5f Rule: Suspicious communication endpoints 2018-08-30 10:12:12 +02:00
Florian Roth e70395744b Rule: Improved Github communication rule 2018-08-30 10:12:12 +02:00
Thomas Patzke d17cc5c07d Merge pull request #157 from yt0ng/development 
Added Detection of Sysinternals Tools via eulaaccepted registry key
 2018-08-28 22:37:00 +02:00
Unknown 75d72344ca Added Detection of Sysinternals Tools via eulaaccepted registry key 2018-08-28 17:36:22 +02:00
Thomas Patzke 6e7208553a Revert "removing for new pull request" 
This reverts commit ca7e8d6468.
 2018-08-27 23:39:29 +02:00
Thomas Patzke 87e39b8768 Fixed rules 2018-08-26 22:30:47 +02:00
yt0ng df9f6688eb Added Deskop Location, RunOnce and ATTCK 
Added C:\Users\tst01\Desktop\unprotected.vbs as seen by FIN7
 2018-08-25 17:32:34 +02:00
yt0ng eda6f3b9ca rules/windows/sysmon/sysmon_powershell_DLL_execution.yml 2018-08-25 16:33:54 +02:00
yt0ng c7d4b4853d removing sysmon_powershell_AMSI_bypass.yml 2018-08-23 10:17:19 +02:00
Thomas Patzke 49af499353 Merge pull request #151 from nikseetharaman/workflow_compiler 
Add Microsoft Workflow Compiler Sysmon Detection
 2018-08-23 08:24:35 +02:00
Thomas Patzke 9235175e26 Fixed rule 
* Added condition
* Replaced Description wirh Image attribute and improved search pattern
 2018-08-23 08:20:28 +02:00
Thomas Patzke 73535e58a5 Merge pull request #153 from megan201296/patch-10 
Add ATT&CK Matrix tags
 2018-08-23 08:06:58 +02:00
Thomas Patzke d647a7de07 Merge pull request #154 from megan201296/patch-11 
Add MITRE ATT&CK tagging
 2018-08-23 08:06:39 +02:00
Florian Roth 040ba0338d fix: Added Event ID in second selection 2018-08-22 17:03:13 +02:00
megan201296 3f5c32c6da Add MITRE ATT&CK tagging 2018-08-22 09:35:06 -05:00
megan201296 76aabe7e05 Add ATT&CK Matrix tags 2018-08-22 09:30:55 -05:00
Nik Seetharaman e371d945ed Add Microsoft Workflow Compiler Sysmon Detection 2018-08-18 00:53:28 -05:00
yt0ng ca7e8d6468 removing for new pull request 2018-08-17 18:42:10 +02:00
yt0ng 5bb6f566ba ::Merge remote-tracking branch 'upstream/master' 2018-08-17 18:39:36 +02:00
yt0ng 8ecf167e85 Powershell AMSI Bypass via .NET Reflection 
[Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
 2018-08-17 18:26:04 +02:00