Commit Graph

430 Commits

Author SHA1 Message Date
megan201296 02ea2cf923 fixed typo 2018-07-16 16:20:33 -05:00
megan201296 60310e94c6 fixed typo 2018-07-16 16:13:24 -05:00
Nik Seetharaman 3630386230 Add sysmon_cmstp_execution 2018-07-16 02:53:41 +03:00
Florian Roth 70ab83eb65 Merge pull request #109 from megan201296/patch-6
Fixed typo
2018-07-14 18:31:21 -06:00
megan201296 be7a3b0774 Update sysmon_susp_mmc_source.yml 2018-07-13 18:49:08 -05:00
megan201296 a6455cc612 typo fix 2018-07-13 18:48:36 -05:00
megan201296 8944be1efd Update sysmon_susp_driver_load.yml 2018-07-13 18:36:12 -05:00
Florian Roth 57727d2397 Merge pull request #107 from megan201296/typo-fixes
Typo fixes
2018-07-10 10:29:10 -06:00
megan201296 24d2d0b258 Fixed typo 2018-07-10 09:14:37 -05:00
megan201296 d6ea0a49fc Fixed typos 2018-07-10 09:14:07 -05:00
megan201296 3ec67393cd Fixed typo 2018-07-10 09:13:41 -05:00
megan201296 b0bc3b66ed Fixed typo 2018-07-09 13:32:16 -05:00
megan201296 120479abb7 removed duplicates 2018-07-09 12:32:41 -05:00
megan201296 c4bd267151 Fixed typo 2018-07-09 12:02:42 -05:00
megan201296 a7ccfcb50d Fixed spelling mistake 2018-07-09 09:13:31 -05:00
Florian Roth c8fef4d093 fix: removed unnecessary lists 2018-07-07 15:43:56 -06:00
Florian Roth dea019f89d fix: some threat levels adjusted 2018-07-07 13:00:23 -06:00
yt0ng 6a014a3dc8 MSHTA spawned by SVCHOST as seen in LethalHTA
"Furthermore it can be detected by an mshta.exe process spawned by svchost.exe."
2018-07-06 19:52:58 +02:00
Florian Roth ed470feb21 Merge pull request #99 from yt0ng/master
Detects ImageLoad by uncommon Image
2018-07-06 10:11:02 -06:00
yt0ng b21afc3bc8 user subTee was removed from Twitter 2018-07-04 17:29:05 +02:00
yt0ng f84c33d005 Known powershell scripts names for exploitation
Detects the creation of known powershell scripts for exploitation
2018-07-04 17:24:18 +02:00
Florian Roth 7867838540 fix: typo in rule description 2018-07-03 05:05:44 -06:00
Florian Roth e7465d299f fix: false positive with MsMpEng.exe and svchost.exe as child process 2018-07-03 05:05:44 -06:00
yt0ng 42941ee105 Detects ImageLoad by uncommon Image
Process Hollowing Described by SubTee using notepad https://twitter.com/subTee/status/1012657434702123008
2018-07-01 15:47:17 +02:00
Florian Roth 9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
Florian Roth a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth fc72bd16af Fixed bugs 2018-06-27 09:20:41 +02:00
Florian Roth f4b150def8 Rule: Powershell remote thread creation in Rundll32 2018-06-25 15:23:19 +02:00
Florian Roth 1a1011b0ad Merge pull request #96 from yt0ng/master
Detects the creation of a schtask via PowerSploit Default Configuration
2018-06-23 17:15:14 +02:00
yt0ng c59d0c7dca Added additional options 2018-06-23 15:54:31 +02:00
yt0ng cc3fd9f5d0 Detects the creation of a schtask via PowerSploit Default Configuration
https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
2018-06-23 15:45:58 +02:00
Florian Roth d1d4473505 Rule: ADS with executable
https://twitter.com/0xrawsec/status/1002478725605273600
2018-06-03 02:08:57 +02:00
Florian Roth 49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Markus Härnvi cf237cf658 "author" should be a string and not a list, according to the specification 2018-04-16 23:42:51 +02:00
Florian Roth d8bbf26f2c Added msiexec to rule in order to cover new threats
https://twitter.com/DissectMalware/status/984252467474026497
2018-04-12 09:12:50 +02:00
Florian Roth 58517907ad Improved rule to provide support for old sysmon \REGISTRY syntax 2018-04-11 20:15:17 +02:00
Florian Roth 0ffd226293 Moved new rule to sysmon folder 2018-04-11 20:11:54 +02:00
Florian Roth 52d405bb1b Improved shell spawning rule 2018-04-11 20:09:42 +02:00
Florian Roth a9c7fe202e Rule: Windows shell spawning suspicious program 2018-04-09 08:37:30 +02:00
Florian Roth e53826e167 Extended Sysmon Office Shell rule 2018-04-09 08:37:30 +02:00
Thomas Patzke f113832c04 Merge pull request #69 from jmallette/rules
Create cmdkey recon rule
2018-04-08 23:23:30 +02:00
Thomas Patzke a3e02ea70f Various rule fixes
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because the text representation is not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00
Thomas Patzke dacc6ae3d3 Fieldname case: Commandline -> CommandLine 2018-03-25 23:08:28 +02:00
Florian Roth e141a834ff Rule: Ping hex IP address
https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
2018-03-23 17:00:00 +01:00
Florian Roth 97204d8dc0 Renamed rule 2018-03-20 15:04:11 +01:00
Florian Roth e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth a7eb4d3e34 Renamed rule 2018-03-20 11:12:35 +01:00
Florian Roth b84bbd327b Rule: NetNTLM Downgrade Attack
https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
2018-03-20 11:07:21 +01:00
Florian Roth a6d293e31d Improved tscon rule 2018-03-20 10:54:04 +01:00
Florian Roth 8fb6bc7a8a Rule: Suspicious taskmgr as LOCAL_SYSTEM 2018-03-19 16:36:39 +01:00