security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

430 Commits

Author SHA1 Message Date
Florian Roth af8be8f064 Several rule updates 2018-03-19 16:36:15 +01:00
Florian Roth 648ac5a52e Rules: tscon.exe anomalies 
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 2018-03-17 19:14:13 +01:00
Karneades 49c12f1df8 Add missing binaries 2018-03-16 10:52:43 +01:00
Florian Roth a257b7d9d7 Rule: Stickykey improved 2018-03-16 09:10:07 +01:00
Florian Roth 0460e7f18a Rule: Suspicious process started from taskmgr 2018-03-15 19:54:03 +01:00
Florian Roth f5494c6f5f Rule: StickyKey-ike backdoor usage 2018-03-15 19:53:34 +01:00
Florian Roth 5ae5c9de19 Rule: Outlook spawning shells to detect Turla like C&C via Outlook 2018-03-10 09:04:11 +01:00
jmallette aff46be8a3 Create cmdkey recon rule 2018-03-08 13:25:05 -05:00
Thomas Patzke 8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke 8041f77abd Merged similar rules 2018-03-06 23:19:11 +01:00
Thomas Patzke 84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Florian Roth 1001afb038 Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
Florian Roth 25dc3e78be Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
Florian Roth 9020a9aa32 Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
Florian Roth 5d763581fa Adding status "experimental" to that rule 2018-02-22 13:28:01 +01:00
Florian Roth 0be687d245 Rule: Detect CVE-2017-0261 exploitation 2018-02-22 13:27:20 +01:00
Florian Roth fa4dbc0f2e Rule: QuarksPwDump temp dump file 2018-02-10 15:25:36 +01:00
SherifEldeeb 348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb 48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb 112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth 285f5bab4f Removed duplicate string 2017-12-11 09:31:54 +01:00
Florian Roth 78854b79c4 Rule: System File Execution Location Anomaly 2017-11-27 14:09:22 +01:00
Florian Roth 93fbc63691 Rule to detect droppers exploiting CVE-2017-11882 2017-11-23 00:58:31 +01:00
Florian Roth 59e5b3b999 Sysmon: Named Pipe detection for APT malware 2017-11-06 14:24:42 +01:00
Florian Roth 37cea85072 Rundll32.exe suspicious network connections 2017-11-04 14:44:30 +01:00
Thomas Patzke 720c992573 Dropped within keyword 
Covered by timeframe attribute.

Fixes issue #26.
 2017-10-30 00:25:56 +01:00
Thomas Patzke 27227855b5 Merge branch 'devel-sigmac' 2017-10-29 23:59:49 +01:00
Thomas Patzke 012cb6227f Added proper handling of null/not null values 
Fixes issue #25
 2017-10-29 23:57:39 +01:00
Florian Roth b7e8000ccb Improved Office Shell rule > added 'schtasks.exe' 2017-10-25 23:53:45 +02:00
Thomas Patzke d7c659128c Removed unneeded array 2017-10-18 15:12:29 +02:00
Florian Roth deea224421 Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 16:19:56 +02:00
Florian Roth 00baa4ed40 Executables Started in Suspicious Folder 2017-10-14 23:23:04 +02:00
Florian Roth 358d1ffba0 Executables Started in Suspicious Folder 2017-10-14 23:22:20 +02:00
Florian Roth 20f9dbb31c CVE-2017-8759 - Winword.exe > csc.exe 2017-09-15 15:49:56 +02:00
Thomas Patzke 986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Thomas Patzke 68cb5e8921 Merge pull request #45 from secman-pl/patch-1 
Update sysmon_susp_regsvr32_anomalies to detect wscript child process
 2017-09-10 22:52:37 +02:00
Florian Roth bfe8378455 Rule: Suspicious svchost.exe process 2017-08-31 11:07:45 +02:00
secman-pl 9768f275d0 Update sysmon_susp_regsvr32_anomalies 
Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe. 
example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
SCT script code:
var objShell = new ActiveXObject("WScript.shell");
 2017-08-29 12:21:47 +02:00
Florian Roth f3f2c14b3a Added reference to regsvr32 rule 2017-08-29 08:45:29 +02:00
Florian Roth 55f4c37e22 Rule: Microsoft Binary Github Communication 2017-08-24 18:27:40 +02:00
Hans-Martin Münch 09e754a8f9 Small Typo fix 2017-08-22 10:56:25 +02:00
Florian Roth 59821d1bcb Office Shell: Reference added to new entry 2017-08-22 10:04:22 +02:00
Florian Roth 8f4a780c3b Added regsvr32.exe to suspicious child processes 2017-08-20 23:14:41 +02:00
Thomas Patzke 4578756cfd Merge remote-tracking branch 'origin/master' 2017-08-05 00:35:24 +02:00
Thomas Patzke 03985288f6 Removed 'last' from timeframe 2017-08-05 00:32:24 +02:00
Florian Roth edb52e098a Extended hh.exe in Office Shell detection 
https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
 2017-08-04 09:18:55 +02:00
Thomas Patzke 5706361464 Parsing of "near ... within" aggregation operator 
* Operator is only parsed. No processing or passing of parsed data to
  backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
 2017-08-03 00:05:48 +02:00
Thomas Patzke f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke 84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00