security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

1135 Commits

Author SHA1 Message Date
Jason Lynch 89fb726875 added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7 2019-04-09 09:45:07 -04:00
Jason Lynch f0c8c428bb added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
Karneades 97376c00de Fix condition 2019-04-04 22:33:32 +02:00
Karneades 766b8b8d18 Fix condition 2019-04-04 22:32:47 +02:00
Karneades 788e75ef1b Fix condition 2019-04-04 22:32:21 +02:00
Karneades 840eb2f519 Remove too loose filter in notepad updater rule 2019-04-04 22:25:05 +02:00
Karneades eb690d8902 Remove too loose filter in mshta rule 2019-04-04 22:16:24 +02:00
Karneades 1915561351 Remove to loose wildcard from wmi spwns powershell rule 2019-04-04 22:12:28 +02:00
Florian Roth 81693d81b6 Merge pull request #295 from sbousseaden/master 
Create win_atsvc_task.yml
 2019-04-04 18:32:13 +02:00
sbousseaden c4b8f75940 Update win_lm_namedpipe.yml 2019-04-04 18:22:50 +02:00
sbousseaden 22958c45a3 Update win_GPO_scheduledtasks.yml 2019-04-03 21:50:55 +02:00
sbousseaden b4ac9a432f Update win_susp_psexec.yml 2019-04-03 21:50:25 +02:00
sbousseaden 353e457104 Update win_lm_namedpipe.yml 2019-04-03 21:49:58 +02:00
sbousseaden d5818a417b Update win_impacket_secretdump.yml 2019-04-03 21:49:30 +02:00
sbousseaden 9c5575d003 Update win_atsvc_task.yml 2019-04-03 21:48:38 +02:00
sbousseaden edb98f2781 Update win_account_discovery.yml 2019-04-03 21:40:59 +02:00
Florian Roth 13f86e9333 Merge pull request #296 from Karneades/patch-1 
Remove backslashes in CommandLine for sticky key rule
 2019-04-03 19:44:02 +02:00
yt0ng e0459cec1c renamed file 2019-04-03 17:39:17 +02:00
t0x1c-1 7e058e611c WMI spawning PowerShell seen in various attacks 2019-04-03 16:56:45 +02:00
Unknown 9ada22b8e0 adjusted link 2019-04-03 16:40:18 +02:00
Unknown d2e605fc5c Auto stash before rebase of "Neo23x0/master" 2019-04-03 16:25:18 +02:00
Karneades 865d971704 Remove backslashes in CommandLine for sticky key rule 
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
 2019-04-03 16:16:18 +02:00
sbousseaden eda5298457 Create win_account_backdoor_dcsync_rights.yml 2019-04-03 16:16:05 +02:00
sbousseaden 0756b00cdf Create win_susp_psexec.yml 2019-04-03 15:59:46 +02:00
sbousseaden 9c1a5a5264 Create win_lm_namedpipe.yml 2019-04-03 15:48:42 +02:00
sbousseaden 56b68a0266 Create win_GPO_scheduledtasks.yml 2019-04-03 15:36:24 +02:00
sbousseaden b941f6411f Create win_impacket_secretdump.yml 2019-04-03 15:18:42 +02:00
sbousseaden 516c8f3ea1 Create win_account_discovery.yml 2019-04-03 14:41:11 +02:00
sbousseaden 3d69727332 Create sysmon_rdp_settings_hijack.yml 2019-04-03 14:16:25 +02:00
sbousseaden 016261cacf Update sysmon_lsass_memdump.yml 2019-04-03 14:06:49 +02:00
sbousseaden a85c668f6f Update sysmon_lsass_memdump.yml 2019-04-03 14:00:51 +02:00
sbousseaden d62bc41bfb Create win_svcctl_remote_service.yml 2019-04-03 13:58:20 +02:00
sbousseaden 32c6b34746 Create sysmon_lsass_memdump.yml 2019-04-03 13:51:59 +02:00
sbousseaden 548145ce10 Create win_susp_raccess_sensitive_fext.yml 2019-04-03 13:22:42 +02:00
sbousseaden ddb2d92a98 Create sysmon_tsclient_filewrite_startup.yml 2019-04-03 13:19:59 +02:00
sbousseaden e3f99c323b Create win_atsvc_task.yml 2019-04-03 13:08:12 +02:00
Thomas Patzke 8e854b06f6 Specified source to prevent EventID collisions 
Issue #263
 2019-04-01 23:45:55 +02:00
Florian Roth e473efb7c3 Trying to fix ATT&CK framework tag 2019-04-01 10:36:35 +02:00
Florian Roth 3f2ce4b71f Lowered level to medium 2019-04-01 09:47:14 +02:00
t0x1c-1 51c42a15a7 Allow Incoming Connections by Port or Application on Windows Firewall 2019-04-01 08:16:56 +02:00
Nate Guagenti 60c4fed2e0 Create win_etw_trace_evasion.yml 
there are two versions of clear and two variations of set that can be used with something like wevtutil
`wevtutil cl | wevtutil clear-log | wevtutil sl | wevtutil set-log `

Also, I am adding a `*` match at the end, because there are other parameters that could be placed on the end -- so unless this was used on a general search on a text/analyzed field then the `*` is necessary.

example `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:disable /q:true`
 2019-03-22 11:36:55 -04:00
Florian Roth ffac77fb37 Rule: extended LockerGoga description 2019-03-22 11:03:48 +01:00
Florian Roth 1adb040e0b Rule: LockerGoga 2019-03-22 10:59:31 +01:00
Florian Roth 2ad2ba9589 fix: rule field fix in proc_creation rule 2019-03-22 10:59:18 +01:00
Thomas Patzke be25aa2c37 Added CAR tags 2019-03-16 00:37:09 +01:00
Thomas Patzke 8512417de0 Incorporated MITRE CAR mapping from #55 2019-03-16 00:03:27 +01:00
yugoslavskiy 33db032a16 added missed service 2019-03-14 00:44:26 +01:00
Florian Roth 95b47972f0 fix: transformed rule to new proc_creation format 2019-03-12 09:03:30 +01:00
Florian Roth c4003ff410 Merge pull request #264 from darkquasar/master 
adding rule win-susp-mshta-execution.yml
 2019-03-11 23:50:56 +01:00
Yugoslavskiy Daniil 5d54e9c8a1 nbstat.exe -> nbtstat.exe 2019-03-11 19:28:29 +01:00