security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

1135 Commits

Author SHA1 Message Date
Florian Roth acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth 1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Nik Seetharaman b938fdb0a3 Add CMSTP UAC Bypass via COM Object Access 2018-07-27 02:28:28 -05:00
James Dickenson 5fc118dcac added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
Florian Roth a9fcecab88 Merge pull request #130 from samsson/patch-4 
Fixed typo / Created a rule
 2018-07-26 22:34:46 +02:00
Florian Roth 016b15a2a9 Added quotation marks 
I've added quotation marks to make it clearer (leading dash looks weird)
 2018-07-26 18:10:21 +02:00
Lurkkeli 7796492c2b Update powershell_NTFS_Alternate_Data_Streams 2018-07-26 08:54:08 -07:00
Florian Roth 089498b0b3 Merge pull request #131 from yt0ng/master 
Possible SafetyKatz Dump of debug.bin
 2018-07-25 07:41:38 +02:00
Florian Roth dd857c4470 Cosmetics 
If it's only 1 value we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
 2018-07-25 07:37:17 +02:00
Florian Roth cf7f5c7473 Changes 
I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? 
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
 2018-07-25 07:35:59 +02:00
yt0ng b415fc8d42 Possible SafetyKatz Dump of debug.bin 
https://github.com/GhostPack/SafetyKatz
 2018-07-24 23:51:46 +02:00
Lurkkeli db82322d17 Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:03:07 +02:00
Lurkkeli 0e9c5bb14a Update sysmon_rundll32_net_connections.yml 2018-07-24 20:01:47 +02:00
Lurkkeli fd8c5c5bf6 Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:00:21 +02:00
Lurkkeli ad580635ea Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00
ntim c99dc9f643 Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00
Thomas Patzke 0d8bc922a3 Merge branch 'master' into master 2018-07-24 08:23:37 +02:00
Thomas Patzke 1601b00862 Merge pull request #125 from james0d0a/attack_tags 
windows builtin mitre attack tags
 2018-07-24 08:18:47 +02:00
Thomas Patzke 01e7675e24 Merge pull request #124 from samsson/patch-1 
ATT&CK tagging
 2018-07-24 07:58:50 +02:00
Thomas Patzke 30d255ab6f Fixed tag 2018-07-24 07:58:25 +02:00
David Spautz e275d44462 Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00
James Dickenson c4edc26267 windows builtin mitre attack tags 2018-07-23 21:34:20 -07:00
Lurkkeli 1898157df5 ATT&CK tagging 
Added tag for technique t1015
 2018-07-23 23:57:15 +02:00
yt0ng 16160dfc80 added additional binaries and attack tactics/techniques 2018-07-23 15:47:56 +02:00
Suleyman Ozarslan e6cbc17c12 ATT&CK tagging of Scheduled Task Creation 2018-07-22 15:56:47 +03:00
Suleyman Ozarslan 8d9b12be07 ATT&CK tagging of Default PowerSploit Schtasks Persistence 2018-07-22 15:53:56 +03:00
Suleyman Ozarslan 080892b5ab ATT&CK tagging of MSHTA Spawning Windows Shell 2018-07-20 09:53:55 +03:00
Suleyman Ozarslan 76f277d5fe ATT&CK tagging of Malicious Named Pipe rule 2018-07-20 09:41:54 +03:00
Suleyman Ozarslan 7e74527344 ATT&CK software tag is added to Bitsadmin Download rule 2018-07-20 09:35:35 +03:00
Florian Roth 1e61adfad1 rule: Changed Registry persistence Explorer RUN key rule 2018-07-19 16:27:19 -06:00
Florian Roth 83d6f12ce3 rule: Registry persistence in Explorer RUN key pointing to suspicious folder 2018-07-19 16:27:19 -06:00
Thomas Patzke f98158f5ad Further ATT&CK tagging 2018-07-19 23:36:13 +02:00
Suleyman Ozarslan 05b91847cd ATT&CK tagging of Suspicious Certutil Command rule 2018-07-19 16:42:39 +03:00
Thomas Patzke bdea097b80 ATT&CK tagging 2018-07-17 23:58:11 +02:00
Florian Roth 9e92b97661 Merge pull request #111 from nikseetharaman/cmstp_execution 
Add sysmon_cmstp_execution
 2018-07-17 14:39:56 -06:00
Florian Roth 3f0040b983 Removed duplicate status field 2018-07-16 15:55:31 -06:00
Florian Roth 429474b6d6 Merge pull request #113 from megan201296/patch-9 
fixed typo
 2018-07-16 15:38:52 -06:00
megan201296 02ea2cf923 fixed typo 2018-07-16 16:20:33 -05:00
megan201296 60310e94c6 fixed typo 2018-07-16 16:13:24 -05:00
Nik Seetharaman 3630386230 Add sysmon_cmstp_execution 2018-07-16 02:53:41 +03:00
Florian Roth 7a031709bb Merge pull request #108 from megan201296/patch-5 
fixed typo
 2018-07-14 18:31:40 -06:00
Florian Roth 70ab83eb65 Merge pull request #109 from megan201296/patch-6 
Fixed typo
 2018-07-14 18:31:21 -06:00
megan201296 be7a3b0774 Update sysmon_susp_mmc_source.yml 2018-07-13 18:49:08 -05:00
megan201296 a6455cc612 typo fix 2018-07-13 18:48:36 -05:00
megan201296 8944be1efd Update sysmon_susp_driver_load.yml 2018-07-13 18:36:12 -05:00
megan201296 a169723005 fixed typo 2018-07-13 13:53:21 -05:00
Thomas Patzke 2dc5295abf Removed redundant attribute from rule 2018-07-10 22:50:02 +02:00
Florian Roth 57727d2397 Merge pull request #107 from megan201296/typo-fixes 
Typo fixes
 2018-07-10 10:29:10 -06:00
megan201296 24d2d0b258 Fixed typo 2018-07-10 09:14:37 -05:00
megan201296 d6ea0a49fc Fixed typoes 2018-07-10 09:14:07 -05:00