security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

1135 Commits

Author SHA1 Message Date
megan201296 3ec67393cd Fixed typo 2018-07-10 09:13:41 -05:00
megan201296 b0bc3b66ed Fixed typo 2018-07-09 13:32:16 -05:00
megan201296 120479abb7 removed duplicates 2018-07-09 12:32:41 -05:00
megan201296 c4bd267151 Fixed typo 2018-07-09 12:02:42 -05:00
megan201296 a7ccfcb50d Fixed spelling mistake 2018-07-09 09:13:31 -05:00
Florian Roth c8fef4d093 fix: removed unnecessary lists 2018-07-07 15:43:56 -06:00
Florian Roth dea019f89d fix: some threat levels adjusted 2018-07-07 13:00:23 -06:00
yt0ng 6a014a3dc8 MSHTA spwaned by SVCHOST as seen in LethalHTA 
"Furthermore it can be detected by an mshta.exe process spawned by svchost.exe."
 2018-07-06 19:52:58 +02:00
Florian Roth ed470feb21 Merge pull request #99 from yt0ng/master 
Detects ImageLoad by uncommon Image
 2018-07-06 10:11:02 -06:00
yt0ng b21afc3bc8 user subTee was removed from Twitter 2018-07-04 17:29:05 +02:00
yt0ng f84c33d005 Known powershell scripts names for exploitation 
Detects the creation of known powershell scripts for exploitation
 2018-07-04 17:24:18 +02:00
Florian Roth 7867838540 fix: typo in rule description 2018-07-03 05:05:44 -06:00
Florian Roth e7465d299f fix: false positive with MsMpEng.exe and svchost.exe as child process 2018-07-03 05:05:44 -06:00
yt0ng 42941ee105 Detects ImageLoad by uncommon Image 
Process Hollowing Described by SubTee using notepad https://twitter.com/subTee/status/1012657434702123008
 2018-07-01 15:47:17 +02:00
Florian Roth c3bf968462 High FP Rule 2018-06-29 16:01:46 +02:00
Florian Roth c26c3ee426 Trying to fix rule 2018-06-28 16:39:47 +02:00
Florian Roth 9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
scherma 19ba5df207 False positive circumstance 2018-06-27 21:14:38 +01:00
Florian Roth 86e6518764 Changed (any) statements to (not null) to comply with the newest specs 2018-06-27 20:57:58 +02:00
Florian Roth a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth 9705366060 Adjusted some rules 2018-06-27 16:54:44 +02:00
Florian Roth fc72bd16af Fixed bugs 2018-06-27 09:20:41 +02:00
Florian Roth f4b150def8 Rule: Powershell remote thread creation in Rundll32 2018-06-25 15:23:19 +02:00
Florian Roth 1a1011b0ad Merge pull request #96 from yt0ng/master 
Detects the creation of a schtask via PowerSploit Default Configuration
 2018-06-23 17:15:14 +02:00
yt0ng c59d0c7dca Added additional options 2018-06-23 15:54:31 +02:00
yt0ng cc3fd9f5d0 Detects the creation of a schtask via PowerSploit Default Configuration 
https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
 2018-06-23 15:45:58 +02:00
Florian Roth 28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke 7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke df6ad82770 Removed redundant attribute from rule 
EventID 4657 already implies the modification.
 2018-06-21 23:59:55 +02:00
Florian Roth 946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth 9c817a493b Rule: DCSync 2018-06-03 16:00:57 +02:00
Florian Roth d1d4473505 Rule: ADS with executable 
https://twitter.com/0xrawsec/status/1002478725605273600
 2018-06-03 02:08:57 +02:00
Florian Roth 8e500d2caa Bugfix in rule 2018-05-29 14:11:12 +02:00
Florian Roth 2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke 079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Thomas Patzke 6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth 49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth 3c1c9d2b31 Merge pull request #81 from yt0ng/sigma-yt0ng 
added SquiblyTwo Detection
 2018-04-18 16:39:37 +02:00
Florian Roth 8420d3174a Reordered 2018-04-18 16:34:16 +02:00
yt0ng c637c2e590 Adding Detections for renamed wmic and format 
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
 2018-04-18 15:02:52 +02:00
Florian Roth 9b8df865b1 Extended rule 2018-04-18 12:13:45 +02:00
yt0ng a4fb39a336 also for http 2018-04-18 08:19:47 +02:00
yt0ng 169a4404c2 added SquiblyTwo Detection 2018-04-17 21:33:26 +02:00
Markus Härnvi cf237cf658 "author" should be a string and not a list, according to the specification 2018-04-16 23:42:51 +02:00
Florian Roth d8bbf26f2c Added msiexec to rule in order to cover new threats 
https://twitter.com/DissectMalware/status/984252467474026497
 2018-04-12 09:12:50 +02:00
Florian Roth 58517907ad Improved rule to provide support for for old sysmon \REGISTRY syntax 2018-04-11 20:15:17 +02:00
Florian Roth 0ffd226293 Moved new rule to sysmon folder 2018-04-11 20:11:54 +02:00
Florian Roth 52d405bb1b Improved shell spawning rule 2018-04-11 20:09:42 +02:00
Florian Roth b065c2c35c Simplified rule 2018-04-11 19:03:35 +02:00