Commit Graph

1135 Commits

Author SHA1 Message Date
Florian Roth 371b41acd9 Improved regsvr32.exe whitelisting bypass rule
thanks to Nick Carr https://twitter.com/ItsReallyNick/status/872409920938946560
2017-06-07 13:46:36 +02:00
Florian Roth e5ad1b2f84 Improved regsvr32 whitelisting bypass rule 2017-06-07 12:02:55 +02:00
Florian Roth 1fd7a92e87 Regsvr32.exe anomalies (bugfix and new selection) 2017-06-07 11:43:25 +02:00
Florian Roth 5dd3d4dd57 Generic Hacktool Use Rule 2017-05-31 08:42:35 +02:00
Florian Roth 0c222134b9 Extended malware script dropper rule 2017-05-25 14:59:16 +02:00
Florian Roth 0685e297c8 Improved Suspicious Net.exe Execution Rule 2017-05-25 12:44:56 +02:00
Florian Roth ae4cab6783 Corrected - no lists needed 2017-05-25 12:07:11 +02:00
Florian Roth 6ad5f82248 Corrected rule 2017-05-25 12:06:23 +02:00
dimi 0b8c82b75b 1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successful loading
2) correct typo in dns server rule
2017-05-15 20:58:31 +02:00
Florian Roth 01e1d3a3d7 WannaCry Service Install 2017-05-15 16:06:16 +02:00
Florian Roth 75e55d647b Fixed and added strings 2017-05-13 18:33:51 +02:00
Florian Roth 46643324a8 Wannacrypt Update 2017-05-13 10:40:41 +02:00
Florian Roth c40c592fb5 Changed rule as "m.vbs" isn't stable 2017-05-13 08:32:30 +02:00
Florian Roth 7c56992de5 Reference in WannaCrypt rule 2017-05-12 23:02:13 +02:00
Florian Roth d35b6c0353 Backup catalog deletion rule 2017-05-12 23:00:56 +02:00
Florian Roth b7837d4cdb Fixed WannaCrypt rule 2017-05-12 22:32:40 +02:00
Florian Roth 1ab3c746c1 Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-05-12 21:59:43 +02:00
Florian Roth 5cdb2b013b WannaCrypt Ransomware 2017-05-12 21:57:53 +02:00
Florian Roth 0b541b2689 Suspicious Windows Process Creations Update 2017-05-12 21:55:30 +02:00
Thomas Patzke 300dbe8f3e Fixed condition
AND has higher precedence than OR.
2017-05-09 23:12:02 +02:00
Florian Roth 565c51e5be Removed "1 of" expression (no bug, but cleaner) 2017-05-09 22:58:42 +02:00
Florian Roth a6678e199b Microsoft Malware Protection Engine Crash - ref CVE-2017-0290 2017-05-09 22:46:57 +02:00
Florian Roth 96deef7d34 Updated sigma signature 2017-05-08 21:25:07 +02:00
Florian Roth 16ac2337a4 Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 13:39:50 +02:00
Florian Roth 75e58b8142 Bugfix and date 2017-05-08 13:10:40 +02:00
Florian Roth 263c98a2c8 Suspicious DNS Server Config Error - ServerLevelPluginDLL issue 2017-05-08 13:09:50 +02:00
Florian Roth c7cc2a00d3 WScript/CScript Dropper 2017-05-05 17:30:46 +02:00
Florian Roth dc4ae35be1 Schtasks frequency - minute 2017-04-28 17:03:35 +02:00
Florian Roth a5c3f424c1 regsvr32 Anomalies 2017-04-16 12:02:29 +02:00
Florian Roth 769156a83b Minor fix > list to single value 2017-04-16 12:01:03 +02:00
Florian Roth 8363b25888 Suspicious Control Panel DLL Load 2017-04-15 23:32:26 +02:00
Florian Roth 89e43c1059 Improved MSHTA rule 2017-04-13 09:25:34 +02:00
Florian Roth d66c97921f Bugfix in rule 2017-04-13 01:22:03 +02:00
Florian Roth 059cfbf15a Removed duplicate 2017-04-13 01:21:46 +02:00
Florian Roth c2ed7bd9df MSHTA Rule v1 2017-04-13 01:08:37 +02:00
Florian Roth 64caa8aedc Merge pull request #31 from neu5ron/patch-4
Create win_alert_ad_user_backdoors.yml
2017-04-13 01:07:41 +02:00
Florian Roth 1e4d563a4d Merge pull request #30 from yugoslavskiy/win_pass_the_hash_improving
improved win_pass_the_hash.yml rule
2017-04-13 01:05:09 +02:00
Nate Guagenti 53313d45be Create win_alert_ad_user_backdoors.yml 2017-04-12 16:15:41 -04:00
Florian Roth abb01cc264 Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00
Florian Roth 92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
yugoslavskiy f83d0e36b8 improved win_pass_the_hash.yml rule
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]

[1] http://serverfault.com/questions/338644/what-are-anonymous-logons-in-windows-event-log
2017-04-04 02:57:58 +03:00
Nate Guagenti 2bb7d7e6eb Create win_alert_active_directory_user_control.yml 2017-04-03 15:58:23 -04:00
Nate Guagenti 85b4efabed Update win_alert_enable_weak_encryption.yml 2017-04-03 09:15:52 -04:00
Nate Guagenti bd63d74776 Create win_alert_enable_weak_encryption.yml
kerberoast and enabling weak encryption for password/hash cracking
2017-04-03 09:12:58 -04:00
Florian Roth 0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth fa90fb2fed Improved WMIC process call create rule 2017-03-29 22:11:05 +02:00
Florian Roth e6a81623a8 PowerShell Combo - False Positive with MOM 2017-03-29 22:10:28 +02:00
Florian Roth f91f813b3f Improved certutil.exe rules 2017-03-27 22:30:26 +02:00
Florian Roth 078eaa1180 Updated Windows suspicious activity 2017-03-27 17:27:04 +02:00
Florian Roth 707e5a948f Rules: Password dumper activity and lateral movement 2017-03-27 15:20:50 +02:00