security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

1457 Commits

Author SHA1 Message Date
mikhail 40241c1fdf Fix 4 rules 2019-03-06 01:56:05 +03:00
mrblacyk 99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
Tareq AlKhatib 879017818f More conversions to the new process_creation logsource 2019-03-05 09:46:53 +03:00
Tareq AlKhatib b2952b9f78 Fixing failed CI build - take 2 2019-03-04 16:51:39 +03:00
Tareq AlKhatib c8be6e649b Fixing failed CI build 2019-03-04 16:44:30 +03:00
Tareq AlKhatib 45458121c6 Updated to use the new process_creation logsource 2019-03-04 16:13:27 +03:00
Florian Roth ae1541242c New custom suspicious TLD in rule ".pw" 2019-03-03 10:58:12 +01:00
Tareq AlKhatib 58c61430a2 updated to use process_creation 2019-03-02 21:05:15 +03:00
Florian Roth 7b3d67ae66 fix: bugfix in new proc creation rule 2019-03-02 11:28:13 +01:00
Liam Sennitt bef5f03015 fix tagging in turla png dropper service rule 2019-03-02 09:01:00 +00:00
Florian Roth 1a583c158d fixed typo as in pull request by @m0jtaba 2019-03-02 08:16:25 +01:00
Florian Roth 2188001f98 Extended filter list provided by @Ov3rflow 2019-03-02 08:13:29 +01:00
Florian Roth bd4e61acd8 Merge pull request #271 from vburov/patch-4 
Update win_susp_failed_logon_reasons.yml
 2019-03-02 07:21:28 +01:00
Florian Roth f80cf52982 Expired happens too often 
Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
 2019-03-02 07:20:59 +01:00
Thomas Patzke 56a1ed1eac Merge branch 'project-1' 2019-03-02 00:26:10 +01:00
Thomas Patzke 7602309138 Increased indentation to 4 
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
 2019-03-02 00:14:20 +01:00
Florian Roth 1aac9baaed Merge pull request #270 from LiamSennitt/master 
fix bug in chafer activity rule #269
 2019-03-01 17:13:04 +01:00
Vasiliy Burov 7bebedbac1 Update win_susp_failed_logon_reasons.yml 
Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon.
 2019-03-01 18:18:39 +03:00
Florian Roth af6a1ff26a Extended rule, modified timestamp 2019-03-01 13:36:54 +01:00
Florian Roth f560e83886 Added modified date 2019-03-01 12:07:31 +01:00
Florian Roth fc683ac7ee Added error code for denied logon type 2019-03-01 12:06:54 +01:00
Liam Sennitt 2345cbf7bd fix bug in chafer activity rule #269 2019-03-01 10:23:02 +00:00
Thomas Patzke 6bdb4ab78a Merge cleanup 2019-02-27 22:05:27 +01:00
darkquasar 155e273a1c adding rule win-susp-mshta-execution.yml 2019-02-27 15:55:39 +11:00
Florian Roth 8ce4b1530d Rule: added SAM export 2019-02-26 09:00:47 +01:00
Thomas Patzke c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Thomas Patzke 58a32f35d9 Merge pull request #246 from james0d0a/master 
Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml
 2019-02-24 16:53:49 +01:00
Florian Roth f278a00174 Rule: certutil encode 2019-02-24 14:10:40 +01:00
Florian Roth e7f5cbc22a Rule: BabyShark activity 2019-02-24 14:04:44 +01:00
Florian Roth a60b53a7df fix: bugfix in BEAR activity rule 2019-02-24 14:04:44 +01:00
Tareq AlKhatib 7d3d819ea5 Added a detection path through process spawn 2019-02-24 10:29:58 +03:00
Tareq AlKhatib a022333382 Added private IP filter to reduce FPs 2019-02-23 21:15:03 +03:00
Vasiliy Burov f0c89239d3 Added some unusual paths. 2019-02-23 17:45:08 +03:00
Florian Roth afa18245bf Merge pull request #254 from darkquasar/master 
adding MPreter as McAfee classifies it
 2019-02-23 07:34:04 +01:00
Thomas Patzke c17f9d172f Merge pull request #248 from megan201296/patch-17 
Create win_mal_ursnif.yml
 2019-02-22 21:30:49 +01:00
Thomas Patzke 02239fa288 Changed registry root key 
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete) it is abbreviated to HKU.
 2019-02-22 21:30:30 +01:00
Thomas Patzke 5c63ef17d2 Added further NirSoft tool parameters 2019-02-22 21:15:03 +01:00
vburov bdf44be077 Update win_susp_process_creations.yml 2019-02-22 22:46:57 +03:00
darkquasar 87994ca46b adding MPreter as McAfee classifies it 
McAfee classifies some Meterpreter events with the "Mpreter" keyword
 2019-02-22 15:22:10 +11:00
Florian Roth d3b623e92a Rule: suspicious pipes extended 
https://github.com/Neo23x0/sigma/issues/253
 2019-02-21 13:26:48 +01:00
Florian Roth 343a40ced7 Rule: extended exec location rule to support 4688 events 2019-02-21 13:26:48 +01:00
Florian Roth c8701ac6e9 Merge pull request #252 from keepwatch/patch-1 
Fixing yara condition
 2019-02-21 10:17:09 +01:00
Florian Roth 8ae37f5d64 BEAR activity - CrowdStrike GTR 2019 
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 2019-02-21 09:54:01 +01:00
Florian Roth 3a994d0d63 fix: bugfix in Judgement Panda rule 2019-02-21 09:50:49 +01:00
Florian Roth 5935eaa572 fix: added MITRE ATT&CK tags to APT rule 2019-02-21 09:27:59 +01:00
Florian Roth aca470961a fix: bugfix in Judgement Panda rule 2019-02-21 09:20:52 +01:00
Florian Roth c474bfcae5 Judgement Panda - Crowdstrike GTR 2019 
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 2019-02-21 09:20:52 +01:00
Keep Watcher 07dec06222 Fixing yara condition 2019-02-20 10:57:24 -05:00
Florian Roth eeae74e245 Merge pull request #249 from TareqAlKhatib/duplicate_filters 
Duplicate Detections
 2019-02-18 21:58:39 +01:00
Tareq AlKhatib 2e3a2b9ba6 Merged 'Eventlog Cleared' and 'Eventlog Cleared Experimental' 2019-02-18 21:03:53 +03:00