security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

1457 Commits

Author SHA1 Message Date
Thomas Patzke d647a7de07 Merge pull request #154 from megan201296/patch-11 
Add MITRE ATT&CK tagging
 2018-08-23 08:06:39 +02:00
Florian Roth 5de3cd71a4 Merge pull request #149 from yt0ng/development 
Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
 2018-08-22 17:19:10 +02:00
Florian Roth 040ba0338d fix: Added Event ID in second selection 2018-08-22 17:03:13 +02:00
Florian Roth 0c729d1eea Already used in different rule 2018-08-22 17:02:03 +02:00
Florian Roth 6ee31f6cd1 Update win_susp_commands_recon_activity.yml 
Merged recon commands from @yt0ng's rule
 2018-08-22 17:00:00 +02:00
megan201296 3f5c32c6da Add MITRE ATT&CK tagging 2018-08-22 09:35:06 -05:00
megan201296 76aabe7e05 Add ATT&CK Matrix tags 2018-08-22 09:30:55 -05:00
Nik Seetharaman e371d945ed Add Microsoft Workflow Compiler Sysmon Detection 2018-08-18 00:53:28 -05:00
yt0ng ca7e8d6468 removing for new pull request 2018-08-17 18:42:10 +02:00
yt0ng 5bb6f566ba ::Merge remote-tracking branch 'upstream/master' 2018-08-17 18:39:36 +02:00
yt0ng 8ecf167e85 Powershell AMSI Bypass via .NET Reflection 
[Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
 2018-08-17 18:26:04 +02:00
yt0ng 07e411fe6b Oilrig Information gathering 
whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1
 2018-08-15 14:29:59 +02:00
Florian Roth 4e91462838 fix: Bugfix in Adwind rule 2018-08-15 12:33:03 +02:00
Florian Roth 92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Florian Roth 7c05b85bcd rule: Added malware UA 2018-08-15 12:33:03 +02:00
Thomas Patzke 2715c44173 Converted first Sysmon rule to generic process_execution rule 2018-08-14 21:34:54 +02:00
Thomas Patzke 2c0e76be3d Escaped * where required 2018-08-10 13:53:08 +02:00
Lurkkeli 7cdc13ef11 Update 2018-08-08 17:05:51 +02:00
Lurkkeli 392351af25 Adding ATT&CK tag 2018-08-08 16:43:54 +02:00
Lurkkeli 4d721f1803 Updating fps 2018-08-08 16:42:26 +02:00
Lurkkeli b9f433414d hiding files with attrib.exe 2018-08-08 16:19:39 +02:00
Thomas Patzke 01215a645e Merge pull request #145 from yt0ng/master 
DNS TXT Answer with possible execution strings
 2018-08-08 15:58:34 +02:00
Thomas Patzke 58afccb2f3 Fixed ATT&CK tagging 2018-08-08 15:58:19 +02:00
yt0ng e44b4f450e DNS TXT Answer with possible execution strings 
https://twitter.com/stvemillertime/status/1024707932447854592
 2018-08-08 15:51:56 +02:00
Thomas Patzke 92c0e0321a Merge pull request #144 from samsson/patch-7 
Added att&ck tags
 2018-08-07 11:19:36 +02:00
Lurkkeli a245820519 added att&ck tag 2018-08-07 08:54:53 +02:00
Lurkkeli 294677a2cc added att&ck tag 2018-08-07 08:50:01 +02:00
Lurkkeli a57e87b345 added att&ck tag 2018-08-07 08:49:05 +02:00
Lurkkeli 99253763af added att&ck tag 2018-08-07 08:45:58 +02:00
Lurkkeli 0bff27ec21 added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:37:51 +02:00
Lurkkeli 198cb63182 added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:36:53 +02:00
Thomas Patzke 518e21fcd2 Merge pull request #134 from nikseetharaman/sysmon_cmstp_com_object_access 
Add CMSTP UAC Bypass via COM Object Access
 2018-08-07 08:33:33 +02:00
Thomas Patzke b9fdf07926 Extended tagging 2018-08-07 08:33:18 +02:00
Lurkkeli b50c13dd1f Update att&ck tag 2018-08-07 08:27:24 +02:00
Thomas Patzke 5d5d42eb9b Merge pull request #140 from yt0ng/master 
Possible Shim Database Persistence via sdbinst.exe
 2018-08-07 08:22:32 +02:00
Thomas Patzke 80eaedab8b Fixed tag and date 2018-08-07 08:22:11 +02:00
Thomas Patzke 3509fbd201 Merge pull request #142 from samsson/patch-5 
Added ATT&CK tag
 2018-08-07 08:20:22 +02:00
Thomas Patzke b049210641 Fixed tags 2018-08-07 08:20:09 +02:00
Lurkkeli 3456f9a74d Update sysmon_susp_wmi_execution.yml 2018-08-07 08:19:58 +02:00
Thomas Patzke 64fa3b162d Tag fixes 2018-08-07 08:18:16 +02:00
Lurkkeli 6472be5e19 Update sysmon_uac_bypass_sdclt.yml 2018-08-07 08:08:53 +02:00
Lurkkeli 21bee17ffd Update sysmon_uac_bypass_eventvwr.yml 2018-08-07 08:07:49 +02:00
yt0ng fc091fe3d7 Added ATTCK Mapping 2018-08-05 14:00:22 +02:00
yt0ng b65cb5eaca Possible Shim Database Persistence via sdbinst.exe 2018-08-05 13:55:04 +02:00
Thomas Patzke 0e986cae4d Fixed log source and field names 2018-08-04 22:58:19 +02:00
Florian Roth acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth 1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Nik Seetharaman b938fdb0a3 Add CMSTP UAC Bypass via COM Object Access 2018-07-27 02:28:28 -05:00
James Dickenson 5fc118dcac added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
Florian Roth a9fcecab88 Merge pull request #130 from samsson/patch-4 
Fixed typo / Created a rule
 2018-07-26 22:34:46 +02:00