Florian Roth
016b15a2a9
Added quotation marks
I've added quotation marks to make it clearer (leading dash looks weird)
2018-07-26 18:10:21 +02:00
Lurkkeli
7796492c2b
Update powershell_NTFS_Alternate_Data_Streams
2018-07-26 08:54:08 -07:00
Thomas Patzke
5e3211928f
Merge pull request #132 from dspautz/master
Add tags to APT rules
2018-07-25 09:57:35 +02:00
David Spautz
f039f95f4d
Add tags to APT rules
2018-07-25 09:50:01 +02:00
Florian Roth
089498b0b3
Merge pull request #131 from yt0ng/master
Possible SafetyKatz Dump of debug.bin
2018-07-25 07:41:38 +02:00
Florian Roth
dd857c4470
Cosmetics
If it's only 1 value, we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
2018-07-25 07:37:17 +02:00
Florian Roth
cf7f5c7473
Changes
I think that this is what you wanted, right? That both keywords appear in a single log entry, right?
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
2018-07-25 07:35:59 +02:00
yt0ng
b415fc8d42
Possible SafetyKatz Dump of debug.bin
https://github.com/GhostPack/SafetyKatz
2018-07-24 23:51:46 +02:00
Lurkkeli
db82322d17
Update powershell_NTFS_Alternate_Data_Streams
2018-07-24 20:03:07 +02:00
Lurkkeli
0e9c5bb14a
Update sysmon_rundll32_net_connections.yml
2018-07-24 20:01:47 +02:00
Lurkkeli
fd8c5c5bf6
Update powershell_NTFS_Alternate_Data_Streams
2018-07-24 20:00:21 +02:00
Lurkkeli
ad580635ea
Create powershell_NTFS_Alternate_Data_Streams
2018-07-24 19:49:08 +02:00
ntim
c99dc9f643
Tagged Windows PowerShell, other and malware rules.
2018-07-24 10:56:41 +02:00
Thomas Patzke
0d8bc922a3
Merge branch 'master' into master
2018-07-24 08:23:37 +02:00
Thomas Patzke
1601b00862
Merge pull request #125 from james0d0a/attack_tags
Windows builtin MITRE ATT&CK tags
2018-07-24 08:18:47 +02:00
Thomas Patzke
01e7675e24
Merge pull request #124 from samsson/patch-1
ATT&CK tagging
2018-07-24 07:58:50 +02:00
Thomas Patzke
30d255ab6f
Fixed tag
2018-07-24 07:58:25 +02:00
Thomas Patzke
baaf8006bc
Merge pull request #123 from yt0ng/sysmon
Added additional binaries and ATT&CK tactics/techniques
2018-07-24 07:57:30 +02:00
David Spautz
e275d44462
Add tags to windows builtin rules
2018-07-24 07:50:32 +02:00
James Dickenson
c4edc26267
Windows builtin MITRE ATT&CK tags
2018-07-23 21:34:20 -07:00
Lurkkeli
1898157df5
ATT&CK tagging
Added tag for technique T1015
2018-07-23 23:57:15 +02:00
yt0ng
16160dfc80
Added additional binaries and ATT&CK tactics/techniques
2018-07-23 15:47:56 +02:00
Florian Roth
1134051fba
Update web_cve_2018_2894_weblogic_exploit.yml
Ah, we could do it this way *.js*
2018-07-23 06:19:25 -06:00
Florian Roth
03a64cca74
Update web_cve_2018_2894_weblogic_exploit.yml
We try to avoid false positives
2018-07-23 06:18:38 -06:00
MATTHEW CARR
dfb77e936d
Update web_cve_2018_2894_weblogic_exploit.yml
To detect all possible extensions .jspx, .jsw, .jsv, and .jspf
2018-07-23 07:41:47 +02:00
Florian Roth
0f1b440b91
Rule: widened the CVE-2018-2894 WebLogic rule
https://twitter.com/lo_security/status/1021148314308358144
2018-07-22 20:36:10 -06:00
Florian Roth
ffb0cf5ed5
Rule: CVE-2018-2894 Oracle WebLogic exploit and webshell drop
2018-07-22 15:09:45 -06:00
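Two of the rule-tuning discussions in this log, the NTFS Alternate Data Streams PowerShell rule (both "set-content" and "stream" must appear in one log entry, and the false-positive question that raised) and the `*.js*` extension wildcard chosen for the CVE-2018-2894 WebLogic webshell rule, come down to how Sigma keyword and wildcard matching behaves on real log values. The following is an added example, not code from the Sigma repository and not the repository's own rules: a minimal Sigma-style matcher run over constructed sample PowerShell command lines and request URIs. The sample log lines and URIs, the tightened `-Stream` variant and the explicit extension list are assumptions made here for illustration, not anything the rules or their authors specify.

```python
import re

# Sigma string values are matched case-insensitively; '*' (any run of
# characters) and '?' (one character) are the only wildcards.
def sigma_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma-style value into a compiled full-match regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def sigma_value_matches(value: str, pattern: str) -> bool:
    """True if the whole field value matches the Sigma pattern."""
    return sigma_pattern_to_regex(pattern).fullmatch(value) is not None


# ---- 1. NTFS ADS rule: both keywords in one log entry -----------------------
ADS_KEYWORDS = ("set-content", "stream")

# Constructed sample PowerShell command lines (not real telemetry).
ADS_SAMPLE_LOGS = [
    # ADS write: a payload stored in a named stream of an innocuous file
    "Set-Content -Path C:\\Users\\Public\\notes.txt -Stream hidden.ps1 -Value $payload",
    # both keywords present, but no alternate data stream is touched
    "Set-Content -Path C:\\logs\\stream-status.txt -Value 'stream stopped'",
    # reads a stream (Zone.Identifier) but never writes one
    "Get-Content -Path C:\\Temp\\setup.exe -Stream Zone.Identifier",
]


def ads_keyword_match(entry: str) -> bool:
    """Broad form as discussed in the log: every keyword appears in the same entry."""
    low = entry.lower()
    return all(k in low for k in ADS_KEYWORDS)


# Tightened variant (an assumption of this example, not a repository rule):
# Set-Content must be followed by the -Stream parameter as a separate token.
# PowerShell accepts unambiguous parameter prefixes (e.g. -Str), so this trades
# some coverage for fewer false positives.
ADS_STRICT = re.compile(r"\bset-content\b.*\s-stream\b", re.IGNORECASE | re.DOTALL)


def ads_strict_match(entry: str) -> bool:
    return ADS_STRICT.search(entry) is not None


def evaluate_ads(logs=ADS_SAMPLE_LOGS):
    """Return (broad, strict) verdicts per log line."""
    return [(ads_keyword_match(line), ads_strict_match(line)) for line in logs]


# ---- 2. CVE-2018-2894 rule: what does '*.js*' actually cover? ---------------
WEBLOGIC_WILDCARD = ("*.js*",)
WEBLOGIC_EXPLICIT = ("*.jsp", "*.jspx", "*.jsw", "*.jsv", "*.jspf")

# Constructed request URIs; the paths are placeholders, not the exploit's paths.
WEBLOGIC_SAMPLE_URIS = [
    "/uploads/shell.jsp",
    "/uploads/shell.jspx",
    "/uploads/shell.jsw",
    "/uploads/shell.jsv",
    "/uploads/shell.jspf",
    "/uploads/shell.jsp?x=1",  # same file requested with a query string
    "/static/app.js",          # ordinary JavaScript asset
    "/api/config.json",        # ordinary JSON endpoint
    "/img/logo.png",
]


def matching_uris(patterns, uris=WEBLOGIC_SAMPLE_URIS):
    """URIs hit by any of the given Sigma patterns, in input order."""
    return [u for u in uris if any(sigma_value_matches(u, p) for p in patterns)]


if __name__ == "__main__":
    for line, (broad, strict) in zip(ADS_SAMPLE_LOGS, evaluate_ads()):
        print(f"broad={broad!s:5} strict={strict!s:5}  {line}")
    print("'*.js*' matches:", matching_uris(WEBLOGIC_WILDCARD))
    print("explicit list matches:", matching_uris(WEBLOGIC_EXPLICIT))
```

Running it shows the trade-offs behind both threads: the broad keyword pair fires on the second sample line even though no stream is written, while requiring the `-Stream` token as a separate parameter drops that hit; and `*.js*` does cover .jsp, .jspx, .jsw, .jsv and .jspf in one pattern but also matches every `.js` and `.json` request, whereas an explicit suffix list avoids those yet misses the same file as soon as a query string follows the extension (a trailing `*` on each entry would be needed).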
Suleyman Ozarslan
e6cbc17c12
ATT&CK tagging of Scheduled Task Creation
2018-07-22 15:56:47 +03:00
Suleyman Ozarslan
8d9b12be07
ATT&CK tagging of Default PowerSploit Schtasks Persistence
2018-07-22 15:53:56 +03:00
Suleyman Ozarslan
080892b5ab
ATT&CK tagging of MSHTA Spawning Windows Shell
2018-07-20 09:53:55 +03:00
Suleyman Ozarslan
76f277d5fe
ATT&CK tagging of Malicious Named Pipe rule
2018-07-20 09:41:54 +03:00
Suleyman Ozarslan
7e74527344
ATT&CK software tag is added to Bitsadmin Download rule
2018-07-20 09:35:35 +03:00
Florian Roth
1e61adfad1
rule: Changed Registry persistence Explorer RUN key rule
2018-07-19 16:27:19 -06:00
Florian Roth
83d6f12ce3
rule: Registry persistence in Explorer RUN key pointing to suspicious folder
2018-07-19 16:27:19 -06:00
Thomas Patzke
f98158f5ad
Further ATT&CK tagging
2018-07-19 23:36:13 +02:00
Suleyman Ozarslan
05b91847cd
ATT&CK tagging of Suspicious Certutil Command rule
2018-07-19 16:42:39 +03:00
Thomas Patzke
bdea097b80
ATT&CK tagging
2018-07-17 23:58:11 +02:00
Florian Roth
9e92b97661
Merge pull request #111 from nikseetharaman/cmstp_execution
Add sysmon_cmstp_execution
2018-07-17 14:39:56 -06:00
Florian Roth
3f0040b983
Removed duplicate status field
2018-07-16 15:55:31 -06:00
Florian Roth
429474b6d6
Merge pull request #113 from megan201296/patch-9
fixed typo
2018-07-16 15:38:52 -06:00
megan201296
02ea2cf923
fixed typo
2018-07-16 16:20:33 -05:00
megan201296
60310e94c6
fixed typo
2018-07-16 16:13:24 -05:00
Nik Seetharaman
3630386230
Add sysmon_cmstp_execution
2018-07-16 02:53:41 +03:00
Florian Roth
7a031709bb
Merge pull request #108 from megan201296/patch-5
fixed typo
2018-07-14 18:31:40 -06:00
Florian Roth
70ab83eb65
Merge pull request #109 from megan201296/patch-6
Fixed typo
2018-07-14 18:31:21 -06:00
megan201296
be7a3b0774
Update sysmon_susp_mmc_source.yml
2018-07-13 18:49:08 -05:00
megan201296
a6455cc612
typo fix
2018-07-13 18:48:36 -05:00
megan201296
8944be1efd
Update sysmon_susp_driver_load.yml
2018-07-13 18:36:12 -05:00
megan201296
a169723005
fixed typo
2018-07-13 13:53:21 -05:00
Thomas Patzke
2dc5295abf
Removed redundant attribute from rule
2018-07-10 22:50:02 +02:00