security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

1457 Commits

Author SHA1 Message Date
Florian Roth f5494c6f5f Rule: StickyKey-ike backdoor usage 2018-03-15 19:53:34 +01:00
Florian Roth d9d27fec74 Improved EquationGroup dll load rule 2018-03-11 01:22:04 +01:00
Florian Roth 74c2f91a7d Extended the Slingshot APT rule 2018-03-10 16:44:18 +01:00
Florian Roth 66d52cfeef Rule: Defrag deactivation 2018-03-10 15:49:50 +01:00
Florian Roth ef75f2a248 Minor adjustment in: EquationGroup dll_u load 2018-03-10 12:24:49 +01:00
Florian Roth e9d16bfae1 Bugfix in: EquationGroup dll_u load 2018-03-10 12:22:53 +01:00
Florian Roth 5ae5c9de19 Rule: Outlook spawning shells to detect Turla like C&C via Outlook 2018-03-10 09:04:11 +01:00
Florian Roth 6a65a7a1bf EquationGroup dll_u load 2018-03-10 09:04:11 +01:00
jmallette aff46be8a3 Create cmdkey recon rule 2018-03-08 13:25:05 -05:00
Thomas Patzke ada1ca94ea JPCERT rules 
* Addition of ntdsutil.exe rule
* Added new link to existing rules
 2018-03-08 00:10:19 +01:00
Thomas Patzke 8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke 3b8b04fe09 Merge branch 'devel-sigmac' 2018-03-06 23:19:45 +01:00
Thomas Patzke 8041f77abd Merged similar rules 2018-03-06 23:19:11 +01:00
Thomas Patzke 84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Florian Roth 1ecfd83a6a Missing separator 2018-03-05 11:30:01 +01:00
Thomas Patzke 59eff939f2 Merge branch 'devel-sigmac' 2018-03-04 22:59:41 +01:00
Thomas Patzke 4792700726 Fixed rule 2018-03-04 22:07:01 +01:00
Thomas Patzke 01f38adbdb Fixed condition 2018-03-04 20:07:02 +01:00
Florian Roth 6e0cc193c7 Rule: Pony / Fareit UA 2018-03-01 09:28:04 +01:00
Florian Roth 69274d7782 Rule: Sofacy Trojan Loader 2018-03-01 09:27:46 +01:00
Florian Roth 6c6dac4cbb Changed Elise backdoor rule 2018-02-25 17:25:04 +01:00
Florian Roth f2057f0c77 Hurricane Panda activity 
https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
 2018-02-25 17:24:00 +01:00
Florian Roth 1001afb038 Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
Florian Roth 25dc3e78be Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
Florian Roth 9020a9aa32 Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
Florian Roth 5d763581fa Adding status "experimental" to that rule 2018-02-22 13:28:01 +01:00
Florian Roth 0be687d245 Rule: Detect CVE-2017-0261 exploitation 2018-02-22 13:27:20 +01:00
Florian Roth b88a81a9e1 Rule: Linux > named > suspicious activity 2018-02-20 14:56:28 +01:00
Florian Roth ef0cd4c110 Rules: Extended and fixed (*) sshd rules 2018-02-20 13:44:06 +01:00
Dominik Schaudel cea48d9010 Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 21:57:22 +01:00
Florian Roth d6d031fc23 Rule update: Olympic destroyer detection 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 15:35:47 +01:00
Florian Roth 058d719e2b Rule update: Proxy UA > Loki Bot 2018-02-12 10:08:32 +01:00
Florian Roth fa4dbc0f2e Rule: QuarksPwDump temp dump file 2018-02-10 15:25:36 +01:00
Florian Roth 0a1c600d7d Rule: Changed msiexec web install rule 2018-02-10 15:25:08 +01:00
Florian Roth a4e6b3003f Rule: Msiexec web install 2018-02-09 10:13:39 +01:00
Florian Roth 1382edb5e3 Cosmetics 2018-02-09 10:13:39 +01:00
Florian Roth 34e0352a21 Rule: Proxy UAs - malware - Ghost419 
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
 2018-02-03 14:47:04 +01:00
Florian Roth 635d052fcc Renamed rule - not APT32 related 2018-01-31 23:52:24 +01:00
Florian Roth 4152442bfa Changed reference to references in Elise rule 2018-01-31 23:13:00 +01:00
Florian Roth f1b339504e Rule: APT32 Elise 2018-01-31 23:12:00 +01:00
Sherif Eldeeb 376d0414d8 Condition is a str, not a list 
To be consistent with schema and all the other rules:
- `condition` should be a `str`
- if an `or` condition needs to be applied, use parentheses and literal `or` instead of a `list`
 2018-01-28 16:16:00 +03:00
SherifEldeeb 348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb 48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb 112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth 0f2e1c5934 Bugfix: Missing wildcard in IIS module install rule 2018-01-27 16:15:25 +01:00
Florian Roth d93d7d8e7b Rule: IIS nativ-code module command line installation 2018-01-27 11:13:13 +01:00
Florian Roth aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth f31ed7177e Added status 'experimental' to newly created auditd rules 2018-01-23 11:15:02 +01:00
Florian Roth fe80ae7885 Rule: Linux auditd 'program execution in suspicious folders' 2018-01-23 11:13:23 +01:00
Florian Roth 228ca1b765 Rule: Linux auditd 'suspicious commands' 2018-01-23 11:13:23 +01:00