security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

1457 Commits

Author SHA1 Message Date
Florian Roth 078eaa1180 Updated Windows suspicious activity 2017-03-27 17:27:04 +02:00
Florian Roth 67d9c44bb3 Improved linux suspicious activity rule 2017-03-27 15:21:39 +02:00
Florian Roth 707e5a948f Rules: Password dumper activity and lateral movement 2017-03-27 15:20:50 +02:00
Florian Roth c5323ac1c2 Changes to Linux suspicious activity rule 2017-03-27 10:29:57 +02:00
Florian Roth 125bf4f3f2 Rule adjustment 
Added wilcards cause the field can contain a full path
 2017-03-26 23:41:38 +02:00
Florian Roth 53cc80c8f4 Windows Supicious Process Creation 
- Bugfix in selection name
- New keyword expressions
 2017-03-26 23:25:47 +02:00
Florian Roth b0c8ffb051 Combined vssadmin rule 2017-03-26 01:27:26 +01:00
Florian Roth 800262a738 Renamed and double removed 2017-03-26 01:27:08 +01:00
Florian Roth c1a6a542db Rule: Windows 4688 process creation rule 2017-03-26 01:26:34 +01:00
Florian Roth 5c4a13af71 Rules: Linux commands and log entries of interest 2017-03-25 19:59:45 +01:00
Florian Roth c8cc857b7c Improved the linux suspicious keywords rule 2017-03-25 19:23:10 +01:00
Michael Haag 5ea6fad999 net.exe and wmic.exe 
Suspicious execution of net and wmic
 2017-03-25 06:48:23 -07:00
Florian Roth 699c638ee2 Bugfix: Wrong Event ID and extended description 2017-03-23 11:50:30 +01:00
Florian Roth d377884972 Rule: Rare scheduled tasks creations 2017-03-23 11:45:10 +01:00
Florian Roth 10ee36f26c Updated Eventvwr UAC evasion 2017-03-22 14:40:55 +01:00
Florian Roth fa37f5afcf Rules: PowerShell Downgrade Attacks 2017-03-22 11:17:46 +01:00
Florian Roth 3bfa9ed121 Bugfix: Minor fix cause Sysmon uses SID as Software key 2017-03-21 10:44:53 +01:00
Florian Roth b1da8c5b32 Bugfix: Fixed UAC bypass rules 2017-03-21 10:42:22 +01:00
Florian Roth 7ce958a3ed Bugfixes and improvements 2017-03-21 10:24:20 +01:00
Florian Roth f9be5b99ad Rule: Suspicious task creation description changed 2017-03-21 10:23:53 +01:00
Florian Roth 6932fcec65 Rule: Linux shell more suspicious keywords 2017-03-21 10:23:12 +01:00
Florian Roth 055992eb05 Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00
Florian Roth 6f38a44ec1 Broader definition certutil.exe rule 2017-03-20 22:07:04 +01:00
Florian Roth 2817ea2605 Bugfix in UAC Rule 2017-03-19 19:46:19 +01:00
Florian Roth b2c15c2cf7 Rule: UAC bypass via eventvwr, minor changes 2017-03-19 19:34:06 +01:00
Florian Roth c82da0dc5c Rules: Suspicious locations and back connect ports 2017-03-19 15:22:27 +01:00
Thomas Patzke 889315c960 Changed values with placeholders to quoted strings 
Values beginning with % cause YAML parse error
 2017-03-18 23:05:16 +01:00
Thomas Patzke 56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel d3bd73aefb Create sysmon_sdclt_uac_bypass.yml 
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
 2017-03-17 14:31:26 -04:00
Florian Roth 59499f926e Bugfix: Taskscheduler log source definition 2017-03-17 16:09:31 +01:00
Florian Roth dd81b18d6e Rule: Suspicious interactive console logons to servers 2017-03-17 09:44:24 +01:00
Florian Roth bcc250e1c7 Added missing description 2017-03-17 08:43:21 +01:00
Florian Roth e46ecd2aff Rule: Rare scheduled task installs 2017-03-17 08:41:27 +01:00
Florian Roth 3a7652fff9 Added references to rule 2017-03-17 00:25:54 +01:00
Florian Roth c6843d41bc Rule: Vssadmin / NTDS.dit activity 2017-03-17 00:23:55 +01:00
Florian Roth d00bbd9fb5 Rule: Windows recon activity 2017-03-16 18:59:17 +01:00
Florian Roth 140141b7a2 Rule: Suspicious PowerShell parent image combination 2017-03-16 18:58:59 +01:00
Florian Roth 091bb8fab7 Renamed and removed double space 2017-03-16 18:58:32 +01:00
Florian Roth 789b3899df Improved Linux Shell Activity Rule 2017-03-15 09:07:59 +01:00
Florian Roth 9afa12f4a3 Further shell commands from MSF repo 2017-03-14 16:33:51 +01:00
Florian Roth daeb7c3693 Rule: Suspicious activity in shell commands 2017-03-14 14:54:08 +01:00
Florian Roth 546a587df7 Rule: Shellshock Regex detection 
http://rubular.com/r/zxBfjWfFYs
 2017-03-14 14:53:29 +01:00
Florian Roth dd558e941c Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00
Florian Roth 3eae1f2710 Bug and typo fixes 2017-03-14 14:52:28 +01:00
Florian Roth 2e32e1bb43 Rule: User account added to local Administrators 2017-03-14 12:51:50 +01:00
Florian Roth cb683a6b56 Rule: Suspicious executions in web folders / non-exe folders 2017-03-13 23:56:06 +01:00
Florian Roth c571848e9b Rule: Scheduled task creation 2017-03-13 20:45:28 +01:00
Florian Roth de46c8c0a0 Reduced to user accounts 2017-03-13 19:09:29 +01:00
Florian Roth 36c941d5d8 Restrict rule to non-private IP ranges only 2017-03-13 18:45:15 +01:00
Florian Roth 8d36e2a1b5 Rule: Suspicious PowerShell Parameter Substring 2017-03-13 17:23:25 +01:00