security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

2410 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke 4559aa4e00 Fixed es-qs backend check 2019-04-23 00:05:36 +02:00
Thomas Patzke d0bd8a2a41 Mandatory configuration for most backends 2019-04-22 23:40:21 +02:00
Thomas Patzke 87abd20c0f Removed deprecated PyYAML API from rule test 2019-04-22 23:21:08 +02:00
Thomas Patzke 34c426a95b Moved error codes to constants defined centrally 2019-04-22 23:15:35 +02:00
Thomas Patzke f0b0f54500 Merge improved pull request #322 2019-04-21 23:56:36 +02:00
Thomas Patzke 765fe9dcd9 Further improved Windows user creation rule 
* Decreased level
* Fixed field names
* Added false positive possibility
 2019-04-21 23:54:18 +02:00
Florian Roth d0950bd077 fix: yaml.load() issue 
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
 2019-04-21 20:30:31 +02:00
Karneades b47900fbee Add default path to filter for explorer in exe anomaly rule 2019-04-21 17:42:47 +02:00
Florian Roth 38d548868d Merge pull request #324 from Neo23x0/revert-322-feature/win_user_creation 
Revert "New Sigma rule detecting local user creation"
 2019-04-21 09:20:48 +02:00
Florian Roth dd9648b31e Revert "New Sigma rule detecting local user creation" 2019-04-21 09:09:25 +02:00
Florian Roth a85acdfd02 Changed title and description 2019-04-21 08:54:56 +02:00
Florian Roth 0713360443 Fixed MITRE ATT&CK tags 2019-04-21 08:52:07 +02:00
Thomas Patzke 49beb5d1a8 Integrated PR from @P4T12ICK in existing rule 
PR #321
 2019-04-21 00:28:40 +02:00
Thomas Patzke bdd184a24c Merge pull request #322 from P4T12ICK/feature/win_user_creation 
New Sigma rule detecting local user creation
 2019-04-21 00:20:15 +02:00
Thomas Patzke 80f45349ed Modified rule 
* Adjusted ATT&CK tagging
* Set status
 2019-04-21 00:14:57 +02:00
Florian Roth aab3dbee4f Rule: Detect Empire PowerShell Default Cmdline Params 2019-04-20 09:38:41 +02:00
Florian Roth 03d8184990 Rule: Extended PowerShell Susp Cmdline Enc Commands 2019-04-20 09:38:41 +02:00
Florian Roth 5249279a66 Rule: another MSF payload user agent 2019-04-20 09:38:41 +02:00
Florian Roth d5fa51eab9 Merge pull request #305 from Karneades/patch-3 
Remove too loose filter in notepad++ updater rule
 2019-04-19 12:40:24 +02:00
Florian Roth e32708154f Merge pull request #304 from Karneades/patch-2 
Remove too loose filter in mshta rule
 2019-04-19 09:51:45 +02:00
Florian Roth 74dd008b10 FP note for HP software 2019-04-19 09:51:32 +02:00
Florian Roth 8a5ae01f0e Merge pull request #323 from Karneades/filterFix 
Restrict filter in system exe anomaly rule
 2019-04-19 09:17:16 +02:00
Karneades d75ea35295 Restrict whitelist filter in system exe anomaly rule 2019-04-18 22:06:12 +02:00
patrick 8609fc7ece New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00
Florian Roth f78413deab Merge pull request #309 from jmlynch/master 
added rules for renamed wscript, cscript and paexec. Added two direct…
 2019-04-17 23:59:27 +02:00
Florian Roth 4808f49e0d More exact path 2019-04-17 23:45:15 +02:00
Florian Roth 1a4a74b64b fix: dot mustn't be escaped 2019-04-17 23:44:36 +02:00
Florian Roth 76780ccce2 Too many different trusted cscript imphashes 2019-04-17 23:33:56 +02:00
Florian Roth 7c5f985f6f Modifications 2019-04-17 23:30:49 +02:00
Florian Roth 4298abffb7 Modifications 2019-04-17 23:29:29 +02:00
Florian Roth 615a802a8e Modifications 2019-04-17 23:26:20 +02:00
Florian Roth 0a960ed3cd Merge pull request #319 from Sam0x90/master 
Update win_susp_svchost rule
 2019-04-17 23:22:08 +02:00
Sam0x90 0e8a46aaf7 Update win_subp_svchost rule 
Adding rpcnet.exe as ParentImage
 2019-04-16 15:00:06 +02:00
christophetd 4e16bbafa8 Correct parenthesization for NOT expressions in the ES-QS backend 2019-04-16 10:30:18 +02:00
Florian Roth 17470d1545 Rule: extended parent list for legitimate svchost starts 
https://twitter.com/Sam0x90/status/1117768799816753153
 2019-04-15 14:54:35 +02:00
Florian Roth daaee558a1 Rule: added date to Tom's WMI rule 2019-04-15 09:06:53 +02:00
Florian Roth 612a7642d2 Added Local directory 2019-04-15 08:47:53 +02:00
Florian Roth 65b81dad32 Rule: Suspicious scripting in a WMI consumer 2019-04-15 08:13:35 +02:00
Florian Roth 1d3159bef0 Rule: Extended Office Shell rule 2019-04-15 08:13:35 +02:00
Karneades d872c52a43 Add restricted filters to notepad++ gup.exe rule 2019-04-15 08:12:12 +02:00
Thomas Patzke 5194e8778c Fail on missing target selection 2019-04-14 23:50:07 +02:00
Florian Roth 1e262f5055 Merge pull request #303 from Karneades/patch-1 
Remove too loose filter in wmi spwns powershell rule
 2019-04-14 23:11:57 +02:00
Florian Roth cb0a87e21e Merge pull request #316 from megan201296/patch-19 
Update win_mal_ursnif.yml
 2019-04-14 23:10:16 +02:00
Florian Roth 08ec8597a5 Merge pull request #317 from megan201296/patch-20 
Create apt_oceanlotus_registry.yml
 2019-04-14 23:09:42 +02:00
Thomas Patzke 5463128ea0 Merge pull request #314 from Karneades/patch-4 
Remove loose wildcard filter in powershell encoded cmd rule
 2019-04-14 23:02:42 +02:00
megan201296 74fce5f511 Create apt_oceanlotus_registry.yml 
Rule based on https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/. Based on OSINT, these keys are unique to the oceanlotus activity and not at all legitimate.
 2019-04-14 12:01:52 -05:00
megan201296 eb8a0636c5 Update win_mal_ursnif.yml 
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still uniique.
 2019-04-14 11:51:13 -05:00
patrick 51d19b36cc Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:28:55 +02:00
patrick 4b43db2aac Add new Sigma Rule for C2 DNS Tunneling 2019-04-13 20:27:36 +02:00
Florian Roth 6351c5a350 Sigma ATT&CK coverage by @jmallette 2019-04-11 18:27:52 +02:00