security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

2410 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 038918d2c0 Merge pull request #311 from jmallette/master 
ATT&CK Navigator Coverage Layer
 2019-04-11 18:18:16 +02:00
Karneades 75d36165fc Remove non-generic falsepositives 
There are tons of FPs for that... :)
 2019-04-11 12:55:24 +02:00
Karneades 51e65be98b Remove loose wildcard filter in powershell encoded cmd rule 2019-04-11 12:53:12 +02:00
Jon cd456a1d2b initial SIGMA ATTACK Navigator layer release 2019-04-09 22:49:28 -04:00
jmallette c775b7a033 Merge pull request #1 from Neo23x0/master 
update fork
 2019-04-09 22:43:32 -04:00
Jason Lynch 89fb726875 added win_office_spawn_exe_from_users_directory.yml. Detects executable in users directory started via office program. Helpful for adversaries that tend to drop and execute renamed binaries in this location such as fin7 2019-04-09 09:45:07 -04:00
Jason Lynch f0c8c428bb added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
juju4 152febcea2 sumologic: fixing non-pushed cleannode() 2019-04-07 13:04:15 -04:00
patrick ca4b710c01 Added Sigma Use Case detecting Privilege Escalation Preparation in Linux 2019-04-07 15:36:19 +02:00
Karneades 97376c00de Fix condition 2019-04-04 22:33:32 +02:00
Karneades 766b8b8d18 Fix condition 2019-04-04 22:32:47 +02:00
Karneades 788e75ef1b Fix condition 2019-04-04 22:32:21 +02:00
Karneades 840eb2f519 Remove too loose filter in notepad updater rule 2019-04-04 22:25:05 +02:00
Karneades eb690d8902 Remove too loose filter in mshta rule 2019-04-04 22:16:24 +02:00
Karneades 1915561351 Remove to loose wildcard from wmi spwns powershell rule 2019-04-04 22:12:28 +02:00
Florian Roth 81693d81b6 Merge pull request #295 from sbousseaden/master 
Create win_atsvc_task.yml
 2019-04-04 18:32:13 +02:00
sbousseaden c4b8f75940 Update win_lm_namedpipe.yml 2019-04-04 18:22:50 +02:00
MadsRC 41b4d800c5 Update net_susp_dns_txt_exec_strings.yml 
Fixed my botched YAML syntax...
 2019-04-04 08:35:37 +02:00
sbousseaden 22958c45a3 Update win_GPO_scheduledtasks.yml 2019-04-03 21:50:55 +02:00
sbousseaden b4ac9a432f Update win_susp_psexec.yml 2019-04-03 21:50:25 +02:00
sbousseaden 353e457104 Update win_lm_namedpipe.yml 2019-04-03 21:49:58 +02:00
sbousseaden d5818a417b Update win_impacket_secretdump.yml 2019-04-03 21:49:30 +02:00
sbousseaden 9c5575d003 Update win_atsvc_task.yml 2019-04-03 21:48:38 +02:00
sbousseaden edb98f2781 Update win_account_discovery.yml 2019-04-03 21:40:59 +02:00
MadsRC d0d51b6601 Update net_susp_dns_txt_exec_strings.yml 
The references indicate that this rule should apply to TXT records, but without specifying that the "record_type" must be "TXT" there's the potential for a lot of false positives.

"record_type" was chosen as that fits with Splunks "Network Resolution (DNS)" datamodel.
 2019-04-03 20:31:31 +02:00
Florian Roth 2b814011cd Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature 
Add new signature for linux clear command history
 2019-04-03 19:45:06 +02:00
Florian Roth 13f86e9333 Merge pull request #296 from Karneades/patch-1 
Remove backslashes in CommandLine for sticky key rule
 2019-04-03 19:44:02 +02:00
Florian Roth b4b7d810fc Merge pull request #300 from yt0ng/development 
Sqirrel packages manager, EmpireMonkey, WMI Spawning PowerShel
 2019-04-03 19:20:46 +02:00
yt0ng e0459cec1c renamed file 2019-04-03 17:39:17 +02:00
christophetd d32e5c10b8 Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time 2019-04-03 17:22:58 +02:00
t0x1c-1 7e058e611c WMI spawning PowerShell seen in various attacks 2019-04-03 16:56:45 +02:00
Unknown 9ada22b8e0 adjusted link 2019-04-03 16:40:18 +02:00
Unknown d2e605fc5c Auto stash before rebase of "Neo23x0/master" 2019-04-03 16:25:18 +02:00
Karneades 865d971704 Remove backslashes in CommandLine for sticky key rule 
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
 2019-04-03 16:16:18 +02:00
sbousseaden eda5298457 Create win_account_backdoor_dcsync_rights.yml 2019-04-03 16:16:05 +02:00
sbousseaden 0756b00cdf Create win_susp_psexec.yml 2019-04-03 15:59:46 +02:00
sbousseaden 9c1a5a5264 Create win_lm_namedpipe.yml 2019-04-03 15:48:42 +02:00
sbousseaden 56b68a0266 Create win_GPO_scheduledtasks.yml 2019-04-03 15:36:24 +02:00
sbousseaden b941f6411f Create win_impacket_secretdump.yml 2019-04-03 15:18:42 +02:00
sbousseaden 516c8f3ea1 Create win_account_discovery.yml 2019-04-03 14:41:11 +02:00
sbousseaden 3d69727332 Create sysmon_rdp_settings_hijack.yml 2019-04-03 14:16:25 +02:00
sbousseaden 016261cacf Update sysmon_lsass_memdump.yml 2019-04-03 14:06:49 +02:00
sbousseaden a85c668f6f Update sysmon_lsass_memdump.yml 2019-04-03 14:00:51 +02:00
sbousseaden d62bc41bfb Create win_svcctl_remote_service.yml 2019-04-03 13:58:20 +02:00
sbousseaden 32c6b34746 Create sysmon_lsass_memdump.yml 2019-04-03 13:51:59 +02:00
sbousseaden 548145ce10 Create win_susp_raccess_sensitive_fext.yml 2019-04-03 13:22:42 +02:00
sbousseaden ddb2d92a98 Create sysmon_tsclient_filewrite_startup.yml 2019-04-03 13:19:59 +02:00
sbousseaden e3f99c323b Create win_atsvc_task.yml 2019-04-03 13:08:12 +02:00
Florian Roth 6cc1770351 Merge pull request #294 from Pr0t3an/patch-3 
Update lnx_shell_susp_rev_shells.yml
 2019-04-03 01:07:07 +02:00
Florian Roth b76925f838 Rule: extending rule with /dev/udp 2019-04-02 20:09:13 +02:00