Commit Graph

2410 Commits

Author SHA1 Message Date
yt0ng eda6f3b9ca rules/windows/sysmon/sysmon_powershell_DLL_execution.yml 2018-08-25 16:33:54 +02:00
Florian Roth 6bde2cd08f Update lnx_buffer_overflows.yml 2018-08-25 00:20:34 +02:00
Florian Roth 234a48af19 rule: Linux SSHD exploit CVE-2018-15473
https://github.com/Rhynorater/CVE-2018-15473-Exploit
2018-08-24 16:40:41 +02:00
yt0ng c7d4b4853d removing sysmon_powershell_AMSI_bypass.yml 2018-08-23 10:17:19 +02:00
Florian Roth f47a5c2206 fix: Author list to string 2018-08-23 09:40:28 +02:00
Thomas Patzke 49af499353 Merge pull request #151 from nikseetharaman/workflow_compiler
Add Microsoft Workflow Compiler Sysmon Detection
2018-08-23 08:24:35 +02:00
Thomas Patzke 9235175e26 Fixed rule
* Added condition
* Replaced Description with Image attribute and improved search pattern
2018-08-23 08:20:28 +02:00
Thomas Patzke 96cedc31f9 Merge pull request #152 from james0d0a/master
Qradar backend: added aggregation and AQL database flow support
2018-08-23 08:14:56 +02:00
Thomas Patzke 73535e58a5 Merge pull request #153 from megan201296/patch-10
Add ATT&CK Matrix tags
2018-08-23 08:06:58 +02:00
Thomas Patzke d647a7de07 Merge pull request #154 from megan201296/patch-11
Add MITRE ATT&CK tagging
2018-08-23 08:06:39 +02:00
Florian Roth 5de3cd71a4 Merge pull request #149 from yt0ng/development
Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
2018-08-22 17:19:10 +02:00
Florian Roth 040ba0338d fix: Added Event ID in second selection 2018-08-22 17:03:13 +02:00
Florian Roth 0c729d1eea Already used in different rule 2018-08-22 17:02:03 +02:00
Florian Roth 6ee31f6cd1 Update win_susp_commands_recon_activity.yml
Merged recon commands from @yt0ng's rule
2018-08-22 17:00:00 +02:00
megan201296 3f5c32c6da Add MITRE ATT&CK tagging 2018-08-22 09:35:06 -05:00
megan201296 76aabe7e05 Add ATT&CK Matrix tags 2018-08-22 09:30:55 -05:00
James Dickenson 29bed766dd removed re-introduced output class from qradar backend. fixed list handling error. 2018-08-21 22:45:12 -07:00
James Dickenson 468f040c0a Merge branch 'qradar-dev' 2018-08-20 21:54:30 -07:00
Nik Seetharaman e371d945ed Add Microsoft Workflow Compiler Sysmon Detection 2018-08-18 00:53:28 -05:00
yt0ng ca7e8d6468 removing for new pull request 2018-08-17 18:42:10 +02:00
yt0ng 5bb6f566ba ::Merge remote-tracking branch 'upstream/master' 2018-08-17 18:39:36 +02:00
yt0ng 8ecf167e85 Powershell AMSI Bypass via .NET Reflection
[Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
2018-08-17 18:26:04 +02:00
James Dickenson 9a61f40cef added support for flow data in qradar backend 2018-08-16 21:44:17 -07:00
yt0ng 07e411fe6b Oilrig Information gathering
whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1
2018-08-15 14:29:59 +02:00
Florian Roth 4e91462838 fix: Bugfix in Adwind rule 2018-08-15 12:33:03 +02:00
Florian Roth 92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Florian Roth 7c05b85bcd rule: Added malware UA 2018-08-15 12:33:03 +02:00
Thomas Patzke 320bb9f8c4 Added rewrite config to generic sysmon configuration 2018-08-14 21:34:54 +02:00
Thomas Patzke 430972231f Added generic sysmon configuration with process_execution config 2018-08-14 21:34:54 +02:00
Thomas Patzke 2715c44173 Converted first Sysmon rule to generic process_execution rule 2018-08-14 21:34:54 +02:00
James Dickenson a8d1831382 Added aggregation support for qradar backend 2018-08-13 23:04:10 -07:00
Thomas Patzke dce4b4825d Fixed aggregations without field name
Generated query contained field name "None".
2018-08-10 15:07:07 +02:00
Thomas Patzke 2c0e76be3d Escaped * where required 2018-08-10 13:53:08 +02:00
Thomas Patzke e0b3f91b2a Removed empty line 2018-08-08 23:15:13 +02:00
Thomas Patzke 5b02695b13 Merge pull request #146 from samsson/patch-8
Hiding files with attrib.exe sysmon rule
2018-08-08 22:57:30 +02:00
Lurkkeli 7cdc13ef11 Update 2018-08-08 17:05:51 +02:00
Lurkkeli 392351af25 Adding ATT&CK tag 2018-08-08 16:43:54 +02:00
Lurkkeli 4d721f1803 Updating fps 2018-08-08 16:42:26 +02:00
Lurkkeli b9f433414d hiding files with attrib.exe 2018-08-08 16:19:39 +02:00
Thomas Patzke 01215a645e Merge pull request #145 from yt0ng/master
DNS TXT Answer with possible execution strings
2018-08-08 15:58:34 +02:00
Thomas Patzke 58afccb2f3 Fixed ATT&CK tagging 2018-08-08 15:58:19 +02:00
yt0ng e44b4f450e DNS TXT Answer with possible execution strings
https://twitter.com/stvemillertime/status/1024707932447854592
2018-08-08 15:51:56 +02:00
Thomas Patzke 92c0e0321a Merge pull request #144 from samsson/patch-7
Added att&ck tags
2018-08-07 11:19:36 +02:00
Lurkkeli a245820519 added att&ck tag 2018-08-07 08:54:53 +02:00
Lurkkeli 294677a2cc added att&ck tag 2018-08-07 08:50:01 +02:00
Lurkkeli a57e87b345 added att&ck tag 2018-08-07 08:49:05 +02:00
Lurkkeli 99253763af added att&ck tag 2018-08-07 08:45:58 +02:00
Lurkkeli 0bff27ec21 added att&ck tactic
added att&ck tactic, no specific techniques applicable
2018-08-07 08:37:51 +02:00
Lurkkeli 198cb63182 added att&ck tactic
added att&ck tactic, no specific techniques applicable
2018-08-07 08:36:53 +02:00
Thomas Patzke 518e21fcd2 Merge pull request #134 from nikseetharaman/sysmon_cmstp_com_object_access
Add CMSTP UAC Bypass via COM Object Access
2018-08-07 08:33:33 +02:00