security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

2410 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
juju4 45bf3f856b travis status inside README 2017-07-30 11:46:58 -04:00
juju4 5b778c9833 yamllint: quote twitter-formatted nickname 2017-07-30 11:42:25 -04:00
juju4 bbb730c719 yamllint starter configuration, bad path for sigmac 2017-07-30 11:36:33 -04:00
juju4 a5b2ed641a trigger travis 2017-07-30 11:30:17 -04:00
juju4 ead44ca2e4 basic travis test: lint + sigma convert 2017-07-30 11:29:24 -04:00
juju4 5b42c64fcd Merge remote-tracking branch 'upstream/master' 2017-07-30 11:12:03 -04:00
juju4 31b033d492 suspicious rundll32 activity rules 2017-07-30 11:11:45 -04:00
juju4 3a8946a3ac suspicious phantom dll rules 2017-07-30 11:11:17 -04:00
juju4 fbbf29fd80 suspicious cli escape character rules 2017-07-30 11:10:43 -04:00
juju4 83fa83aa43 suspicious certutil activity rules 2017-07-30 11:09:51 -04:00
juju4 f487451c45 more suspicious cli process 2017-07-30 11:09:24 -04:00
Florian Roth d1cdb3c480 Certutil duplicate entry and "-ping" command 2017-07-23 14:51:57 -06:00
Florian Roth 433293ea40 'ruler' User Agent 
https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
 2017-07-22 09:24:45 -06:00
Florian Roth cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file) 
> the -urlcache is the relevant command
 2017-07-20 12:54:55 -06:00
Florian Roth 3a55b31da2 certutil file download - more generic approach 2017-07-20 12:48:47 -06:00
Florian Roth b85d96e458 certutil detections (renamed, extended) 
see https://twitter.com/subTee/status/888102593838362624
 2017-07-20 12:38:10 -06:00
Florian Roth 061d3bea27 ZxShell 2017-07-20 12:36:24 -06:00
Florian Roth 4bff14acd1 User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00
Florian Roth eeb31964da User-Agent Rules 2017-07-08 08:37:44 -06:00
Florian Roth cf42847b74 Suspicious User Agent strings 2017-07-07 20:53:22 -06:00
Florian Roth cec48ece04 Suspicious User-Agent Strings, starting with empty value 2017-07-07 18:38:32 -06:00
Florian Roth fc4cd4036e Linux: Suspicious VSFTPD errors 2017-07-05 18:59:51 -06:00
Florian Roth ead63fbf75 Linux: Suspicious SSHD errors 2017-06-30 08:47:56 +02:00
Florian Roth 950a00f33e Updated Petya rule 2017-06-28 12:52:58 +02:00
Florian Roth ece1d7e3a8 Added perfc.dat keyword to NotPetya rule 2017-06-28 10:35:42 +02:00
Florian Roth a3e0e37163 NotPetya Title Fixed 2017-06-28 09:12:39 +02:00
Florian Roth 8c437de970 NotPetya Sigma Rule for Sysmon Events 2017-06-28 09:09:12 +02:00
Florian Roth 8f525d2f01 Wannacry Rules Reorg and Renaming 2017-06-28 09:08:53 +02:00
Florian Roth 3f245d27f8 Eventlog cleared ID 104 2017-06-27 17:29:39 +02:00
Thomas Patzke 7fdc78c8bf Merge pull request #36 from dim0x69/master 
rule to detect mimikatz lsadump::changentlm and lsadump::setntlm
 2017-06-19 15:32:56 +02:00
Thomas Patzke 475ec20dcd Merge pull request #37 from benno001/patch-2 
Added LogPoint aggregation
 2017-06-19 15:32:27 +02:00
Ben de Haan 43c4486de0 Added LogPoint aggregation 
Added generateAggregation function for LogPoint
 2017-06-19 15:21:29 +02:00
Florian Roth d1f1bd59da Changed level of PsExec events to 'low' 2017-06-17 08:50:16 +02:00
Thomas Patzke a4c9e24380 File renaming while deletion with SDelete 2017-06-14 16:55:32 +02:00
Thomas Patzke 8c06a5d83f Access to wceaux.dll while WCE pass-the-hash login on source host 2017-06-14 15:59:45 +02:00
Thomas Patzke 4fcdcc3967 Added rule for PsExec 2017-06-12 23:57:06 +02:00
Florian Roth 576981820b Moved PlugX rule & used builtin ID 4688 for another rule 2017-06-12 11:02:49 +02:00
Florian Roth f85d847fa6 PlugX Detection 
https://docs.google.com/spreadsheets/d/1f5OTQpEEvbiW-NzSfVTrzhmnZJ-hrmAZhRM7JXkDBSY/edit#gid=0
https://countuponsecurity.files.wordpress.com/2017/06/acp-search.png
 2017-06-12 10:46:56 +02:00
Florian Roth c1f5bd1540 Sigmac bugfix: showing faulty condition 2017-06-12 10:07:15 +02:00
Thomas Patzke 91b3c39c0d Amended condition 
Changed condition according to proposed syntax for related event matching (#4)
 2017-06-11 23:54:19 +02:00
dimi ac95e372e5 clarification: if executed locally there is no connection to the samr pipe on IPC$. So this rule detects remote changes 2017-06-09 14:15:37 +02:00
dimi a2a2366dfb rule to detect mimikatz lsadump::changentlm and lsadump::setntlm 2017-06-09 14:05:40 +02:00
Florian Roth 371b41acd9 Improved regsvr32.exe whitelisting bypass rule 
thanks to Nick Carr https://twitter.com/ItsReallyNick/status/872409920938946560
 2017-06-07 13:46:36 +02:00
Florian Roth e5ad1b2f84 Improved regsvr32 whitelisting bypass rule 2017-06-07 12:02:55 +02:00
Florian Roth 1fd7a92e87 Regsvr32.exe anomalies (bugfix and new selection) 2017-06-07 11:43:25 +02:00
Florian Roth 21108e60a6 Fixed description and title 2017-06-03 14:53:08 +02:00
Florian Roth ff5e6e3999 Fireball Sigma Rule 2017-06-03 14:49:06 +02:00
Thomas Patzke 6e782d2f50 Merge branch 'devel-sigmac' 2017-06-02 23:48:13 +02:00
Thomas Patzke 9d49daecea Restructured backends 
Moved most logic into generic base class SingleTextQueryBackend which is
configured by class variables.
 2017-06-02 23:43:45 +02:00
Florian Roth 536e328540 Pandemic Implant 2017-06-01 22:48:59 +02:00