security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

2410 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth a66955013c Update win_pass_the_hash.yml 2017-03-13 16:16:34 +01:00
Florian Roth a87d513efa Rule: Suspicious executable downloads 2017-03-13 16:11:43 +01:00
IeM 9f5e5a2366 Update win_pass_the_hash.yml 
Added placeholders for WorkstationName to detect network logons between Workstations.
 2017-03-13 16:09:32 +01:00
Florian Roth 85c298c43c Bugfix in rule 2017-03-13 15:09:48 +01:00
Florian Roth 606d74546a Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00
Florian Roth b8db4935e0 Rule: PowerShell UserAgent in Proxy Logs 2017-03-13 13:51:32 +01:00
Florian Roth a0047f7c67 Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00
Thomas Patzke 52d7e9fc07 Parsing log sources in configuration files 2017-03-12 23:12:21 +01:00
Florian Roth 9fd375c130 Bugfix: Added time frame to correlation rule 2017-03-12 17:11:29 +01:00
Florian Roth 4470c2f893 PowerShell Suspicious Invocation > Sysmon 2017-03-12 17:11:05 +01:00
Florian Roth de689c32b5 Suspicious PowerShell Invocation 2017-03-12 17:06:53 +01:00
Thomas Patzke e262b574b2 Merge branch 'master' into devel-sigmac 2017-03-11 23:53:58 +01:00
Thomas Patzke 12e825783b Merge branch 'master' into devel-sigmac 2017-03-11 23:49:56 +01:00
Thomas Patzke 63e23af63c Merge branch 'devel-sigmac-config' into devel-sigmac 2017-03-11 23:49:41 +01:00
Michael Haag 359ae18989 Merge remote-tracking branch 'Neo23x0/master' 2017-03-08 23:05:57 -08:00
Florian Roth d6957f1c2e Merge pull request #10 from MHaggis/master 
Sysmon
 2017-03-09 08:05:22 +01:00
Michael Haag 923f298015 Merge remote-tracking branch 'Neo23x0/master' 2017-03-08 22:51:03 -08:00
Michael Haag c5f05dd829 bitsadmin & VSSAdmin 
+Bitsadmin download
+VSSAdmin delete
 2017-03-08 22:49:35 -08:00
IeM 4d5ded46e6 Update win_pass_the_hash.yml 2017-03-08 20:35:26 +01:00
Florian Roth 3507a5e644 Rule: Rare Windows Service Installs 2017-03-08 19:09:34 +01:00
IeM 381b85fd94 Update win_pass_the_hash.yml 
Edited, added additional indicators.
Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
 2017-03-08 18:48:06 +01:00
IeM e4d764ceba Create win_pass_the_hash.yml 
Rule to detects the attack technique pass the hash which is used to move laterally inside the network
 2017-03-08 18:04:31 +01:00
Florian Roth 5484886932 Rule: Windows - Recon Activity (improved) 2017-03-07 13:06:38 +01:00
Florian Roth fa6f76f276 Rule: Windows - Recon Activity 2017-03-07 12:01:39 +01:00
Florian Roth ad9f73a178 Merge branch 'devel-sigmac' 2017-03-07 10:49:03 +01:00
Florian Roth b34d1b7565 Stonedrill rule enhancement 2017-03-07 10:22:14 +01:00
Florian Roth b93379a6a9 Config example: sysmon / logstash index 2017-03-07 10:09:43 +01:00
Florian Roth 5662bae40e Rule: APT StoneDrill Service Install 2017-03-07 09:46:30 +01:00
Florian Roth cd445f8ae9 Bugfix: non-recursive list not pathlib.Path elements but strings 2017-03-07 09:41:46 +01:00
Florian Roth 7113b3aed9 Rule: APT StoneDrill Service Install 2017-03-07 09:24:12 +01:00
Thomas Patzke dae88fbcfa Error and warning messages are printed to stderr 2017-03-06 23:01:33 +01:00
Thomas Patzke 225bfb13d8 Merge branch 'devel-sigmac' 2017-03-06 22:50:57 +01:00
Thomas Patzke aaa3057769 Merge branch 'devel-sigmac-config' into devel-sigmac 2017-03-06 22:50:32 +01:00
Thomas Patzke d1030ec053 Fieldlist backend 
Lists all fields used in given rules.
 2017-03-06 22:47:30 +01:00
Thomas Patzke 05df298d45 Field mappings 2017-03-06 22:07:04 +01:00
Thomas Patzke 66c46b2f44 Removed NullBackend 2017-03-06 22:00:05 +01:00
Thomas Patzke 6ddc15c972 Merge branch 'devel-sigmac' into devel-sigmac-config 2017-03-06 21:32:58 +01:00
Thomas Patzke 66935061ae Merge branch 'devel-sigmac' 2017-03-06 21:28:38 +01:00
Thomas Patzke 896b8fb56e Finished path recursion 2017-03-06 21:26:56 +01:00
Florian Roth da6c5c19ae Update README.md 2017-03-06 09:37:44 +01:00
Florian Roth 362ff157ba Update README.md 2017-03-06 09:37:31 +01:00
Florian Roth df39dee702 Sigmac recursive feature 2017-03-06 09:36:24 +01:00
Florian Roth aad892c834 Windows Built-In rules > LogSource definition 2017-03-05 23:55:52 +01:00
Florian Roth 16c5192ee9 Windows Malicious Password Dumper Service Installs 2017-03-05 23:52:02 +01:00
Florian Roth 7b815ef3e5 Sysmon PowerShell - Suspicious Param Combination 2017-03-05 23:51:39 +01:00
Thomas Patzke 8864647e04 Parsing of sigmac configuration files 
* field mappings
* log sources
 2017-03-05 23:44:52 +01:00
Florian Roth 294df21c56 Added expression 2017-03-05 22:45:54 +01:00
Florian Roth 7fae49b183 More PowerShell rules 2017-03-05 15:01:51 +01:00
Florian Roth 1e1cf9cb9e PowerShell Rules Revision 2017-03-05 14:14:31 +01:00
Florian Roth 965c3a9226 Merge pull request #7 from yampelo/patch-1 
Update powershell_malicious_commandlets.yml
 2017-03-05 08:58:55 +01:00