Florian Roth
c81d3bf56c
rule: emissary panda activity
2019-09-03 15:31:25 +02:00
Florian Roth
d9606067a6
rule: MuddyWater script execution
2019-08-31 08:50:59 +02:00
Florian Roth
a3349823e5
rule: implant teardown
2019-08-30 11:48:51 +02:00
Florian Roth
8a078b6c86
rule: APT28 UA
2019-08-30 11:48:38 +02:00
Florian Roth
f2c44c80b6
Merge branch 'master' into rule-devel
...
# Conflicts:
# rules/windows/process_creation/win_encoded_frombase64string.yml
# rules/windows/process_creation/win_susp_csc_folder.yml
2019-08-28 09:21:25 +02:00
Florian Roth
f71dc41531
rule: extended csc rule
2019-08-28 09:00:43 +02:00
Florian Roth
406b40af11
rule: suspicious msbuild folder
2019-08-28 09:00:35 +02:00
Florian Roth
ca2019b57f
fix: typo in MITRE tag
2019-08-27 12:32:56 +02:00
Florian Roth
6b7cd94197
Changes
2019-08-27 12:23:42 +02:00
weev3
d42a51372d
Control Panel Item, MITRE_ID=T1196
2019-08-27 14:55:55 +06:30
Florian Roth
70a26a6132
fix: fixed MITRE tags
2019-08-24 13:58:54 +02:00
Florian Roth
c321fc2680
rule: csc.exe suspicious source folder
2019-08-24 13:53:15 +02:00
Florian Roth
b32ed3c817
rules: encoded FromBase64String keyword
2019-08-24 13:53:05 +02:00
Florian Roth
1dfd560299
rule: csc.exe suspicious source folder
2019-08-24 13:49:40 +02:00
Florian Roth
a137a1380b
rules: encoded FromBase64String keyword
2019-08-24 12:38:51 +02:00
Florian Roth
c9a4e6fe8a
rule: process creations in env var folders
2019-08-24 08:26:37 +02:00
Florian Roth
87ce52f6fe
fix: fixed wrong MITRE tag
2019-08-23 23:19:39 +02:00
Florian Roth
5bd242cb21
rule: encoded IEX
2019-08-23 23:13:36 +02:00
Thomas Patzke
68fb56f503
Merge pull request #345 from ki11oFF/patch-1
...
Detection of usage of mimikatz through WinRM
2019-08-23 23:04:07 +02:00
Thomas Patzke
945f45ebd7
Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement
...
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
2019-08-23 23:01:25 +02:00
Thomas Patzke
fc08e3c5b7
Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement
...
Win susp add sid history improvement
2019-08-23 22:58:46 +02:00
Florian Roth
cc01f76e99
docs: minor changes
2019-08-22 14:22:55 +02:00
Florian Roth
c291038ebe
rule: renamed powershell
2019-08-22 14:22:55 +02:00
ecco
d0a24f4409
filter NULL values to remove false positives
2019-08-20 05:10:41 -04:00
Karneades
18bbec4bcd
improve(rule): add Empire links and userland match
...
Add default task name and powershell task command to match what the rule name says: detects default config.
2019-08-09 11:58:43 +02:00
Florian Roth
4fcb52d098
fix: removed mmc susp rule due to many FPs
2019-08-07 14:26:15 +02:00
Florian Roth
f6fd1df6f4
Rule: separate Ryuk rule created for VBurov's strings
2019-08-06 10:33:46 +02:00
Florian Roth
a8b738e346
Merge pull request #380 from vburov/patch-5
...
Ryuk Ransomware commands from real case
2019-08-06 10:29:00 +02:00
Florian Roth
83841ea117
Merge pull request #411 from nikotin69/master
...
compliance rules by SOC prime
2019-08-05 20:53:02 +02:00
Florian Roth
302ae9c5d0
Added level
2019-08-05 19:51:22 +02:00
Florian Roth
4dbf392562
Title, Level adjusted
2019-08-05 19:48:56 +02:00
Florian Roth
fdb9b351d0
Level to low
2019-08-05 19:48:21 +02:00
Florian Roth
317c0bd07a
Removed "Detects" keyword from title
2019-08-05 19:47:46 +02:00
Florian Roth
2af8cb0d0e
Update cleartext_protocols.yml
2019-08-05 19:47:03 +02:00
Florian Roth
c7ec45c0ff
Update workstation_was_locked.yml
2019-08-05 19:44:14 +02:00
Florian Roth
e64fcb32a2
Update group_modification_logging.yml
2019-08-05 19:43:59 +02:00
Florian Roth
5caf4f5f14
Update default_credentials_usage.yml
2019-08-05 19:43:46 +02:00
Florian Roth
10cc1de4c9
Fixed global rule syntax
2019-08-05 19:43:15 +02:00
Florian Roth
dcdd021dc6
Duplicate port 3306
2019-08-05 19:36:50 +02:00
Karneades
42e6c9149b
Remove unneeded event code
2019-08-05 19:13:39 +02:00
Karneades
0e3cc042f4
Add more exclusions to mmc process rule
2019-08-05 18:53:33 +02:00
Karneades
5caa951b8f
Add new rule for detecting MMC spawning a shell
...
Add (analogous to win_mshta_spawn_shell.yml) a dedicated rule for detecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml . And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml .
2019-08-05 18:42:31 +02:00
nikotin
780d9223e6
compliance rules by SOC prime
2019-08-05 19:42:19 +03:00
Karneades
cfe44ad17d
Fix win_susp_mmc_source to match what title says
...
Remove cmd.exe filter to match what title and rule say: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
2019-08-05 16:21:56 +02:00
Florian Roth
6a8adc72ac
rule: reworked vssadmin rule
2019-08-04 11:27:17 +02:00
Florian Roth
d32fc2b2cf
fix: fixing rule win_cmstp_com_object_access
...
https://github.com/Neo23x0/sigma/issues/408
2019-07-31 14:16:52 +02:00
Florian Roth
0657f29c99
Rule: reworked win_susp_powershell_enc_cmd
2019-07-30 14:36:30 +02:00
Florian Roth
9143e89f3e
Rule: renamed and reworked hacktool Ruler rule
2019-07-26 14:49:09 +02:00
Florian Roth
f3fb2b41b2
Rule: FP filters extended
2019-07-23 14:58:36 +02:00
Florian Roth
2c57b443e4
docs: modification date in rule
2019-07-17 09:21:35 +02:00