security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
983 Commits 1 Branch 57 Tags
ca7e8d64685c93356ed28dffa289581cf3fcd1f3
Commit Graph

983 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
yt0ng ca7e8d6468 removing for new pull request 2018-08-17 18:42:10 +02:00
yt0ng 5bb6f566ba ::Merge remote-tracking branch 'upstream/master' 2018-08-17 18:39:36 +02:00
yt0ng 8ecf167e85 Powershell AMSI Bypass via .NET Reflection 
[Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
 2018-08-17 18:26:04 +02:00
yt0ng 07e411fe6b Oilrig Information gathering 
whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1
 2018-08-15 14:29:59 +02:00
Florian Roth 4e91462838 fix: Bugfix in Adwind rule 2018-08-15 12:33:03 +02:00
Florian Roth 92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Florian Roth 7c05b85bcd rule: Added malware UA 2018-08-15 12:33:03 +02:00
Thomas Patzke dce4b4825d Fixed aggregations without field name 
Generated query contained field name "None".
 2018-08-10 15:07:07 +02:00
Thomas Patzke 2c0e76be3d Escaped * where required 2018-08-10 13:53:08 +02:00
Thomas Patzke 5b02695b13 Merge pull request #146 from samsson/patch-8 
Hiding files with attrib.exe sysmon rule
 2018-08-08 22:57:30 +02:00
Lurkkeli 7cdc13ef11 Update 2018-08-08 17:05:51 +02:00
Lurkkeli 392351af25 Adding ATT&CK tag 2018-08-08 16:43:54 +02:00
Lurkkeli 4d721f1803 Updating fps 2018-08-08 16:42:26 +02:00
Lurkkeli b9f433414d hiding files with attrib.exe 2018-08-08 16:19:39 +02:00
Thomas Patzke 01215a645e Merge pull request #145 from yt0ng/master 
DNS TXT Answer with possible execution strings
 2018-08-08 15:58:34 +02:00
Thomas Patzke 58afccb2f3 Fixed ATT&CK tagging 2018-08-08 15:58:19 +02:00
yt0ng e44b4f450e DNS TXT Answer with possible execution strings 
https://twitter.com/stvemillertime/status/1024707932447854592
 2018-08-08 15:51:56 +02:00
Thomas Patzke 92c0e0321a Merge pull request #144 from samsson/patch-7 
Added att&ck tags
 2018-08-07 11:19:36 +02:00
Lurkkeli a245820519 added att&ck tag 2018-08-07 08:54:53 +02:00
Lurkkeli 294677a2cc added att&ck tag 2018-08-07 08:50:01 +02:00
Lurkkeli a57e87b345 added att&ck tag 2018-08-07 08:49:05 +02:00
Lurkkeli 99253763af added att&ck tag 2018-08-07 08:45:58 +02:00
Lurkkeli 0bff27ec21 added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:37:51 +02:00
Lurkkeli 198cb63182 added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:36:53 +02:00
Thomas Patzke 518e21fcd2 Merge pull request #134 from nikseetharaman/sysmon_cmstp_com_object_access 
Add CMSTP UAC Bypass via COM Object Access
 2018-08-07 08:33:33 +02:00
Thomas Patzke b9fdf07926 Extended tagging 2018-08-07 08:33:18 +02:00
Lurkkeli b50c13dd1f Update att&ck tag 2018-08-07 08:27:24 +02:00
Thomas Patzke 5d5d42eb9b Merge pull request #140 from yt0ng/master 
Possible Shim Database Persistence via sdbinst.exe
 2018-08-07 08:22:32 +02:00
Thomas Patzke 80eaedab8b Fixed tag and date 2018-08-07 08:22:11 +02:00
Thomas Patzke 3509fbd201 Merge pull request #142 from samsson/patch-5 
Added ATT&CK tag
 2018-08-07 08:20:22 +02:00
Thomas Patzke b049210641 Fixed tags 2018-08-07 08:20:09 +02:00
Lurkkeli 3456f9a74d Update sysmon_susp_wmi_execution.yml 2018-08-07 08:19:58 +02:00
Thomas Patzke b9d0e3172f Merge pull request #143 from samsson/patch-6 
Added ATT&CK tag
 2018-08-07 08:19:01 +02:00
Thomas Patzke 64fa3b162d Tag fixes 2018-08-07 08:18:16 +02:00
Lurkkeli 6472be5e19 Update sysmon_uac_bypass_sdclt.yml 2018-08-07 08:08:53 +02:00
Lurkkeli 21bee17ffd Update sysmon_uac_bypass_eventvwr.yml 2018-08-07 08:07:49 +02:00
yt0ng fc091fe3d7 Added ATTCK Mapping 2018-08-05 14:00:22 +02:00
yt0ng b65cb5eaca Possible Shim Database Persistence via sdbinst.exe 2018-08-05 13:55:04 +02:00
Thomas Patzke f8246e9f49 Removed "not implemented" hints for available options in sigmac 2018-08-04 23:31:29 +02:00
Thomas Patzke 0e986cae4d Fixed log source and field names 2018-08-04 22:58:19 +02:00
Thomas Patzke e6c3313168 Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-08-02 22:45:25 +02:00
Thomas Patzke af9f636199 Removal of backend output classes 
Breaking change: Instead of feeding the output class with the results,
they are now returned as strings (*Backend.generate()) or list
(SigmaCollectionParser.generate()). Users of the library must now take
care of the output to the terminal, files or wherever Sigma rules should
be pushed to.
 2018-08-02 22:41:32 +02:00
Florian Roth acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth 1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Thomas Patzke 1c9d0a176e Moved const_start into class definition 2018-07-28 23:51:33 +02:00
Thomas Patzke 8ceebba0d2 Merging split of config 2018-07-27 23:56:18 +02:00
Thomas Patzke df74460629 Fixed imports after config split 2018-07-27 23:54:18 +02:00
Thomas Patzke e02af9aa37 Merge config split branches 2018-07-27 23:16:50 +02:00
Thomas Patzke eb440b3357 Split config - code removal from configuration 2018-07-27 23:02:35 +02:00
Thomas Patzke 36ada66007 Split config - Copy configuration 2018-07-27 23:01:41 +02:00