security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
4,222 Commits 1 Branch 57 Tags
e12d710ab4e2a9e235fde2d60164b6bb4aeced75
Commit Graph

2698 Commits

Author SHA1 Message Date
Florian Roth 8ae8c213a9 Merge pull request #1337 from architect00/master 
rule: scheduled task deletion
 2021-02-07 15:26:13 +01:00
bartlomiej-czyz e79168ee56 Create win_rundll32_without_parameters.yml 2021-02-03 22:18:23 +01:00
Florian Roth 179db920ec Merge pull request #1343 from Neo23x0/rule-devel 
Rule devel
 2021-02-01 12:28:22 +01:00
Florian Roth aaeb72a2b6 fix: FPs 2021-02-01 11:47:23 +01:00
Florian Roth 33fee6af8b rule: security product uninstallation 2021-01-30 11:24:08 +01:00
Florian Roth e533b4effb fix: tags 2021-01-28 13:51:51 +01:00
Florian Roth cd4491cba2 rule: disable volume snaptshots 2021-01-28 13:48:30 +01:00
Florian Roth 6b9eef58da Merge pull request #1338 from Neo23x0/rule-devel 
Improved UNC2452 activity rules
 2021-01-25 14:36:44 +01:00
Florian Roth 7d99a48bb2 rule: new Quakbot pattern 2021-01-25 12:03:30 +01:00
Florian Roth a4bec724a6 rule: SonicWall exploitation 2021-01-25 11:54:23 +01:00
Florian Roth b62c705bf0 Improved UNC2452 activity rules 2021-01-22 09:18:11 +01:00
k-vdv e4edf7bc1b fix service from system to security for rule win_pcap_drivers.yml 2021-01-22 09:10:02 +01:00
David Straßegger 6a6929cfb6 implemented rule for scheduled task deletion 2021-01-22 08:09:56 +01:00
Florian Roth efa39eb18d Merge pull request #1336 from Neo23x0/rule-devel 
rule: Raccine uninstall
 2021-01-21 18:17:31 +01:00
Florian Roth 4ad70f0aaa rule: Raccine uninstall 2021-01-21 17:59:17 +01:00
Florian Roth 492d931138 Merge pull request #1335 from Neo23x0/rule-devel 
rule: UNC2452 PowerShell pattern
 2021-01-21 09:20:22 +01:00
Florian Roth c5a7558ca0 fix: fixed actor name in description 2021-01-21 09:19:51 +01:00
Florian Roth a0b8eeac6f fix: minor issues 2021-01-20 18:52:50 +01:00
Florian Roth 8b319e3686 rule: UNC2452 PowerShell pattern 2021-01-20 18:51:49 +01:00
Florian Roth cd4fbca66b Merge pull request #1330 from d4rk-d4nph3/master 
Added Stealthy Office Persistence via VSTO
 2021-01-20 11:36:25 +01:00
Florian Roth c00d3a8fe0 Merge pull request #1334 from Neo23x0/rule-devel 
rule: plink anomaly rules
 2021-01-20 11:36:16 +01:00
Bhabesh Rai dac229a8bb Added rule for Oracle WebLogic Exploit CVE-2021-2109 2021-01-20 14:28:18 +05:45
Florian Roth eedc483be4 rework: impossible rule with Sysmon 2021-01-19 14:12:40 +01:00
Florian Roth fdc969385a rule: plink anomaly rules 2021-01-19 12:39:40 +01:00
Florian Roth 7162528a1a docs: removed CVE 2021-01-15 13:25:10 +01:00
Florian Roth 3d2c6a118d Merge pull request #1332 from 2d4d/master 
Add xHunt Campaign: BumbleBee Webshell
 2021-01-13 18:19:01 +01:00
Florian Roth d58cdeab3a Merge pull request #1331 from Neo23x0/rule-devel 
rule: NTFS vulnerability
 2021-01-12 09:09:33 +01:00
Arnim Rupp b2860b870e Update win_webshell_detection.yml 2021-01-11 21:08:20 +01:00
Florian Roth cf37abee4d docs: more details 2021-01-11 19:56:36 +01:00
Arnim Rupp 5d80d634c3 Add xHunt Campaign: BumbleBee Webshell 
add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
 2021-01-11 19:44:07 +01:00
Florian Roth a0fccf8647 rule: NTFS vulnerability 
https://twitter.com/jonasLyk/status/1347900440000811010
 2021-01-11 14:51:26 +01:00
Bhabesh Rai 93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45
Florian Roth c571285fd8 Merge pull request #1329 from Neo23x0/rule-devel 
Rule devel
 2021-01-09 11:32:36 +01:00
Florian Roth 63cc0d23c6 changes provided by FPT.EagleEye Team in 
https://github.com/Neo23x0/sigma/pull/1218/files
 2021-01-09 10:38:20 +01:00
Florian Roth 19171f5bed Merge pull request #1315 from rtkdmasse/split-up-cmstp-rule 
Split up cmstp rule into 3 separate rules and remove duplicates
 2021-01-09 10:30:33 +01:00
Florian Roth 947925d81f Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic 
Update the azure image_load rule to be a generic sysmon rule
 2021-01-09 10:29:52 +01:00
Florian Roth 04f7766d7a Merge pull request #1319 from hieuttmmo/master 
Detect Emotet DLL loading by looking rundll32.exe
 2021-01-09 10:29:24 +01:00
Florian Roth 1a8bb9c991 Merge pull request #1327 from 2d4d/master 
more AV event and suspicious commands
 2021-01-09 10:28:30 +01:00
Arnim Rupp d5de3fe5f9 more AV event and suspicious commands 
some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?
 2021-01-07 17:54:19 +01:00
Florian Roth 30dcc28a1f Cisco ASA FTD Exploit CVE-2020-3452 2021-01-07 13:17:58 +01:00
yugoslavskiy 5ec4e42569 Merge pull request #1165 from w0rk3r/oscd3 
[OSCD] Updated win_etw_trace_evasion - Added new detections, Removed reference to deprecated rule and changed selections
 2021-01-06 00:12:22 +03:00
Florian Roth ab408750ac Merge pull request #1314 from Neo23x0/rule-devel 
rule: Lazarus activity
 2020-12-30 13:27:38 +01:00
Florian Roth 9ecaeb715f Merge pull request #1317 from rtkdmasse/fix-missing-product-mouse-lock 
Fix missing product mouse lock
 2020-12-30 13:27:20 +01:00
ZikyHD 8a6b182fee Update win_susp_adfind.yml 2020-12-29 14:41:46 +01:00
ZikyHD ece829bb25 Update win_susp_adfind.yml 
Typo on field name
 2020-12-29 14:40:36 +01:00
Florian Roth 0a83f91386 Merge pull request #1321 from d4rk-d4nph3/master 
Fixed typo in file format
 2020-12-28 09:13:48 +01:00
Bhabesh Rai bf77c8266a Fixed typo in file format 2020-12-28 11:46:02 +05:45
Florian Roth 896fc21911 Merge pull request #1320 from d4rk-d4nph3/master 
Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass
 2020-12-27 20:37:36 +01:00
Florian Roth a6212a4490 style: some minor style changes 2020-12-27 20:06:19 +01:00
Bhabesh Rai 1cfad987b0 Added rule for CVE-2020-10148 SolarWinds Orion API Authentication Bypass 2020-12-27 17:34:49 +05:45