security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
740 Commits 1 Branch 57 Tags
e23cdafb85fba83129dbbb844a67c56bb4ecbbf5
Commit Graph

149 Commits

Author SHA1 Message Date
Florian Roth d1d4473505 Rule: ADS with executable 
https://twitter.com/0xrawsec/status/1002478725605273600
 2018-06-03 02:08:57 +02:00
Florian Roth 49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Markus Härnvi cf237cf658 "author" should be a string and not a list, according to the specification 2018-04-16 23:42:51 +02:00
Florian Roth d8bbf26f2c Added msiexec to rule in order to cover new threats 
https://twitter.com/DissectMalware/status/984252467474026497
 2018-04-12 09:12:50 +02:00
Florian Roth 58517907ad Improved rule to provide support for for old sysmon \REGISTRY syntax 2018-04-11 20:15:17 +02:00
Florian Roth 0ffd226293 Moved new rule to sysmon folder 2018-04-11 20:11:54 +02:00
Florian Roth 52d405bb1b Improved shell spawning rule 2018-04-11 20:09:42 +02:00
Florian Roth a9c7fe202e Rule: Windows shell spawning suspicious program 2018-04-09 08:37:30 +02:00
Florian Roth e53826e167 Extended Sysmon Office Shell rule 2018-04-09 08:37:30 +02:00
Thomas Patzke f113832c04 Merge pull request #69 from jmallette/rules 
Create cmdkey recon rule
 2018-04-08 23:23:30 +02:00
Thomas Patzke a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00
Thomas Patzke dacc6ae3d3 Fieldname case: Commandline -> CommandLine 2018-03-25 23:08:28 +02:00
Florian Roth e141a834ff Rule: Ping hex IP address 
https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
 2018-03-23 17:00:00 +01:00
Florian Roth 97204d8dc0 Renamed rule 2018-03-20 15:04:11 +01:00
Florian Roth e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth a7eb4d3e34 Renamed rule 2018-03-20 11:12:35 +01:00
Florian Roth b84bbd327b Rule: NetNTLM Downgrade Attack 
https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 2018-03-20 11:07:21 +01:00
Florian Roth a6d293e31d Improved tscon rule 2018-03-20 10:54:04 +01:00
Florian Roth 8fb6bc7a8a Rule: Suspicious taskmgr as LOCAL_SYSTEM 2018-03-19 16:36:39 +01:00
Florian Roth af8be8f064 Several rule updates 2018-03-19 16:36:15 +01:00
Florian Roth 648ac5a52e Rules: tscon.exe anomalies 
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 2018-03-17 19:14:13 +01:00
Karneades 49c12f1df8 Add missing binaries 2018-03-16 10:52:43 +01:00
Florian Roth a257b7d9d7 Rule: Stickykey improved 2018-03-16 09:10:07 +01:00
Florian Roth 0460e7f18a Rule: Suspicious process started from taskmgr 2018-03-15 19:54:03 +01:00
Florian Roth f5494c6f5f Rule: StickyKey-ike backdoor usage 2018-03-15 19:53:34 +01:00
Florian Roth 5ae5c9de19 Rule: Outlook spawning shells to detect Turla like C&C via Outlook 2018-03-10 09:04:11 +01:00
jmallette aff46be8a3 Create cmdkey recon rule 2018-03-08 13:25:05 -05:00
Thomas Patzke 8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke 8041f77abd Merged similar rules 2018-03-06 23:19:11 +01:00
Thomas Patzke 84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Florian Roth 1001afb038 Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
Florian Roth 25dc3e78be Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
Florian Roth 9020a9aa32 Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
Florian Roth 5d763581fa Adding status "experimental" to that rule 2018-02-22 13:28:01 +01:00
Florian Roth 0be687d245 Rule: Detect CVE-2017-0261 exploitation 2018-02-22 13:27:20 +01:00
Florian Roth fa4dbc0f2e Rule: QuarksPwDump temp dump file 2018-02-10 15:25:36 +01:00
SherifEldeeb 348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb 48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb 112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth 285f5bab4f Removed duplicate string 2017-12-11 09:31:54 +01:00
Florian Roth 78854b79c4 Rule: System File Execution Location Anomaly 2017-11-27 14:09:22 +01:00
Florian Roth 93fbc63691 Rule to detect droppers exploiting CVE-2017-11882 2017-11-23 00:58:31 +01:00
Florian Roth 59e5b3b999 Sysmon: Named Pipe detection for APT malware 2017-11-06 14:24:42 +01:00
Florian Roth 37cea85072 Rundll32.exe suspicious network connections 2017-11-04 14:44:30 +01:00
Thomas Patzke 720c992573 Dropped within keyword 
Covered by timeframe attribute.

Fixes issue #26.
 2017-10-30 00:25:56 +01:00
Thomas Patzke 27227855b5 Merge branch 'devel-sigmac' 2017-10-29 23:59:49 +01:00
Thomas Patzke 012cb6227f Added proper handling of null/not null values 
Fixes issue #25
 2017-10-29 23:57:39 +01:00
Florian Roth b7e8000ccb Improved Office Shell rule > added 'schtasks.exe' 2017-10-25 23:53:45 +02:00
Thomas Patzke d7c659128c Removed unneeded array 2017-10-18 15:12:29 +02:00