security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,128 Commits 1 Branch 57 Tags
e53a97fa2fa8bcfdf414ba973728e78d2be6bc85
Commit Graph

1560 Commits

Author SHA1 Message Date
Tran Trung Hieu e53a97fa2f Update condition to filter out printer port 2020-05-14 18:22:49 +07:00
Tran Trung Hieu 443bf09d27 Add author 2020-05-14 18:10:16 +07:00
Tran Trung Hieu e74970cea0 Suspicious network connection from notepad.exe 2020-05-14 18:08:30 +07:00
Tran Trung Hieu 97b690d340 Change level from Critical to High 2020-05-14 09:02:54 +07:00
Tran Trung Hieu d0b1c98d5a Reformat rule 2020-05-14 00:39:41 +07:00
Tran Trung Hieu 3e5b33388b New rule to detect possible CVE-2020-1048 exploitation 2020-05-14 00:24:36 +07:00
zaphod a9ef7ef382 Fix a bad CommandLine search 2020-05-13 11:32:05 +02:00
Florian Roth 09d1b00459 Changed level to ciritcal 2020-05-11 10:40:23 +02:00
tliffick c98be55d21 Update mal_azorult_reg.yml 2020-05-08 21:31:33 -04:00
tliffick 61f061333b Registry entry for Azorult malware 
Detects registry keys used by Azorult malware
 2020-05-08 21:26:24 -04:00
Florian Roth fd7968d4f8 Merge pull request #734 from NVISO-BE/win_susp_failed_logon_source 
New rule: Failed Logon From Public IP
 2020-05-08 16:24:12 +02:00
Remco Verhoef 2d38cb7b52 fix incorrect use of global 2020-05-06 23:00:45 +02:00
Remco Verhoef 40539a0c0e fix incorrect use of action global 2020-05-06 22:53:02 +02:00
Remco Hofman 123a23adae win_susp_failed_logon_source rule 2020-05-06 22:24:02 +02:00
Florian Roth 473c31232e add additional reference 2020-05-05 19:25:33 +02:00
Rettila 0e1fa5c135 Update win_possible_dc_shadow.yml 2020-05-05 18:14:32 +02:00
Rettila 55d018255c Update win_possible_dc_shadow.yml 2020-05-05 16:52:08 +02:00
Rettila 3302c63e0c Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml 2020-05-05 16:51:35 +02:00
Rettila f27aa4bfee Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00
Rettila db810b342f Delete win_possible_dc_shadow.yml 2020-05-05 16:48:39 +02:00
Rettila e3f21805f3 Update win_possible_dc_shadow.yml 2020-05-05 16:43:56 +02:00
Rettila 0f4cc9d365 Create win_possible_dc_shadow.yml 2020-05-05 16:40:52 +02:00
Florian Roth c71e10a7f3 Merge pull request #717 from Karneades/renamedbinary 
Add netsh to renamed binary rule
 2020-05-02 14:12:34 +02:00
Florian Roth b4b9b0155f Merge pull request #716 from Karneades/patch-1 
Add rule to detect wifi creds harvesting using netsh
 2020-05-02 14:12:10 +02:00
Maxime Thiebaut 4600bf73dc Update rules to follow the Sigma state specification 
The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following:

> Declares the status of the rule:
>  - stable: the rule is considered as stable and may be used in production systems or dashboards.
>  - test: an almost stable rule that possibly could require some fine tuning.
>  - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events.

However the Sigma Rx YAML specification states the following:

> ```yaml
> status:
>     type: //any
>     of:
>         - type: //str
>           value: stable
>         - type: //str
>           value: testing
>         - type: //str
>           value: experimental
> ```

The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base:
 - [`sigma/sigma-schema.rx.yml`](https://github.com/Neo23x0/sigma/blob/a805d18bbae60d3e4f291c8a18304104ed2e71c7/sigma-schema.rx.yml#L49)
 - [`sigma/tools/sigma/filter.py`](https://github.com/Neo23x0/sigma/blob/f3c60a63099f80296c8750aaba667e98ac71a4f7/tools/sigma/filter.py#L26)
 - [`sigma/tools/sigmac`](https://github.com/Neo23x0/sigma/blob/4e42bebb3480720966a59528cd8482c6271e603c/tools/sigmac#L98)

Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state.
 2020-04-24 20:50:31 +02:00
Andreas Hunkeler 7d437c2969 Add netsh to renamed binary rule 2020-04-20 17:12:25 +02:00
Andreas Hunkeler d4e9606266 Improve netsh wifi rule another time due to arg shortcut 2020-04-20 16:40:03 +02:00
Andreas Hunkeler af498d8a8c Improve rule to detect argument shortcut in netsh wlan rule 2020-04-20 16:32:25 +02:00
Andreas Hunkeler ba541c3952 Fix title for new netsh wifi rule 2020-04-20 16:20:45 +02:00
Andreas Hunkeler d9e5274c9e Add rule to detect wifi creds harvesting using netsh 2020-04-20 16:14:44 +02:00
Florian Roth 514bd8657b Merge pull request #704 from Iveco/master 
Detect Ghost-In-The-Logs (disabling/bypassing ETW)
 2020-04-14 14:11:27 +02:00
Florian Roth 2e0e170058 Merge pull request #708 from teddy-ROxPin/patch-4 
Create powershell_create_local_user.yml
 2020-04-14 14:11:15 +02:00
Florian Roth 3175a48bdc Casing 2020-04-14 13:40:34 +02:00
Florian Roth ecdec93800 Casing 2020-04-14 13:39:58 +02:00
Florian Roth 5cbe008350 Casing 2020-04-14 13:39:22 +02:00
Florian Roth 5ee0808619 Merge pull request #706 from vesche/update_win_susp_netsh_dll_persistence 
Update win_susp_netsh_dll_persistence.yml
 2020-04-14 13:37:53 +02:00
Florian Roth 4f469c0e39 Adjusted level 2020-04-14 13:37:10 +02:00
Florian Roth 8f40c0a1c8 Merge pull request #710 from vesche/update_win_GPO_scheduledtasks 
Update win_GPO_scheduledtasks.yml
 2020-04-14 13:36:17 +02:00
Maxime Thiebaut 86c6891427 Add Windows Registry Persistence COM Search Order Hijacking 2020-04-14 12:59:29 +02:00
vesche 1f918253e8 Add additional reference 2020-04-13 11:09:36 -05:00
vesche 9cdb3a4a64 Fix typo 2020-04-13 11:09:00 -05:00
teddy-ROxPin 1501331f77 Create powershell_create_local_user.yml 
Adds coverage for creating a local account via PowerShell from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md#atomic-test-4---create-a-new-user-in-powershell
 2020-04-11 02:51:05 -06:00
vesche 3889be6255 Replace reference link for win_susp_netsh_dll_persistence 2020-04-10 01:05:10 -05:00
vesche 82db80bee6 Remove wrong mitre technique 2020-04-10 01:02:43 -05:00
vesche 72b821e046 Update win_susp_netsh_dll_persistence.yml 2020-04-09 11:16:18 -05:00
Iveco 61b9234d7f Update win_user_driver_loaded.yml 
removed internal field
 2020-04-09 11:28:19 +02:00
Thomas Patzke 551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Iveco e913db0dca Update win_user_driver_loaded.yml 
CI
 2020-04-08 18:54:59 +02:00
Iveco c5211eb94a Update sysmon_susp_service_installed.yml 
CI
 2020-04-08 18:54:46 +02:00
Iveco 4520082ef7 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
CI
 2020-04-08 18:54:37 +02:00