Commit Graph

89 Commits

Author SHA1 Message Date
Tobias Michalski 3970934252 Switched EventID:1 to category: process_creation 2021-06-10 14:13:29 +02:00
Tobias Michalski 56d200bad0 Fixed meta information 2021-06-10 12:44:19 +02:00
Tobias Michalski bbc8633c67 Merge branch 'master' of github.com:humpalum/sigma 2021-06-10 11:32:08 +02:00
Tobias Michalski 4d6e7e1338 Rules persistence by exploiting Outlook or Exchange 2021-06-10 11:26:21 +02:00
frack113 0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00
frack113 7d55c7ca80 category other is useless
Add a new reference
2021-05-30 09:17:41 +02:00
frack113 33a5137bc7 Fix logsource to get accurate detection 2021-05-30 08:22:38 +02:00
SomeOne 53b21d1afe Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule 2021-05-16 15:03:58 +02:00
Florian Roth 8af86fa97e docs: change title and add references 2021-04-29 12:33:10 +02:00
BlueTeamOps 59d23535ce Update win_lateral_movement.yml 2021-04-27 23:03:03 +10:00
BlueTeamOps 793504dd6b Rename win_lateral_movement to win_lateral_movement.yml 2021-04-27 22:59:52 +10:00
BlueTeamOps f75ad98903 Create win_lateral_movement
EID 4674 with the proposed attributes is very rare in a prod environment.
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
2021-04-27 22:55:58 +10:00
Anton Kutepov 3f45269296 Merge branch 'oscd'
2021-03-02 22:58:41 +03:00
GlebSukhodolskiy daaba7022b Merge branch 'oscd' into oscd_wmi 2021-02-06 00:34:53 +03:00
k-vdv e4edf7bc1b fix service from system to security for rule win_pcap_drivers.yml 2021-01-22 09:10:02 +01:00
GlebSukhodolskiy 3f519ffa20 Just Check 2021-01-07 21:31:51 +03:00
GlebSukhodolskiy da5ec4e952 Update win_wmi_persistence.yml
Removed sequence of EIDs in Windows Security section.
2021-01-06 16:50:28 +03:00
yugoslavskiy 5ade9208d5 Merge pull request #1166 from drdoc/oscd
[OSCD] Possible Zerologon (CVE-2020-1472) exploitation using well-known tools
2021-01-06 00:12:34 +03:00
mat b3e36281b5 fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00
Florian Roth b31ed47ccf Merge branch 'master' into devel 2020-11-26 09:44:56 +01:00
Jonhnathan c42911cb47 Update win_wmi_persistence.yml 2020-11-20 00:58:49 -03:00
Jonhnathan 718792e0ba Update win_tool_psexec.yml 2020-11-20 00:57:16 -03:00
yugoslavskiy 6ec761d27b update syntax a bit to re-run the test 2020-10-20 17:40:53 +02:00
yugoslavskiy 198add2229 Update win_wmi_persistence.yml
to trigger a test
2020-10-17 22:28:10 +02:00
Jonhnathan 1fac65dad0 Fix 2020-10-15 20:29:02 -03:00
Jonhnathan 09c43b7517 Update win_wmi_persistence.yml 2020-10-15 17:08:15 -03:00
Jonhnathan b769728d0b Update win_pcap_drivers.yml 2020-10-15 17:07:22 -03:00
GlebSukhodolskiy 7ca50c94f2 Reference changed 2020-10-15 12:12:22 +03:00
Demyan Sokolin fce386388d Title fixed [2]
Title capitalization added
2020-10-14 02:17:20 +03:00
Demyan Sokolin ba2771147b Title length fixed
Title and description changed to meet requirements.
2020-10-14 02:04:34 +03:00
Demyan Sokolin 208798e373 [OSCD] Possible Zerologon (CVE-2020-1472) exploitation using well-known tools 2020-10-14 01:55:45 +03:00
GlebSukhodolskiy 9da9c20c63 Description Changed 2020-10-13 22:06:34 +03:00
GlebSukhodolskiy b732c060a1 Fixed sigma syntax 2020-10-13 22:02:53 +03:00
GlebSukhodolskiy cd98d907a1 Log Sources Modified
Modified Log Sources and Deleted a Sysmon Detection due to Discussion in PR #1161
2020-10-13 21:39:03 +03:00
GlebSukhodolskiy fa3a06aadb Added 2 More Detection Methods
Issue #576
2020-10-13 20:50:43 +03:00
Florian Roth 2cd9b794e6 Merge pull request #1007 from d4rk-d4nph3/master
Windows Defender AMSI Trigger Detected
2020-09-15 15:45:00 +02:00
Bhabesh Rai 03c7d751c0 Windows Defender AMSI Trigger Detected 2020-09-14 18:10:38 +05:45
Yugoslavskiy Daniil 1fc202fe5d fix typos, update tags 2020-09-13 15:46:45 +02:00
Florian Roth de5444a81e Merge pull request #989 from oscd-initiative/master
[OSCD Initiative][ATT&CK tags update]
2020-09-08 13:27:58 +02:00
Florian Roth 39dfcd40ec Merge pull request #921 from d4rk-d4nph3/master
Added support for Defender's PSExec and WMI ASR rules.
2020-09-07 09:40:46 +02:00
Yugoslavskiy Daniil 5026438524 fix modified field 2020-08-25 01:29:57 +02:00
Yugoslavskiy Daniil 42c4079ed8 att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00
Florian Roth f788a723b6 Merge pull request #986 from diskurse/devel
win_defender_history_delete.yml
2020-08-21 16:05:49 +02:00
Cian Heasley 28fe002f34 win_defender_history_delete.yml
Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
2020-08-21 13:51:05 +01:00
Aidan Bracher ad9a8ff956 Updated to include extra registry key 2020-07-18 02:37:11 +01:00
Aidan Bracher 2006aa8f5e Inclusion of registry keys for WinDefender disabling 2020-07-18 02:23:30 +01:00
Bhabesh Rai e0c1d84951 Added new Lateral Movement Attack ID 2020-07-14 22:32:29 +05:45
Bhabesh Rai 6fb045aa4b Conforming to Rule Creation Guide. 2020-07-14 14:20:07 +05:45
Bhabesh Rai 66ad325fde Added support for Defender's PSExec and WMI ASR rules. 2020-07-14 14:01:43 +05:45
Thomas Patzke 28013a15e1 Improved rule 2020-07-07 23:18:07 +02:00