security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,110 Commits 1 Branch 57 Tags
e78d7e6aeefdfd6965705bb769cf5fb983eef4f7
Commit Graph

2033 Commits

Author SHA1 Message Date
Florian Roth e78d7e6aee Merge pull request #1296 from mat-gas/fix-references 
fix "references" field + add test for references in plural form
 2020-12-21 18:25:35 +01:00
Florian Roth 377454cb31 Merge pull request #1299 from tjgeorgen/patch-1 
ATT&CK subtechnique tag updates
 2020-12-21 18:24:00 +01:00
Florian Roth 35ab80b39e Merge pull request #1306 from d4rk-d4nph3/master 
Added rule for Impacket's PsExec execution
 2020-12-21 18:23:41 +01:00
Bhabesh Rai 0a7e95954e Fix for fail build 2020-12-14 12:55:08 +05:45
Bhabesh Rai 63fb31882e Added rule for Impacket's PsExec execution 2020-12-14 12:48:26 +05:45
Florian Roth 1b0aaf62c3 Merge pull request #1266 from omkar72/ryuk 
modifying couple of rules
 2020-12-13 19:05:54 +01:00
Florian Roth e2ade077ed Merge pull request #1275 from bczyz1/patch-3 
update win_apt_slingshot.yml
 2020-12-13 19:04:47 +01:00
Florian Roth 612008a4d8 fix identation 2020-12-11 18:40:17 +01:00
Tran Trung Hieu edc79a8bb6 Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection 2020-12-11 15:17:23 +07:00
Florian Roth b6d62b7a21 Merge pull request #1302 from Neo23x0/rule-devel 
TA505 Dropper, minor fix in PowerShell Rule
 2020-12-08 10:40:07 +01:00
Florian Roth 640470cefd TA505 Loader Rule 2020-12-08 10:15:30 +01:00
Florian Roth 540039cbc3 fix: Malicious Nishang PowerShell Commandlets FP with MDATP 2020-12-05 09:33:42 +01:00
tjgeorgen 1c6c3a36fe include updated RDP att&ck tag 2020-12-04 11:59:23 -05:00
tjgeorgen 0eda1ab462 also update tag for folder variant 2020-12-04 11:42:05 -05:00
tjgeorgen 5208bdd65a add new version of ATT&CK T1500 tag 2020-12-04 11:19:16 -05:00
OG 8e801ede32 Update win_susp_psexec_eula.yml 2020-11-29 17:45:29 +05:30
mat b3e36281b5 fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00
Florian Roth c6fc9de144 New Trickbot wermgr rule 2020-11-26 09:54:27 +01:00
Florian Roth c111ab3141 Improved Trickbot recon rule 2020-11-26 09:54:13 +01:00
Florian Roth b31ed47ccf Merge branch 'master' into devel 2020-11-26 09:44:56 +01:00
bczyz1 05398ae95e change field newprocessname -> image 2020-11-23 13:43:19 +01:00
bczyz1 193021eff8 Update win_apt_slingshot.yml 
fix condition
 2020-11-20 09:19:03 +01:00
Florian Roth af4d546408 Merge pull request #1282 from Neo23x0/rule-devel 
fix: FPs with notepad++ GUP rule
 2020-11-10 13:39:28 +01:00
Florian Roth 2e9d7951a6 Merge pull request #1272 from bczyz1/patch-2 
Fix typo in win_apt_lazarus_session_hijack.yml
 2020-11-10 13:35:08 +01:00
Florian Roth f6c0fb2d33 fix: FPs with notepad++ GUP rule 2020-11-09 16:34:12 +01:00
Florian Roth c3785d6dc7 rule: FPs with WmiPrvSE rule 2020-11-05 16:44:33 +01:00
bczyz1 c554aaea8f update win_apt_slingshot.yml 
- optimized rule
- added detection of task modification (flag /change + /disable as described here https://stackoverflow.com/questions/26169582/does-anyone-know-of-a-way-to-turn-off-windows-defragmenters-default-schedule-us)
 2020-11-05 15:51:22 +01:00
bczyz1 4a5b2d642e Fix typo in win_apt_lazarus_session_hijack.yml 2020-11-03 14:46:29 +01:00
omkargudhate22 f1bb9726ca updated mitre tag 2020-10-30 13:35:40 +05:30
omkar72 86a849728d ryuk changes 2020-10-30 13:15:11 +05:30
Florian Roth 75637324e0 feat: cover newest emotet campaigns 2020-10-23 23:44:48 +02:00
Florian Roth ee789a309c fix: FP with expression 2020-10-20 13:11:10 +02:00
Florian Roth 198b292c26 rule: emotet encoded commands 2020-10-20 12:51:58 +02:00
Florian Roth 48f1be04d4 fix: ping hex ip rule 2020-10-16 10:06:24 +02:00
Florian Roth 3affdd12e0 fix: rule title casing 2020-10-12 09:51:35 +02:00
Florian Roth 0d0cda0f86 docs: improved false positive notes 2020-10-12 09:18:42 +02:00
Florian Roth e7c6794ecd rule: suspicious wmic process call create + rundll32 2020-10-12 09:18:30 +02:00
Florian Roth 2e732eb01f Merge branch 'master' into rule-devel 2020-10-12 09:13:24 +02:00
Florian Roth c56cd2dfff Merge pull request #1024 from omkar72/master 
Com hijack shell folder
 2020-10-02 09:24:16 +02:00
omkargudhate22 4487d9cc7e added event type & changed technique 2020-10-02 09:22:14 +05:30
Florian Roth c17ca6d5fe Merge pull request #1018 from savvyspoon/wcry-dns 
WannaCry Killswitch domain DNS query
 2020-09-29 09:27:21 +02:00
omkargudhate22 68a992d903 updated name 2020-09-27 21:57:19 +05:30
omkargudhate22 e7c8197e34 Updated fields & renamed 2020-09-27 21:52:59 +05:30
omkargudhate22 ebe3dce1d7 Update sysmon_comhijack_uac_bypass.yml 2020-09-27 21:44:41 +05:30
omkar72 3f148e6c7c COM hijack of shell folder to execute arbitrary application & UAC bypass using sdclt. 2020-09-27 21:19:04 +05:30
Florian Roth d7d9c0e772 Merge pull request #1021 from hieuttmmo/master 
Sigma rule to detect AdFind.exe execution
 2020-09-27 09:50:41 +02:00
Florian Roth 8020fe3c40 false positive condition 2020-09-26 17:03:29 +02:00
Florian Roth 60795f7050 Update win_susp_adfind.yml 
Fear that a simple adfind.exe causes too many false positives
 2020-09-26 17:02:39 +02:00
Florian Roth dbdd758365 Duplicate Rule 
we already have a rule for that
 2020-09-26 17:01:32 +02:00
Tran Trung Hieu d4dd0600ad Fix logsource service to process_creation 2020-09-26 21:45:23 +07:00