security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,045 Commits 1 Branch 57 Tags
e913db0dca590e41c965b56ea71d3ca554fbbae7
Commit Graph

3045 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Iveco e913db0dca Update win_user_driver_loaded.yml 
CI
 2020-04-08 18:54:59 +02:00
Iveco c5211eb94a Update sysmon_susp_service_installed.yml 
CI
 2020-04-08 18:54:46 +02:00
Iveco 4520082ef7 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
CI
 2020-04-08 18:54:37 +02:00
Iveco 6d85650390 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed Author
 2020-04-08 18:41:33 +02:00
Iveco fc1febdebe Update sysmon_susp_service_installed.yml 
Fixed Author
 2020-04-08 18:41:25 +02:00
Iveco d0746b50f4 Update win_user_driver_loaded.yml 
Fixed author
 2020-04-08 18:41:16 +02:00
Iveco 3280a1dfb0 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed CI
 2020-04-08 18:23:29 +02:00
Iveco 5e724a0a54 Update sysmon_susp_service_installed.yml 
Fixed CI
 2020-04-08 18:22:51 +02:00
Iveco d1b9c0c34a Update win_user_driver_loaded.yml 
Fixed CI
 2020-04-08 18:21:59 +02:00
iveco e87f2705a7 Detect Ghost-In-The-Logs (disabling/bypassing ETW) 2020-04-08 18:01:04 +02:00
Florian Roth f50767c400 Merge pull request #703 from 0xThiebaut/downgrade 
Update the NTLM downgrade registry paths
 2020-04-07 18:13:29 +02:00
Maxime Thiebaut 73a6428345 Update the NTLM downgrade registry paths 
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
 2020-04-07 17:14:45 +02:00
Thomas Patzke 693830fa83 Merge pull request 659 2020-04-03 23:46:53 +02:00
Florian Roth 2a579a0a1b Merge pull request #699 from mpavlunin/patch-2 
Create new rule T1223
 2020-04-03 19:32:50 +02:00
Florian Roth 4e3985866b Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml 2020-04-03 16:50:48 +02:00
mpavlunin 81d0f82272 Create new rule T1223 
Suspicious Compiled HTML File
 2020-04-03 16:56:26 +03:00
Florian Roth 0ea2db8b9e Merge pull request #484 from hieuttmmo/master 
New sigma rules to detect new MITRE technique in last update (T1502)
 2020-04-03 09:59:36 +02:00
Florian Roth f4928e95bc Update powershell_suspicious_profile_create.yml 2020-04-03 09:36:17 +02:00
Florian Roth c0ab9c5745 Merge pull request #671 from HarishHary/powershell_downgrade_attack 
Powershell downgrade attack (small improvements)
 2020-04-03 09:31:33 +02:00
Florian Roth 6cf0edc076 Merge pull request #685 from teddy-ROxPin/patch-1 
Typo fix for powershell_suspicious_invocation_generic.yml
 2020-04-03 09:30:32 +02:00
Florian Roth aa73c39a35 Merge pull request #692 from Neo23x0/ci-deploy 
PyPI deployment via GitHub Actions
 2020-04-03 09:29:49 +02:00
Florian Roth eef8531a72 Merge pull request #697 from refractionPOINT/lc-remove-timeframe 
Remove generation of LC rules with timeframe.
 2020-04-03 09:29:12 +02:00
Maxime Lamothe-Brassard f92c5e9b18 Remove generation of LC rules with timeframe. 2020-04-02 15:25:30 -07:00
Florian Roth ee7babd8cb fix: security vulnerability with pyyaml < 4.2b1 2020-04-02 12:27:53 +02:00
Florian Roth dec0c108f9 Merge pull request #683 from NVISO-BE/powershell_wmimplant 
WMImplant detection rule
 2020-04-02 11:54:09 +02:00
Florian Roth 1196f8d60f Merge pull request #695 from cobsec/master 
Date typos
 2020-04-02 10:20:18 +02:00
Chris O'Brien fe5dbece3d Date typos...more than I thought... 2020-04-02 10:00:00 +02:00
Chris O'Brien 97c0872c81 Date typo. 2020-04-02 09:53:09 +02:00
Thomas Patzke 0db3bbb097 Merge pull request #693 from Neo23x0/dependabot/pip/pyyaml-5.1 
Bump pyyaml from 3.13 to 5.1
 2020-04-01 23:25:57 +02:00
Florian Roth af49c24419 Merge pull request #694 from cobsec/master 
Fixed date typo - by the looks of the commit date the month/date were…
 2020-04-01 18:28:14 +02:00
Chris O'Brien 95e0b12d88 Fixed date typo - by the looks of the commit date the month/date were swapped. 2020-04-01 18:18:13 +02:00
dependabot[bot] c9c73bec3f Bump pyyaml from 3.13 to 5.1 
Bumps [pyyaml](https://github.com/yaml/pyyaml) from 3.13 to 5.1.
- [Release notes](https://github.com/yaml/pyyaml/releases)
- [Changelog](https://github.com/yaml/pyyaml/blob/master/CHANGES)
- [Commits](https://github.com/yaml/pyyaml/compare/3.13...5.1)

Signed-off-by: dependabot[bot] <support@github.com>
 2020-03-31 20:40:52 +00:00
Thomas Patzke 2bda0e097f Merge pull request #691 from Neo23x0/cleanup 
Cleanup
 2020-03-31 22:37:04 +02:00
Thomas Patzke 8c69c7bb02 PyPI deployment via GitHub Actions 2020-03-31 22:36:16 +02:00
Florian Roth 8e39b09ba5 Merge pull request #690 from cnotin/patch-1 
Small typo
 2020-03-31 16:27:21 +02:00
Clément Notin 18cdddb09e Small typo 2020-03-31 15:22:00 +02:00
Florian Roth 6a70bdb126 Merge pull request #689 from 0xThiebaut/win_ad_enumeration 
Add AD User Enumeration
 2020-03-31 10:56:48 +02:00
Maxime Thiebaut 8dcbfd9aca Add AD User Enumeration 
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.

This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.

Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.

False positives may include administrators performing the initial
configuration of new users.
 2020-03-31 09:40:07 +02:00
Remco Hofman b791d599ee Disabled keywords that could cause FPs 2020-03-30 08:53:52 +02:00
Thomas Patzke d33f4b290d Dependency cleanup 
* Consolidated dependencies into main and development (MISP and test
  intergrated).
* Splitted Pipfile dependencies into main and development
* Specified compatible dependencies
 2020-03-29 22:55:09 +02:00
Thomas Patzke 38a5fe3a29 Removed Travis CI configuration 2020-03-29 22:20:04 +02:00
Florian Roth f2a2420e24 Merge pull request #687 from Neo23x0/ci-testing 
Ci testing
 2020-03-29 17:25:28 +02:00
Thomas Patzke 4dbe5e2f17 Moved Elasticsearch dependencies to generic dependencies 
Omitting waiting for Elasticsearch as it should be started at this time.
 2020-03-29 15:19:13 +02:00
Thomas Patzke 5e258efbe7 Improved Elasticsearch waiting process 2020-03-29 14:57:34 +02:00
Thomas Patzke d68b900077 Wait for Elasticsearch before running tests 2020-03-29 14:37:27 +02:00
Thomas Patzke 821a631325 Run Elasticsearch installation as root 2020-03-29 14:00:15 +02:00
Thomas Patzke fbe40bd1e8 Fixed Elasticsearch test 
* Splitted into separate action
* Install dependencies
 2020-03-29 13:41:03 +02:00
Thomas Patzke d24c1e2800 CI testing with GitHub Actions 2020-03-29 13:25:04 +02:00
teddy-ROxPin 1a3731f7ae Typo fix for powershell_suspicious_invocation_generic.yml 
' - windowstyle hidden ' changed to ' -windowstyle hidden '
 2020-03-29 04:16:15 -06:00
Florian Roth 8ea6b12eed Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini 
Add "Suspicious desktop.ini Action" rule
 2020-03-28 13:34:01 +01:00