security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

567 Commits

Author SHA1 Message Date
Thomas Patzke f4e9690d6b Merge pull request #508 from Karneades/fixRule3 
fix: bound keywords to field in multiple PS rules
 2019-10-29 22:34:08 +01:00
Thomas Patzke 78d8ca2b41 Merge pull request #507 from Karneades/fixRule2 
fix: bound keywords to field in PS cred prompt rule
 2019-10-29 22:31:01 +01:00
Karneades ab5556ae8c fix: change keyword and bound it to a field 2019-10-29 19:59:43 +01:00
Karneades aafab2e936 fix: bound keywords to field in multiple PS rules 
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
 2019-10-29 19:53:18 +01:00
Karneades f31750e567 fix: bound keywords to field in PS cred prompt rule 2019-10-29 19:43:04 +01:00
darkquasar cb6eb35913 adding some more suspicious PS keywords 
found in multiple internally analyzed malicious scripts (in the wild and as result of engagements)
 2019-10-28 22:14:14 -07:00
Yugoslavskiy Daniil 4251d9f490 ilyas ochkov contribution 2019-10-29 03:44:22 +03:00
hieuttmmo 0c07c5ea16 convention 2019-10-25 11:00:05 +07:00
hieuttmmo e86ab608f2 Update powershell_suspicious_profile_create.yml 2019-10-25 10:53:21 +07:00
yugoslavskiy 5eb484a062 add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00
hieuttmmo edb698c7f7 Update powershell_suspicious_profile_create.yml 2019-10-25 00:28:11 +07:00
hieuttmmo 73b10807d8 Rename powershell_susp_profile_create.yml to powershell_suspicious_profile_create.yml 2019-10-25 00:14:39 +07:00
hieuttmmo 0e4cd397ef Create new rules for T1502 2019-10-25 00:14:21 +07:00
yugoslavskiy 4fb9821b49 added: 
win_non_interactive_powershell.yml
	win_remote_powershell_session.yml
	win_wmiprvse_spawning_process.yml
	powershell_alternate_powershell_hosts.yml
	powershell_remote_powershell_session.yml
	sysmon_alternate_powershell_hosts_moduleload.yml
	sysmon_alternate_powershell_hosts_pipe.yml
	sysmon_non_interactive_powershell_execution.yml
	sysmon_powershell_execution_moduleload.yml
	sysmon_powershell_execution_pipe.yml
	sysmon_remote_powershell_session_network.yml
	sysmon_remote_powershell_session_process.yml
	sysmon_wmi_module_load.yml
	sysmon_wmiprvse_spawning_process.yml
 2019-10-24 15:48:38 +02:00
zinint aef5fa3c2b Rename powershell_winlogon_helper_dll.yaml to powershell_winlogon_helper_dll.yml 2019-10-24 16:37:38 +03:00
zinint 5a98fdbbbd ART t1004 2019-10-24 16:33:29 +03:00
zinint 317e9d3df9 PS Data Compressed attack.t1002 
PS Data Compressed attack.t1002
 2019-10-24 15:43:46 +03:00
4A616D6573 fdbdca003b Create win_powershell_web_request.yml 
Broader rule for detecting web requests via various methods using Windows PowerShell, slightly crosses over the below rules but caters for different methods:

https://github.com/Neo23x0/sigma/blob/99b15edf8add183543ca5738ec93f87416c34bd9/rules/windows/process_creation/win_powershell_download.yml
https://github.com/Neo23x0/sigma/blob/0fa914139ca85966b49f0a8eda40a3f26608e86b/rules/windows/powershell/powershell_suspicious_download.yml
 2019-10-24 11:57:37 +11:00
ecco 01956f1312 powershell false positives 2019-09-06 03:54:19 -04:00
Tareq AlKhatib 15e2f5df5f fixed typos 2019-06-29 15:35:59 +03:00
Alec Costello 886de39814 Small edits 
Got trigger happy, first time doing this, please dont cruicify me.
 2019-05-17 17:40:32 +03:00
Alec Costello d90c0ea990 Create powershell_nishang_malicious_commandlets.yml 2019-05-16 17:51:45 +03:00
mrblacyk 99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
Thomas Patzke c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Florian Roth 74e3c79f40 Rule: Suspicious PowerShell keywords 2019-02-11 13:02:38 +01:00
Tareq AlKhatib 7e4bb1d21a Removed duplicate filters 2019-01-25 12:21:57 +03:00
Florian Roth 90e8eba530 rule: false positive reduction in PowerShell rules 2019-01-22 16:37:36 +01:00
Thomas Patzke 96eb460944 Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00
Roberto Rodriguez 328762ed67 Update powershell_xor_commandline.yml 
Ducplicate names again for https://github.com/Neo23x0/sigma/search?q=Suspicious+Encoded+PowerShell+Command+Line&unscoped_q=Suspicious+Encoded+PowerShell+Command+Line . This brakes elastalert integration since each rule needs to have its own unique name.
 2018-12-05 05:51:41 +03:00
Thomas Patzke 900db72557 Merge branch 'master' of https://github.com/SherifEldeeb/sigma into SherifEldeeb-master 2018-12-04 23:35:23 +01:00
Kyle Polley 60538e2e12 changed .yaml files to .yml for consistency 2018-11-20 21:07:36 -08:00
Florian Roth fd06cde641 Rule: Detect base64 encoded PowerShell shellcode 
https://twitter.com/cyb3rops/status/1063072865992523776
 2018-11-17 09:10:09 +01:00
Sherif Eldeeb 23eddafb39 Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
Thomas Patzke ff98991c80 Fixed rule 2018-10-18 16:20:51 +02:00
Thomas Patzke a2da73053d Merge branch 'patch-9' of https://github.com/samsson/sigma into samsson-patch-9 2018-10-18 16:16:57 +02:00
Florian Roth a2c6f344ba Lower case T 2018-09-26 11:44:12 +02:00
Braz f35308a4d3 Missing Character 
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
 2018-09-26 11:40:24 +02:00
Thomas Patzke 81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth 68896d9294 style: renamed rule files to all lower case 2018-09-08 10:25:20 +02:00
megan201296 3154be82f3 Added .yml extension and fix typo 2018-09-06 20:28:22 -05:00
Lurkkeli 30fc4bd030 powershell xor commandline 
New rule to detect -bxor usage in a powershell commandline.
 2018-09-05 09:21:15 +02:00
Florian Roth 016b15a2a9 Added quotation marks 
I've added quotation marks to make it clearer (leading dash looks weird)
 2018-07-26 18:10:21 +02:00
Lurkkeli 7796492c2b Update powershell_NTFS_Alternate_Data_Streams 2018-07-26 08:54:08 -07:00
Florian Roth cf7f5c7473 Changes 
I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? 
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
 2018-07-25 07:35:59 +02:00
Lurkkeli db82322d17 Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:03:07 +02:00
Lurkkeli fd8c5c5bf6 Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:00:21 +02:00
Lurkkeli ad580635ea Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00
ntim c99dc9f643 Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00
Florian Roth fc72bd16af Fixed bugs 2018-06-27 09:20:41 +02:00
Thomas Patzke 8041f77abd Merged similar rules 2018-03-06 23:19:11 +01:00