Commit Graph

2788 Commits

Author SHA1 Message Date
Florian Roth ab499c9c21 rules: crypto coin mining 2021-10-26 08:52:07 +02:00
frack113 7c9da11fa7 fix title 2021-10-26 06:49:44 +02:00
frack113 4bcde17e00 Fix title 2021-10-26 06:49:05 +02:00
frack113 9e61ad2592 Merge pull request #2189 from austinsonger/windows_suspicious_rclone_execution
win_susp_rclone_execution.yml
2021-10-25 21:20:00 +02:00
frack113 8eee468cc3 Add detect_by_option 2021-10-25 20:49:30 +02:00
frack113 b3df5bf325 Merge pull request #2192 from frack113/update_win_shadow_copies_deletion
Update win_shadow_copies_deletion.yml
2021-10-25 20:29:48 +02:00
frack113 f8574fcd81 Add cve tags 2021-10-25 18:40:50 +02:00
frack113 162d869e2b Add cve tags 2021-10-25 18:14:03 +02:00
frack113 9ff310541a add selection3 2021-10-24 20:14:44 +02:00
frack113 9065485855 update detection 2021-10-24 20:12:55 +02:00
frack113 db640f6080 Update win_susp_rclone_execution.yml 2021-10-24 18:47:04 +02:00
Austin Songer 85d7cb6f3e Update process_creation_certoc_execution.yml 2021-10-24 11:06:51 -05:00
Austin Songer 5ded3e681c Update win_susp_rclone_execution.yml 2021-10-24 11:04:34 -05:00
Austin Songer 9664ec4c35 Update win_susp_rclone_execution.yml 2021-10-23 19:59:37 -05:00
Austin Songer c8383901e1 Update win_susp_rclone_execution.yml 2021-10-23 19:56:43 -05:00
Austin Songer 2d781ac20b Rename win_suspicious_rclone_execution.yml to win_susp_rclone_execution.yml 2021-10-23 19:55:19 -05:00
Austin Songer 05fcc0d890 Rename windows_suspicious_rclone_execution.yml to win_suspicious_rclone_execution.yml 2021-10-23 19:52:37 -05:00
Austin Songer 2f5e235dfe Delete sysmon_rclone_execution.yml 2021-10-23 19:51:59 -05:00
Austin Songer a771549057 Delete win_susp_rclone_exec.yml 2021-10-23 19:51:50 -05:00
Austin Songer 76aa8bf904 Create windows_suspicious_rclone_execution.yml 2021-10-23 19:50:03 -05:00
Austin Songer a78d6cce5f Create process_creation_certoc_execution.yml 2021-10-23 14:10:40 -05:00
Austin Songer b946106103 Delete process_creation_certoc_execution.yml 2021-10-23 14:09:58 -05:00
Austin Songer 4803d61f7f Create process_creation_certoc_execution.yml 2021-10-23 14:09:28 -05:00
Maxime THIEBAUT 9c25c89dbb Add LOLBin rule win_susp_workfolders 2021-10-21 11:43:27 +02:00
frack113 f61127f04e Merge pull request #2157 from frack113/update_wmic_uninstall
win_susp_wmic_security_product_uninstall update product list
2021-10-19 14:24:09 +02:00
phantinuss deecced962 fix: FP tuning when CommandLine logging is not activated for 4688 events 2021-10-19 13:37:28 +02:00
frack113 40e8dc506a update product list 2021-10-18 11:19:18 +02:00
frack113 a8a0d546f3 Merge pull request #2113 from austinsonger/process_creation_lolbins_suspicious_driver_install_by_pnputil.yml
process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
2021-10-17 08:10:18 +01:00
frack113 5756888b1b adds the alternative options 2021-10-17 08:33:32 +02:00
frack113 5aa62bd342 fix yml 2021-10-12 21:02:15 +02:00
frack113 37c637066b add process_creation_conti_cmd_ransomware.yml 2021-10-12 20:57:12 +02:00
frack113 7497fdb484 Merge pull request #2129 from d4rk-d4nph3/master
Added rule for possible persistence via VMTools
2021-10-10 10:55:06 +02:00
Bhabesh Rai a241f526ef Added more strict path 2021-10-10 07:54:40 +05:45
Bhabesh Rai a45e516f99 Added rule for possible persistence via VMTools 2021-10-08 13:28:35 +05:45
Mika Luhta e70d17745e Update modified field 2021-10-07 18:42:22 +02:00
Mika Luhta 0ee777e3b4 Fix rule detection logic
Changed ParentImage to Image
2021-10-07 14:25:18 +03:00
frack113 4f86a245f8 Order file in correct directory 2021-10-05 07:30:43 +02:00
frack113 201708c097 Merge pull request #2103 from webboy2015/patch-1
Create win_lolbas_execution_of_nltest.exe.yaml
2021-10-05 07:24:05 +02:00
frack113 654b5b4bff Update win_lolbas_execution_of_nltest.yml 2021-10-04 22:08:47 +02:00
frack113 dc030e0128 Merge pull request #2114 from austinsonger/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-10-03 08:24:52 +02:00
Austin Songer 81d1bb0e2b Update process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 2021-10-02 13:32:20 -05:00
frack113 f652745924 Update and rename win_lolbas_execution_of_nltest.exe to win_lolbas_execution_of_nltest.yml 2021-10-02 07:53:19 +02:00
frack113 e6b32b90af Update win_lolbas_execution_of_nltest.exe 2021-10-02 07:25:11 +02:00
webboy2015 87df79302d Update win_lolbas_execution_of_nltest.exe
Changed condition as follows:
    detection:
        selection:
            EventID: 4689
            ProcessName|endswith: nltest.exe
            Status: "0x0"
        condition: selection

Included field - SubjectDomainName
2021-10-01 12:55:37 -07:00
frack113 19a834e317 Merge pull request #2111 from TareqAlKhatib/master
Corrected Technique
2021-10-01 15:17:01 +02:00
Tareq Alkhatib 0d22601112 Added Compromise Infrastructure: Web Services technique 2021-10-01 08:40:59 -04:00
Austin Songer 04acba9c77 Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 2021-09-30 19:58:21 -05:00
Austin Songer d55ffe721e Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:19:18 -05:00
Austin Songer e274df1b13 Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:18:38 -05:00
Austin Songer b14d9e3826 Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:16:02 -05:00