Austin Songer
18d65387b5
Create process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
2021-09-30 19:15:03 -05:00
Tareq Alkhatib
b0b95ce32b
Corrected Technique
2021-09-30 16:34:14 -04:00
frack113
e900945761
Update win_trust_discovery.yml
2021-09-30 19:26:14 +02:00
zaicurity
76224b0fb2
Added alternative nltest command parameter
Same as recent change to "Recon Activity with NLTEST" (see commit a2418e4d2c)
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection.
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-30 18:12:19 +02:00
webboy2015
056067086c
Create win_lolbas_execution_of_nltest.exe.yaml
The attacker might use LOLBAS nltest.exe for the discovery of domain controllers, domain trusts, parent domain, and the current user permissions. This event can be detected in the Windows Security Log by looking for event id 4689 indicating that nltest.exe was executed and has exited with the execution result of "0x0".
2021-09-29 14:33:36 -07:00
frack113
ed1a1caa2e
Merge pull request #2098 from frack113/fix_tags
fix tags in win_susp_mpcmdrun_download.yml
2021-09-29 17:06:18 +02:00
neonprimetime security (Justin C Miller)
2ae2c35a7f
misspelled 'mshta.exe' in selection_base
it said 'mhsta.exe' and it should say 'mshta.exe'
2021-09-29 07:47:12 -05:00
frack113
4a66ea04bd
fix tags
2021-09-29 08:26:05 +02:00
zaicurity
a2418e4d2c
Added alternative command parameter
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection.
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-28 17:39:21 +02:00
frack113
c3222945ef
Merge pull request #2093 from austinsonger/win_sysmon_driver_unload.yml
win_sysmon_driver_unload.yml
2021-09-28 16:22:43 +02:00
Austin Songer
3e7b3073cf
Update win_sysmon_driver_unload.yml
2021-09-27 23:30:30 -05:00
Florian Roth
b227f8459d
fix: typo in filename
2021-09-27 22:37:20 +02:00
Florian Roth
ada966c5be
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-09-27 22:34:30 +02:00
Florian Roth
cee44e6688
renamed files: lowercase
2021-09-27 22:33:30 +02:00
kidrek
267da51745
The issues have been fixed
2021-09-24 22:18:00 +02:00
kidrek
ecd4719a20
add new rule win_process_dump_rdrleakdiag
2021-09-24 18:22:06 +02:00
frack113
c59b0eb543
Merge pull request #2063 from frack113/last_global
Split Last Global Rules
2021-09-23 13:54:57 +02:00
Florian Roth
3107ede1c4
Merge branch 'pr/2065'
2021-09-23 09:18:15 +02:00
Austin Songer
ab613af365
Update sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
2021-09-22 22:24:24 -05:00
frack113
6e6d57b019
fix filename
2021-09-22 18:45:08 +02:00
unknown
9924cc3946
win-apt-greenbug-fix amend b64 value of /server= as seen in IOC
2021-09-22 10:33:04 -04:00
frack113
ab5f5f95bc
fix filename
2021-09-22 16:27:05 +02:00
frack113
3c906b52a0
fix filename
2021-09-22 16:21:07 +02:00
unknown
3ace73f9fd
win-apt-greenbug-fix - change modified date as well
2021-09-21 16:59:32 -04:00
unknown
993bf46550
win-apt-greenbug-fix small change to B64encoded value of '/server=' in detection criteria
2021-09-21 16:56:01 -04:00
frack113
8c13bd23b9
split global win_powershell_web_request
2021-09-21 13:44:19 +02:00
frack113
ba3c7a020a
split global win_root_certificate_installed.yml
2021-09-21 13:34:32 +02:00
frack113
6368a88ad3
split global win_software_discovery.yml
2021-09-21 13:28:47 +02:00
frack113
4718f914e9
split global sysmon_hack_dumpert.yml
2021-09-21 10:43:42 +02:00
frack113
318f8b714e
split global win_tool_psexec.yml
2021-09-21 10:10:48 +02:00
Florian Roth
8909eefb90
Merge pull request #2052 from phantinuss/pr
xwizard dll sideloading
2021-09-20 12:35:42 +02:00
phantinuss
25a407e24f
Update win_dll_sideload_xwizard.yml
2021-09-20 10:56:37 +02:00
Florian Roth
6c630502dc
Update win_dll_sideload_xwizard.yml
2021-09-20 10:54:53 +02:00
phantinuss
4e794fe3e7
xwizard dll sideloading
2021-09-20 10:39:31 +02:00
frack113
d5108502a2
split win_apt_chafer_mar18.yml
2021-09-19 11:48:20 +02:00
frack113
faff9e6db7
split win_apt_slingshot.yml
2021-09-19 11:36:40 +02:00
frack113
e69ec4624a
split win_apt_gallium.yml
2021-09-19 11:24:17 +02:00
frack113
c43c12e557
split win_apt_turla_commands.yml
2021-09-19 11:17:50 +02:00
frack113
b576ad115b
split win_apt_unidentified_nov_18.yml
2021-09-19 11:11:04 +02:00
frack113
06de91c92a
split win_apt_wocao.yml
2021-09-19 11:07:24 +02:00
frack113
dc8ad15d1a
split win_exchange_transportagent.yml
2021-09-19 11:03:16 +02:00
frack113
deb0ad5f58
split win_hktl_createminidump.yml
2021-09-19 10:19:34 +02:00
frack113
18e7e16005
split win_mal_adwind.yml
2021-09-19 10:12:03 +02:00
frack113
416b0556b1
split win_silenttrinity_stage_use.yml
2021-09-19 10:02:05 +02:00
frack113
7d000f2b1d
split win_susp_winrm_AWL_bypass.yml
2021-09-19 09:41:17 +02:00
frack113
6dd4315f36
Merge pull request #2035 from frack113/fix_bad_category
Fix bad category in possible_privilege_escalation_via_service_registry_permissions
2021-09-17 06:35:29 +02:00
frack113
8a847e0538
Update process_creation_possible_privilege_escalation_via_service_registry_permissions.yml
2021-09-15 19:05:31 +02:00
frack113
973e0666ac
Merge pull request #2020 from frack113/pc_global
Split some global process_creation rules
2021-09-15 19:03:30 +02:00
frack113
3b8282c221
fix detection
2021-09-15 16:21:30 +02:00
frack113
437ea3408b
split sysmon_stickykey_like_backdoor.yml
2021-09-12 09:58:43 +02:00