security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

2788 Commits

Author SHA1 Message Date
ecco bdf8f99fdb fix typo 2019-09-04 11:31:00 -04:00
Florian Roth 7bef822da7 rule: minor improvement to susp ps enc cmd 2019-09-04 16:31:49 +02:00
Denys Iuzvyk 774be4d008 Escaped '\*' to '\*' where required 2019-09-04 14:05:58 +03:00
ecco fc89804f34 rule: impacket framework lateralization detection 2019-09-03 10:28:59 -04:00
ecco 8cad0c638e add comcvcs.dll memdump method 2019-09-02 07:49:19 -04:00
Florian Roth dca5a7a248 Merge pull request #432 from EccoTheFlintstone/master 
add/modify powershell Empire rules
 2019-09-02 11:40:36 +02:00
ecco 5f30e52739 add/modify powershell Empire rules 2019-09-02 05:04:44 -04:00
Florian Roth ace0cc36c6 rule: improved csc rule 2019-08-31 08:44:09 +02:00
Florian Roth f2c44c80b6 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/windows/process_creation/win_encoded_frombase64string.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
 2019-08-28 09:21:25 +02:00
Florian Roth f71dc41531 rule: extended csc rule 2019-08-28 09:00:43 +02:00
Florian Roth 406b40af11 rule: suspicious msbuild folder 2019-08-28 09:00:35 +02:00
Florian Roth 70a26a6132 fix: fixed MITRE tags 2019-08-24 13:58:54 +02:00
Florian Roth c321fc2680 rule: csc.exe suspicious source folder 2019-08-24 13:53:15 +02:00
Florian Roth b32ed3c817 rules: encoded FromBase64String keyword 2019-08-24 13:53:05 +02:00
Florian Roth 1dfd560299 rule: csc.exe suspicious source folder 2019-08-24 13:49:40 +02:00
Florian Roth a137a1380b rules: encoded FromBase64String keyword 2019-08-24 12:38:51 +02:00
Florian Roth c9a4e6fe8a rule: process creations in env var folders 2019-08-24 08:26:37 +02:00
Florian Roth 87ce52f6fe fix: fixed wrong MITRE tag 2019-08-23 23:19:39 +02:00
Florian Roth 5bd242cb21 rule: encoded IEX 2019-08-23 23:13:36 +02:00
Florian Roth cc01f76e99 docs: minor changes 2019-08-22 14:22:55 +02:00
ecco d0a24f4409 filter NULL values to remove false positives 2019-08-20 05:10:41 -04:00
Florian Roth 4fcb52d098 fix: removed mmc susp rule due to many FPs 2019-08-07 14:26:15 +02:00
Florian Roth f6fd1df6f4 Rule: separate Ryuk rule created for VBurovs strings 2019-08-06 10:33:46 +02:00
Florian Roth a8b738e346 Merge pull request #380 from vburov/patch-5 
Ryuk Ransomware commands from real case
 2019-08-06 10:29:00 +02:00
Karneades 42e6c9149b Remove unneeded event code 2019-08-05 19:13:39 +02:00
Karneades 0e3cc042f4 Add more exclusions to mmc process rule 2019-08-05 18:53:33 +02:00
Karneades 5caa951b8f Add new rule for detecting MMC spawning a shell 
Add (analog to win_mshta_spawn_shell.yml) a dedicated rule for dedecting MMC spawning a shell. See https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml. And it should cover the (removed) cmd part from the existing rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_mmc_source.yml.
 2019-08-05 18:42:31 +02:00
Karneades cfe44ad17d Fix win_susp_mmc_source to match what title says 
Remove cmd.exe filter to match what title and rule says: detect all processes created by MMC. A new dedicated rule will be created for detecting shells spawned by MMC.
 2019-08-05 16:21:56 +02:00
Florian Roth 6a8adc72ac rule: reworked vssadmin rule 2019-08-04 11:27:17 +02:00
Florian Roth d32fc2b2cf fix: fixing rule win_cmstp_com_object_access 
https://github.com/Neo23x0/sigma/issues/408
 2019-07-31 14:16:52 +02:00
Florian Roth 0657f29c99 Rule: reworked win_susp_powershell_enc_cmd 2019-07-30 14:36:30 +02:00
Tareq AlKhatib d08a993159 Fixed commandline to detect any shim install from any location 2019-07-08 12:31:18 +03:00
Florian Roth 0b883a90b6 fix: null value in separate expression 2019-07-02 20:14:45 +02:00
Florian Roth ce43d600e3 fix: added null value / application to 4688 problem 2019-07-02 10:51:48 +02:00
Vasiliy Burov 2f123f64a7 Added command that stops services. 2019-06-28 19:46:34 +03:00
Vasiliy Burov 3813d277a6 Ryuk Ransomware commands from real case 2019-06-28 19:26:05 +03:00
Florian Roth ad386474bf fix: removed unusable extensions in proc exec context 2019-06-26 17:03:01 +02:00
Florian Roth 708f3ef002 fix: fixed duplicate element in new double extension rule 2019-06-26 16:00:58 +02:00
Florian Roth 41dc076959 Rule: suspicious double extension 2019-06-26 15:57:25 +02:00
Florian Roth 39b5eddfc7 Rule: Suspicious userinit.exe child process 2019-06-23 13:27:06 +02:00
Florian Roth 26036e0d35 fix: fixed image in taskmgr rule 2019-06-21 17:15:53 +02:00
Thomas Patzke ff7128209e Adjusted level 2019-06-20 00:03:48 +02:00
Thomas Patzke 0f8849a652 Rule fixes 
* tagging
* removed spaces
* converted to generic log source
* typos/case
 2019-06-20 00:01:56 +02:00
Thomas Patzke 429c29ed5a Merge pull request #363 from yugoslavskiy/win_kernel_and_3rd_party_drivers_exploits_token_stealing 
rule added: Windows Kernel and 3rd-party drivers exploits. Token stea…
 2019-06-19 23:43:10 +02:00
Thomas Patzke dbbc1751ef Converted rule to generic log source 2019-06-19 23:25:25 +02:00
Michael Wade f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Thomas Patzke a23f15d42b Converted rule to generic log source 2019-06-11 13:20:15 +02:00
Thomas Patzke 5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
yugoslavskiy 5827165c2d event id deleted 2019-06-03 15:51:54 +02:00
yugoslavskiy cf947e3720 changed to process_creation category 2019-06-03 15:47:24 +02:00