security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

864 Commits

Author SHA1 Message Date
alexpetrov12 7aa804fe90 added new rules 
Packet capture Windows command prompt, ODBCCONF execution dll, Windows Registry Persistence - COM key linking
 2019-10-25 18:01:36 +03:00
Mikhail Larin 334301c185 OSCD event rules from Jet CSIRT team 2019-10-25 17:57:56 +03:00
stvetro dcaacd07bf 4 rules to cover ART 2019-10-25 15:38:47 +04:00
yugoslavskiy 5eb484a062 add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00
yugoslavskiy 4fb9821b49 added: 
win_non_interactive_powershell.yml
	win_remote_powershell_session.yml
	win_wmiprvse_spawning_process.yml
	powershell_alternate_powershell_hosts.yml
	powershell_remote_powershell_session.yml
	sysmon_alternate_powershell_hosts_moduleload.yml
	sysmon_alternate_powershell_hosts_pipe.yml
	sysmon_non_interactive_powershell_execution.yml
	sysmon_powershell_execution_moduleload.yml
	sysmon_powershell_execution_pipe.yml
	sysmon_remote_powershell_session_network.yml
	sysmon_remote_powershell_session_process.yml
	sysmon_wmi_module_load.yml
	sysmon_wmiprvse_spawning_process.yml
 2019-10-24 15:48:38 +02:00
yugoslavskiy 3934f6c756 add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00
alexpetrov12 cc998aa667 fix 2019-10-24 00:48:43 +03:00
alexpetrov12 f1ccf296f4 fix 2019-10-24 00:40:58 +03:00
alexpetrov12 d3715a508b fix 2019-10-23 18:15:46 +03:00
alexpetrov12 4c84412944 added new rule 
silenttrinity_stage_ use, sysmon_mimikatz_сreds_dump, sysmon_registry_persistence_key_linking, sysmon_сreds_dump
 2019-10-23 18:08:30 +03:00
alexpetrov12 e38540a37f fix 2019-10-23 13:28:04 +03:00
alexpetrov12 c1cfbacd24 fix 2019-10-23 13:18:57 +03:00
alexpetrov12 ad9b98541c fix 2019-10-23 13:05:38 +03:00
alexpetrov12 fa4a8c974d fix 2019-10-23 12:45:06 +03:00
alexpetrov12 f4ea01217e fix 2019-10-23 02:47:04 +03:00
alexpetrov12 ebe4fe0377 fix 2019-10-23 02:42:37 +03:00
alexpetrov12 6c4f4ce309 fix 2019-10-23 02:25:04 +03:00
alexpetrov12 8d0c89b598 added new rules 
add rule MiniDumpWriteDump via COM+, renamed_binary_description, cobalt_execute_assembly, win_sysmon_driver_onload
 2019-10-23 01:55:03 +03:00
root 2bd9d8a9d8 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:56:37 +02:00
root fb53855ae5 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:50:49 +02:00
Florian Roth deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Florian Roth c396526f40 rule: LSASS DLL load via undocumented Registry key 
https://twitter.com/SBousseaden/status/1183745981189427200
 2019-10-16 13:18:44 +02:00
Florian Roth e870c86fb0 rule: keyboad layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth 7ee3974428 rule: suspicious keyboard layout load 2019-10-14 16:25:27 +02:00
Florian Roth e0009bfb4a fix: merged duplicate rules 2019-10-01 16:14:38 +02:00
Florian Roth d8af435827 rule: RUN key pointing to suspicious folders 2019-10-01 16:08:31 +02:00
Florian Roth c44f940fb6 rule: suspicious RUN key created by exe in temp/download folders 2019-10-01 16:08:13 +02:00
Florian Roth de3a843bea Merge pull request #457 from EccoTheFlintstone/sysmon_eventid3 
sysmon eventid 3: filter on outgoing connections (initiated: true) to…
 2019-09-28 10:16:02 +02:00
ecco 7a1d48cccd fix: PsExec false positives 2019-09-26 04:50:43 -04:00
ecco 4c54e8322a sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives 2019-09-25 11:11:22 -04:00
ecco 0c96777f6a sysmon rules cleanup and move to process_creation 2019-09-11 10:24:43 -04:00
Florian Roth 038900e2fe fix: renamed powershell rule 2019-09-06 17:33:56 +02:00
Florian Roth 7f1b6eb311 fix: duplicate rule 2019-09-06 10:30:47 +02:00
Florian Roth fcbae16cc8 rule: image debugger 2019-09-06 10:28:20 +02:00
Florian Roth e9fc8d3d09 rule: split up registry debugger registration rule into two 2019-09-06 10:13:21 +02:00
Florian Roth 27f875755f rule: debugger registration 2019-09-06 10:08:09 +02:00
ecco 01956f1312 powershell false positives 2019-09-06 03:54:19 -04:00
Denys Iuzvyk 774be4d008 Escaped '\*' to '\*' where required 2019-09-04 14:05:58 +03:00
Florian Roth ca2019b57f fix: typo in MITRE tag 2019-08-27 12:32:56 +02:00
Florian Roth 6b7cd94197 Changes 2019-08-27 12:23:42 +02:00
weev3 d42a51372d Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30
Thomas Patzke 68fb56f503 Merge pull request #345 from ki11oFF/patch-1 
Detection of usage mimikatz trough WinRM
 2019-08-23 23:04:07 +02:00
Florian Roth c291038ebe rule: renamed powershell 2019-08-22 14:22:55 +02:00
Karneades 18bbec4bcd improve(rule): add Empire links and userland match 
Add default task name and powershell task command to match what the rule name says: detects default config.
 2019-08-09 11:58:43 +02:00
Florian Roth f3fb2b41b2 Rule: FP filters extended 2019-07-23 14:58:36 +02:00
Christophe Tafani-Dereeper 5bc10a4855 Include Github raw URLs in suspicious downloads detection rule 2019-07-05 09:01:35 +00:00
Thomas Patzke dbbc1751ef Converted rule to generic log source 2019-06-19 23:25:25 +02:00
Thomas Patzke d14f5c3436 Merge pull request #371 from savvyspoon/issue285 
CAR tagging
 2019-06-19 23:21:43 +02:00
Thomas Patzke d82df83ef1 Merge pull request #369 from TareqAlKhatib/refactors 
Refactors
 2019-06-19 23:16:19 +02:00
Michael Wade f70549ec54 First Pass 2019-06-13 23:15:38 -05:00