Commit Graph

6187 Commits

Author SHA1 Message Date
frack113 4a66ea04bd fix tags 2021-09-29 08:26:05 +02:00
zaicurity a2418e4d2c Added alternative command parameter
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection.
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-28 17:39:21 +02:00
frack113 c27084dd0c Merge pull request #2094 from frack113/backend_sysmon
Fix logsource not a string
2021-09-28 16:22:58 +02:00
frack113 c3222945ef Merge pull request #2093 from austinsonger/win_sysmon_driver_unload.yml
win_sysmon_driver_unload.yml
2021-09-28 16:22:43 +02:00
Austin Songer 3e7b3073cf Update win_sysmon_driver_unload.yml 2021-09-27 23:30:30 -05:00
Florian Roth 1da59d9175 Merge pull request #2092 from SigmaHQ/rule-devel
docs: changed description
2021-09-27 23:13:09 +02:00
Florian Roth 4161cd909f docs: changed description 2021-09-27 23:12:18 +02:00
Florian Roth 10b70edff0 Merge pull request #2091 from SigmaHQ/rule-devel
NOBELIUM FoggyWeb backdoor loading
2021-09-27 23:09:18 +02:00
Florian Roth b227f8459d fix: typo in filename 2021-09-27 22:37:20 +02:00
Florian Roth ada966c5be Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-09-27 22:34:30 +02:00
Florian Roth cee44e6688 renamed files: lowercase 2021-09-27 22:33:30 +02:00
Florian Roth 97bb6a0257 rule: NOBELIUM FoggyWeb 2021-09-27 22:28:25 +02:00
frack113 bcf40fa4e4 Fix logsource not a string 2021-09-27 18:59:05 +02:00
Florian Roth 5ef1c913cf fix: wrong condition
https://github.com/SigmaHQ/sigma/issues/2089
2021-09-27 18:33:57 +02:00
Florian Roth f196e3174d refactor: moved last global rule to unsupported 2021-09-26 10:54:11 +02:00
frack113 7dc574bc01 Merge pull request #2078 from kidrek/win_process_dump_rdrleakdiag
add new rule win_process_dump_rdrleakdiag
2021-09-25 07:55:52 +02:00
kidrek 267da51745 The issues have been fixed 2021-09-24 22:18:00 +02:00
kidrek ecd4719a20 add new rule win_process_dump_rdrleakdiag 2021-09-24 18:22:06 +02:00
frack113 ef75695647 convert re to endswith 2021-09-24 15:39:56 +02:00
frack113 aa96f21d0f fix filename 2021-09-23 14:52:56 +02:00
Florian Roth bb2e6acd40 Merge pull request #1926 from pbssubhash/master
Adding CVE exploitation attempt detection: Year - 2010
2021-09-23 14:08:15 +02:00
frack113 c59b0eb543 Merge pull request #2063 from frack113/last_global
Split Last Global Rules
2021-09-23 13:54:57 +02:00
Florian Roth 3107ede1c4 Merge branch 'pr/2065' 2021-09-23 09:18:15 +02:00
Austin Songer 53f426342c Update win_file_winword_cve_2021_40444.yml 2021-09-22 22:26:05 -05:00
Austin Songer ab613af365 Update sysmon_atlassian_confluence_cve_2021_26084_exploit.yml 2021-09-22 22:24:24 -05:00
frack113 3ac0d93f5b Merge pull request #2062 from Pooch11/win-apt-greenbug-fix
win-apt-greenbug-fix small change to B64encoded value of '/server='
2021-09-22 20:05:37 +02:00
frack113 6e6d57b019 fix filename 2021-09-22 18:45:08 +02:00
unknown 9924cc3946 win-apt-greenbug-fix amend b64 value of /server= as seen in IOC 2021-09-22 10:33:04 -04:00
frack113 ab5f5f95bc fix filename 2021-09-22 16:27:05 +02:00
frack113 3c906b52a0 fix filename 2021-09-22 16:21:07 +02:00
frack113 7b995f2d99 Merge pull request #2057 from secDre4mer/master
Add two rules
2021-09-22 09:15:32 +02:00
frack113 045e87058b add definition 2021-09-22 08:40:08 +02:00
unknown 3ace73f9fd win-apt-greenbug-fix - change modified date as well 2021-09-21 16:59:32 -04:00
unknown 993bf46550 win-apt-greenbug-fix small change to B64encoded value of '/server=' in detection criteria 2021-09-21 16:56:01 -04:00
frack113 db9e6124e3 fix too many blank lines 2021-09-21 20:24:02 +02:00
frack113 6e08ba55c4 fix error 2021-09-21 20:16:26 +02:00
frack113 b5e91d7185 fix field name and date 2021-09-21 19:41:46 +02:00
frack113 d37685d7cc split global win_cobaltstrike_service_installs.yml 2021-09-21 19:36:34 +02:00
frack113 06a07605fd split global win_mal_creddumper.yml 2021-09-21 19:31:52 +02:00
Florian Roth d884f774f9 Update powershell_memorydump_getstoragediagnosticinfo.yml 2021-09-21 18:01:46 +02:00
phantinuss 46febf48b0 fix: remove rule, too many FPs and no better matching criteria 2021-09-21 16:52:17 +02:00
frack113 dde3b17c20 split global win_mal_service_installs.yml 2021-09-21 16:17:59 +02:00
frack113 518d294ee9 fix id error 2021-09-21 16:06:27 +02:00
frack113 b9d14ef55a split global win_metasploit_or_impacket_smb_psexec_service_install.yml 2021-09-21 16:02:47 +02:00
Max Altgelt bf9bc03258 chore: properly name and describe rules 2021-09-21 15:59:01 +02:00
frack113 9dbc71ca2f split global win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 2021-09-21 15:50:06 +02:00
frack113 0dd549ba67 fix selection name 2021-09-21 15:25:03 +02:00
frack113 7c8d1ab037 split global win_moriya_rootkit.yml 2021-09-21 15:18:25 +02:00
frack113 a4ad7e5358 split global win_net_ntlm_downgrade.yml 2021-09-21 15:10:08 +02:00
Max Altgelt 8c3faa390c feat: Add rule for live memory dumping 2021-09-21 15:09:12 +02:00