Commit Graph

6187 Commits

Author SHA1 Message Date
Florian Roth 85736ad859 Merge pull request #1467 from 2d4d/master
Update av_webshell.yml
2021-05-11 14:32:11 +02:00
frack113 f07c368ae0 Correct case-sensitive Key "OriginalFileName" 2021-05-11 11:18:01 +02:00
frack113 c4c720cc30 Correct case-sensitive Key "OriginalFileName" 2021-05-11 11:16:12 +02:00
frack113 720dd24814 Correct case-sensitive Key "OriginalFilename" 2021-05-11 11:13:33 +02:00
frack113 a1b0dfc0cd Correct case-sensitive Key "DestinationIp" 2021-05-11 10:49:10 +02:00
Bhabesh Rai d90965af38 Updated rule for Advanced IP Scanner 2021-05-10 20:28:37 +05:45
Florian Roth 67e807983c Merge pull request #1470 from SigmaHQ/rule-devel
New CS rule for malformed UAs, FP fixes
2021-05-10 13:40:27 +02:00
Florian Roth fcb7aa3bcf fix: FPs with rules 2021-05-10 12:42:59 +02:00
Florian Roth 270aedfd62 Merge pull request #1469 from d4rk-d4nph3/master
Added rule for RClone usage for exfiltration
2021-05-10 10:50:35 +02:00
Bhabesh Rai 9c8b9756e5 Added rule for RClone usage for exfiltration 2021-05-10 14:06:53 +05:45
Arnim Rupp b9fc257124 Update av_relevant_files.yml
added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?)
2021-05-09 00:03:47 +02:00
Arnim Rupp ad3b829f2d Update av_webshell.yml
Added new strings and moved some from startwith to contains.
2021-05-08 08:49:17 +02:00
Austin Songer 39a21a9e89 Got Rid of References that are no longer valid. 2021-05-06 14:14:08 -05:00
Florian Roth 384f40aa5b Merge pull request #1464 from d4rk-d4nph3/master
Added rule for Moriya rootkit
2021-05-06 18:15:53 +02:00
Florian Roth 453fa0f299 Update win_moriya_rootkit.yml 2021-05-06 15:24:21 +02:00
Florian Roth 79c11a5cba Update win_moriya_rootkit.yml 2021-05-06 14:59:28 +02:00
Bhabesh Rai e5f95cac0c Added rule for Moriya rootkit 2021-05-06 17:29:20 +05:45
phantinuss da533c7425 fixed title capitalization 2021-05-05 15:22:09 +02:00
phantinuss 254a3bb122 new rules detecting the creation of a local hidden user 2021-05-05 15:12:07 +02:00
Florian Roth 9e662b9159 Update sysmon_vuln_dell_driver_load.yml 2021-05-05 14:31:01 +02:00
Florian Roth 80c7899c56 rule: whoami priv 2021-05-05 14:27:36 +02:00
Florian Roth c4ad770830 Merge pull request #1462 from SigmaHQ/rule-devel
Rule devel
2021-05-05 13:21:30 +02:00
Florian Roth 615a284de3 Merge pull request #1461 from d4rk-d4nph3/master
Added rule for Pingback backdoor
2021-05-05 12:42:27 +02:00
Florian Roth 44097243bf rule: dell driver load 2021-05-05 12:12:08 +02:00
Florian Roth 0e9176776d refactor: moved rule 2021-05-05 12:11:59 +02:00
Bhabesh Rai 4529fbd1f3 Fixed too many spaces after hyphen error 2021-05-05 12:48:29 +05:45
Bhabesh Rai 1352f0b0a6 Added rule for Pingback backdoor 2021-05-05 12:37:50 +05:45
partyh4rd 5a98e36905 Update powershell_suspicious_getprocess_lsass.yml
fix mitre_code 1552.004 -> 1003.001
2021-05-04 14:04:52 +03:00
Florian Roth 451f25910d Merge pull request #1430 from Scoubi/patch-1
Create win_Outlook_C2_Macro_Creation.yml
2021-05-04 12:27:56 +02:00
Florian Roth de8386d553 Merge pull request #1429 from Scoubi/patch-2
Create win_Outlook_C2_Macro_Creation.yml
2021-05-04 12:27:50 +02:00
Florian Roth 4ad3316d74 Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml 2021-05-04 09:41:38 +02:00
Florian Roth 8973b573bd Update and rename rules/windows/other/win_Outlook_C2_Macro_Creation.yml to rules/windows/file_event/win_outlook_c2_macro_creation.yml 2021-05-04 09:36:26 +02:00
Florian Roth c877a9a68d Merge pull request #1454 from ZikyHD/fix_sysmon_registry_persistence_search_order
Fix sysmon registry persistence search order
2021-05-04 09:31:16 +02:00
Florian Roth ecb133f97d docs: extended authors of malicious pipe rule 2021-05-04 09:28:17 +02:00
Florian Roth c6aeee958e rule: more named pipes by @blueteam0ps 2021-05-04 09:27:11 +02:00
SomeOne 4aae26cabd Grouping filters 2021-05-01 21:05:34 +02:00
SomeOne 80dc6aaf59 Add FP and fix filters 2021-05-01 20:54:26 +02:00
Florian Roth ff50b5b659 Merge pull request #1451 from SigmaHQ/rule-devel
Different FP filters
2021-04-30 08:31:02 +02:00
Florian Roth 020e6c9e29 fix: FP with Edge and call by ordinal 2021-04-29 18:23:14 +02:00
Florian Roth 04709ab9f4 refactor: renamed procdump rule 2021-04-29 17:59:49 +02:00
Florian Roth 1bde7b3799 Merge pull request #1445 from blueteam0ps/patch-8
Create win_lateral_movement
2021-04-29 14:39:52 +02:00
Florian Roth 8af86fa97e docs: change title and add references 2021-04-29 12:33:10 +02:00
Florian Roth 4b86d3f407 Merge pull request #1449 from SigmaHQ/rule-devel
Rule devel
2021-04-29 12:28:12 +02:00
Florian Roth 3e5f7aeb5e rule: PowerShell Cmdlet Defender Exclusions 2021-04-29 09:56:26 +02:00
BlueTeamOps 59d23535ce Update win_lateral_movement.yml 2021-04-27 23:03:03 +10:00
BlueTeamOps 793504dd6b Rename win_lateral_movement to win_lateral_movement.yml 2021-04-27 22:59:52 +10:00
BlueTeamOps f75ad98903 Create win_lateral_movement
EID 4674 with the proposed attributes is very rare in a prod environment.
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
2021-04-27 22:55:58 +10:00
Florian Roth 9166167447 Merge pull request #1433 from d4rk-d4nph3/master
Added rule for Lazarus activity of Apr 2021
2021-04-26 20:34:51 +02:00
Florian Roth 3008e5b9e7 Merge pull request #1438 from ZikyHD/fix_process_creation_msdeploy
Fix typo on CommandLine field
2021-04-26 20:33:56 +02:00
Florian Roth 194b0af4d2 Merge pull request #1439 from ZikyHD/fix_win_manage-bde_lolbas
Fix typo on CommandLine field
2021-04-26 20:33:45 +02:00