security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

6187 Commits

Author SHA1 Message Date
GlebSukhodolskiy daaba7022b Merge branch 'oscd' into oscd_wmi 2021-02-06 00:34:53 +03:00
bartlomiej-czyz ae15cef5e7 Rename .yaml to .yml 2021-02-03 22:20:48 +01:00
bartlomiej-czyz e79168ee56 Create win_rundll32_without_parameters.yml 2021-02-03 22:18:23 +01:00
bartlomiej-czyz 3e9c177c65 Create win_metasploit_or_impacket_smb_psexec_service_install.yaml 2021-02-03 22:16:21 +01:00
BlueTeamOps 1a124f9193 Added win_ad_find_discovery.yml 
Rule to detect the most commons switches used in AdFind tool
 2021-02-02 23:34:10 +11:00
BlueTeamOps c3c706503e Update win_sus_auditpol_usage.yml 2021-02-02 22:24:54 +11:00
BlueTeamOps b0d0bb95b0 Created win_sus_auditpol_usage.yml 
This adds detection for suspicious behaviour of the auditpol binary
 2021-02-02 19:12:13 +11:00
Florian Roth 309e15dc5c rule: add call by ordinal 2021-02-01 20:16:31 +01:00
Florian Roth 597633c938 rule: ShimCache Flush 2021-02-01 20:05:28 +01:00
Florian Roth 179db920ec Merge pull request #1343 from Neo23x0/rule-devel 
Rule devel
 2021-02-01 12:28:22 +01:00
Florian Roth aaeb72a2b6 fix: FPs 2021-02-01 11:47:23 +01:00
Florian Roth 33fee6af8b rule: security product uninstallation 2021-01-30 11:24:08 +01:00
Florian Roth e533b4effb fix: tags 2021-01-28 13:51:51 +01:00
Florian Roth cd4491cba2 rule: disable volume snaptshots 2021-01-28 13:48:30 +01:00
Florian Roth 6b9eef58da Merge pull request #1338 from Neo23x0/rule-devel 
Improved UNC2452 activity rules
 2021-01-25 14:36:44 +01:00
Florian Roth 7d99a48bb2 rule: new Quakbot pattern 2021-01-25 12:03:30 +01:00
Florian Roth b62c705bf0 Improved UNC2452 activity rules 2021-01-22 09:18:11 +01:00
k-vdv e4edf7bc1b fix service from system to security for rule win_pcap_drivers.yml 2021-01-22 09:10:02 +01:00
David Straßegger 6a6929cfb6 implemented rule for scheduled task deletion 2021-01-22 08:09:56 +01:00
Florian Roth efa39eb18d Merge pull request #1336 from Neo23x0/rule-devel 
rule: Raccine uninstall
 2021-01-21 18:17:31 +01:00
Florian Roth 4ad70f0aaa rule: Raccine uninstall 2021-01-21 17:59:17 +01:00
Florian Roth 492d931138 Merge pull request #1335 from Neo23x0/rule-devel 
rule: UNC2452 PowerShell pattern
 2021-01-21 09:20:22 +01:00
Florian Roth c5a7558ca0 fix: fixed actor name in description 2021-01-21 09:19:51 +01:00
Florian Roth a0b8eeac6f fix: minor issues 2021-01-20 18:52:50 +01:00
Florian Roth 8b319e3686 rule: UNC2452 PowerShell pattern 2021-01-20 18:51:49 +01:00
Florian Roth cd4fbca66b Merge pull request #1330 from d4rk-d4nph3/master 
Added Stealthy Office Persistence via VSTO
 2021-01-20 11:36:25 +01:00
Florian Roth c00d3a8fe0 Merge pull request #1334 from Neo23x0/rule-devel 
rule: plink anomaly rules
 2021-01-20 11:36:16 +01:00
Florian Roth eedc483be4 rework: impossible rule with Sysmon 2021-01-19 14:12:40 +01:00
Florian Roth fdc969385a rule: plink anomaly rules 2021-01-19 12:39:40 +01:00
Florian Roth 7162528a1a docs: removed CVE 2021-01-15 13:25:10 +01:00
Florian Roth 3d2c6a118d Merge pull request #1332 from 2d4d/master 
Add xHunt Campaign: BumbleBee Webshell
 2021-01-13 18:19:01 +01:00
Florian Roth d58cdeab3a Merge pull request #1331 from Neo23x0/rule-devel 
rule: NTFS vulnerability
 2021-01-12 09:09:33 +01:00
Arnim Rupp b2860b870e Update win_webshell_detection.yml 2021-01-11 21:08:20 +01:00
Florian Roth cf37abee4d docs: more details 2021-01-11 19:56:36 +01:00
Arnim Rupp 5d80d634c3 Add xHunt Campaign: BumbleBee Webshell 
add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
 2021-01-11 19:44:07 +01:00
Florian Roth a0fccf8647 rule: NTFS vulnerability 
https://twitter.com/jonasLyk/status/1347900440000811010
 2021-01-11 14:51:26 +01:00
Bhabesh Rai 93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45
Florian Roth c571285fd8 Merge pull request #1329 from Neo23x0/rule-devel 
Rule devel
 2021-01-09 11:32:36 +01:00
Florian Roth 63cc0d23c6 changes provided by FPT.EagleEye Team in 
https://github.com/Neo23x0/sigma/pull/1218/files
 2021-01-09 10:38:20 +01:00
Florian Roth 19171f5bed Merge pull request #1315 from rtkdmasse/split-up-cmstp-rule 
Split up cmstp rule into 3 separate rules and remove duplicates
 2021-01-09 10:30:33 +01:00
Florian Roth 947925d81f Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic 
Update the azure image_load rule to be a generic sysmon rule
 2021-01-09 10:29:52 +01:00
Florian Roth 04f7766d7a Merge pull request #1319 from hieuttmmo/master 
Detect Emotet DLL loading by looking rundll32.exe
 2021-01-09 10:29:24 +01:00
Florian Roth 1a8bb9c991 Merge pull request #1327 from 2d4d/master 
more AV event and suspicious commands
 2021-01-09 10:28:30 +01:00
GlebSukhodolskiy 3f519ffa20 Just Check 2021-01-07 21:31:51 +03:00
Arnim Rupp d5de3fe5f9 more AV event and suspicious commands 
some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?
 2021-01-07 17:54:19 +01:00
GlebSukhodolskiy da5ec4e952 Update win_wmi_persistence.yml 
Removed sequence of EIDs in Windows Security section.
 2021-01-06 16:50:28 +03:00
yugoslavskiy befcad2df7 Merge pull request #1234 from w0rk3r/oscd1 
[OSCD] Update win_susp_replace_lolbin.yml
 2021-01-06 00:32:55 +03:00
yugoslavskiy 6ebcb10abd Merge pull request #1233 from V3T0/v3t0_oscd_lolbas_runonce_susp_execution 
[OSCD] Added a rule to detect execution of runonce with suspicious parameters
 2021-01-06 00:32:44 +03:00
yugoslavskiy 3bf1663503 Merge pull request #1232 from V3T0/v3t0_oscd_lolbas_tracker 
[OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments
 2021-01-06 00:32:35 +03:00
yugoslavskiy e4c302bf6f Merge pull request #1231 from vburov/patch-16 
[OSCD] Detects LockerGoga Ransomware command line.
 2021-01-06 00:30:08 +03:00