Steven Goossens
e5f36dd146
Added rules files split into folders
2020-06-10 16:32:30 +02:00
Remco Hofman
8adaa2d672
Fixed bad indentation
2020-06-10 15:02:41 +02:00
Remco Hofman
83a6e25bcb
Fax Service DLL search order hijacking
2020-06-10 15:01:07 +02:00
Remco Hofman
cb8e478ac1
Sigma rule to detect Office persistence via addin.
2020-06-10 14:52:13 +02:00
Florian Roth
5c835cf1f2
Merge pull request #813 from ozirus/patch-1
Create sysmon_apt_muddywater_dnstunnel.yml
2020-06-09 18:44:45 +02:00
Florian Roth
7a334a8d8a
fix: missed line
2020-06-09 17:30:54 +02:00
Florian Roth
04913a4b95
Aligned indentation
2020-06-09 17:20:25 +02:00
Florian Roth
9b8f8b7e09
Merge pull request #822 from NVISO-BE/win_mal_flowcloud
TA410 FlowCloud malware detection
2020-06-09 17:18:39 +02:00
Remco Hofman
a9bf22750a
Fixed bad indentation
2020-06-09 16:30:17 +02:00
Remco Hofman
4ce3ea735e
TA410 FlowCloud malware detection
2020-06-09 16:21:46 +02:00
Remco Hofman
d14d391761
Octopus Scanner malware rule
2020-06-09 16:12:05 +02:00
Florian Roth
6e349030d9
rule: suspicious camera and mic access
2020-06-08 10:18:44 +02:00
Florian Roth
0c2f2fe6df
Merge pull request #816 from Neo23x0/rule-devel
merged Cyb3rWarD0g's rules
2020-06-06 16:27:59 +02:00
Florian Roth
d3e261862d
merged Cyb3rWarD0g's rules
2020-06-06 15:42:22 +02:00
Florian Roth
72deaa98f5
Merge pull request #815 from Neo23x0/rule-devel
Rule devel
2020-06-06 14:19:37 +02:00
Florian Roth
3697186281
fix: fixed title
2020-06-06 14:04:40 +02:00
Florian Roth
246a95557b
fix: description over multiple lines
2020-06-06 13:56:48 +02:00
Florian Roth
d54209dcc5
rule: ETW disabled
2020-06-06 13:56:19 +02:00
Florian Roth
2e77e65285
rule: Covenant launchers
2020-06-05 11:03:28 +02:00
Furkan ÇALIŞKAN
082696ee84
Added UUID
2020-06-04 18:38:42 +03:00
Furkan ÇALIŞKAN
e958a6a939
Date added
2020-06-04 18:34:44 +03:00
Furkan ÇALIŞKAN
5e373153eb
Title fix
2020-06-04 18:28:37 +03:00
Furkan ÇALIŞKAN
0744107fbb
Deleted EventID part
2020-06-04 18:19:08 +03:00
Furkan ÇALIŞKAN
1c677aa172
Fix title as in guideline
Fix title error as in guideline and other cosmetic changes
2020-06-04 18:13:32 +03:00
Furkan ÇALIŞKAN
bafd6bde5f
Convert to process_creation
Convert to process_creation
2020-06-04 14:45:10 +03:00
Furkan ÇALIŞKAN
09afae1e66
Create sysmon_apt_muddywater_dnstunnel.yml
Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
2020-06-04 14:27:19 +03:00
Trent Liffick
6c8c0cd85d
Removed incorrect technique
2020-06-03 17:51:57 -04:00
Trent Liffick
3c89f46899
removed unwanted file
2020-06-03 17:43:12 -04:00
Trent Liffick
2af501c9f5
added rule for zLoader & Office
detects changes to Office macro settings & ZLoader malware
2020-06-03 17:40:05 -04:00
Trent Liffick
a2ca199e7d
added rules for Lazarus and hhsgov
2020-06-03 17:38:03 -04:00
William Bruneau
84dd8c39c4
Move null values out from list in rules
2020-06-03 13:57:22 +02:00
Sven Scharmentke
4ed512011a
All Rules use 'TargetFilename' instead of 'TargetFileName'.
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00
ecco
b1c11cc345
add WMI module load false positive
2020-06-01 03:30:27 -04:00
Florian Roth
74e16fdccd
Merge pull request #803 from gamma37/clear_cmd_history
Edit Clear Command History
2020-05-29 17:32:43 +02:00
Florian Roth
e20b58c421
Merge pull request #806 from SanWieb/sysmon_creation_system_file
Fixed wrong field & Improve rule
2020-05-29 17:32:27 +02:00
Sander Wiebing
a00f7f19a1
Add tag Endswith
Prevent the trigger of {}.exe.log
2020-05-29 16:25:54 +02:00
Sander Wiebing
38afd8b5de
Fixed wrong field
2020-05-28 21:52:17 +02:00
Florian Roth
7f2fa05ed3
Merge pull request #802 from Neo23x0/rule-devel
ComRAT and KazuarRAT
2020-05-28 11:16:44 +02:00
gamma37
537bda4417
Update lnx_shell_clear_cmd_history.yml
2020-05-28 10:56:35 +02:00
gamma37
5a48934822
Edit Clear Command History
I suggest a new point of view to detect that bash_history has been cleared: instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.
2020-05-28 10:52:17 +02:00
Florian Roth
39b41b5582
rule: moved DebugView rule to process creation category
2020-05-28 10:13:38 +02:00
Florian Roth
76dcc1a16f
rule: renamed debugview
2020-05-28 09:22:25 +02:00
Florian Roth
ec313b6c8a
Merge pull request #801 from SanWieb/sysmon_creation_system_file
Rule: sysmon_creation_system_file
2020-05-27 08:49:20 +02:00
Sander Wiebing
d44fc43c54
Add extension
2020-05-26 19:10:11 +02:00
Sander Wiebing
f6ec724d51
Rule: sysmon_creation_system_file
2020-05-26 18:53:54 +02:00
Florian Roth
5bb6770f53
Merge pull request #800 from SanWieb/win_system_exe_anomaly
Extended Windows processes: win_system_exe_anomaly
2020-05-26 14:28:47 +02:00
Florian Roth
4ca81b896d
rule: Turla ComRAT report
2020-05-26 14:19:22 +02:00
Sander Wiebing
3681b8cb56
Extended Windows processes
2020-05-26 13:56:51 +02:00
Florian Roth
0b398c5bf0
Merge pull request #798 from Neo23x0/rule-devel
rule: confluence exploit CVE-2019-3398 & Turla ComRAT
2020-05-26 13:31:57 +02:00
Florian Roth
c1f4787566
Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048
Changes to sysmon_cve-2020-1048
2020-05-26 13:21:04 +02:00