security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth ce1f46346f Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access 
Add 'Add-Content' to powershell_ntfs_ads_access
 2020-05-26 13:20:40 +02:00
Florian Roth e131f3476e Merge pull request #796 from EccoTheFlintstone/fp 
add more false positives
 2020-05-26 13:20:23 +02:00
Florian Roth b648998fd0 rule: Turla ComRAT 2020-05-26 13:18:50 +02:00
Sander Wiebing f9f814f3b3 Shortened title 2020-05-26 13:06:27 +02:00
Sander Wiebing a241792e10 Reduce FP of legitime processes 
A lot of Windows apps does not have any file characteristics. Some examples:
- Gamebar: C:\\Program Files\\WindowsApps\\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\\GameBarFT.exe
- YourPhone: C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\\YourPhoneServer/YourPhoneServer.exe

All C:\Windows\System32\OpenSSH (scp, sftp, ssh etc) does not have a description and company.

Python 2.7, 3.3 and 3.7 does not have any file characteristics.

So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
 2020-05-26 12:58:15 +02:00
Florian Roth cdf1ade625 fix: typo in selection 2020-05-26 12:27:16 +02:00
Florian Roth 828484d7c6 rule: confluence exploit CVE-2019-3398 2020-05-26 12:09:41 +02:00
Remco Hofman 48c5f2ed09 Update to sysmon_cve-2020-1048 
Added .com executables to detection
Second TargetObject should have been Details
 2020-05-26 11:20:21 +02:00
ecco 7037e77569 add more FP 2020-05-25 04:50:22 -04:00
Florian Roth a962bd1bc1 Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source 
Fix 'source' value for win_susp_backup_delete
 2020-05-25 10:48:36 +02:00
Florian Roth 0afe0623af Merge pull request #757 from tliffick/master 
added rule for Blue Mockingbird (cryptominer)
 2020-05-25 10:47:23 +02:00
Sander Wiebing 6fcf3f9ebf Update win_netsh_fw_add.yml 2020-05-25 10:13:26 +02:00
Sander Wiebing 28652e4648 Add Windows Server 2008 and Windows Vista support 
It did not support the command `netsh advfirewall firewall add`
 2020-05-25 10:02:13 +02:00
Sander Wiebing 2678cd1d3e Create win_netsh_fw_add_susp_image.yml 
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. 

Combined the following rules for the suspicious locations:
https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
 2020-05-25 09:50:47 +02:00
Sander Wiebing b8ee736f44 Remove AppData folder as suspicious folder 
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord ( (\AppData\Local\Discord\)
- Spotify ( (\AppData\Roaming\Spotify\)

Too many to whitelist them all
 2020-05-24 15:16:07 +02:00
Florian Roth 6fbfa9dfdd Merge pull request #793 from Neo23x0/rule-devel 
Esentutl rule and StrongPity Loader UA
 2020-05-23 23:47:12 +02:00
ecco f970d28f10 add more false positives 2020-05-23 15:06:15 -04:00
Florian Roth 3028a27055 fix: buggy rule 2020-05-23 18:32:02 +02:00
Florian Roth df715386b6 rule: suspicious esentutl use 2020-05-23 18:27:36 +02:00
Florian Roth d0da2810c1 Merge pull request #792 from EccoTheFlintstone/fff 
fix FP + remove powershell rule redundant with sysmon_in_memory_power…
 2020-05-23 18:13:16 +02:00
Florian Roth 8321cc7ee1 Merge pull request #772 from gamma37/suspicious_activities 
Create a rule for "suspicious activities"
 2020-05-23 18:11:32 +02:00
Florian Roth d1a5471d21 rule: Strong Pity loader UA 2020-05-23 17:38:10 +02:00
ecco 67faf4bd41 fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml 2020-05-23 10:56:23 -04:00
Florian Roth 9cd9a301c2 Merge pull request #791 from SanWieb/master 
added rule for Netsh RDP port opening
 2020-05-23 16:50:31 +02:00
Florian Roth e1a05dfc1c Update lnx_auditd_susp_C2_commands.yml 2020-05-23 16:49:03 +02:00
Florian Roth ee1ca77fad Merge pull request #771 from gamma37/new_rules 
Create a new rule to detect "Create Account"
 2020-05-23 16:47:46 +02:00
ecco 10ca3006f5 move rule where needed 2020-05-23 10:07:55 -04:00
ecco d9bc09c38c fix test 2020-05-23 10:02:58 -04:00
ecco 78a7852a43 renamed dbghelp rule with new ID and comment and removed a false positive 2020-05-23 09:16:40 -04:00
Sander Wiebing d310805ed9 rule: Netsh RDP port opening 2020-05-23 14:19:52 +02:00
ecco 75ba5f989c add 1 more FP to wmi load 2020-05-23 07:44:45 -04:00
ecco 9a7f462d79 move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule) 2020-05-23 07:17:56 -04:00
ecco cfde0625f5 fix false positive matching on every powershell process not run by SYSTEM account 2020-05-23 07:05:09 -04:00
Florian Roth 12e1aeaf9f Merge pull request #788 from Neo23x0/rule-devel 
refactor: split up rule for CVE-2020-1048 into 2 rules
 2020-05-23 09:54:43 +02:00
Florian Roth 34006d0794 refactor: simplified and extended expression in CVE-2020-1048 rule 2020-05-23 09:16:19 +02:00
Florian Roth 57c8e63acd refactore: split up rule for CVE-2020-1048 into 2 rules 2020-05-23 09:09:58 +02:00
ecco ec17c2ab56 filter on createkey only when needed 2020-05-22 10:37:00 -04:00
4A616D6573 879ad6f206 Update win_susp_ntlm_rdp.yml 2020-05-22 13:32:02 +10:00
4A616D6573 daa3c5e053 Update win_susp_ntlm_rdp.yml 2020-05-22 13:28:56 +10:00
4A616D6573 0f8f5fb29c Create win_susp_ntlm_rdp.yml 2020-05-22 13:24:27 +10:00
Florian Roth 91c4c4ecc5 refactor: slightly improved Greenbug rule 2020-05-21 13:38:11 +02:00
Florian Roth 9a3b6c1c77 docs: added MITRE ATT&CK group tag 2020-05-21 09:44:11 +02:00
Florian Roth 344eb713c5 rule: Greenbug campaign 2020-05-21 09:39:57 +02:00
ecco 0dd089db47 various rules cleaning 2020-05-18 20:29:53 -04:00
Thomas Patzke 96fae4be68 Added CrachMapExec rules 2020-05-22 00:50:37 +02:00
Florian Roth 64e0e7ca72 Merge pull request #784 from Neo23x0/rule-devel 
refactor: slightly improved Greenbug rule
 2020-05-21 14:19:09 +02:00
Florian Roth bbf78374b6 Merge pull request #783 from Neo23x0/rule-devel 
Greenbug Rule
 2020-05-21 09:55:46 +02:00
Thomas Patzke 8d9b706d6a Merge pull request #727 from 3CORESec/master 
Override Features
 2020-05-20 19:11:56 +02:00
Florian Roth e7980bb434 Merge pull request #782 from ZikyHD/patch-1 
Remove duplicate 'CommandLine' in fields
 2020-05-20 12:55:41 +02:00
Florian Roth af92a5bd2c Merge pull request #780 from tatsu-i/master 
Null field check to eliminate false positives
 2020-05-20 12:55:29 +02:00