security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth 2e0e170058 Merge pull request #708 from teddy-ROxPin/patch-4 
Create powershell_create_local_user.yml
 2020-04-14 14:11:15 +02:00
Florian Roth 3175a48bdc Casing 2020-04-14 13:40:34 +02:00
Florian Roth ecdec93800 Casing 2020-04-14 13:39:58 +02:00
Florian Roth 5cbe008350 Casing 2020-04-14 13:39:22 +02:00
Florian Roth 5ee0808619 Merge pull request #706 from vesche/update_win_susp_netsh_dll_persistence 
Update win_susp_netsh_dll_persistence.yml
 2020-04-14 13:37:53 +02:00
Florian Roth 4f469c0e39 Adjusted level 2020-04-14 13:37:10 +02:00
Florian Roth 8f40c0a1c8 Merge pull request #710 from vesche/update_win_GPO_scheduledtasks 
Update win_GPO_scheduledtasks.yml
 2020-04-14 13:36:17 +02:00
Maxime Thiebaut 86c6891427 Add Windows Registry Persistence COM Search Order Hijacking 2020-04-14 12:59:29 +02:00
vesche 1f918253e8 Add additional reference 2020-04-13 11:09:36 -05:00
vesche 9cdb3a4a64 Fix typo 2020-04-13 11:09:00 -05:00
teddy-ROxPin 1501331f77 Create powershell_create_local_user.yml 
Adds coverage for creating a local account via PowerShell from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md#atomic-test-4---create-a-new-user-in-powershell
 2020-04-11 02:51:05 -06:00
vesche 3889be6255 Replace reference link for win_susp_netsh_dll_persistence 2020-04-10 01:05:10 -05:00
vesche 82db80bee6 Remove wrong mitre technique 2020-04-10 01:02:43 -05:00
vesche 72b821e046 Update win_susp_netsh_dll_persistence.yml 2020-04-09 11:16:18 -05:00
Iveco 61b9234d7f Update win_user_driver_loaded.yml 
removed internal field
 2020-04-09 11:28:19 +02:00
Thomas Patzke 551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Iveco e913db0dca Update win_user_driver_loaded.yml 
CI
 2020-04-08 18:54:59 +02:00
Iveco c5211eb94a Update sysmon_susp_service_installed.yml 
CI
 2020-04-08 18:54:46 +02:00
Iveco 4520082ef7 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
CI
 2020-04-08 18:54:37 +02:00
Iveco 6d85650390 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed Author
 2020-04-08 18:41:33 +02:00
Iveco fc1febdebe Update sysmon_susp_service_installed.yml 
Fixed Author
 2020-04-08 18:41:25 +02:00
Iveco d0746b50f4 Update win_user_driver_loaded.yml 
Fixed author
 2020-04-08 18:41:16 +02:00
Iveco 3280a1dfb0 Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
Fixed CI
 2020-04-08 18:23:29 +02:00
Iveco 5e724a0a54 Update sysmon_susp_service_installed.yml 
Fixed CI
 2020-04-08 18:22:51 +02:00
Iveco d1b9c0c34a Update win_user_driver_loaded.yml 
Fixed CI
 2020-04-08 18:21:59 +02:00
iveco e87f2705a7 Detect Ghost-In-The-Logs (disabling/bypassing ETW) 2020-04-08 18:01:04 +02:00
Maxime Thiebaut 73a6428345 Update the NTLM downgrade registry paths 
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
 2020-04-07 17:14:45 +02:00
Florian Roth 4e3985866b Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml 2020-04-03 16:50:48 +02:00
mpavlunin 81d0f82272 Create new rule T1223 
Suspicious Compiled HTML File
 2020-04-03 16:56:26 +03:00
Florian Roth 0ea2db8b9e Merge pull request #484 from hieuttmmo/master 
New sigma rules to detect new MITRE technique in last update (T1502)
 2020-04-03 09:59:36 +02:00
Florian Roth f4928e95bc Update powershell_suspicious_profile_create.yml 2020-04-03 09:36:17 +02:00
Florian Roth c0ab9c5745 Merge pull request #671 from HarishHary/powershell_downgrade_attack 
Powershell downgrade attack (small improvements)
 2020-04-03 09:31:33 +02:00
Florian Roth 6cf0edc076 Merge pull request #685 from teddy-ROxPin/patch-1 
Typo fix for powershell_suspicious_invocation_generic.yml
 2020-04-03 09:30:32 +02:00
Florian Roth dec0c108f9 Merge pull request #683 from NVISO-BE/powershell_wmimplant 
WMImplant detection rule
 2020-04-02 11:54:09 +02:00
Chris O'Brien fe5dbece3d Date typos...more than I thought... 2020-04-02 10:00:00 +02:00
Chris O'Brien 97c0872c81 Date typo. 2020-04-02 09:53:09 +02:00
Chris O'Brien 95e0b12d88 Fixed date typo - by the looks of the commit date the month/date were swapped. 2020-04-01 18:18:13 +02:00
Clément Notin 18cdddb09e Small typo 2020-03-31 15:22:00 +02:00
Maxime Thiebaut 8dcbfd9aca Add AD User Enumeration 
When the "Read all properties" permission of a user object is set to be
audited in the AD, an event of ID 4662 (An operation was performed on an
object) is triggered whenever a property is accessed.

This rule detects these events by flagging any non-machine
`SubjectUserName` (i.e. another user) which accesses an object of the
`User` AD schema class.

Advantages of this rule include the detection of insider-enumeration
through automated tools such as BloodHound or manually through the usage
of the PowerShell ActiveDirectory module. Although this rule qualifies
as a medium severity one, this event could be qualified as high/critical
one if flagged on non-used canary user-accounts.

False positives may include administrators performing the initial
configuration of new users.
 2020-03-31 09:40:07 +02:00
Remco Hofman b791d599ee Disabled keywords that could cause FPs 2020-03-30 08:53:52 +02:00
teddy-ROxPin 1a3731f7ae Typo fix for powershell_suspicious_invocation_generic.yml 
' - windowstyle hidden ' changed to ' -windowstyle hidden '
 2020-03-29 04:16:15 -06:00
Florian Roth 8ea6b12eed Merge pull request #670 from 0xThiebaut/sysmon_susp_desktop_ini 
Add "Suspicious desktop.ini Action" rule
 2020-03-28 13:34:01 +01:00
Florian Roth fe5b5a7782 Merge pull request #673 from j91321/rules-minor-fixes 
Minor fixes to several rules
 2020-03-28 13:27:05 +01:00
Florian Roth e2b90220a2 Update sysmon_susp_desktop_ini.yml 2020-03-28 13:19:10 +01:00
Florian Roth bbb10a51f4 Update win_powershell_downgrade_attack.yml 2020-03-28 13:17:58 +01:00
Florian Roth 0e94eb9e86 Update win_powershell_downgrade_attack.yml 2020-03-28 13:12:07 +01:00
Florian Roth 2426b39d83 Merge pull request #678 from justintime/title_collision 
Eliminate title collision
 2020-03-28 12:57:55 +01:00
Remco Hofman f52ed4150d WMImplant parameter detection 2020-03-27 15:08:35 +01:00
Iveco 55258e1799 Title capitalized 2020-03-26 17:04:08 +01:00
Iveco 3f577c98e7 Title capalized 2020-03-26 17:03:33 +01:00