security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Antonlovesdnb 1f01fe446f Update sysmon_susp_office_dsparse_dll_load.yml 2020-02-19 14:51:22 -05:00
Antonlovesdnb 6d0805ac13 Update sysmon_susp_winword_vbadll_load.yml 2020-02-19 14:51:00 -05:00
Antonlovesdnb 1e461cb2d1 Update sysmon_susp_office_dotnet_gac_dll_load.yml 2020-02-19 14:50:31 -05:00
Antonlovesdnb 56ffa9ec0e Update sysmon_registry_trust_record_modification.yml 2020-02-19 14:50:09 -05:00
Antonlovesdnb 397cdecb94 5 Rules covering various macro techniques 
- Rule to look for GAC DLL loaded by an Office Product
- Rule to look for any DLL in C:\Windows\assembly loaded by an Office Product
- Rule to look for clr.dll loaded by an Office Product
- Rule to look for directory services parsing dll loaded by an Office Product
- Rule to look for kerberos dll loaded by an Office Product
 2020-02-19 14:43:13 -05:00
Antonlovesdnb f8be92dae0 Add files via upload 2020-02-19 10:13:44 -05:00
Florian Roth a9403b70d5 Merge pull request #623 from Neo23x0/devel 
fix: fixing too restrictive rule
 2020-02-18 11:14:51 +01:00
Florian Roth 6413730810 fix: fixing too restrictive rule 
https://twitter.com/Hexacorn/status/1229702521679118336
 2020-02-18 10:43:22 +01:00
Florian Roth f7a6ffa121 Merge pull request #622 from Neo23x0/devel 
Minor changes, process dump via rundll32 comsvcs.dll
 2020-02-18 10:26:28 +01:00
Florian Roth 04b97bd84c fix: character in filename 2020-02-18 10:19:48 +01:00
Florian Roth cd607d4fed rule: process dump via rundll32 and comsvcs.dll's MiniDumpW 2020-02-18 10:04:55 +01:00
Florian Roth 73dfc847fc rule: changed lsass process dump to level high 2020-02-18 10:03:25 +01:00
yugoslavskiy 7f3f1944d9 fix redundancy 2020-02-18 01:10:56 +03:00
Thomas Patzke 01d6c3b58d Fixes 2020-02-16 23:24:00 +01:00
Wagga b9c745a1b2 New Koadic detection rule 2020-02-16 16:48:49 +01:00
yugoslavskiy d0e284ae18 fix typo (duplicates) 2020-02-16 18:19:25 +03:00
Thomas Patzke f118839664 Further fixes and deduplications 
From suggestions of @yugoslavskiy in issue #554.
 2020-02-16 14:03:07 +01:00
Thomas Patzke 77c927bc14 Revert "Moved rules with enrichments into unsupported" 
This reverts commit ba83b8862a.
 2020-02-15 22:52:06 +01:00
Florian Roth eb36150e6b rule: UserAgent used by PowerTon malware 2020-02-15 19:06:49 +01:00
Florian Roth d909fefa82 Merge pull request #620 from james0d0a/master 
rule: Zeek Suspicious kerberos network traffic RC4
 2020-02-13 09:34:06 +01:00
Florian Roth 94bb7dd77f fix: issues 2020-02-13 09:17:21 +01:00
james dickenson 21e4aa33dc rule modification: fixed filter condition on zeek suspicious rc4 traffic 2020-02-12 21:27:36 -08:00
james dickenson 93367d725d rule: zeek suspicious kerberos RC4 traffic 2020-02-12 21:21:46 -08:00
faloker 6d9c8e44d7 Update rules titles 2020-02-12 23:09:16 +02:00
faloker 1b15dba712 Correct the indentation 2020-02-12 22:48:46 +02:00
faloker f387cf0c37 Add the rule to detect changes to startup scripts 2020-02-12 22:23:18 +02:00
faloker 01d2f9f99d Add the rule to detect backdooring of users keys 2020-02-12 22:22:38 +02:00
faloker b26c5d8c51 Add rules to detect AWS RDS exfiltration 2020-02-12 22:21:52 +02:00
faloker ddf5f8ec23 Update conditions 2020-02-12 22:20:15 +02:00
faloker aacab37f84 Add a rule for guardduty trusted IPs manipulation 2020-02-11 23:28:23 +02:00
faloker b6c834195e Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00
Florian Roth a4c210ed16 rule: remove keywords in powershell rule prone to FPs 2020-02-11 16:26:17 +01:00
Florian Roth bf98d286f9 Merge pull request #615 from Neo23x0/devel 
fix: dumpert rule with wrong sysmon event id
 2020-02-08 20:03:28 +01:00
Florian Roth d9645af840 rule: added Emotet UA 
https://twitter.com/webbthewombat/status/1225827092132179968
 2020-02-08 10:37:56 +01:00
Florian Roth 080532d20c logsource change 
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
 2020-02-07 15:47:27 +01:00
Tim Burrell (MSTIC) f70f847524 additional gallium ttp 
sha1 process creation only makes sense for sysmon
 2020-02-07 14:08:40 +00:00
Florian Roth be9b80d6ab fix: dumpert rule with wrong sysmon event id 2020-02-07 13:14:18 +01:00
Thomas Patzke 7fdd6f7bce Swapped accidental deletion of older rule duplicate 2020-02-06 23:41:05 +01:00
Florian Roth 1a80b180fd Merge pull request #613 from Neo23x0/devel 
rule: dumpert process dump tool
 2020-02-04 23:07:07 +01:00
Florian Roth 10490a6cee rule: reworked dumpert rule 2020-02-04 22:56:04 +01:00
Florian Roth 1f44969afd rule: avoiding build issues with sysmon event id 1 2020-02-04 22:50:46 +01:00
Florian Roth 535e2d149b rule: improved dumpert rule 2020-02-04 22:46:16 +01:00
Florian Roth 8f8b977c85 rule: dumpert process dump tool 2020-02-04 22:38:06 +01:00
Thomas Patzke d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke f7394d09e0 Deduplication 2020-02-03 22:41:55 +01:00
Kevin Dienst 98471bc53c Update proxy_raw_paste_service_access.yml 
Add another paste provider website, ghostbin.co to the list. Note that saved pastes generate pseudo random 5 character strings before being suffixed with `/raw` at the end of the URL. e.g. `https://ghostbin.co/paste/y4e9a/raw`

Thus, I've added a regex match between /paste and /raw. I'm unsure if this is supported, I skimmed the Sigma specification wiki but didn't see anything other than that contains adds '*' to end and beginning of each selection. If this regex isn't going to work then I'd imagine we just have to remove the `.+/raw/` from the URI.
 2020-02-03 07:29:42 -06:00
Thomas Patzke 815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
Thomas Patzke f59b36d891 Fixed rule 2020-02-02 12:54:56 +01:00
Thomas Patzke ba83b8862a Moved rules with enrichments into unsupported 2020-02-02 12:46:03 +01:00
Thomas Patzke 593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00