security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth eac484092c fix: changed hashes field to sha1 for better consistency 2020-01-29 19:52:24 +01:00
Florian Roth a816f4775f rule: FromBase64String command line 2020-01-29 16:05:12 +01:00
Florian Roth 7786edac29 rule: dctask64.exe evasion techniques 
https://twitter.com/gN3mes1s/status/1222088214581825540
 2020-01-28 11:29:24 +01:00
Florian Roth d48fc9d1ff fix: multiple false positive conditions 2020-01-28 10:11:09 +01:00
Florian Roth 240b764660 rule: reduced level of system time mod rule 2020-01-27 14:30:09 +01:00
Florian Roth 5f0589b787 rule: mstsc shadowing 2020-01-24 16:18:19 +01:00
Florian Roth e24ea159f3 rule: split up renamed binary rule 2020-01-24 15:31:07 +01:00
2d4d bace799f07 complete_cve_2019-19781 2020-01-24 15:31:06 +01:00
Florian Roth 4066ae6371 rule: added a reference 2020-01-24 15:31:06 +01:00
Florian Roth 11607a8621 rule: windows audit cve 2020-01-24 15:31:06 +01:00
Florian Roth f40a7aab3d rule: changes at Shitrix rule 2020-01-24 15:31:06 +01:00
sbousseaden a4e62fcb1b Update win_lm_namedpipe.yml 2020-01-24 15:31:06 +01:00
2d4d 341ed340a3 add newbm.pl 2020-01-24 15:31:06 +01:00
Florian Roth 4e07a786a7 rule: updated netscaler rule 2020-01-24 15:31:06 +01:00
Florian Roth c22f7b0b65 fix: shortened path in Citrix Netscaler rule 2020-01-24 15:31:06 +01:00
2d4d d0230f0024 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
2d4d 0bde8b5f00 add rule for Citrix Netscaler CVE-2019-19781 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC) a371cf1057 fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-24 15:31:06 +01:00
Tim Burrell (MSTIC) c24bbdcf81 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
 2020-01-24 15:31:06 +01:00
msec1203 4f29556a01 Update win_susp_winword_wmidll_load.yml 
Update x2
 2020-01-24 15:31:06 +01:00
msec1203 48a071ad4e Update win_susp_winword_wmidll_load.yml 
Fix to error on incorrect mitre tags used.
 2020-01-24 15:31:06 +01:00
GelosSnake 8fbe08d5fa Update win_system_exe_anomaly.yml 
fixing to much original fork.
 2020-01-24 15:31:06 +01:00
GelosSnake 9f3672fdc0 Update win_system_exe_anomaly.yml 
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
 2020-01-24 15:31:06 +01:00
msec1203 4260d01ff0 Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
 2020-01-24 15:31:06 +01:00
Justin Schoenfeld 5f8b152166 Added new sticky key attack binary 2020-01-24 15:31:06 +01:00
david-burkett 5d04c76f68 svchost spawned without cli 2020-01-24 15:31:06 +01:00
david-burkett 032c382184 corrected logic 2020-01-24 15:31:06 +01:00
David Burkett 991e3b8a51 Trickbot behavioral recon activity 2020-01-24 15:31:06 +01:00
Alessio Dalla Piazza 9f7eee8bb1 Add the ability to detect PowerUp - Invoke-AllChecks 
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
 2020-01-24 15:31:06 +01:00
vitaliy0x1 5aa75a90fd added aws_root_account_usage.yml 2020-01-21 15:07:32 +02:00
vitaliy0x1 0d6642abd6 added aws_config_disable_recording.yml 2020-01-21 15:07:10 +02:00
vitaliy0x1 17c00d8a11 added aws_cloudtrail_disable_logging.yml 2020-01-21 15:06:44 +02:00
Thomas Patzke 5f1e933b93 Merge pull request #588 from timbMSFT/timb 
Sigma queries - defense evasion by tampering with svchost; recently released GALLIUM activity group IOCs
 2020-01-20 10:06:06 +01:00
Thomas Patzke 9bb50f3d60 OSCD QA wave 2 
* Improved rules
* Added filtering
* Adjusted severity
 2020-01-17 15:46:28 +01:00
2d4d e35ebcc185 complete_cve_2019-19781 2020-01-15 21:59:33 +01:00
Florian Roth 41c4a499b4 rule: added a reference 2020-01-15 21:27:40 +01:00
Florian Roth 6db20d4bad rule: windows audit cve 2020-01-15 21:23:32 +01:00
Florian Roth 5ef64e4e99 rule: changes at Shitrix rule 2020-01-13 20:15:08 +01:00
Florian Roth a0bad54dbd Merge pull request #592 from 2d4d/fix_web_citrix_cve_2019_19781_exploit.yml 
add newbm.pl
 2020-01-13 14:48:38 +01:00
sbousseaden b60671397d Update win_lm_namedpipe.yml 2020-01-13 10:50:35 +01:00
Florian Roth ba7c634f1a More changes 2020-01-13 09:59:14 +01:00
Florian Roth 7bd820c151 Changes 2020-01-13 09:56:49 +01:00
sreemanshanker ffcfcb70ad Add files via upload 2020-01-13 13:21:06 +08:00
2d4d 364e859a6b add newbm.pl 2020-01-12 00:29:10 +01:00
Thomas Patzke ae6fcefbcd Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00
Thomas Patzke 8d6a507ec4 OSCD QA wave 1 
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
 2020-01-11 00:11:27 +01:00
Thomas Patzke b34bf98c61 Fixed rule: added condition 2020-01-07 15:20:16 +01:00
Florian Roth a29c832b6a rule: updated netscaler rule 2020-01-07 14:42:16 +01:00
Florian Roth c9a75a8371 fix: shortened path in Citrix Netscaler rule 2020-01-07 13:00:28 +01:00
Florian Roth 48f5f480fd fix: SCCM false positives with whoami.exe rule 2020-01-07 12:13:47 +01:00