security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
2d4d 35fbdd1248 add rule for Citrix Netscaler CVE-2019-19781 2020-01-03 01:48:29 +01:00
2d4d b98e57603e add rule for Citrix Netscaler CVE-2019-19781 2020-01-03 00:34:52 +01:00
Tim Burrell (MSTIC) 9bd0402681 fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-02 20:05:28 +00:00
Tim Burrell (MSTIC) 5051334e85 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
 2020-01-02 14:47:55 +00:00
Florian Roth fd28a64591 rule: WCE 2019-12-31 09:27:38 +01:00
Florian Roth c007ecf90c Merge pull request #585 from Neo23x0/devel 
Devel
 2019-12-30 15:08:43 +01:00
Florian Roth 5980cb8d0c rule: copy from admin share - lateral movement 2019-12-30 14:25:43 +01:00
Florian Roth 86e6b92903 rule: SecurityXploded tool 2019-12-30 14:25:29 +01:00
Florian Roth 5ad793e04a Merge pull request #582 from tvjust/patch-1 
Added new sticky key attack binary
 2019-12-30 14:14:20 +01:00
Florian Roth 948af2993b Merge pull request #583 from msec1203/msec1203-submit-rule1 
MS Office Doc Load WMI DLL Rule
 2019-12-30 14:13:58 +01:00
msec1203 dbdf6680e0 Update win_susp_winword_wmidll_load.yml 
Update x2
 2019-12-30 18:49:39 +09:00
msec1203 a45f877712 Update win_susp_winword_wmidll_load.yml 
Fix to error on incorrect mitre tags used.
 2019-12-30 18:41:16 +09:00
GelosSnake f574c20432 Update win_system_exe_anomaly.yml 
fixing to much original fork.
 2019-12-29 18:02:49 +02:00
GelosSnake 7e7f6d1182 Update win_system_exe_anomaly.yml 
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
 2019-12-29 18:01:19 +02:00
msec1203 845d67f1f3 Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
 2019-12-29 23:14:29 +09:00
Justin Schoenfeld a1f07cdb4b Added new sticky key attack binary 2019-12-29 08:32:23 -05:00
david-burkett 4a65a25070 svchost spawned without cli 2019-12-28 10:28:08 -05:00
david-burkett 35b4806104 corrected logic 2019-12-28 09:55:39 -05:00
David Burkett 474a8617e5 Trickbot behavioral recon activity 2019-12-27 21:25:53 -05:00
Alessio Dalla Piazza f45587074b Add the ability to detect PowerUp - Invoke-AllChecks 
PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
 2019-12-23 11:50:57 +01:00
Florian Roth fc8607bbea rule: whoami as local system 2019-12-22 18:50:26 +01:00
Florian Roth fb76f2b9ac rule: CreateMiniDump 2019-12-22 08:29:12 +01:00
Florian Roth 511229c0b6 rule: modified Bloodhound rule 2019-12-21 21:22:13 +01:00
Florian Roth 1fd4c26005 Merge pull request #569 from Neo23x0/devel 
rule: improved bloodhound rule
 2019-12-20 17:32:21 +01:00
Florian Roth 0fa5ba925e rule :improved bloodhound rule 2019-12-20 17:23:40 +01:00
Florian Roth cbebaf637f Merge pull request #568 from Neo23x0/devel 
Devel
 2019-12-20 16:22:29 +01:00
Florian Roth 0e82dce2a0 fix: fixed wrong condition 2019-12-20 16:11:39 +01:00
Florian Roth 0000257371 rule: improved bloodhound rule 2019-12-20 16:08:26 +01:00
Florian Roth 3a933c38f2 rule: changed level of BloodHound rule 2019-12-20 15:37:58 +01:00
Florian Roth 68efeb909d rule: false positive condition for BloodHound rule 2019-12-20 15:35:13 +01:00
Florian Roth 825b1edb0f Merge pull request #567 from Neo23x0/devel 
Devel
 2019-12-20 15:32:56 +01:00
Florian Roth 5f061c15d0 fix: fixed missing condition 2019-12-20 15:18:05 +01:00
Florian Roth bb466407ee rule: operation Wocao activity 2019-12-20 15:00:07 +01:00
Florian Roth 708c17e2bc rule: Bloodhound 2019-12-20 14:59:36 +01:00
Florian Roth ab038d1ac7 style: minor changes 2019-12-20 14:59:26 +01:00
Thomas Patzke 9ca52259dd Fixed identifier 2019-12-20 00:11:34 +01:00
Thomas Patzke 924e1feb54 UUIDs + moved unsupported logic 
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
 2019-12-19 23:56:36 +01:00
Thomas Patzke 694d666539 Merge branch 'master' into oscd 2019-12-19 23:15:15 +01:00
Riccardo Ancarani 8b70cb6761 Add Covenant default named pipe 
Covenant (https://github.com/cobbr/Covenant) can use named pipes for peer to peer communication.
The default named pipe name is "\gruntsvc".
References: https://posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456
 2019-12-18 15:19:47 +00:00
Florian Roth 0a26184286 Merge pull request #563 from Neo23x0/devel 
Devel
 2019-12-17 14:48:07 +01:00
Florian Roth c8b6b5c556 rule: updating csc.exe rule 2019-12-17 13:45:40 +01:00
Florian Roth 7a3041c593 rule: improved csc.exe rule 2019-12-17 11:05:43 +01:00
Florian Roth e8d92fab0c rule: ryuk ransomware 2019-12-16 20:33:12 +01:00
Florian Roth da06e5bc1c Merge pull request #562 from Neo23x0/devel 
Improved PowerShell Encoded Command Rule
 2019-12-16 19:31:15 +01:00
Florian Roth bbaa9df217 rule: better JAB rule 2019-12-16 19:08:51 +01:00
Florian Roth f83eb2268e rule: improved JAB expression 2019-12-16 19:04:05 +01:00
Florian Roth bd7c996588 rule: suspicious PS rule modified to cover newest malware campaigns 2019-12-16 19:02:57 +01:00
Thomas Patzke ef63a65efe Converted to Unix line end 2019-12-15 23:30:42 +01:00
Yugoslavskiy Daniil d19df2e4f7 fix issues with wrong tagging 2019-12-15 00:17:22 +01:00
Yugoslavskiy Daniil 9a511e5e62 fix issue with doubled detection section in apt_silence_downloader_v3.yml 2019-12-15 00:06:28 +01:00