Karneades
ab5556ae8c
fix: change keyword and bound it to a field
2019-10-29 19:59:43 +01:00
Karneades
aafab2e936
fix: bound keywords to field in multiple PS rules
...
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
2019-10-29 19:53:18 +01:00
Karneades
f31750e567
fix: bound keywords to field in PS cred prompt rule
2019-10-29 19:43:04 +01:00
Karneades
cd20e4a3fc
fix: bound keywords to field in WMI persistence rule
...
See #501 .
2019-10-29 19:22:41 +01:00
zinint
c243c4e210
T1035
2019-10-29 20:58:52 +03:00
booberry46
36fe748c2e
Update win_rdp_reverse_tunnel.yml
...
With the recent example for the evtx, RDP tunneling can happen not only from port 3389, so I tuned it to fit in general.
Replaced the obsolete Twitter status with a link to the evtx from Samir Bousseaden
2019-10-29 17:25:37 +08:00
darkquasar
cb6eb35913
adding some more suspicious PS keywords
...
found in multiple internally analyzed malicious scripts (in the wild and as a result of engagements)
2019-10-28 22:14:14 -07:00
darkquasar
96643b5446
New rule Suspicious Remote Thread Created
2019-10-28 22:12:57 -07:00
darkquasar
551d3d653c
Dumping Lsass.exe memory with MiniDumpWriteDump API
2019-10-28 22:11:55 -07:00
darkquasar
a6b24da6dd
Adding rule Suspicious In-Memory Module Execution
2019-10-28 22:07:26 -07:00
Yugoslavskiy Daniil
fd606cb376
spaces fix
2019-10-29 03:59:07 +03:00
Yugoslavskiy Daniil
4251d9f490
ilyas ochkov contribution
2019-10-29 03:44:22 +03:00
Yugoslavskiy Daniil
3376cf4dd8
fix some typos and remove redundant references
2019-10-29 01:40:06 +03:00
Florian Roth
8ff85499c8
rule: svchost dll search order hijack
2019-10-28 12:03:03 +01:00
Florian Roth
1a3444d0ef
docs: comment on rule expression
2019-10-28 12:02:46 +01:00
RRRabbit
becfca6b41
Added Atomic Blue Detections Repo
2019-10-28 11:59:49 +01:00
Teimur Kheirkhabarov
59c6250282
Delete rules/windows/.DS_Store
2019-10-28 09:38:17 +03:00
Teimur Kheirkhabarov
2fb40acfe6
Fix mistake in possible_privilege_escalation_via_service_registry_permissions_weakness
2019-10-28 09:30:26 +03:00
Teimur Kheirkhabarov
32b0a3987e
Several mistakes were fixed
2019-10-28 08:43:58 +03:00
Teimur Kheirkhabarov
3125b39239
Change incorrect MITRE Tags for some rules
2019-10-28 07:56:15 +03:00
zinint
d1cf80d9b6
Update lnx_auditd_user_discovery.yml
2019-10-28 00:00:06 +03:00
zinint
68b4541274
t1033
2019-10-27 23:59:16 +03:00
zinint
87c8326133
T1033
2019-10-27 23:49:07 +03:00
zinint
55eaae1cea
Rename win_app_windows_descovery.yml to win_app_windows_discovery.yml
2019-10-27 23:15:10 +03:00
zinint
93b867024c
T1012
2019-10-27 23:13:03 +03:00
Teimur Kheirkhabarov
fde949174d
OSCD Task 1 - Privilege Escalation
2019-10-27 20:54:07 +03:00
Mikhail Larin
1f6aec8060
removed unsupported rule from oscd branch
2019-10-27 15:33:38 +03:00
4A616D6573
ca819d8707
Update win_susp_net_execution.yml
...
Updated tags to pass Travis CI checks.
2019-10-27 14:06:52 +11:00
root
717e40e8ed
modified win_susp_dxcap.yml
2019-10-26 20:27:32 +02:00
root
9bf0150100
modified win_susp_dnx.yml
2019-10-26 20:20:21 +02:00
root
3b70f2edd6
modified win_susp_dnx.yml
2019-10-26 20:16:40 +02:00
root
3528afeef7
modified win_susp_dnx.yml
2019-10-26 20:13:53 +02:00
root
1dca0456ee
modified win_susp_dxcap.yml
2019-10-26 20:09:25 +02:00
root
cbe0d73ce8
add win_susp_dxcap.yml
2019-10-26 20:06:02 +02:00
root
aaf63d2238
add win_susp_dxcap.yml
2019-10-26 20:02:25 +02:00
root
0616c2c39d
add win_susp_dnx.yml
2019-10-26 19:58:45 +02:00
root
ee21888e67
add win_susp_cdb.yml
2019-10-26 19:49:45 +02:00
booberry46
b7fe52133d
Update win_defender_bypass.yml
2019-10-27 00:07:56 +08:00
booberry46
3f1fc9a507
Add files via upload
2019-10-27 00:06:49 +08:00
Florian Roth
66a32549f1
rule: proxy malware ua - Zebrocy
2019-10-26 14:20:29 +02:00
Florian Roth
42808b7eb8
rule: webshell detection improved
2019-10-26 09:14:54 +02:00
root
844d55c781
add win_susp_bginfo.yml
2019-10-26 08:18:37 +02:00
root
5bb5938e86
add win_susp_bginfo.yml
2019-10-26 08:16:08 +02:00
root
01c4c7cdbd
modified win_susp_msoffice.yml
2019-10-26 08:11:09 +02:00
root
bea2daac45
modified win_susp_msoffice.yml
2019-10-26 07:55:44 +02:00
root
fc7f8ecea3
add win_susp_msoffice.yml
2019-10-26 07:48:38 +02:00
root
611c193826
modified win_susp_odbcconf.yml
2019-10-26 07:45:53 +02:00
root
aa9a22e662
add win_susp_odbcconf.yml
2019-10-25 19:02:17 +02:00
alexpetrov12
8c2b7e9f85
fix
2019-10-25 18:30:40 +03:00
alexpetrov12
7aa804fe90
added new rules
...
Packet capture Windows command prompt, ODBCCONF execution dll, Windows Registry Persistence - COM key linking
2019-10-25 18:01:36 +03:00