security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Mikhail Larin 334301c185 OSCD event rules from Jet CSIRT team 2019-10-25 17:57:56 +03:00
zinint 6e94e798be t1010 2019-10-25 16:12:51 +03:00
stvetro dcaacd07bf 4 rules to cover ART 2019-10-25 15:38:47 +04:00
hieuttmmo 0c07c5ea16 convention 2019-10-25 11:00:05 +07:00
hieuttmmo e86ab608f2 Update powershell_suspicious_profile_create.yml 2019-10-25 10:53:21 +07:00
yugoslavskiy 5eb484a062 add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00
4A616D6573 5678357f4e Update win_susp_net_execution.yml 
Added tag for:

References:

https://attack.mitre.org/techniques/T1077/
https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
 2019-10-25 12:20:47 +11:00
4A616D6573 a7a753862c Update win_susp_net_execution.yml 
Added:

1. Additional tags for techniques as defined by Atomic Blue.
2. Detection for OriginalFileName as net.exe can easily be renamed.

Part of oscd.community effort.
 2019-10-25 12:06:32 +11:00
4A616D6573 c248842995 Revert "Update win_susp_net_execution.yml" 
This reverts commit f7e26b1e0b.
 2019-10-25 12:03:23 +11:00
4A616D6573 f7e26b1e0b Update win_susp_net_execution.yml 
Added:

1. Additional tags for techniques as defined by Atomic Blue.
2. Detection for OriginalFileName as net.exe can easily be renamed.

Part of oscd.community effort.
 2019-10-25 11:53:56 +11:00
hieuttmmo edb698c7f7 Update powershell_suspicious_profile_create.yml 2019-10-25 00:28:11 +07:00
hieuttmmo 73b10807d8 Rename powershell_susp_profile_create.yml to powershell_suspicious_profile_create.yml 2019-10-25 00:14:39 +07:00
hieuttmmo 0e4cd397ef Create new rules for T1502 2019-10-25 00:14:21 +07:00
yugoslavskiy 4fb9821b49 added: 
win_non_interactive_powershell.yml
	win_remote_powershell_session.yml
	win_wmiprvse_spawning_process.yml
	powershell_alternate_powershell_hosts.yml
	powershell_remote_powershell_session.yml
	sysmon_alternate_powershell_hosts_moduleload.yml
	sysmon_alternate_powershell_hosts_pipe.yml
	sysmon_non_interactive_powershell_execution.yml
	sysmon_powershell_execution_moduleload.yml
	sysmon_powershell_execution_pipe.yml
	sysmon_remote_powershell_session_network.yml
	sysmon_remote_powershell_session_process.yml
	sysmon_wmi_module_load.yml
	sysmon_wmiprvse_spawning_process.yml
 2019-10-24 15:48:38 +02:00
zinint aef5fa3c2b Rename powershell_winlogon_helper_dll.yaml to powershell_winlogon_helper_dll.yml 2019-10-24 16:37:38 +03:00
Florian Roth a5ec6722a1 rule: the actual changes to hwp rule 2019-10-24 15:35:13 +02:00
zinint 5a98fdbbbd ART t1004 2019-10-24 16:33:29 +03:00
zinint 317e9d3df9 PS Data Compressed attack.t1002 
PS Data Compressed attack.t1002
 2019-10-24 15:43:46 +03:00
yugoslavskiy 3934f6c756 add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00
zinint 7c5dc0ca01 Update win_data_compressed.yml 2019-10-24 15:34:13 +03:00
Florian Roth 86c1b4ae4b rule: hwp exploits 2019-10-24 11:46:56 +02:00
4A616D6573 fdbdca003b Create win_powershell_web_request.yml 
Broader rule for detecting web requests via various methods using Windows PowerShell, slightly crosses over the below rules but caters for different methods:

https://github.com/Neo23x0/sigma/blob/99b15edf8add183543ca5738ec93f87416c34bd9/rules/windows/process_creation/win_powershell_download.yml
https://github.com/Neo23x0/sigma/blob/0fa914139ca85966b49f0a8eda40a3f26608e86b/rules/windows/powershell/powershell_suspicious_download.yml
 2019-10-24 11:57:37 +11:00
Yugoslavskiy Daniil 7cfd47be7c add win_scm_database_handle_failure.yml, win_scm_database_privileged_operation.yml, win_syskey_registry_access.yml 2019-10-24 02:40:11 +02:00
alexpetrov12 cc998aa667 fix 2019-10-24 00:48:43 +03:00
alexpetrov12 f1ccf296f4 fix 2019-10-24 00:40:58 +03:00
mrblacyk 499627edf3 File permissions modification (T1222) 2019-10-23 11:24:13 -07:00
mrblacyk 4979b56296 Domain Trust Discovery rule (T1482) 2019-10-23 11:23:12 -07:00
mrblacyk c2d906c15f DD overwrite with zero/null (T1485) 2019-10-23 11:22:33 -07:00
mrblacyk 262514c782 Windows Service stop rule (T1489) 2019-10-23 11:22:09 -07:00
mrblacyk 5ae267e326 Linux systemd reload or start rule (T1501) 2019-10-23 11:21:19 -07:00
alexpetrov12 d3715a508b fix 2019-10-23 18:15:46 +03:00
alexpetrov12 4c84412944 added new rule 
silenttrinity_stage_ use, sysmon_mimikatz_сreds_dump, sysmon_registry_persistence_key_linking, sysmon_сreds_dump
 2019-10-23 18:08:30 +03:00
alexpetrov12 bc943343df update win_sysmon_driver_unload 2019-10-23 15:41:14 +03:00
alexpetrov12 215e500894 fix 2019-10-23 14:43:01 +03:00
alexpetrov12 193c95a11a add new rule1 2019-10-23 14:27:52 +03:00
root edcbc49ce8 add rule win_susp_open with_execution.yml win_susp_devt oolslauncher_execution.yml 2019-10-23 13:00:21 +02:00
alexpetrov12 043e3f7ca6 fix 2019-10-23 13:48:44 +03:00
alexpetrov12 e38540a37f fix 2019-10-23 13:28:04 +03:00
alexpetrov12 c1cfbacd24 fix 2019-10-23 13:18:57 +03:00
alexpetrov12 ad9b98541c fix 2019-10-23 13:05:38 +03:00
alexpetrov12 fa4a8c974d fix 2019-10-23 12:45:06 +03:00
alexpetrov12 f4ea01217e fix 2019-10-23 02:47:04 +03:00
alexpetrov12 ebe4fe0377 fix 2019-10-23 02:42:37 +03:00
alexpetrov12 29cd7fed3e fix 2019-10-23 02:39:40 +03:00
alexpetrov12 5a260db459 fix 2019-10-23 02:27:14 +03:00
alexpetrov12 6c4f4ce309 fix 2019-10-23 02:25:04 +03:00
alexpetrov12 8d0c89b598 added new rules 
add rule MiniDumpWriteDump via COM+, renamed_binary_description, cobalt_execute_assembly, win_sysmon_driver_onload
 2019-10-23 01:55:03 +03:00
Florian Roth 3d4ce9d175 rule: another reference link for 'execution by ordinal' 2019-10-22 15:18:19 +02:00
zinint 49f9b797a7 Update sysmon_xsl_script_processing.yml 2019-10-22 15:20:15 +03:00
zinint a8bd2c8e78 Update win_data_compressed.yml 2019-10-22 14:57:53 +03:00