security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
zinint 74d1fef8b8 Update win_data_compressed.yml 2019-10-22 14:53:43 +03:00
zinint cc6d4b05ac OSCD Task 7 : ART T1002 Exfiltration With Rar 
OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar
 2019-10-22 14:00:52 +03:00
Florian Roth b3654947bc rule: suspicious call by ordinal (rundll32) 2019-10-22 12:40:26 +02:00
Florian Roth 0f02f2bdfc rule: adjusted very noisy rule on AppLocker whitelist bypass 2019-10-22 12:32:37 +02:00
root 00a757959e add rule win_susp_capture_screenshots.yml 2019-10-22 06:06:07 +02:00
root 2bd9d8a9d8 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:56:37 +02:00
root fb53855ae5 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:50:49 +02:00
zinint daf1034621 Update win_possible_applocker_bypass.yml 2019-10-22 00:54:29 +03:00
zinint 789782ef59 Update sysmon_xsl_script_processing.yml 2019-10-22 00:08:46 +03:00
zinint 56f807cb44 Update sysmon_xsl_script_processing.yml 2019-10-22 00:06:54 +03:00
zinint 0d8eff0d86 Update sysmon_xsl_script_processing.yml 2019-10-22 00:06:10 +03:00
zinint a1d72f20c8 Update sysmon_xsl_script_processing.yml 2019-10-21 23:51:39 +03:00
zinint 5248f83fb3 Update sysmon_xsl_script_processing.yml 2019-10-21 23:46:11 +03:00
zinint a685c9c3be Update sysmon_xsl_script_processing.yml 2019-10-21 23:39:33 +03:00
zinint 784d7138ca OSCD Task 7 ART T1220 
OSCD Task 7 ART T1220 rule add
 2019-10-21 22:22:55 +03:00
Florian Roth 4e7ad5c948 rule: added date to crypto miner rule 2019-10-21 13:24:33 +02:00
Florian Roth e8963b2599 rule: crypto miner user agents in proxy logs 2019-10-21 13:21:50 +02:00
Florian Roth c8b5b91815 Merge pull request #471 from a2tf/rule_change_proxy_uri_to_url 
rule: changed two proxy rules from uri-query to url
 2019-10-21 12:52:36 +02:00
root e47caf4749 add rule lnx_auditd_web_rce.yml 2019-10-21 11:54:21 +02:00
root a499141483 modified rule lnx_auditd_web_rce.yml 2019-10-21 11:28:59 +02:00
Florian Roth 9457f01c29 Update proxy_ios_implant.yml 2019-10-21 11:20:11 +02:00
Florian Roth f8d8eb7948 Update proxy_chafer_malware.yml 2019-10-21 11:19:59 +02:00
root ac8308dfc9 add rule lnx_auditd_web_rce.yml 2019-10-21 11:14:24 +02:00
Florian Roth 454ba2b576 rule: modified sudo vuln rule to be most generic 2019-10-20 14:02:10 +02:00
Florian Roth 08ff2f38bc Revert "rule: modified sudo vuln rule to be most generic" 
This reverts commit ef6a25d109.
 2019-10-20 14:01:14 +02:00
Florian Roth ef6a25d109 rule: modified sudo vuln rule to be most generic 2019-10-20 10:37:05 +02:00
a2tf a2753ba5a6 rule: changed two proxy rules from uri-query to url 2019-10-18 14:15:39 +00:00
Thomas Patzke 522f021ef1 Merge pull request #461 from Galapag0s/patch-2 
Added Additional history clearing options
 2019-10-16 22:35:41 +02:00
Florian Roth deb3ecf404 fix: relevant fields in lsass dll load rule 2019-10-16 19:09:20 +02:00
Florian Roth ab292a4029 rule: simplified Emotet rule 2019-10-16 15:29:42 +02:00
Florian Roth 36f678930d rule: updated sudo vuln rule to detect 0-padding part 2 
https://twitter.com/joshbressers/status/1184455759620378627
 2019-10-16 15:10:44 +02:00
Florian Roth 5374d18e4b rule: updated sudo vuln rule to detect 0-padding 
https://twitter.com/taviso/status/1184238670343065600
 2019-10-16 15:03:28 +02:00
Florian Roth c396526f40 rule: LSASS DLL load via undocumented Registry key 
https://twitter.com/SBousseaden/status/1183745981189427200
 2019-10-16 13:18:44 +02:00
Florian Roth 5d143f4f22 rule: emotet rule references extended 2019-10-16 13:18:44 +02:00
Florian Roth d46154da5c rule: extending Emotet rule 2019-10-16 10:22:48 +02:00
Florian Roth 4ea469d138 rule: suspicious compression tool parameters 2019-10-15 16:38:53 +02:00
Florian Roth e870c86fb0 rule: keyboad layout preloads extended with ' 2019-10-15 15:11:00 +02:00
Florian Roth 921a39f1e3 rule: extended sudo rule with variant for USER field 2019-10-15 14:55:09 +02:00
Florian Roth 96d77447d2 rule: added reference and mitre tags 2019-10-15 09:44:17 +02:00
Florian Roth 49ed76004c rule: sudo priv esc vuln CVE-2019-14287 2019-10-15 09:39:08 +02:00
Florian Roth 52fef7ae10 Merge pull request #468 from 2d4d/lsass_without_exe 
remove .exe from lsass
 2019-10-14 18:03:13 +02:00
Florian Roth 8db1cac910 fix: made rule compatible with event id 4688 2019-10-14 18:01:24 +02:00
Florian Roth 0e2284a176 rule: modified the default 2019-10-14 17:50:48 +02:00
Florian Roth 312311494d rule: suspicious code page switch using chcp 2019-10-14 17:45:25 +02:00
2d4d cf5d7f11ad remove .exe from lsass 2019-10-14 17:26:33 +02:00
Florian Roth 7ee3974428 rule: suspicious keyboard layout load 2019-10-14 16:25:27 +02:00
Florian Roth 5583684efd rule: extended suspicious procdump rule 2019-10-14 16:21:37 +02:00
Florian Roth 98f0d01b2e rule: mimikatz use extended 2019-10-11 18:50:33 +02:00
Florian Roth 60af1f5a4b rule: WMI Backdoor Exchange Transport Agent 2019-10-11 12:12:44 +02:00
Florian Roth ec5bb71049 fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00