security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
David Vassallo d7443d71a4 Create win_pass_the_hash_2.yml 
alternative detection methods
 2019-06-14 18:08:36 +03:00
Michael Wade f70549ec54 First Pass 2019-06-13 23:15:38 -05:00
Sherif Eldeeb 2d22a3fe02 Add detection for recent Mimikatz versions 
GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz.
This modification should address both
 2019-06-12 12:13:31 +03:00
Thomas Patzke a23f15d42b Converted rule to generic log source 2019-06-11 13:20:15 +02:00
Thomas Patzke 5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
Tareq AlKhatib 3bcfc53905 Corrected Typo 2019-06-10 09:54:37 +03:00
Tareq AlKhatib fce2a45dac Corrected Typo 2019-06-10 09:51:34 +03:00
James Ahearn eae7e3ab10 Web Source Code Enumeration via .git 2019-06-08 22:40:28 -04:00
Thomas Patzke 407d8214f7 Added APT40 Dropbox exfiltration proxy rule 2019-06-07 14:03:41 +02:00
David Vassallo 41f5ebc403 Update win_alert_ad_user_backdoors.yml 
the original rule generates false positives if the "AllowedToDelegateTo" is set to "-". This seems to be a common occurrence, hence my proposed addition
 2019-06-07 13:29:45 +03:00
Unknown 7b0ecde334 Renamed jusched 
https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
 2019-06-06 14:03:02 +02:00
t0x1c-1 7b9a73fb1f Improved Rule 
Removed complex CommandLine
 2019-06-06 13:45:21 +02:00
yugoslavskiy 5827165c2d event id deleted 2019-06-03 15:51:54 +02:00
yugoslavskiy cf947e3720 changed to process_creation category 2019-06-03 15:47:24 +02:00
yugoslavskiy 6a39b4fb41 date added 2019-06-03 15:42:02 +02:00
yugoslavskiy 10db09c596 rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing 2019-06-03 15:37:41 +02:00
Florian Roth a0c9f1594e Rule: renamed file - name was too generic 2019-06-02 10:57:44 +02:00
Florian Roth 491c519d1f Rule: added wmic SHADOWCOPY DELETE 2019-06-02 10:56:13 +02:00
Florian Roth 80560dc12f Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln 2019-06-02 09:52:18 +02:00
Florian Roth 5e7ae0590c Rule: Split up WanaCry rule into two separate rules 2019-06-02 09:52:18 +02:00
Nate Guagenti 2163208e9c update correct process name 
incorrect process name. accidentally had fsutil, should be bcdedit.

thanks to https://twitter.com/INIT_3 for pointing this out
 2019-06-01 09:50:50 -04:00
Thomas Patzke 4e96666c04 Merge pull request #336 from petermat/added_rule_T1156 
added rule .bash_profile and .bashrc T1156
 2019-05-30 22:43:33 +02:00
Sarkis Nanyan 60bc5253cf win_disable_event_logging.yml: typo in audit policy name; 2019-05-29 15:43:44 +03:00
Florian Roth 7c1e856095 Merge pull request #353 from lprat/master 
Add rule for CVE-2019-0708
 2019-05-27 09:11:17 +02:00
Florian Roth 323a7313fd FP adjustments 
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
 2019-05-27 08:54:18 +02:00
Thomas Patzke 241d814221 Merged WannaCry rules 2019-05-24 22:17:36 +02:00
Lionel PRAT f65f693a88 Add rule for CVE-2019-0708 2019-05-24 10:01:19 +02:00
Florian Roth 7b63c92fc0 Rule: applying recommendation 
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
 2019-05-23 09:44:25 +02:00
Olaf Hartong b60cfbe244 Added password flag 2019-05-22 13:20:26 +02:00
Florian Roth 346022cfe8 Transformed to process creation rule 2019-05-22 12:50:49 +02:00
Olaf Hartong 4a775650a2 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:36:03 +02:00
Olaf Hartong e675cdf9c4 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:32:07 +02:00
Olaf Hartong 544dfe3704 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:28:42 +02:00
Florian Roth c937fe3c1b Rule: Terminal Service Process Spawn 2019-05-22 10:38:27 +02:00
Florian Roth 74ca0eeb88 Rule: Renamed PsExec 2019-05-21 09:49:40 +02:00
Thomas Patzke 2d0c08cc8b Added wildcards to rule values 
These values appear somewhere in a log message, therefore wildcards are
required.
 2019-05-21 01:03:20 +02:00
Patryk c163dcbe05 Update sysmon_mimikatz_trough_winrm.yml 
Deleted tab character (\t)
 2019-05-20 13:22:36 +02:00
Patryk a9faa3dc33 Create sysmon_mimikatz_trough_winrm.yml 
Detects usage of mimikatz through WinRM protocol
 2019-05-20 12:25:58 +02:00
Alec Costello 886de39814 Small edits 
Got trigger happy, first time doing this, please dont cruicify me.
 2019-05-17 17:40:32 +03:00
Alec Costello 34d9b4b365 Update win_susp_process_creations.yml 
Tested the type method redirecting to a file and dumping the hashes out with pwdump.

Used the wmic method to create the shadow copy.
 2019-05-17 16:10:43 +03:00
Alec Costello 3c8be3d48b Update win_susp_vssadmin_ntds_activity.yml 2019-05-17 15:19:03 +03:00
Alec Costello 8b14a5673d Update win_susp_vssadmin_ntds_activity.yml 
Updated with SAM and SYSTEM for esentutl
 2019-05-17 15:18:01 +03:00
Alec Costello d90c0ea990 Create powershell_nishang_malicious_commandlets.yml 2019-05-16 17:51:45 +03:00
Florian Roth 694fa567b6 Reformatted 2019-05-15 20:22:53 +02:00
Florian Roth 1c36bfde79 Bugfix - Swisscom in Newline 2019-05-15 15:03:55 +02:00
Florian Roth d5f49c5777 Fixed syntax 2019-05-15 14:50:57 +02:00
Florian Roth 508d1cdae0 Removed double back slashes 2019-05-15 14:46:45 +02:00
Unknown 13522b97a7 Adjusting Newline 2019-05-15 12:15:41 +02:00
Unknown 275896dbe6 Suspicious Outbound RDP Rule likely identifying CVE-2019-0708 2019-05-15 11:47:12 +02:00
petermmm b6c4e64a9b fixed attack category number 2->3 2019-05-12 11:59:13 +02:00