security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth 8e500d2caa Bugfix in rule 2018-05-29 14:11:12 +02:00
Alexandre ZANNI 74da324d8f remove old public_html 
remove old public_html
 2018-05-29 11:44:38 +02:00
Alexandre ZANNI a1de770b64 enhance web server paths 
- specify when it is apache only
- add Per-user path
- add archlinux paths
 2018-05-29 11:41:36 +02:00
Florian Roth 51c6d0a767 Rule: Proxy User-Agent VPNFilter 2018-05-24 00:34:07 +02:00
Florian Roth 2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke 079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Matthew Green 16365b7793 Update_WebDAV 
Made the name a bit generic as WebDAV can be used by several download cradles.
Added in HttpMethod as a select as GET requests makes for a great filter point with much less false positives.
 2018-05-16 13:05:15 +10:00
Thomas Patzke 6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth 1aaed07dd7 Rule: Suspicious base64 encoded part of DNS query 2018-05-10 14:08:52 +02:00
Florian Roth 62b490396d Rule: Cobalt Strike DNS Beaconing 2018-05-10 14:08:52 +02:00
Thomas Patzke de2ed08695 Merge branch 'ci-es' 2018-05-01 00:34:11 +02:00
Florian Roth ae6df590a9 Delphi downloader https://goo.gl/rMVUSM 2018-04-24 23:23:21 +02:00
Florian Roth 49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth 3c1c9d2b31 Merge pull request #81 from yt0ng/sigma-yt0ng 
added SquiblyTwo Detection
 2018-04-18 16:39:37 +02:00
Florian Roth 8420d3174a Reordered 2018-04-18 16:34:16 +02:00
yt0ng c637c2e590 Adding Detections for renamed wmic and format 
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
 2018-04-18 15:02:52 +02:00
Florian Roth 9b8df865b1 Extended rule 2018-04-18 12:13:45 +02:00
yt0ng a4fb39a336 also for http 2018-04-18 08:19:47 +02:00
yt0ng 169a4404c2 added SquiblyTwo Detection 2018-04-17 21:33:26 +02:00
Markus Härnvi cf237cf658 "author" should be a string and not a list, according to the specification 2018-04-16 23:42:51 +02:00
Florian Roth d8bbf26f2c Added msiexec to rule in order to cover new threats 
https://twitter.com/DissectMalware/status/984252467474026497
 2018-04-12 09:12:50 +02:00
Florian Roth 58517907ad Improved rule to provide support for for old sysmon \REGISTRY syntax 2018-04-11 20:15:17 +02:00
Florian Roth 0ffd226293 Moved new rule to sysmon folder 2018-04-11 20:11:54 +02:00
Florian Roth 52d405bb1b Improved shell spawning rule 2018-04-11 20:09:42 +02:00
Florian Roth b065c2c35c Simplified rule 2018-04-11 19:03:35 +02:00
Karneades fa6677a41d Remove @ in author 
Be nice to Travis: "error    syntax error: found character '@' that cannot start any token"
 2018-04-11 15:21:42 +02:00
Karneades be3c27981f Add rule for Windows registry persistence mechanisms 2018-04-11 15:13:00 +02:00
Thomas Patzke 788111f174 Fixes for Elasticsearch query correctness CI tests 
* Quoting in rule
* Reading queries without special processing of backslashes

Unfortunately, backslashes still cause breaks caused by Bash handling of
them.
 2018-04-09 22:33:29 +02:00
Florian Roth 56172ae174 Corrected CrackMapExec rule 2018-04-09 08:40:03 +02:00
Florian Roth a9c7fe202e Rule: Windows shell spawning suspicious program 2018-04-09 08:37:30 +02:00
Florian Roth 8ddd40e18e PowerShell Cradle - WebDAV UA 2018-04-09 08:37:30 +02:00
Florian Roth e53826e167 Extended Sysmon Office Shell rule 2018-04-09 08:37:30 +02:00
Florian Roth 6eb8cdfeab TSCookie UA 2018-04-09 08:37:30 +02:00
Thomas Patzke f113832c04 Merge pull request #69 from jmallette/rules 
Create cmdkey recon rule
 2018-04-08 23:23:30 +02:00
root 69671733a8 added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 17:10:00 +02:00
Thomas Patzke a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00
Thomas Patzke b1bfa64231 Removed redundant 'EventLog' conditions 2018-03-26 00:36:40 +02:00
Thomas Patzke f68af2a5da Added reference to Kerberos RC4 rule 2018-03-25 23:19:01 +02:00
Thomas Patzke dacc6ae3d3 Fieldname case: Commandline -> CommandLine 2018-03-25 23:08:28 +02:00
Florian Roth e141a834ff Rule: Ping hex IP address 
https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
 2018-03-23 17:00:00 +01:00
Florian Roth c10da5b734 Improved Chafer activity rule 2018-03-23 10:50:40 +01:00
Florian Roth a797a281ac Rule: Chafer / OilRig activity Mar 18 
https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 2018-03-23 08:59:16 +01:00
Florian Roth f220e61adc Fixed second selection in rule 2018-03-21 10:47:14 +01:00
Florian Roth 70c2f973a3 Rule: Smbexec.py Service Installation 2018-03-21 10:44:37 +01:00
Florian Roth 3c968d4ec6 Fixed rule for any ControlSets 2018-03-21 10:44:37 +01:00
Florian Roth 97204d8dc0 Renamed rule 2018-03-20 15:04:11 +01:00
Florian Roth e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth a7eb4d3e34 Renamed rule 2018-03-20 11:12:35 +01:00
Florian Roth b84bbd327b Rule: NetNTLM Downgrade Attack 
https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 2018-03-20 11:07:21 +01:00
Florian Roth a6d293e31d Improved tscon rule 2018-03-20 10:54:04 +01:00