Commit Graph

7964 Commits

Author SHA1 Message Date
Pawel Mazur e67770d7ea New Rule - Linux - Auditd - Clipboard Collection of Image Data with Xclip Tool 2021-10-01 18:43:03 +02:00
frack113 19a834e317 Merge pull request #2111 from TareqAlKhatib/master
Corrected Technique
2021-10-01 15:17:01 +02:00
Tareq Alkhatib 0d22601112 Added Compromise Infrastructure: Web Services technique 2021-10-01 08:40:59 -04:00
Austin Songer 04acba9c77 Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 2021-09-30 19:58:21 -05:00
Austin Songer d55ffe721e Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:19:18 -05:00
Austin Songer e274df1b13 Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:18:38 -05:00
Austin Songer b14d9e3826 Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:16:02 -05:00
Austin Songer 7f0ad710fd Delete process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:15:40 -05:00
Austin Songer 18d65387b5 Create process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:15:03 -05:00
Austin Songer 3d7f96ddd7 Create process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml 2021-09-30 19:14:34 -05:00
Austin Songer 00513ff2c5 Create macos_suspicious_macos_firmware_activity.yml 2021-09-30 18:47:15 -05:00
Tareq Alkhatib b0b95ce32b Corrected Technique 2021-09-30 16:34:14 -04:00
frack113 e900945761 Update win_trust_discovery.yml 2021-09-30 19:26:14 +02:00
zaicurity 76224b0fb2 Added alternative nltest command parameter
Same as recent change to "Recon Activity with NLTEST" (see commit a2418e4d2c)
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection.
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-30 18:12:19 +02:00
frack113 1c842037cf Merge pull request #2109 from Karneades/patch-1
Add fp note to powershell winapi rule
2021-09-30 17:45:03 +02:00
frack113 6eea77ae38 Merge pull request #2105 from frack113/powershell
powershell_susp_zip_compress add 4104
2021-09-30 17:40:13 +02:00
Andreas Hunkeler 82ba266a53 Add fp note to powershell winapi rule 2021-09-30 16:38:39 +02:00
frack113 29d66a965c add 4104 2021-09-30 10:03:11 +02:00
webboy2015 056067086c Create win_lolbas_execution_of_nltest.exe.yaml
The attacker might use LOLBAS nltest.exe for the discovery of domain controllers, domain trusts, parent domain, and the current user permissions. This event can be detected in the Windows Security Log by looking for event id 4689 indicating that nltest.exe was executed and has exited with the execution result of "0x0".
2021-09-29 14:33:36 -07:00
frack113 84ec2f582a Merge pull request #2100 from kidrek/sysmon_delete_prefetch
Add new rule - sysmon_delete_prefetch - AntiForensic
2021-09-29 17:53:33 +02:00
frack113 ed1a1caa2e Merge pull request #2098 from frack113/fix_tags
fix tags in win_susp_mpcmdrun_download.yml
2021-09-29 17:06:18 +02:00
neonprimetime security (Justin C Miller) 2ae2c35a7f misspelled 'mshta.exe' in selection_base
it said 'mhsta.exe' and it should say 'mshta.exe'
2021-09-29 07:47:12 -05:00
frack113 17ad95cd12 Update sysmon_delete_prefetch.yml 2021-09-29 10:58:00 +02:00
kidrek da4a8a0ffd Fix title field error 2021-09-29 09:49:58 +02:00
kidrek d3fc6b118d Add new rule - sysmon_delete_prefetch - AntiForensic 2021-09-29 09:42:17 +02:00
frack113 4a66ea04bd fix tags 2021-09-29 08:26:05 +02:00
zaicurity a2418e4d2c Added alternative command parameter
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection.
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-28 17:39:21 +02:00
frack113 c27084dd0c Merge pull request #2094 from frack113/backend_sysmon
Fix logsource not a string
2021-09-28 16:22:58 +02:00
frack113 c3222945ef Merge pull request #2093 from austinsonger/win_sysmon_driver_unload.yml
win_sysmon_driver_unload.yml
2021-09-28 16:22:43 +02:00
frack113 f8ec71c00c Merge pull request #2072 from austinsonger/aws_attached_malicious_lambda_layer.yml
aws_attached_malicious_lambda_layer.yml
2021-09-28 13:08:01 +02:00
Austin Songer 0d07a78a2d Update aws_attached_malicious_lambda_layer.yml 2021-09-27 23:41:19 -05:00
Austin Songer 3e7b3073cf Update win_sysmon_driver_unload.yml 2021-09-27 23:30:30 -05:00
Florian Roth 1da59d9175 Merge pull request #2092 from SigmaHQ/rule-devel
docs: changed description
2021-09-27 23:13:09 +02:00
Florian Roth 4161cd909f docs: changed description 2021-09-27 23:12:18 +02:00
Florian Roth 10b70edff0 Merge pull request #2091 from SigmaHQ/rule-devel
NOBELIUM FoggyWeb backdoor loading
2021-09-27 23:09:18 +02:00
Florian Roth b227f8459d fix: typo in filename 2021-09-27 22:37:20 +02:00
Florian Roth ada966c5be Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-09-27 22:34:30 +02:00
Florian Roth cee44e6688 renamed files: lowercase 2021-09-27 22:33:30 +02:00
Florian Roth 97bb6a0257 rule: NOBELIUM FoggyWeb 2021-09-27 22:28:25 +02:00
frack113 bcf40fa4e4 Fix logsource not a string 2021-09-27 18:59:05 +02:00
Florian Roth 5ef1c913cf fix: wrong condition
https://github.com/SigmaHQ/sigma/issues/2089
2021-09-27 18:33:57 +02:00
frack113 6bce0f967a Merge pull request #2079 from zakibro/master
New Rule - Linux - Auditd - Clipboard Collection
2021-09-27 08:34:30 +02:00
zakibro 6a2785492d Update lnx_auditd_clipboard_collection.yml
Changes after suggestion.
2021-09-27 07:59:43 +02:00
Florian Roth f196e3174d refactor: moved last global rule to unsupported 2021-09-26 10:54:11 +02:00
MetallicHack d888ce67bc Create azure_ad_user_added_to_sensitive_role.yml 2021-09-25 21:57:10 +02:00
Florian Roth 93bff7f49d docs: new ID 2021-09-25 11:37:39 +02:00
Florian Roth 31ef53738d refactor: removed old Joomla rules, made generic path traversal 2021-09-25 11:37:02 +02:00
frack113 7dc574bc01 Merge pull request #2078 from kidrek/win_process_dump_rdrleakdiag
add new rule win_process_dump_rdrleakdiag
2021-09-25 07:55:52 +02:00
frack113 8fe222a92c Merge pull request #2077 from frack113/remove_re
Convert re to endswith
2021-09-25 07:55:22 +02:00
Sittikorn S 7c8df0eb55 Update web_cve_2021_22005_vmware_file_upload.yml 2021-09-25 08:05:00 +07:00