security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Florian Roth b62c705bf0 Improved UNC2452 activity rules 2021-01-22 09:18:11 +01:00
k-vdv e4edf7bc1b fix service from system to security for rule win_pcap_drivers.yml 2021-01-22 09:10:02 +01:00
David Straßegger 6a6929cfb6 implemented rule for scheduled task deletion 2021-01-22 08:09:56 +01:00
Florian Roth efa39eb18d Merge pull request #1336 from Neo23x0/rule-devel 
rule: Raccine uninstall
 2021-01-21 18:17:31 +01:00
Florian Roth 4ad70f0aaa rule: Raccine uninstall 2021-01-21 17:59:17 +01:00
Florian Roth 492d931138 Merge pull request #1335 from Neo23x0/rule-devel 
rule: UNC2452 PowerShell pattern
 2021-01-21 09:20:22 +01:00
Florian Roth c5a7558ca0 fix: fixed actor name in description 2021-01-21 09:19:51 +01:00
Florian Roth a0b8eeac6f fix: minor issues 2021-01-20 18:52:50 +01:00
Florian Roth 8b319e3686 rule: UNC2452 PowerShell pattern 2021-01-20 18:51:49 +01:00
Florian Roth cd4fbca66b Merge pull request #1330 from d4rk-d4nph3/master 
Added Stealthy Office Persistence via VSTO
 2021-01-20 11:36:25 +01:00
Florian Roth c00d3a8fe0 Merge pull request #1334 from Neo23x0/rule-devel 
rule: plink anomaly rules
 2021-01-20 11:36:16 +01:00
Bhabesh Rai dac229a8bb Added rule for Oracle WebLogic Exploit CVE-2021-2109 2021-01-20 14:28:18 +05:45
Florian Roth eedc483be4 rework: impossible rule with Sysmon 2021-01-19 14:12:40 +01:00
Florian Roth fdc969385a rule: plink anomaly rules 2021-01-19 12:39:40 +01:00
Florian Roth 7162528a1a docs: removed CVE 2021-01-15 13:25:10 +01:00
Florian Roth 3d2c6a118d Merge pull request #1332 from 2d4d/master 
Add xHunt Campaign: BumbleBee Webshell
 2021-01-13 18:19:01 +01:00
Florian Roth d58cdeab3a Merge pull request #1331 from Neo23x0/rule-devel 
rule: NTFS vulnerability
 2021-01-12 09:09:33 +01:00
Arnim Rupp b2860b870e Update win_webshell_detection.yml 2021-01-11 21:08:20 +01:00
Florian Roth cf37abee4d docs: more details 2021-01-11 19:56:36 +01:00
Arnim Rupp 5d80d634c3 Add xHunt Campaign: BumbleBee Webshell 
add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
 2021-01-11 19:44:07 +01:00
Florian Roth a0fccf8647 rule: NTFS vulnerability 
https://twitter.com/jonasLyk/status/1347900440000811010
 2021-01-11 14:51:26 +01:00
Bhabesh Rai 93c7931037 Added Stealthy Office Persistence via VSTO 2021-01-10 17:54:17 +05:45
Florian Roth c571285fd8 Merge pull request #1329 from Neo23x0/rule-devel 
Rule devel
 2021-01-09 11:32:36 +01:00
Florian Roth 63cc0d23c6 changes provided by FPT.EagleEye Team in 
https://github.com/Neo23x0/sigma/pull/1218/files
 2021-01-09 10:38:20 +01:00
Florian Roth 19171f5bed Merge pull request #1315 from rtkdmasse/split-up-cmstp-rule 
Split up cmstp rule into 3 separate rules and remove duplicates
 2021-01-09 10:30:33 +01:00
Florian Roth 947925d81f Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic 
Update the azure image_load rule to be a generic sysmon rule
 2021-01-09 10:29:52 +01:00
Florian Roth 04f7766d7a Merge pull request #1319 from hieuttmmo/master 
Detect Emotet DLL loading by looking rundll32.exe
 2021-01-09 10:29:24 +01:00
Florian Roth 1a8bb9c991 Merge pull request #1327 from 2d4d/master 
more AV event and suspicious commands
 2021-01-09 10:28:30 +01:00
GlebSukhodolskiy 3f519ffa20 Just Check 2021-01-07 21:31:51 +03:00
Arnim Rupp d5de3fe5f9 more AV event and suspicious commands 
some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?
 2021-01-07 17:54:19 +01:00
Florian Roth 30dcc28a1f Cisco ASA FTD Exploit CVE-2020-3452 2021-01-07 13:17:58 +01:00
GlebSukhodolskiy da5ec4e952 Update win_wmi_persistence.yml 
Removed sequence of EIDs in Windows Security section.
 2021-01-06 16:50:28 +03:00
yugoslavskiy 05c91cd12f Merge pull request #1238 from alx1m1k/oscd-3 
[OSCD] T1030: Split A File Into Pieces - Lin/macOS
 2021-01-06 00:33:12 +03:00
yugoslavskiy 057c33354a Merge pull request #1237 from alx1m1k/oscd-2 
[OSCD] T1027.001: Binary Padding - Lin/macOS
 2021-01-06 00:33:05 +03:00
yugoslavskiy befcad2df7 Merge pull request #1234 from w0rk3r/oscd1 
[OSCD] Update win_susp_replace_lolbin.yml
 2021-01-06 00:32:55 +03:00
yugoslavskiy 6ebcb10abd Merge pull request #1233 from V3T0/v3t0_oscd_lolbas_runonce_susp_execution 
[OSCD] Added a rule to detect execution of runonce with suspicious parameters
 2021-01-06 00:32:44 +03:00
yugoslavskiy 3bf1663503 Merge pull request #1232 from V3T0/v3t0_oscd_lolbas_tracker 
[OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments
 2021-01-06 00:32:35 +03:00
yugoslavskiy e4c302bf6f Merge pull request #1231 from vburov/patch-16 
[OSCD] Detects LockerGoga Ransomware command line.
 2021-01-06 00:30:08 +03:00
yugoslavskiy 2985836e36 Merge pull request #1140 from omkar72/oscd-5 
[OSCD] adding shortened commands for Netsh in the existing rule
 2021-01-06 00:24:43 +03:00
yugoslavskiy d25ca9b280 Merge pull request #1229 from zinint/1009-19-1 
[OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)
 2021-01-06 00:24:08 +03:00
yugoslavskiy 7889df6644 Merge pull request #1227 from stvetro/oscd-runscripthelper 
[OSCD] - Runscripthelper.exe runs script (LoLBin)
 2021-01-06 00:24:00 +03:00
yugoslavskiy 0ed153237e Merge pull request #1226 from stvetro/oscd-winword 
[OSCD] - Force winword.exe to load DLL (LoLBin)
 2021-01-06 00:23:52 +03:00
yugoslavskiy 1d2f027035 Merge pull request #1224 from stvetro/oscd 
[OSCD] Verclsid.exe Runs COM Object (LOLBin)
 2021-01-06 00:23:45 +03:00
yugoslavskiy f4578b0698 Merge pull request #1223 from zinint/1009-23-1 
[OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)
 2021-01-06 00:23:33 +03:00
yugoslavskiy 23519e47cd Merge pull request #1222 from feedb/oscd 
[OSCD] zer0w
 2021-01-06 00:23:25 +03:00
yugoslavskiy 93718975fb Merge pull request #1221 from grikos/OSCD_117_128 
[OSCD] suspicious csi.exe (rcsi.exe)  LOLBAS detection rule
 2021-01-06 00:23:13 +03:00
yugoslavskiy cd62929bb0 Merge pull request #1220 from aw350m33d/PS_exec_via_redirected_input_stream 
[OSCD] LOLBIN 5 PowerShell with redirection of the input stream.
 2021-01-06 00:23:06 +03:00
yugoslavskiy 70eff4b1fc Merge pull request #1219 from ryanplasma/rplas-SIGMA-547-page-37 
[OSCD] Add Files Dropped to Program Files by Non-Priviledged Process Rule
 2021-01-06 00:22:57 +03:00
yugoslavskiy a5bbccf16c Merge pull request #1214 from tas-kmanager/mt-oscd-sigma547-48-alternative 
[OSCD] Always Install Elevated Alternative
 2021-01-06 00:22:37 +03:00
yugoslavskiy a217a3cfc7 Merge pull request #1213 from alx1m1k/oscd 
[OSCD] T1552.003: Suspicious history file operations - Linux/macOS
 2021-01-06 00:21:19 +03:00