4A616D6573
c8e5fc4e6d
Revert "Create win_susp_local_anon_logon_created.yml"
...
This reverts commit d174e172b0.
2019-10-31 21:49:57 +11:00
4A616D6573
d174e172b0
Create win_susp_local_anon_logon_created.yml
2019-10-31 21:44:47 +11:00
Florian Roth
3107c0c268
rule: Formbook rule improved
2019-10-31 09:32:18 +01:00
zinint
60bf34e220
T1042
2019-10-30 23:30:56 +03:00
zinint
12ef86fcbe
t1040
2019-10-30 23:18:37 +03:00
zinint
b3b203e5b1
t1040
2019-10-30 23:15:19 +03:00
zinint
11e7bdc727
Update lnx_network_sniffing.yml
2019-10-30 22:59:46 +03:00
zinint
fd09c00b35
Update lnx_network_sniffing.yml
2019-10-30 20:59:07 +03:00
Florian Roth
4741b6a4d6
rule: Mustang Panda dropper
2019-10-30 18:22:40 +01:00
Florian Roth
d661771608
rule: another DTRACK reference
2019-10-30 18:22:25 +01:00
zinint
3d106d8e7f
Update lnx_network_sniffing.yml
2019-10-30 19:11:51 +03:00
zinint
e0c5479f0a
Update lnx_network_sniffing.yml
2019-10-30 19:10:48 +03:00
zinint
b5b40f2861
Update lnx_network_sniffing.yml
2019-10-30 19:07:05 +03:00
zinint
cc4a8df5e3
Update lnx_network_sniffing.yml
2019-10-30 19:06:53 +03:00
zinint
7e3d8ccaf3
T1040
2019-10-30 19:05:50 +03:00
Florian Roth
3ac28f3eed
rule: DTRACK process creation
2019-10-30 15:16:33 +01:00
Thomas Patzke
219f00e3fb
Added command line parameter
...
Implements #418
2019-10-29 23:04:28 +01:00
Thomas Patzke
2eeccf48e0
Removed line breaks in Elastalert YAML output
...
Fixes #453
2019-10-29 22:45:37 +01:00
Thomas Patzke
f4e9690d6b
Merge pull request #508 from Karneades/fixRule3
...
fix: bound keywords to field in multiple PS rules
2019-10-29 22:34:08 +01:00
Thomas Patzke
78d8ca2b41
Merge pull request #507 from Karneades/fixRule2
...
fix: bound keywords to field in PS cred prompt rule
2019-10-29 22:31:01 +01:00
Thomas Patzke
40df0d4534
Merge pull request #506 from Karneades/fixRule1
...
fix: bound keywords to field in WMI persistence rule
2019-10-29 22:30:27 +01:00
Thomas Patzke
6eb49fc1ce
Merge pull request #509 from Karneades/fixRule4
...
fix: change keyword and bound it to a field in PS rule
2019-10-29 22:27:54 +01:00
Thomas Patzke
b6403793c1
Fixed escaping in rule
2019-10-29 22:06:23 +01:00
zinint
4a560e9375
T1002
2019-10-29 22:56:45 +03:00
zinint
583980f8ec
Delete win_data_compressed.yml
2019-10-29 22:56:30 +03:00
zinint
4eb7965662
T1002
2019-10-29 22:54:42 +03:00
zinint
950796f71f
Update lnx_auditd_masquerading_crond.yml
2019-10-29 22:48:39 +03:00
zinint
c5599399b5
Update lnx_auditd_masquerading_crond.yml
2019-10-29 22:48:00 +03:00
zinint
47f7d648a3
T1036
2019-10-29 22:33:03 +03:00
Karneades
ab5556ae8c
fix: change keyword and bound it to a field
2019-10-29 19:59:43 +01:00
Karneades
aafab2e936
fix: bound keywords to field in multiple PS rules
...
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
2019-10-29 19:53:18 +01:00
Karneades
f31750e567
fix: bound keywords to field in PS cred prompt rule
2019-10-29 19:43:04 +01:00
Karneades
cd20e4a3fc
fix: bound keywords to field in WMI persistence rule
...
See #501.
2019-10-29 19:22:41 +01:00
zinint
c243c4e210
T1035
2019-10-29 20:58:52 +03:00
booberry46
36fe748c2e
Update win_rdp_reverse_tunnel.yml
...
With the recent example for the evtx. RDP Tunneling can happen not only from port 3389. So I tune it to fit in general.
Changed the obsolete Twitter status with linkage to the evtx from Samir Bousseaden.
2019-10-29 17:25:37 +08:00
darkquasar
cb6eb35913
adding some more suspicious PS keywords
...
found in multiple internally analyzed malicious scripts (in the wild and as a result of engagements)
2019-10-28 22:14:14 -07:00
darkquasar
96643b5446
New rule Suspicious Remote Thread Created
2019-10-28 22:12:57 -07:00
darkquasar
551d3d653c
Dumping Lsass.exe memory with MiniDumpWriteDump API
2019-10-28 22:11:55 -07:00
darkquasar
a6b24da6dd
Adding rule Suspicious In-Memory Module Execution
2019-10-28 22:07:26 -07:00
alx1m1k
116d17c9b1
Merge pull request #1 from yugoslavskiy/oscd
...
fix some typos and remove redundant references
2019-10-29 08:04:04 +03:00
Yugoslavskiy Daniil
fd606cb376
spaces fix
2019-10-29 03:59:07 +03:00
Yugoslavskiy Daniil
4251d9f490
ilyas ochkov contribution
2019-10-29 03:44:22 +03:00
Yugoslavskiy Daniil
3376cf4dd8
fix some typos and remove redundant references
2019-10-29 01:40:06 +03:00
Thomas Patzke
632c45843b
Merge pull request #500 from refractionPOINT/master
...
Adding LimaCharlie to the README's supported targets.
2019-10-28 21:17:30 +01:00
Maxime Lamothe-Brassard
f01913c996
Adding LimaCharlie to the README's supported targets.
2019-10-28 14:48:04 -05:00
Thomas Patzke
6a76f5950b
Merge pull request #499 from refractionPOINT/master
...
Adding Backend for LimaCharlie D&R rules
2019-10-28 20:38:33 +01:00
Maxime Lamothe-Brassard
f6fb9c7f5f
Fixing typo in response metadata.
2019-10-28 11:31:50 -05:00
Maxime Lamothe-Brassard
2873e1ded3
Small refactors to make more readable and remove deprecated code paths to increase coverage.
2019-10-28 10:49:05 -05:00
Florian Roth
8ff85499c8
rule: svchost dll search order hijack
2019-10-28 12:03:03 +01:00
Florian Roth
1a3444d0ef
docs: comment on rule expression
2019-10-28 12:02:46 +01:00