security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

10511 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth dca5a7a248 Merge pull request #432 from EccoTheFlintstone/master 
add/modify powershell Empire rules
 2019-09-02 11:40:36 +02:00
ecco 5f30e52739 add/modify powershell Empire rules 2019-09-02 05:04:44 -04:00
Florian Roth d9606067a6 rule: MuddyWater script execution 2019-08-31 08:50:59 +02:00
Florian Roth ace0cc36c6 rule: improved csc rule 2019-08-31 08:44:09 +02:00
Florian Roth 7cc26e30b4 docs: renamed file name 2019-08-30 12:04:20 +02:00
Florian Roth f8785e722f docs: changed title and description of rule 2019-08-30 12:03:42 +02:00
Florian Roth ba46d6b4de docs: added reference to rule 2019-08-30 11:55:02 +02:00
Florian Roth 398ef9c6aa rules: teardown implant, apt28 ua 2019-08-30 11:53:55 +02:00
Florian Roth a3349823e5 rule: implant teardown 2019-08-30 11:48:51 +02:00
Florian Roth 8a078b6c86 rule: APT28 UA 2019-08-30 11:48:38 +02:00
Lep dfe6b968c0 addins 2019-08-29 15:48:42 +07:00
Lep af264c049b end space 2019-08-29 15:43:36 +07:00
Lep c95a17b061 process_creation 2019-08-28 17:30:13 +07:00
Lep ba30b4929c process_creation update 2019-08-28 17:13:54 +07:00
Florian Roth f2c44c80b6 Merge branch 'master' into rule-devel 
# Conflicts:
#	rules/windows/process_creation/win_encoded_frombase64string.yml
#	rules/windows/process_creation/win_susp_csc_folder.yml
 2019-08-28 09:21:25 +02:00
Florian Roth f71dc41531 rule: extended csc rule 2019-08-28 09:00:43 +02:00
Florian Roth 406b40af11 rule: suspicious msbuild folder 2019-08-28 09:00:35 +02:00
Lep 8b6bd45b0b rules for APT32 2019-08-28 10:12:01 +07:00
Florian Roth fe8f040863 Merge pull request #429 from weev3/master 
Control Panel Item, MITRE_ID=T1196
 2019-08-27 14:24:56 +02:00
Florian Roth ca2019b57f fix: typo in MITRE tag 2019-08-27 12:32:56 +02:00
Florian Roth 6b7cd94197 Changes 2019-08-27 12:23:42 +02:00
weev3 d42a51372d Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30
Steven Goossens cb088e4911 Remove quotes from around the fields to make the query semantically correct 2019-08-26 12:43:26 +00:00
Steven Goossens ad19f05e2c Include mapped names rather then signature names 2019-08-26 12:06:20 +00:00
Steven Goossens 37caccd52e Includes the trial condition so generic query is generated whenever the fields are not defined 2019-08-26 11:48:40 +00:00
Steven Goossens 895682aef2 Implementing the fields to be selected 2019-08-26 10:57:43 +00:00
Thomas Patzke 59a6a0c523 Added ATT&CK technique to rule test 2019-08-25 10:13:11 +02:00
Florian Roth 70a26a6132 fix: fixed MITRE tags 2019-08-24 13:58:54 +02:00
Florian Roth c321fc2680 rule: csc.exe suspicious source folder 2019-08-24 13:53:15 +02:00
Florian Roth b32ed3c817 rules: encoded FromBase64String keyword 2019-08-24 13:53:05 +02:00
Florian Roth 1dfd560299 rule: csc.exe suspicious source folder 2019-08-24 13:49:40 +02:00
Florian Roth a137a1380b rules: encoded FromBase64String keyword 2019-08-24 12:38:51 +02:00
Florian Roth c9a4e6fe8a rule: process creations in env var folders 2019-08-24 08:26:37 +02:00
Florian Roth 87ce52f6fe fix: fixed wrong MITRE tag 2019-08-23 23:19:39 +02:00
Florian Roth 5bd242cb21 rule: encoded IEX 2019-08-23 23:13:36 +02:00
Thomas Patzke 68fb56f503 Merge pull request #345 from ki11oFF/patch-1 
Detection of usage mimikatz trough WinRM
 2019-08-23 23:04:07 +02:00
Thomas Patzke 945f45ebd7 Merge pull request #399 from yugoslavskiy/win_rdp_potential_cve-2019-0708_improvement 
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved
 2019-08-23 23:01:25 +02:00
Thomas Patzke fc08e3c5b7 Merge pull request #398 from yugoslavskiy/win_susp_add_sid_history_improvement 
Win susp add sid history improvement
 2019-08-23 22:58:46 +02:00
Thomas Patzke 9d3232cf90 Merge pull request #424 from import-au/master 
Support for Malicious cmdlets in ATP
 2019-08-23 22:57:06 +02:00
Florian Roth cc01f76e99 docs: minor changes 2019-08-22 14:22:55 +02:00
Florian Roth c291038ebe rule: renamed powershell 2019-08-22 14:22:55 +02:00
agold 0984293d0c Support for Malicious cmdlets in ATP 2019-08-20 14:33:08 -07:00
Florian Roth 1bfe925f6b Merge pull request #422 from EccoTheFlintstone/master 
Windows process suspicious parents: filter NULL values to remove false positives
 2019-08-20 11:59:16 +02:00
ecco d0a24f4409 filter NULL values to remove false positives 2019-08-20 05:10:41 -04:00
Thomas Patzke 50874c2323 Merge pull request #420 from svent/improve_qradar_backend 
Improve qradar backend
 2019-08-13 08:38:16 +02:00
svent 1ea6d00a39 Fix QRadar field name escaping and handling 2019-08-12 23:47:43 +02:00
svent 826c1e3942 Fix QRadar backend config 2019-08-12 23:47:43 +02:00
Thomas Patzke e1b1db8cca Merge pull request #416 from NVISO-BE/es-dsl-wildcard-fix 
Correctly escape slashes within es-dsl wildcard queries (issue #387)
 2019-08-11 23:19:59 +02:00
Thomas Patzke 2f97300ea2 Pipenv packaging 2019-08-09 14:43:29 +02:00
Florian Roth f328734274 Merge pull request #417 from Karneades/patch-2 
improve(rule): add Empire links and userland match
 2019-08-09 14:36:17 +02:00