security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,541 Commits 1 Branch 57 Tags
eb690d8902cd89698eccec930b7febaaac9efb01
Commit Graph

1541 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Karneades eb690d8902 Remove too loose filter in mshta rule 2019-04-04 22:16:24 +02:00
Florian Roth 81693d81b6 Merge pull request #295 from sbousseaden/master 
Create win_atsvc_task.yml
 2019-04-04 18:32:13 +02:00
sbousseaden c4b8f75940 Update win_lm_namedpipe.yml 2019-04-04 18:22:50 +02:00
sbousseaden 22958c45a3 Update win_GPO_scheduledtasks.yml 2019-04-03 21:50:55 +02:00
sbousseaden b4ac9a432f Update win_susp_psexec.yml 2019-04-03 21:50:25 +02:00
sbousseaden 353e457104 Update win_lm_namedpipe.yml 2019-04-03 21:49:58 +02:00
sbousseaden d5818a417b Update win_impacket_secretdump.yml 2019-04-03 21:49:30 +02:00
sbousseaden 9c5575d003 Update win_atsvc_task.yml 2019-04-03 21:48:38 +02:00
sbousseaden edb98f2781 Update win_account_discovery.yml 2019-04-03 21:40:59 +02:00
Florian Roth 2b814011cd Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature 
Add new signature for linux clear command history
 2019-04-03 19:45:06 +02:00
Florian Roth 13f86e9333 Merge pull request #296 from Karneades/patch-1 
Remove backslashes in CommandLine for sticky key rule
 2019-04-03 19:44:02 +02:00
Florian Roth b4b7d810fc Merge pull request #300 from yt0ng/development 
Sqirrel packages manager, EmpireMonkey, WMI Spawning PowerShel
 2019-04-03 19:20:46 +02:00
yt0ng e0459cec1c renamed file 2019-04-03 17:39:17 +02:00
t0x1c-1 7e058e611c WMI spawning PowerShell seen in various attacks 2019-04-03 16:56:45 +02:00
Unknown 9ada22b8e0 adjusted link 2019-04-03 16:40:18 +02:00
Unknown d2e605fc5c Auto stash before rebase of "Neo23x0/master" 2019-04-03 16:25:18 +02:00
Karneades 865d971704 Remove backslashes in CommandLine for sticky key rule 
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
 2019-04-03 16:16:18 +02:00
sbousseaden eda5298457 Create win_account_backdoor_dcsync_rights.yml 2019-04-03 16:16:05 +02:00
sbousseaden 0756b00cdf Create win_susp_psexec.yml 2019-04-03 15:59:46 +02:00
sbousseaden 9c1a5a5264 Create win_lm_namedpipe.yml 2019-04-03 15:48:42 +02:00
sbousseaden 56b68a0266 Create win_GPO_scheduledtasks.yml 2019-04-03 15:36:24 +02:00
sbousseaden b941f6411f Create win_impacket_secretdump.yml 2019-04-03 15:18:42 +02:00
sbousseaden 516c8f3ea1 Create win_account_discovery.yml 2019-04-03 14:41:11 +02:00
sbousseaden 3d69727332 Create sysmon_rdp_settings_hijack.yml 2019-04-03 14:16:25 +02:00
sbousseaden 016261cacf Update sysmon_lsass_memdump.yml 2019-04-03 14:06:49 +02:00
sbousseaden a85c668f6f Update sysmon_lsass_memdump.yml 2019-04-03 14:00:51 +02:00
sbousseaden d62bc41bfb Create win_svcctl_remote_service.yml 2019-04-03 13:58:20 +02:00
sbousseaden 32c6b34746 Create sysmon_lsass_memdump.yml 2019-04-03 13:51:59 +02:00
sbousseaden 548145ce10 Create win_susp_raccess_sensitive_fext.yml 2019-04-03 13:22:42 +02:00
sbousseaden ddb2d92a98 Create sysmon_tsclient_filewrite_startup.yml 2019-04-03 13:19:59 +02:00
sbousseaden e3f99c323b Create win_atsvc_task.yml 2019-04-03 13:08:12 +02:00
Florian Roth 6cc1770351 Merge pull request #294 from Pr0t3an/patch-3 
Update lnx_shell_susp_rev_shells.yml
 2019-04-03 01:07:07 +02:00
Florian Roth b76925f838 Rule: extending rule with /dev/udp 2019-04-02 20:09:13 +02:00
Pr0t3an d067087632 Update lnx_shell_susp_rev_shells.yml 
added 
 - 'bash -i >& /dev/udp/'
        - 'sh -I >$ /dev/udp/'
        - 'sh -i   >$ /dev/tcp/'
 2019-04-02 18:22:18 +01:00
Florian Roth 5c5a16c4d5 Rule: adding xterm -display string to rule 2019-04-02 18:48:18 +02:00
Florian Roth 453bd10e6e Rule: Suspicious reverse shell command lines 2019-04-02 17:03:57 +02:00
Thomas Patzke 8e854b06f6 Specified source to prevent EventID collisions 
Issue #263
 2019-04-01 23:45:55 +02:00
Thomas Patzke 0419ff215a Fixed quoting of single quotes in grep backend 2019-04-01 23:22:05 +02:00
Florian Roth d06a5431eb Changes 2019-04-01 14:03:54 +02:00
Florian Roth c7553dc8a1 Merge pull request #292 from yt0ng/development 
Allow Incoming Connections by Port or Application on Windows Firewall
 2019-04-01 14:02:10 +02:00
Florian Roth e473efb7c3 Trying to fix ATT&CK framework tag 2019-04-01 10:36:35 +02:00
Florian Roth 3f2ce4b71f Lowered level to medium 2019-04-01 09:47:14 +02:00
t0x1c-1 51c42a15a7 Allow Incoming Connections by Port or Application on Windows Firewall 2019-04-01 08:16:56 +02:00
patrick 0242c40360 Add new signature for linux clear command history 2019-03-24 10:10:14 +01:00
Florian Roth ffac77fb37 Rule: extended LockerGoga description 2019-03-22 11:03:48 +01:00
Florian Roth 1adb040e0b Rule: LockerGoga 2019-03-22 10:59:31 +01:00
Florian Roth 2ad2ba9589 fix: rule field fix in proc_creation rule 2019-03-22 10:59:18 +01:00
Thomas Patzke 140a32d8c9 Sigma tools release 0.10 0.10 2019-03-16 01:02:48 +01:00
Thomas Patzke 2dda9a7b77 Moved Sysmon schema XML from contrib directory into module 2019-03-16 00:59:29 +01:00
Thomas Patzke be25aa2c37 Added CAR tags 2019-03-16 00:37:09 +01:00