security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,749 Commits 1 Branch 57 Tags
f00aaf8461f97abec19f81aa4fc0edaa76ff6cf1
Commit Graph

61 Commits

Author SHA1 Message Date
phantinuss 3a9e10d081 bulk of new rules to match working UACMe UAC bypasses 2021-08-31 12:51:21 +02:00
SomeOne 295054dcbe Replace old mitre techniques by new one 2021-08-22 13:57:56 +02:00
Austin Songer c9128687ee Spelling Errors on Rules 2021-08-18 18:58:20 +00:00
phantinuss 246ba0c17f generalise amsi bypass rule to CobaltStrike BOF injection pattern 
generalise to CobaltStrike BOF injection pattern
 2021-08-13 15:34:01 +02:00
phantinuss 62eca463ac new rule LittleCorporal generated maldoc process injection 2021-08-11 09:25:23 +02:00
Florian Roth eb247704fe Merge pull request #1761 from d4rk-d4nph3/master 
Added rule for Cabinet file expansion and Pypykatz
 2021-08-05 15:50:12 +02:00
phantinuss 882ea7ec22 fix: remove unnecessary single value list 2021-08-04 15:50:39 +02:00
phantinuss 994701bd8e CobaltStrike injected AMSI bypass 2021-08-04 11:28:58 +02:00
Bhabesh Rai 85b88c7646 Added rule for pypykatz 2021-08-03 15:06:27 +05:45
phantinuss 9833cc34e5 direct syscall to NtOpenProcess 2021-07-28 15:14:30 +02:00
frack113 895a2f6154 fix 3 times the same name file 2021-07-02 11:01:07 +02:00
Bhabesh Rai 206adbb2b6 Merging upstream updates 2021-07-01 12:18:30 +05:45
wagga40 11df697cdc Updated rules with modifiers instead of '*' and remove trailing '\\' 2021-06-27 14:51:29 +02:00
frack113 edfb67ddc7 fix TargetImage|endswith 2021-06-21 21:21:34 +02:00
frack113 6558a5b110 fix TargetImage|endswith 2021-06-21 21:19:04 +02:00
frack113 0bc04605cb fix TargetImage|endswith 2021-06-21 21:14:36 +02:00
Florian Roth 0377a30893 fix: several issues 2021-06-14 09:42:25 +02:00
luffynextgen 6fd7979659 Update sysmon_svchost_cred_dump.yml 2021-06-14 08:52:16 +02:00
luffynextgen e170a4a12a Update sysmon_svchost_cred_dump.yml 
following the advices given to me I changed the category and the filter to be closer to sysmon field.
 2021-06-10 14:04:58 +02:00
luffynextgen c75d92410d Create sysmon_svchost_cred_dump.yml 2021-06-10 09:30:08 +02:00
Florian Roth 5cf7078fb3 Merge pull request #1484 from ZikyHD/filter_sysmon_in_memory_assembly_execution 
Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution…
 2021-05-27 12:55:31 +02:00
Florian Roth 8d834cf681 Merge pull request #1480 from ZikyHD/fix_sysmon_cred_dump_lsass_access 
Add Windows Defender on WL
 2021-05-27 12:54:15 +02:00
Florian Roth adbdb5b22f Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
Florian Roth 9b7fb0c0f3 Update win_susp_shell_spawn_from_winrm.yml 2021-05-22 15:28:50 +02:00
frack113 dec9e68876 Fix falsepositives list 2021-05-21 12:38:44 +02:00
frack113 6630ec7c41 Fix falsepositives list 2021-05-21 12:23:09 +02:00
Andreas Hunkeler 226a666827 rule: add rule to detect shell spawn from WinRM host process 2021-05-20 16:05:13 +02:00
SomeOne e46ae5a28c Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution rule 2021-05-16 16:03:33 +02:00
SomeOne a788cd43ee Add Windows Defender on WL 2021-05-16 14:10:33 +02:00
Thomas Patzke 3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
Thomas Patzke 90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
Anton Kutepov 3f45269296 Merge branch 'oscd' 
B
B
B
B
A
 2021-03-02 22:58:41 +03:00
yugoslavskiy c7e9522f29 Merge pull request #1077 from uchakin/oscd 
[OSCD] UAC bypass added
 2021-01-05 23:06:24 +03:00
Daniel Masse d2edf715f2 Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00
yugoslavskiy 5eec5d485b Update sysmon_in_memory_assembly_execution.yml 2020-11-28 10:55:18 +01:00
Jonhnathan f61317b2f9 Update sysmon_in_memory_assembly_execution.yml 2020-11-26 22:50:48 -03:00
Jonhnathan ab2edd1ff0 Update sysmon_malware_verclsid_shellcode.yml 2020-11-20 01:34:43 -03:00
Jonhnathan 240a8b9aa0 Update sysmon_lazagne_cred_dump_lsass_access.yml 2020-11-20 01:33:04 -03:00
Jonhnathan ebd9973dcb Update sysmon_lazagne_cred_dump_lsass_access.yml 2020-11-20 01:32:41 -03:00
Jonhnathan 2194744803 Update sysmon_invoke_phantom.yml 2020-11-20 01:30:58 -03:00
Jonhnathan 4af7f00f4a Improve logic 2020-11-20 01:30:01 -03:00
Roberto Rodriguez 972326f761 A few more - 7 Rules 2020-10-29 21:11:41 -04:00
uchakin 247a4101a7 Update sysmon_load_undocumented_autoelevated_com_interface.yml 2020-10-15 23:37:11 +03:00
Jonhnathan e0c538fdd4 Update sysmon_malware_verclsid_shellcode.yml 2020-10-15 17:19:06 -03:00
Jonhnathan 93faca413e Update sysmon_lsass_memdump.yml 2020-10-15 17:17:57 -03:00
Jonhnathan af5c88e5d5 Update sysmon_lazagne_cred_dump_lsass_access.yml 2020-10-15 17:17:39 -03:00
Jonhnathan a554c3df23 Update sysmon_invoke_phantom.yml 2020-10-15 17:17:19 -03:00
Jonhnathan 1878aa5fbd Update sysmon_cmstp_execution.yml 2020-10-15 17:16:50 -03:00
uchakin a7e5b0ac40 Some fixes for rules 2020-10-14 19:06:59 +03:00
uchakin a73dbd0a5d Fix titles 2020-10-07 22:27:48 +03:00