security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,076 Commits 1 Branch 57 Tags
f29ffc06974c0e5e80d83bb013ae8a6accedc708
Commit Graph

184 Commits

Author SHA1 Message Date
Karneades cc82207882 Add group by to win multiple suspicious cli rule 
* For the detection it's important that these cli
  tools are started on the same machine for alerting.
 2018-09-23 19:38:23 +02:00
Thomas Patzke 81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth 82916f0cff Merge pull request #159 from t0x1c-1/t0x1c-devel 
Suspicious SYSVOL Domain Group Policy Access
 2018-09-08 15:56:54 +02:00
Florian Roth 6f5a73b2e2 style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
John Lambert 7ce5b3515b Create win_susp_powershell_hidden_b64_cmd.yml 
Look in process creation events for powershell commands with base64 encoded content containing suspicious keywords. Require hidden flag to reduce FP.
 2018-09-07 20:23:11 -07:00
Florian Roth 3c240be8a8 fix: more duplicate 'tag' keys in rules 2018-09-04 16:15:02 +02:00
Florian Roth 9c878bef79 fix: duplicate 'tag' key in rule 2018-09-04 16:05:21 +02:00
t0x1c-1 afadda8c04 Suspicious SYSVOL Domain Group Policy Access 2018-09-04 15:52:25 +02:00
Florian Roth d94c1d2046 fix: duplicate 'tag' key in rule 2018-09-04 14:56:55 +02:00
Florian Roth 9cb78558d3 Rule: excluded false positives in rule 2018-09-03 12:02:42 +02:00
Florian Roth b57f3ded64 Rule: GRR false positives 2018-09-03 11:50:34 +02:00
Florian Roth 2a0fcf6bea Rule: PowerShell encoded command JAB 2018-09-03 10:08:29 +02:00
Thomas Patzke ee15b451b4 Fixed log source name 2018-08-27 23:45:30 +02:00
Unknown 2f256aa1ef Adding LSASS Access Detected via Attack Surface Reduction 2018-08-27 10:38:45 +02:00
Florian Roth 5b3175d1d6 Rule: Suspicious procdump use on lsass process 2018-08-26 19:53:57 +02:00
Florian Roth f47a5c2206 fix: Author list to string 2018-08-23 09:40:28 +02:00
Florian Roth 6ee31f6cd1 Update win_susp_commands_recon_activity.yml 
Merged recon commands from @yt0ng's rule
 2018-08-22 17:00:00 +02:00
Florian Roth 92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Florian Roth acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth 1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Thomas Patzke 0d8bc922a3 Merge branch 'master' into master 2018-07-24 08:23:37 +02:00
David Spautz e275d44462 Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00
James Dickenson c4edc26267 windows builtin mitre attack tags 2018-07-23 21:34:20 -07:00
megan201296 a169723005 fixed typo 2018-07-13 13:53:21 -05:00
Thomas Patzke 2dc5295abf Removed redundant attribute from rule 2018-07-10 22:50:02 +02:00
Florian Roth dea019f89d fix: some threat levels adjusted 2018-07-07 13:00:23 -06:00
Florian Roth c3bf968462 High FP Rule 2018-06-29 16:01:46 +02:00
Florian Roth c26c3ee426 Trying to fix rule 2018-06-28 16:39:47 +02:00
Florian Roth 9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
scherma 19ba5df207 False positive circumstance 2018-06-27 21:14:38 +01:00
Florian Roth 86e6518764 Changed (any) statements to (not null) to comply with the newest specs 2018-06-27 20:57:58 +02:00
Florian Roth a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth 9705366060 Adjusted some rules 2018-06-27 16:54:44 +02:00
Florian Roth 28a7e64212 Rule: Sysprep on AppData folder 2018-06-22 14:02:55 +02:00
Thomas Patzke 7d1b801858 Merge branch 'devel-sigmac-wdatp' 2018-06-22 00:43:23 +02:00
Thomas Patzke df6ad82770 Removed redundant attribute from rule 
EventID 4657 already implies the modification.
 2018-06-21 23:59:55 +02:00
Florian Roth 946c946366 Rule: NTLM logon 2018-06-13 00:08:46 +02:00
Florian Roth e23cdafb85 Rule: Fixed missing description 2018-06-13 00:08:46 +02:00
Florian Roth 9c817a493b Rule: DCSync 2018-06-03 16:00:57 +02:00
Florian Roth 8e500d2caa Bugfix in rule 2018-05-29 14:11:12 +02:00
Florian Roth 2db00b8559 Rule: whoami execution 2018-05-22 16:59:58 +02:00
Thomas Patzke 079c04f28d Fixed rule scope 2018-05-18 14:23:52 +02:00
Thomas Patzke 6a3fcdc68c Unified 0x values with other rules 2018-05-13 22:28:43 +02:00
Florian Roth 49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Florian Roth 8420d3174a Reordered 2018-04-18 16:34:16 +02:00
yt0ng c637c2e590 Adding Detections for renamed wmic and format 
https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/mattifestation/status/986280382042595328
 2018-04-18 15:02:52 +02:00
Florian Roth 9b8df865b1 Extended rule 2018-04-18 12:13:45 +02:00
yt0ng a4fb39a336 also for http 2018-04-18 08:19:47 +02:00
yt0ng 169a4404c2 added SquiblyTwo Detection 2018-04-17 21:33:26 +02:00
Thomas Patzke a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00