security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

850 Commits

Author SHA1 Message Date
Florian Roth d83f124f5f Rule: Suspicious communication endpoints 2018-08-30 10:12:12 +02:00
Florian Roth e70395744b Rule: Improved Github communication rule 2018-08-30 10:12:12 +02:00
Thomas Patzke d17cc5c07d Merge pull request #157 from yt0ng/development 
Added Detection of Sysinternals Tools via eulaaccepted registry key
 2018-08-28 22:37:00 +02:00
Unknown 75d72344ca Added Detection of Sysinternals Tools via eulaaccepted registry key 2018-08-28 17:36:22 +02:00
Thomas Patzke 6e7208553a Revert "removing for new pull request" 
This reverts commit ca7e8d6468.
 2018-08-27 23:39:29 +02:00
Thomas Patzke 87e39b8768 Fixed rules 2018-08-26 22:30:47 +02:00
yt0ng df9f6688eb Added Deskop Location, RunOnce and ATTCK 
Added C:\Users\tst01\Desktop\unprotected.vbs as seen by FIN7
 2018-08-25 17:32:34 +02:00
yt0ng eda6f3b9ca rules/windows/sysmon/sysmon_powershell_DLL_execution.yml 2018-08-25 16:33:54 +02:00
yt0ng c7d4b4853d removing sysmon_powershell_AMSI_bypass.yml 2018-08-23 10:17:19 +02:00
Thomas Patzke 49af499353 Merge pull request #151 from nikseetharaman/workflow_compiler 
Add Microsoft Workflow Compiler Sysmon Detection
 2018-08-23 08:24:35 +02:00
Thomas Patzke 9235175e26 Fixed rule 
* Added condition
* Replaced Description wirh Image attribute and improved search pattern
 2018-08-23 08:20:28 +02:00
Thomas Patzke 73535e58a5 Merge pull request #153 from megan201296/patch-10 
Add ATT&CK Matrix tags
 2018-08-23 08:06:58 +02:00
Thomas Patzke d647a7de07 Merge pull request #154 from megan201296/patch-11 
Add MITRE ATT&CK tagging
 2018-08-23 08:06:39 +02:00
Florian Roth 040ba0338d fix: Added Event ID in second selection 2018-08-22 17:03:13 +02:00
megan201296 3f5c32c6da Add MITRE ATT&CK tagging 2018-08-22 09:35:06 -05:00
megan201296 76aabe7e05 Add ATT&CK Matrix tags 2018-08-22 09:30:55 -05:00
Nik Seetharaman e371d945ed Add Microsoft Workflow Compiler Sysmon Detection 2018-08-18 00:53:28 -05:00
yt0ng ca7e8d6468 removing for new pull request 2018-08-17 18:42:10 +02:00
yt0ng 5bb6f566ba ::Merge remote-tracking branch 'upstream/master' 2018-08-17 18:39:36 +02:00
yt0ng 8ecf167e85 Powershell AMSI Bypass via .NET Reflection 
[Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
 2018-08-17 18:26:04 +02:00
Thomas Patzke 2715c44173 Converted first Sysmon rule to generic process_execution rule 2018-08-14 21:34:54 +02:00
Thomas Patzke 2c0e76be3d Escaped * where required 2018-08-10 13:53:08 +02:00
Lurkkeli 7cdc13ef11 Update 2018-08-08 17:05:51 +02:00
Lurkkeli 392351af25 Adding ATT&CK tag 2018-08-08 16:43:54 +02:00
Lurkkeli 4d721f1803 Updating fps 2018-08-08 16:42:26 +02:00
Lurkkeli b9f433414d hiding files with attrib.exe 2018-08-08 16:19:39 +02:00
Thomas Patzke 92c0e0321a Merge pull request #144 from samsson/patch-7 
Added att&ck tags
 2018-08-07 11:19:36 +02:00
Lurkkeli a245820519 added att&ck tag 2018-08-07 08:54:53 +02:00
Lurkkeli 294677a2cc added att&ck tag 2018-08-07 08:50:01 +02:00
Lurkkeli a57e87b345 added att&ck tag 2018-08-07 08:49:05 +02:00
Lurkkeli 99253763af added att&ck tag 2018-08-07 08:45:58 +02:00
Lurkkeli 0bff27ec21 added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:37:51 +02:00
Lurkkeli 198cb63182 added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:36:53 +02:00
Thomas Patzke 518e21fcd2 Merge pull request #134 from nikseetharaman/sysmon_cmstp_com_object_access 
Add CMSTP UAC Bypass via COM Object Access
 2018-08-07 08:33:33 +02:00
Thomas Patzke b9fdf07926 Extended tagging 2018-08-07 08:33:18 +02:00
Lurkkeli b50c13dd1f Update att&ck tag 2018-08-07 08:27:24 +02:00
Thomas Patzke 5d5d42eb9b Merge pull request #140 from yt0ng/master 
Possible Shim Database Persistence via sdbinst.exe
 2018-08-07 08:22:32 +02:00
Thomas Patzke 80eaedab8b Fixed tag and date 2018-08-07 08:22:11 +02:00
Thomas Patzke 3509fbd201 Merge pull request #142 from samsson/patch-5 
Added ATT&CK tag
 2018-08-07 08:20:22 +02:00
Thomas Patzke b049210641 Fixed tags 2018-08-07 08:20:09 +02:00
Lurkkeli 3456f9a74d Update sysmon_susp_wmi_execution.yml 2018-08-07 08:19:58 +02:00
Thomas Patzke 64fa3b162d Tag fixes 2018-08-07 08:18:16 +02:00
Lurkkeli 6472be5e19 Update sysmon_uac_bypass_sdclt.yml 2018-08-07 08:08:53 +02:00
Lurkkeli 21bee17ffd Update sysmon_uac_bypass_eventvwr.yml 2018-08-07 08:07:49 +02:00
yt0ng fc091fe3d7 Added ATTCK Mapping 2018-08-05 14:00:22 +02:00
yt0ng b65cb5eaca Possible Shim Database Persistence via sdbinst.exe 2018-08-05 13:55:04 +02:00
Nik Seetharaman b938fdb0a3 Add CMSTP UAC Bypass via COM Object Access 2018-07-27 02:28:28 -05:00
James Dickenson 5fc118dcac added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
Florian Roth a9fcecab88 Merge pull request #130 from samsson/patch-4 
Fixed typo / Created a rule
 2018-07-26 22:34:46 +02:00
Florian Roth 089498b0b3 Merge pull request #131 from yt0ng/master 
Possible SafetyKatz Dump of debug.bin
 2018-07-25 07:41:38 +02:00