Tiago Faria 0xtf

title: NIDS FireEye Breached Red Team Tool Detected
id: ce129fbc-5c2e-4e49-ac2d-9742afa10c25
status: experimental
description: A red team tool, from the FireEye breach, has been detected.
author: 3CORESec
date: 2020/12/09
modified: 2020/12/10
references:
- https://github.com/fireeye/red_team_tool_countermeasures
tags:
0xtf / 3cs-rule-example.yaml (created December 16, 2020 05:20)
SIEGMA rule example / 3CORESec Rule Development
title: Windows ETW Tampering
id: 29d02e66-cc4e-4cd4-8fd3-7e729e1a230d
status: experimental
description: Detects commands that remove, disable, stop or tamper tracing sessions relevant to security.
author: 3CORESec
date: 2020/11/16
references:
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://github.com/Neo23x0/sigma/blob/8f6ad7df6b7f099db4bc1e867c4614074ea57e87/rules/windows/process_creation/win_etw_trace_evasion.yml
tags: