security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: apply suggestions from code review

Browse Source 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
This commit is contained in:
Nasreddine Bencherchali
2023-05-09 16:04:24 +02:00
committed by GitHub
parent 72d003ea24
commit bbf1e54510
14 changed files with 17 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
+1 -1
View File
@@ -1,7 +1,7 @@
title: PowerShell Script With File Hostname Resolving Capabilities
id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
status: experimental
description: Detects powershell scripts that have capabilities to read files, loop through them and resolve dns host entries.
description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
references:
- https://www.fortypoundhead.com/showcontent.asp?artid=24022
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
+1 -1
View File
@@ -1,7 +1,7 @@
title: PowerShell Script With File Upload Capabilities
id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
status: experimental
description: Detects powershell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
- https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml
+1 -1
View File
@@ -31,5 +31,5 @@ detection:
- "-Value 'Start-Process"
condition: all of selection_*
falsepositives:
- Legitimate administration and tuning scripts that aims to add functionality to a user powershell session
- Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session
level: medium
rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
+1 -1
View File
@@ -1,7 +1,7 @@
title: Veeam Backup Servers Credential Dumping Script Execution
id: 976d6e6f-a04b-4900-9713-0134a353e38b
status: experimental
description: Detects execution of a powershell script that contains calls to the "Veeam.Backup" class, in order to dump credential stored.
description: Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
references:
- https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
- https://labs.withsecure.com/publications/fin7-target-veeam-servers