Merge pull request #3074 from nasbench/master

Fix typo and quick update to "msdt" rule
This commit is contained in:
frack113
2022-06-01 18:34:38 +02:00
committed by GitHub
9 changed files with 14 additions and 11 deletions
@@ -9,10 +9,10 @@ author: frack113
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
definition: Script Block Logging must be enabled
detection:
selection:
ScriptBlockText|contains|all:
ScriptBlockText|contains|all:
- 'New-Object '
- 'System.DirectoryServices.DirectorySearcher'
- '.PropertiesToLoad.Add'
@@ -10,7 +10,7 @@ author: Max Altgelt, Tobias Michalski
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
definition: Script Block Logging must be enabled
detection:
selection:
ScriptBlockText|contains: Invoke-Nightmare
@@ -11,7 +11,7 @@ modified: 2022/05/26
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
definition: Script Block Logging must be enabled
detection:
select_Malicious:
ScriptBlockText|contains:
@@ -16,7 +16,7 @@ author: Bhabesh Raj
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
definition: Script Block Logging must be enabled
detection:
selection:
ScriptBlockText|contains:
@@ -13,7 +13,7 @@ author: Max Altgelt, Tobias Michalski
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
definition: Script Block Logging must be enabled
detection:
selection:
ScriptBlockText|contains:
@@ -14,7 +14,7 @@ modified: 2021/08/04
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
definition: Script Block Logging must be enabled
detection:
PfxCertificate:
ScriptBlockText|contains: 'Export-PfxCertificate'
@@ -13,7 +13,7 @@ modified: 2021/10/16
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
definition: Script Block Logging must be enabled
detection:
select_LSASS:
ScriptBlockText|contains: 'Get-Process lsass'
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
definition: Script Block Logging must be enabled
detection:
selection_4104:
ScriptBlockText|contains|all:
@@ -8,7 +8,7 @@ references:
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
- https://twitter.com/_JohnHammond/status/1531672601067675648
date: 2022/05/29
modified: 2022/05/31
modified: 2022/06/01
logsource:
category: process_creation
product: windows
@@ -19,8 +19,11 @@ detection:
selection_specific_cmd:
CommandLine|contains:
- 'IT_BrowseForFile='
- ' /af ' # For answer files
- '/af ' # For answer files
condition: all of selection_specific_*
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1202
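Review bot: With `'/af '` listed as an alternative to `'IT_BrowseForFile='` inside `selection_specific_cmd`, any msdt invocation that passes an answer file will satisfy this selection on its own, yet `falsepositives` still says `Unknown` for a `level: high` rule; the comment on the same line already acknowledges that `/af` is the legitimate answer-file switch. I would replace the placeholder with something like `- Legitimate use of msdt answer files (/af) by helpdesk or deployment scripting` so triage knows which hits to expect. Dropping the leading space also makes the substring match broader than the old `' /af '` (it no longer requires a delimiter before the switch), which is presumably intended to catch quoted or oddly spaced command lines but is worth a one-line comment stating that intent. The `detection:` block and the other `selection_specific_*` selections referenced by the condition start before this hunk, so I cannot confirm what else has to match alongside this selection.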