 yugoslavskiy
|
fc1fa23440
|
Merge pull request #1191 from vburov/patch-14
[OSCD] Create powershell_cmdline_special_characters.yml
|
2021-01-06 00:18:12 +03:00 |
|
|
yugoslavskiy
|
cfbd10ab8b
|
Merge pull request #1186 from nsaddler/lolbas107_2
[OSCD] LOLBAS CL_Mutexverifiers - powershell
|
2021-01-06 00:17:54 +03:00 |
|
|
yugoslavskiy
|
9d1c695204
|
Merge pull request #1184 from nsaddler/lolbas106_1
[OSCD] LOLBAS CL_Invocation - powershell
|
2021-01-06 00:17:10 +03:00 |
|
|
yugoslavskiy
|
8e6b77fc4f
|
Merge pull request #1177 from OpalSec/oscd
[OSCD] Tasks 24, 25 & 26: Detection for Invoke-Obfuscation CLIP+, STDIN+ & VAR+ Launchers
|
2021-01-06 00:16:34 +03:00 |
|
|
yugoslavskiy
|
b56a7181ce
|
Merge pull request #1157 from invrep-de/oscd
[OSCD] Bad Opsec Powershell Artifacts
|
2021-01-06 00:11:24 +03:00 |
|
|
yugoslavskiy
|
a82c559816
|
Merge pull request #1130 from vburov/patch-13
[OSCD] Create powershell_cmdline_specific_encoded_methods.yml
|
2021-01-05 23:16:24 +03:00 |
|
|
yugoslavskiy
|
32aea9ad2b
|
Merge pull request #1098 from NikitaStormwind/regular31
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (4104, 4103)
|
2021-01-05 23:10:28 +03:00 |
|
|
yugoslavskiy
|
a028cdf1ee
|
Update powershell_shellcode_b64.yml
|
2020-12-01 02:24:35 +01:00 |
|
|
yugoslavskiy
|
7309fb7d0e
|
Update powershell_winlogon_helper_dll.yml
|
2020-12-01 02:23:02 +01:00 |
|
|
Jonhnathan
|
a9fde0117b
|
Merge branch 'oscd' into oscd_rules_improvement
|
2020-11-28 14:52:31 -03:00 |
|
|
yugoslavskiy
|
2e5e4a20d2
|
Update powershell_clear_powershell_history.yml
|
2020-11-28 09:26:18 +01:00 |
|
|
Jonhnathan
|
784cab1dfe
|
Fix missing logic and Field
|
2020-11-26 22:46:17 -03:00 |
|
|
Jonhnathan
|
728276ef13
|
Improve Logic
|
2020-11-20 01:22:20 -03:00 |
|
|
Jonhnathan
|
ee43919eec
|
Change detection logic
|
2020-11-20 01:05:06 -03:00 |
|
|
nsaddler
|
07f777d1b5
|
Update powershell_CL_Mutexverifiers_LOLScript_v2.yml
|
2020-10-28 19:32:18 +03:00 |
|
|
nsaddler
|
7ee644eac0
|
Update powershell_CL_Invocation_LOLScript_v2.yml
|
2020-10-28 19:30:21 +03:00 |
|
|
nsaddler
|
d0a796439b
|
Update powershell_CL_Invocation_LOLScript.yml
|
2020-10-28 19:25:43 +03:00 |
|
|
Наталья Шорникова
|
a4a3e01f25
|
Splitting into two rules
|
2020-10-28 19:13:29 +03:00 |
|
|
Наталья Шорникова
|
55a7fe6b9d
|
Splitting into two rules
|
2020-10-28 19:08:23 +03:00 |
|
|
OpalSec
|
ca09ae5039
|
Modification of search logic per advice from @zinint
Edited suggested searches to improve performance:
VAR+
16ms: .*cmd.*(?:\/c|\/r).*set.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
6ms: .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
STDIN+
7ms: .*cmd.*(?:\/c|\/r).*powershell.+(?:\$\{?input}?|noexit).*\"
3ms: .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"
CLIP+
28ms: .*cmd.*(?:\/c|\/r).*\|.*clip(?:\.exe)?.*&&.*clipboard]::\(\s\\\"\{\d\}.*\-f.*\"
11ms: .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
|
2020-10-18 21:15:43 +11:00 |
|
|
nsaddler
|
3aa2a73ba7
|
Update powershell_CL_Invocation_LOLScript.yml
|
2020-10-18 10:38:40 +03:00 |
|
|
nsaddler
|
a6f00d6acc
|
Update powershell_CL_Invocation_LOLScript.yml
|
2020-10-18 02:48:21 +03:00 |
|
|
Vasiliy Burov
|
700ed134bc
|
Update powershell_cmdline_special_characters.yml
|
2020-10-16 10:18:37 +03:00 |
|
|
Vasiliy Burov
|
d2184aee5e
|
Update powershell_cmdline_special_characters.yml
|
2020-10-16 09:58:59 +03:00 |
|
|
Jonhnathan
|
fc6c727c70
|
Update powershell_malicious_commandlets.yml
|
2020-10-15 20:59:27 -03:00 |
|
|
Jonhnathan
|
ce4e22750d
|
Update powershell_winlogon_helper_dll.yml
|
2020-10-15 17:15:23 -03:00 |
|
|
Jonhnathan
|
efe9c2d3d6
|
Update powershell_shellcode_b64.yml
|
2020-10-15 17:14:01 -03:00 |
|
|
Jonhnathan
|
013533fceb
|
Update powershell_prompt_credentials.yml
|
2020-10-15 17:13:16 -03:00 |
|
|
Jonhnathan
|
8cf2596068
|
Update powershell_malicious_keywords.yml
|
2020-10-15 17:12:08 -03:00 |
|
|
Jonhnathan
|
ec10d5a61f
|
Update powershell_malicious_commandlets.yml
|
2020-10-15 17:11:20 -03:00 |
|
|
Jonhnathan
|
4a3607d50b
|
Update powershell_exe_calling_ps.yml
|
2020-10-15 17:09:47 -03:00 |
|
|
Vasiliy Burov
|
b10332dde8
|
Update powershell_cmdline_special_characters.yml
|
2020-10-15 21:31:24 +03:00 |
|
|
Vasiliy Burov
|
ea1a288cc8
|
Update powershell_cmdline_special_characters.yml
|
2020-10-15 20:55:12 +03:00 |
|
|
Vasiliy Burov
|
2657a0219c
|
Update powershell_cmdline_special_characters.yml
|
2020-10-15 20:33:56 +03:00 |
|
|
Vasiliy Burov
|
d27574ce08
|
Update powershell_cmdline_special_characters.yml
|
2020-10-15 20:07:59 +03:00 |
|
|
Vasiliy Burov
|
1838aac682
|
Update powershell_cmdline_special_characters.yml
|
2020-10-15 20:04:49 +03:00 |
|
|
Vasiliy Burov
|
fa7036430e
|
Update powershell_cmdline_special_characters.yml
|
2020-10-15 19:39:24 +03:00 |
|
|
Vasiliy Burov
|
1b0d4e546f
|
Create powershell_cmdline_special_characters.yml
|
2020-10-15 19:04:22 +03:00 |
|
|
Наталья Шорникова
|
ef8f5e626f
|
Adding powershell_CL_Mutexverifiers_LOLScript.yml Rule
|
2020-10-15 17:55:11 +03:00 |
|
|
Наталья Шорникова
|
e8f21bc094
|
Adding powershell_CL_Invocation_LOLScript.yml Rule
|
2020-10-15 17:41:52 +03:00 |
|
|
OpalSec
|
ffbcb402e3
|
Creation of Rules for Task 24 - Invoke-Obfuscation VAR+ Launcher
|
2020-10-15 21:36:27 +11:00 |
|
|
OpalSec
|
762840ec25
|
Creation of Rules for Task 25 - Invoke-Obfuscation STDIN+ Launcher
|
2020-10-15 17:59:36 +11:00 |
|
|
OpalSec
|
df7bd91ffb
|
Create powershell_invoke_obfuscation_clip+.yml
|
2020-10-15 17:50:27 +11:00 |
|
|
invrep-de
|
3be21d5478
|
Some minor formatting updates;
Formatting updates;
|
2020-10-14 16:55:52 -04:00 |
|
|
invrep-de
|
8f28c16d6e
|
Some further updates to fix spacing;
Some further updates to fix spacing;
|
2020-10-14 15:42:19 -04:00 |
|
|
invrep-de
|
637065fd97
|
Some minor updates to address spacing;
Some further minor updates to address spacing;
|
2020-10-14 15:41:31 -04:00 |
|
|
invrep-de
|
2672b10808
|
Some minor restructuring to incorporate the feedback from the oscd team;
Some minor restructuring to incorporate the feedback from the oscd team;
|
2020-10-14 15:37:15 -04:00 |
|
|
Thomas Patzke
|
6cc33e5989
|
Merge pull request #1060 from svch0stz/oscd6
[OSCD] Created powershell_suspicious_mounted_share_deletion.yml
|
2020-10-13 22:59:25 +02:00 |
|
|
Thomas Patzke
|
08eec2b6e6
|
Merge pull request #1094 from NikitaStormwind/Regular30
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (4104, 4103)
|
2020-10-13 21:43:16 +02:00 |
|
|
Thomas Patzke
|
5f4d60951d
|
Merge pull request #1112 from NikitaStormwind/regular29(1)
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (4104, 4103)
|
2020-10-13 21:34:38 +02:00 |
|