7e02555e22
refactor: credential dumper level increased
2021-10-14 14:24:56 +02:00
c202d39acd
Merge pull request #2138 from frack113/conti_ransomware
...
Conti ransomware commandline
2021-10-14 06:31:36 +01:00
4e43fce629
Update powershell_windows_firewall_profile_disabled.yml
2021-10-13 07:01:04 -05:00
5aa62bd342
fix yml
2021-10-12 21:02:15 +02:00
37c637066b
add process_creation_conti_cmd_ransomware.yml
2021-10-12 20:57:12 +02:00
40eed2ec59
Rename powershell_windows_firewall_disabled.yml to powershell_windows_firewall_profile_disabled.yml
2021-10-12 11:57:37 -05:00
d273bc25ea
Create powershell_windows_firewall_disabled.yml
2021-10-12 11:56:37 -05:00
b9fc29bc05
Merge pull request #2131 from frack113/Powershell
...
Powershell order
2021-10-11 15:43:32 +01:00
7497fdb484
Merge pull request #2129 from d4rk-d4nph3/master
...
Added rule for possible persistence via VMTools
2021-10-10 10:55:06 +02:00
1337116d84
Cleanup selection name
2021-10-10 10:17:24 +02:00
a241f526ef
Added more strict path
2021-10-10 07:54:40 +05:45
4ab3ebf6b2
Merge pull request #2128 from OTRF/feature/Susp-ADFS-NamedPipe
...
Detect suspicious named pipe connections to an AD FS WID
2021-10-09 16:47:25 +02:00
2379907f26
docs: extended the description by a word
2021-10-09 16:42:42 +02:00
f475b90ee3
fix: typo in description
2021-10-09 16:41:48 +02:00
5c68c42058
order powershell_script
2021-10-09 10:30:36 +02:00
77749510b7
fix yml
2021-10-09 10:01:40 +02:00
41d098b253
fix yml error
2021-10-09 09:59:21 +02:00
9b0f744f75
order powershell_script
2021-10-09 09:57:45 +02:00
fe7fbfd5fc
order powershell_module
2021-10-09 09:50:49 +02:00
5b49b5ee17
Merge pull request #2130 from phantinuss/master
...
fix: prevent FP triggering of other sources utilising ID 1102
2021-10-08 20:14:08 +02:00
04c37d977b
fix: prevent FP triggering of other sources utilising ID 1102
2021-10-08 16:43:14 +02:00
a45e516f99
Added rule for possible persistence via VMTools
2021-10-08 13:28:35 +05:45
7f17eaeb87
added rule to detect suspicious named pipe connections to an AD FS server
2021-10-08 01:57:22 -04:00
e70d17745e
Update modified field
2021-10-07 18:42:22 +02:00
0ee777e3b4
Fix rule detection logic
...
Changed ParentImage to Image
2021-10-07 14:25:18 +03:00
0d04b469f7
order powershell_classic
2021-10-07 07:40:53 +02:00
6d56e400d2
Merge pull request #2121 from frack113/update_test
...
Update test adding logsource to duplicate logic test
2021-10-06 14:46:48 +02:00
80d09483d9
move to builtin
2021-10-05 07:33:50 +02:00
4f86a245f8
Order file i correct directory
2021-10-05 07:30:43 +02:00
201708c097
Merge pull request #2103 from webboy2015/patch-1
...
Create win_lolbas_execution_of_nltest.exe.yaml
2021-10-05 07:24:05 +02:00
654b5b4bff
Update win_lolbas_execution_of_nltest.yml
2021-10-04 22:08:47 +02:00
fd329f4f9b
Remove unneeded EventID
2021-10-04 21:25:57 +02:00
dc030e0128
Merge pull request #2114 from austinsonger/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
...
process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-10-03 08:24:52 +02:00
81d1bb0e2b
Update process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-10-02 13:32:20 -05:00
f652745924
Update and rename win_lolbas_execution_of_nltest.exe to win_lolbas_execution_of_nltest.yml
2021-10-02 07:53:19 +02:00
e6b32b90af
Update win_lolbas_execution_of_nltest.exe
2021-10-02 07:25:11 +02:00
87df79302d
Update win_lolbas_execution_of_nltest.exe
...
Changed condition as follows:
detection:
selection:
EventID: 4689
ProcessName|endswith: nltest.exe
Status: "0x0"
condition: selection
Included field - SubjectDomainName
2021-10-01 12:55:37 -07:00
19a834e317
Merge pull request #2111 from TareqAlKhatib/master
...
Corrected Technique
2021-10-01 15:17:01 +02:00
0d22601112
Added Compromise Infrastructure: Web Services technique
2021-10-01 08:40:59 -04:00
04acba9c77
Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-09-30 19:58:21 -05:00
b0b95ce32b
Corrected Technique
2021-09-30 16:34:14 -04:00
e900945761
Update win_trust_discovery.yml
2021-09-30 19:26:14 +02:00
76224b0fb2
Added alternative nltest command parameter
...
Same as recent change to "Recon Activity with NLTEST" (see commit a2418e4d2chttps://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-30 18:12:19 +02:00
1c842037cf
Merge pull request #2109 from Karneades/patch-1
...
Add fp note to powershell winapi rule
2021-09-30 17:45:03 +02:00
6eea77ae38
Merge pull request #2105 from frack113/powershell
...
powershell_susp_zip_compress add 4104
2021-09-30 17:40:13 +02:00
82ba266a53
Add fp note to powershell winapi rule
2021-09-30 16:38:39 +02:00
29d66a965c
add 4104
2021-09-30 10:03:11 +02:00
056067086c
Create win_lolbas_execution_of_nltest.exe.yaml
...
The attacker might use LOLBAS nltest.exe for the discovery of domain controllers, domain trusts, parent domain, and the current user permissions. This event can be detected in the Windows Security Log by looking for event id 4689 indicating that nltest.exe was executed and has exited with the execution result of "0x0".
2021-09-29 14:33:36 -07:00
84ec2f582a
Merge pull request #2100 from kidrek/sysmon_delete_prefetch
...
Add new rule - sysmon_delete_prefetch - AntiForensic
2021-09-29 17:53:33 +02:00
ed1a1caa2e
Merge pull request #2098 from frack113/fix_tags
...
fix tags in win_susp_mpcmdrun_download.yml
2021-09-29 17:06:18 +02:00
Florian Roth