security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,742 Commits 1 Branch 57 Tags
4bbe4962b01b5b2bffd02edf3659cd670dc9ddef
Commit Graph

5 Commits

Author SHA1 Message Date
frack113 da839775fe Update PS rules 2021-08-21 09:50:59 +02:00
frack113 f040725dd8 fix EventID: 4104 ScriptBlockText 2021-08-04 14:49:50 +02:00
Thomas Patzke 90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
OpalSec ca09ae5039 Modification of search logic per advice from @zinint 
Edited suggested searches to improve performance:

VAR+
16ms:	.*cmd.*(?:\/c|\/r).*set.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"

6ms:  .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"

STDIN+
7ms:    .*cmd.*(?:\/c|\/r).*powershell.+(?:\$\{?input}?|noexit).*\"

3ms:    .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"

CLIP+
28ms:    .*cmd.*(?:\/c|\/r).*\|.*clip(?:\.exe)?.*&&.*clipboard]::\(\s\\\"\{\d\}.*\-f.*\"

11ms:    .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
 2020-10-18 21:15:43 +11:00
OpalSec 762840ec25 Creation of Rules for Task 25 - Invoke-Obfuscation STDIN+ Launcher 2020-10-15 17:59:36 +11:00