Commit Graph

2624 Commits

Author SHA1 Message Date
invrep-de 637065fd97 Some minor updates to address spacing;
Some further minor updates to address spacing;
2020-10-14 15:41:31 -04:00
invrep-de 2672b10808 Some minor restructuring to incorporate the feedback from the oscd team;
Some minor restructuring to incorporate the feedback from the oscd team;
2020-10-14 15:37:15 -04:00
invrep-de 6a9bc7063f [OSCD] Bad Opsec Powershell Artifacts 2020-10-13 02:21:46 +02:00
Thomas Patzke a289eeaae6 Merge pull request #1089 from zBlurr/oscd
[OSCD] Presentationhost.exe LOLbin
2020-10-13 01:01:20 +02:00
Thomas Patzke d6ceba3719 Merge pull request #1102 from svch0stz/oscd8
[OSCD] Create win_root_certificate_installed.yml
2020-10-13 01:00:23 +02:00
Thomas Patzke d89ca07daa Merge pull request #1133 from omkar72/oscd-1
[OSCD] updated adfind command line
2020-10-13 00:58:56 +02:00
Thomas Patzke cb86c509f1 Merge pull request #1129 from bczyz1/oscd-sprint-2-keylogging
[OSCD] Modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature
2020-10-13 00:58:24 +02:00
Thomas Patzke eaa9f293e7 Merge pull request #1125 from vburov/patch-12
[OSCD] Create powershell_cmdline_reversed_strings
2020-10-13 00:57:22 +02:00
Thomas Patzke eb21860ab9 Merge pull request #1124 from bczyz1/oscd-sprint-2
[OSCD] Create sysmon_modify_screensaver_binary_path.yml
2020-10-13 00:56:33 +02:00
Thomas Patzke e2e3177e46 Merge pull request #1135 from omkar72/oscd-2
[OSCD] finger executable suspicious execution
2020-10-13 00:52:27 +02:00
Thomas Patzke 80e3c4b587 Merge pull request #1137 from banzay021/oscd
[OSCD] Pcwrun.exe detection added
2020-10-13 00:51:04 +02:00
Thomas Patzke 5664f72a2a Merge pull request #1054 from NikitaStormwind/task#70
[OSCD] Detecting Code injection with PowerShell in another process #70
2020-10-13 00:47:13 +02:00
Thomas Patzke 4a74a56ba3 Merge pull request #1052 from NikitaStormwind/task
[OSCD] Detecting use of WinAPI functions in PowerShell #69
2020-10-13 00:46:25 +02:00
Thomas Patzke 8bee7272ab Merge pull request #1051 from esebese/oscd
[OSCD] win_syncappvpublishingserver_exe.yml added
2020-10-13 00:45:22 +02:00
Thomas Patzke 768e500627 Merge pull request #1042 from NikitaStormwind/task29,30
[OSCD] Detecting use of PsExec via pipe creation/access to pipes #29 #30
2020-10-13 00:40:58 +02:00
Thomas Patzke 14fcdc9899 Merge pull request #1038 from caliskanfurkan/master
[OSCD] Added explorer.exe lolbin
2020-10-13 00:36:29 +02:00
omkargudhate22 e2911a025e added tags and corrected image condition format 2020-10-12 17:00:57 +05:30
Alexander Sungurov 175834fe90 Pcwrun.exe detection added 2020-10-12 13:52:49 +03:00
Florian Roth b8dc8d3f7e reduced to avoid FPs 2020-10-12 10:46:34 +02:00
omkar72 0fab2c0930 finger executable suspicious execution 2020-10-12 13:28:52 +05:30
omkar72 99d87d60ec updated adfind command line 2020-10-12 12:52:54 +05:30
omkar72 cf5ad9197c updated adfind command line 2020-10-12 12:42:05 +05:30
omkar72 d29a28a4a8 updated adfind command line 2020-10-12 12:40:50 +05:30
Bartlomiej Czyz e90f91b89e append authors of the update 2020-10-11 23:42:33 +02:00
Bartlomiej Czyz ae41190291 remove redundant reference 2020-10-11 23:39:08 +02:00
svch0stz 2edd79a37f Update win_root_certificate_installed.yml 2020-10-12 08:30:28 +11:00
Vasiliy Burov 1320e0b733 Update powershell_cmdline_reversed_strings.yml 2020-10-11 23:40:12 +03:00
Furkan ÇALIŞKAN edb5b7718e Deleted a part of an already-defined rule
Lolbin rule for explorer.exe proxy execution.

Test scenario:

cd c:\windows\system32
explorer.exe calc.exe
(pops calc.exe) as in https://twitter.com/bohops/status/986984122563391488/photo/1
2020-10-11 21:08:17 +03:00
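The test scenario in the commit above (explorer.exe started with another executable as its argument) is the kind of behaviour a Sigma process-creation rule is written against. As an added illustration that is not part of this repository or of the rule the commit changed, the block below evaluates a hypothetical Sigma-shaped rule over a few constructed Sysmon-style process-creation events: the rule body, the regular expression, the small condition evaluator and the sample events are all assumptions made for this example, not the project's own code or telemetry.

```python
"""Sigma-style matching of explorer.exe proxy execution over constructed events.

Illustrative only: the rule, the regex and the events are made up for this
example and are not the Sigma repository's rule or real telemetry.
"""
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) style events, not real logs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe calc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE",          # normal shell start
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" /select,C:\Users\bob\report.docx',
     "ParentImage": r"C:\Windows\explorer.exe"},         # benign switch usage
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c calc.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},         # wrong Image, no hit
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"explorer.exe C:\Users\bob\Downloads\update.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Hypothetical rule modelled on the commit's test scenario (assumption, not the
# repository's rule). Sigma string matching is case-insensitive by default, so
# the helper below lower-cases for endswith/contains and the regex uses (?i).
RULE = {
    "title": "Explorer.exe proxy execution (illustrative)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": r"\explorer.exe",
            # explorer.exe followed by a non-switch argument naming an .exe
            "CommandLine|re": r"(?i)explorer\.exe\"?\s+[^/\s]\S*\.exe\b",
        },
        "condition": "selection",
    },
}


def _match_field(event: Dict[str, str], field_spec: str, expected: str) -> bool:
    """Apply one Sigma field/modifier pair ('Field|modifier') to an event."""
    field, _, modifier = field_spec.partition("|")
    value = event.get(field, "")
    if modifier == "":
        return value.lower() == expected.lower()
    if modifier == "endswith":
        return value.lower().endswith(expected.lower())
    if modifier == "contains":
        return expected.lower() in value.lower()
    if modifier == "re":
        return re.search(expected, value) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Dict[str, str], selection: Dict[str, str]) -> bool:
    """Sigma map semantics: every field/value pair in a selection must hold."""
    return all(_match_field(event, spec, exp) for spec, exp in selection.items())


def evaluate(rule: dict, event: Dict[str, str]) -> bool:
    """Evaluate a condition of the form 'a [and [not] b ...]' (subset of Sigma)."""
    detection = rule["detection"]
    result, negate = True, False
    for token in detection["condition"].split():
        if token == "and":
            continue
        if token == "not":
            negate = True
            continue
        hit = selection_matches(event, detection[token])
        result = result and (hit != negate)
        negate = False
    return result


def run(rule: dict, events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule fires on."""
    return [e for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for hit in run(RULE, SAMPLE_EVENTS):
        print(f"[{RULE['title']}] {hit['ParentImage']} -> {hit['CommandLine']}")
```

The regex deliberately requires the argument after explorer.exe to start with something other than a slash, so ordinary switch invocations such as `/select,` are not flagged; the plain shell start by userinit.exe has no argument at all and is not flagged either. Only the two events that pass a second executable as the argument fire.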
Bartlomiej Czyz 94efeda45d modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature 2020-10-11 19:11:54 +02:00
Vasiliy Burov 64b07ff51a Update powershell_cmdline_reversed_strings.yml 2020-10-11 19:42:39 +03:00
Bartlomiej Czyz 8ae42bca7c fix description & ParentImage -> Image modification to comply with reg events constraints 2020-10-11 17:02:39 +02:00
Vasiliy Burov c868ef655c Update powershell_cmdline_reversed_strings.yml 2020-10-11 17:37:07 +03:00
Vasiliy Burov 7aaf4654cd Rename powershell_cmdline_reversed_strings to powershell_cmdline_reversed_strings.yml 2020-10-11 17:28:56 +03:00
Vasiliy Burov 00f5d1ec92 Update powershell_cmdline_reversed_strings 2020-10-11 17:24:46 +03:00
Vasiliy Burov 51f00c153c Update powershell_cmdline_reversed_strings 2020-10-11 17:18:15 +03:00
Vasiliy Burov dd9c29377b Update powershell_cmdline_reversed_strings 2020-10-11 17:11:58 +03:00
Vasiliy Burov 8f2ddc632e Create powershell_cmdline_reversed_strings 2020-10-11 17:02:02 +03:00
Bartlomiej Czyz 2370730952 create sysmon_modify_screensaver_binary_path.yml 2020-10-11 14:31:06 +02:00
Thomas Patzke 93616af1cb Merge pull request #1036 from svch0stz/oscd4
[OSCD] Create win_net_use_admin_share.yml
2020-10-10 00:05:41 +02:00
Thomas Patzke fe554a88cb Merge pull request #1035 from svch0stz/oscd3
[OSCD] Update win_susp_copy_lateral_movement.yml
2020-10-10 00:03:26 +02:00
Furkan ÇALIŞKAN a6112dc268 Fixed OSCD wording 2020-10-09 11:59:08 +03:00
Furkan ÇALIŞKAN abcc4a59c2 Fixed OSCD wording 2020-10-09 09:26:01 +03:00
Furkan ÇALIŞKAN 789a0c174f Fixed OSCD wording 2020-10-09 09:25:38 +03:00
svch0stz 5d475ce16d Update win_root_certificate_installed.yml 2020-10-09 13:00:17 +11:00
svch0stz 8d7152d489 Update win_root_certificate_installed.yml 2020-10-09 12:55:37 +11:00
svch0stz ff8547efc5 Update win_root_certificate_installed.yml 2020-10-09 12:48:39 +11:00
svch0stz a68d50a5d9 Create win_root_certificate_installed.yml 2020-10-09 12:29:53 +11:00
Kirill Kiryanov a09488a90f revert changes for making new pull request 2020-10-08 14:20:32 +03:00
Kirill Kiryanov 1581be1ec2 Created rule win_susp_sqldumper_activity.yml 2020-10-08 14:00:43 +03:00
Kirill Kiryanov a38c021876 Created rule win_susp_presentationhost_execution.yml 2020-10-08 13:24:59 +03:00