security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,056 Commits 1 Branch 57 Tags
637065fd97ea3f4be5b5c8ada60c0f04182b7321
Commit Graph

782 Commits

Author SHA1 Message Date
Thomas Patzke a289eeaae6 Merge pull request #1089 from zBlurr/oscd 
[OSCD] Presentationhost.exe LOLbin
 2020-10-13 01:01:20 +02:00
Thomas Patzke d89ca07daa Merge pull request #1133 from omkar72/oscd-1 
[OSCD]updated adfind command line
 2020-10-13 00:58:56 +02:00
Thomas Patzke e2e3177e46 Merge pull request #1135 from omkar72/oscd-2 
[OSCD] finger executable suspicious execution
 2020-10-13 00:52:27 +02:00
Thomas Patzke 80e3c4b587 Merge pull request #1137 from banzay021/oscd 
[OSCD] Pcwrun.exe detection added
 2020-10-13 00:51:04 +02:00
Thomas Patzke 8bee7272ab Merge pull request #1051 from esebese/oscd 
[OSCD] win_syncappvpublishingserver_exe.yml added
 2020-10-13 00:45:22 +02:00
Thomas Patzke 14fcdc9899 Merge pull request #1038 from caliskanfurkan/master 
[OSCD] Added explorer.exe lolbin
 2020-10-13 00:36:29 +02:00
omkargudhate22 e2911a025e added tags and corrected image condition format 2020-10-12 17:00:57 +05:30
Alexander Sungurov 175834fe90 Pcwrun.exe detection added 2020-10-12 13:52:49 +03:00
Florian Roth b8dc8d3f7e reduced to avoid FPs 2020-10-12 10:46:34 +02:00
omkar72 0fab2c0930 finger executable suspicious execution 2020-10-12 13:28:52 +05:30
omkar72 99d87d60ec updated adfind command line 2020-10-12 12:52:54 +05:30
omkar72 cf5ad9197c updated adfind command line 2020-10-12 12:42:05 +05:30
omkar72 d29a28a4a8 updated adfind command line 2020-10-12 12:40:50 +05:30
Furkan ÇALIŞKAN edb5b7718e Deleted a part of an already-defined rule 
Lolbin rule for explorer.exe proxy execution;

Test scenario;

cd c:\windows\system32
explorer.exe calc.exe
(pops calc.exe) as in https://twitter.com/bohops/status/986984122563391488/photo/1
 2020-10-11 21:08:17 +03:00
Thomas Patzke fe554a88cb Merge pull request #1035 from svch0stz/oscd3 
[OSCD] Update win_susp_copy_lateral_movement.yml
 2020-10-10 00:03:26 +02:00
Furkan ÇALIŞKAN a6112dc268 Fixed OSCD wording 2020-10-09 11:59:08 +03:00
Furkan ÇALIŞKAN abcc4a59c2 Fixed OSCD wording 2020-10-09 09:26:01 +03:00
Furkan ÇALIŞKAN 789a0c174f Fixed OSCD wording 2020-10-09 09:25:38 +03:00
Kirill Kiryanov a09488a90f revert changes for making new pull request 2020-10-08 14:20:32 +03:00
Kirill Kiryanov 1581be1ec2 Created rule win_susp_sqldumper_activity.yml 2020-10-08 14:00:43 +03:00
Kirill Kiryanov a38c021876 Created rule win_susp_presentationhost_execution.yml 2020-10-08 13:24:59 +03:00
Furkan CALISKAN 1c413bcf6d Fixed status 2020-10-07 20:45:34 +03:00
svch0stz 3d048ceba0 Update win_susp_copy_lateral_movement.yml 2020-10-07 08:18:09 +11:00
svch0stz ee2c79745f Update win_susp_wsl_lolbin.yml 2020-10-07 08:12:51 +11:00
Furkan CALISKAN bbb9fed3e6 Fixed for FP issues 2020-10-06 19:51:55 +03:00
ensar-pcs 60b3450fa8 [OSCD] win_syncappvpublishingserver_exe.yml added 2020-10-06 19:22:16 +03:00
Furkan CALISKAN 0023a22ead Added FP conditions and fileshare part for cmdline 2020-10-06 19:20:19 +03:00
Furkan CALISKAN a5ceba93a9 Fixed conditions 2020-10-06 19:15:30 +03:00
Furkan CALISKAN 52edc13d15 Fixed dates 2020-10-06 19:10:33 +03:00
Furkan CALISKAN ea6d60c58f Added print lolbin 2020-10-05 23:26:57 +03:00
Furkan CALISKAN db4804d6bf Merge branch 'master' of https://github.com/caliskanfurkan/sigma 2020-10-05 23:03:21 +03:00
Furkan CALISKAN 4d655138b2 Added findstr lolbin 2020-10-05 23:03:05 +03:00
Furkan ÇALIŞKAN b147fc3296 Update win_susp_explorer.yml 
Added known-fp
 2020-10-05 13:22:43 +03:00
Furkan ÇALIŞKAN 85962665fd Update win_susp_explorer.yml 2020-10-05 10:49:54 +03:00
svch0stz 60bd6a3692 Update win_susp_copy_lateral_movement.yml 2020-10-05 14:35:20 +11:00
svch0stz dd2ab4082d Update win_susp_copy_lateral_movement.yml 2020-10-05 14:33:00 +11:00
svch0stz 641f3031bd Update win_susp_copy_lateral_movement.yml 2020-10-05 14:27:39 +11:00
svch0stz 3516819bf8 Delete win_net_use_admin_share.yml 2020-10-05 14:00:36 +11:00
svch0stz c675be41e2 Create win_net_use_admin_share.yml 2020-10-05 13:57:50 +11:00
svch0stz bc947fefc1 Create win_susp_wsl_lolbin.yml 2020-10-05 13:36:40 +11:00
Furkan CALISKAN 00cf61cc5b Added explorer.exe LOLbin, OSCD 2020-10-04 23:47:16 +03:00
Florian Roth c17ca6d5fe Merge pull request #1018 from savvyspoon/wcry-dns 
WannaCry Killswitch domain DNS query
 2020-09-29 09:27:21 +02:00
Florian Roth d7d9c0e772 Merge pull request #1021 from hieuttmmo/master 
Sigma rule to detect AdFind.exe execution
 2020-09-27 09:50:41 +02:00
Florian Roth 8020fe3c40 false positive condition 2020-09-26 17:03:29 +02:00
Florian Roth 60795f7050 Update win_susp_adfind.yml 
Fear that a simple adfind.exe causes too many false positives
 2020-09-26 17:02:39 +02:00
Florian Roth dbdd758365 Duplicate Rule 
we already have a rule for that
 2020-09-26 17:01:32 +02:00
Tran Trung Hieu d4dd0600ad Fix logsource service to process_creation 2020-09-26 21:45:23 +07:00
Tran Trung Hieu c756fc8576 Detect Suspicious AdFind Execution 2020-09-26 21:34:06 +07:00
Mike Wade 7b1ef9ea64 fixing test runner issues 2020-09-15 15:45:33 -06:00
Mike Wade 6ed36b0e41 fixed issues with tabs and duplicate tags 2020-09-15 08:52:00 -06:00