security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5,883 Commits 1 Branch 57 Tags
65a11dde5281a661844d64ecbdabdaa79e66c8a1
Commit Graph

270 Commits

Author SHA1 Message Date
Florian Roth 65a11dde52 fix: rules causing too many false positives 2021-04-09 15:55:14 +02:00
Thomas Patzke b1b0240692 Fixes 2021-04-03 23:21:13 +02:00
Thomas Patzke 90efe974b8 Fixes and improvements 2021-04-03 00:08:55 +02:00
Anton Kutepov 3f45269296 Merge branch 'oscd' 
B
B
B
B
A
 2021-03-02 22:58:41 +03:00
Florian Roth 274b7b0f2e fix: search for keywords within message 2021-02-26 09:42:12 +01:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Florian Roth aaeb72a2b6 fix: FPs 2021-02-01 11:47:23 +01:00
yugoslavskiy d25ca9b280 Merge pull request #1229 from zinint/1009-19-1 
[OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)
 2021-01-06 00:24:08 +03:00
yugoslavskiy f4578b0698 Merge pull request #1223 from zinint/1009-23-1 
[OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)
 2021-01-06 00:23:33 +03:00
yugoslavskiy fc1fa23440 Merge pull request #1191 from vburov/patch-14 
[OSCD] Create powershell_cmdline_special_characters.yml
 2021-01-06 00:18:12 +03:00
yugoslavskiy cfbd10ab8b Merge pull request #1186 from nsaddler/lolbas107_2 
[OSCD] LOLBAS CL_Mutexverifiers - powershell
 2021-01-06 00:17:54 +03:00
yugoslavskiy 9d1c695204 Merge pull request #1184 from nsaddler/lolbas106_1 
[OSCD] LOLBAS CL_Invocation - powershell
 2021-01-06 00:17:10 +03:00
yugoslavskiy 8e6b77fc4f Merge pull request #1177 from OpalSec/oscd 
[OSCD] Tasks 24, 25 & 26: Detection for Invoke-Obfuscation CLIP+, STDIN+ & VAR+ Launchers
 2021-01-06 00:16:34 +03:00
yugoslavskiy b56a7181ce Merge pull request #1157 from invrep-de/oscd 
[OSCD] Bad Opsec Powershell Artifacts
 2021-01-06 00:11:24 +03:00
yugoslavskiy a82c559816 Merge pull request #1130 from vburov/patch-13 
[OSCD] Create powershell_cmdline_specific_encoded_methods.yml
 2021-01-05 23:16:24 +03:00
yugoslavskiy 32aea9ad2b Merge pull request #1098 from NikitaStormwind/regular31 
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (4104, 4103)
 2021-01-05 23:10:28 +03:00
Florian Roth 540039cbc3 fix: Malicious Nishang PowerShell Commandlets FP with MDATP 2020-12-05 09:33:42 +01:00
yugoslavskiy a028cdf1ee Update powershell_shellcode_b64.yml 2020-12-01 02:24:35 +01:00
yugoslavskiy 7309fb7d0e Update powershell_winlogon_helper_dll.yml 2020-12-01 02:23:02 +01:00
Jonhnathan a9fde0117b Merge branch 'oscd' into oscd_rules_improvement 2020-11-28 14:52:31 -03:00
yugoslavskiy 2e5e4a20d2 Update powershell_clear_powershell_history.yml 2020-11-28 09:26:18 +01:00
Jonhnathan 784cab1dfe Fix missing logic and Field 2020-11-26 22:46:17 -03:00
Jonhnathan 728276ef13 Improve Logic 2020-11-20 01:22:20 -03:00
Jonhnathan ee43919eec Change detection logic 2020-11-20 01:05:06 -03:00
nsaddler 07f777d1b5 Update powershell_CL_Mutexverifiers_LOLScript_v2.yml 2020-10-28 19:32:18 +03:00
nsaddler 7ee644eac0 Update powershell_CL_Invocation_LOLScript_v2.yml 2020-10-28 19:30:21 +03:00
nsaddler d0a796439b Update powershell_CL_Invocation_LOLScript.yml 2020-10-28 19:25:43 +03:00
Наталья Шорникова a4a3e01f25 Splitting into two rules 2020-10-28 19:13:29 +03:00
Наталья Шорникова 55a7fe6b9d Splitting into two rules 2020-10-28 19:08:23 +03:00
Florian Roth ee789a309c fix: FP with expression 2020-10-20 13:11:10 +02:00
Timur Zinniatullin 8b255ab959 Add powershell_invoke_obfuscation_via_compress.yml 2020-10-18 19:50:58 +03:00
Timur Zinniatullin eb2af704e7 Update powershell_invoke_obfuscation_via_rundll.yml 2020-10-18 19:05:27 +03:00
Timur Zinniatullin 35a9a7d46c Update powershell_invoke_obfuscation_via_rundll.yml 2020-10-18 18:54:59 +03:00
Timur Zinniatullin eee01f6a86 Add powershell_invoke_obfuscation_via_rundll.yml 2020-10-18 18:51:51 +03:00
OpalSec ca09ae5039 Modification of search logic per advice from @zinint 
Edited suggested searches to improve performance:

VAR+
16ms:	.*cmd.*(?:\/c|\/r).*set.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"

6ms:  .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"

STDIN+
7ms:    .*cmd.*(?:\/c|\/r).*powershell.+(?:\$\{?input}?|noexit).*\"

3ms:    .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"

CLIP+
28ms:    .*cmd.*(?:\/c|\/r).*\|.*clip(?:\.exe)?.*&&.*clipboard]::\(\s\\\"\{\d\}.*\-f.*\"

11ms:    .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
 2020-10-18 21:15:43 +11:00
nsaddler 3aa2a73ba7 Update powershell_CL_Invocation_LOLScript.yml 2020-10-18 10:38:40 +03:00
nsaddler a6f00d6acc Update powershell_CL_Invocation_LOLScript.yml 2020-10-18 02:48:21 +03:00
Vasiliy Burov 700ed134bc Update powershell_cmdline_special_characters.yml 2020-10-16 10:18:37 +03:00
Vasiliy Burov d2184aee5e Update powershell_cmdline_special_characters.yml 2020-10-16 09:58:59 +03:00
Jonhnathan fc6c727c70 Update powershell_malicious_commandlets.yml 2020-10-15 20:59:27 -03:00
Jonhnathan ce4e22750d Update powershell_winlogon_helper_dll.yml 2020-10-15 17:15:23 -03:00
Jonhnathan efe9c2d3d6 Update powershell_shellcode_b64.yml 2020-10-15 17:14:01 -03:00
Jonhnathan 013533fceb Update powershell_prompt_credentials.yml 2020-10-15 17:13:16 -03:00
Jonhnathan 8cf2596068 Update powershell_malicious_keywords.yml 2020-10-15 17:12:08 -03:00
Jonhnathan ec10d5a61f Update powershell_malicious_commandlets.yml 2020-10-15 17:11:20 -03:00
Jonhnathan 4a3607d50b Update powershell_exe_calling_ps.yml 2020-10-15 17:09:47 -03:00
Vasiliy Burov b10332dde8 Update powershell_cmdline_special_characters.yml 2020-10-15 21:31:24 +03:00
Vasiliy Burov ea1a288cc8 Update powershell_cmdline_special_characters.yml 2020-10-15 20:55:12 +03:00
Vasiliy Burov 2657a0219c Update powershell_cmdline_special_characters.yml 2020-10-15 20:33:56 +03:00
Vasiliy Burov d27574ce08 Update powershell_cmdline_special_characters.yml 2020-10-15 20:07:59 +03:00