Commit Graph

30 Commits

Author SHA1 Message Date
Florian Roth 1099c5630e rule: remote thread creation, get-addbaccount 2022-03-16 15:21:01 +01:00
Tim Shelton bda0f3cfe0 FP on valid remote call of Powershell Archive.psm1, maybe beneficial to filter all powershell modules in future 2022-03-14 22:23:06 +00:00
frack113 5938569d3e Refactor regex 2022-03-08 19:07:37 +01:00
frack113 143f5fe4e2 Fix yml 2022-03-07 19:37:33 +01:00
frack113 f9c0e21323 Refactor regex 2022-03-07 19:08:30 +01:00
frack113 464686e0c5 add posh_pm_suspicious_reset_computermachinepassword 2022-02-22 13:44:51 +01:00
Florian Roth 35d4c8bc69 fix: FPs noticed in THOR testing 2022-02-21 10:15:27 +01:00
Florian Roth 51bbe21c70 fix: more Aurora FP fixes 2022-02-16 17:16:50 +01:00
phantinuss 646ce36809 fix: use doublequotes instead of ' because of ' in string 2022-02-11 16:52:45 +01:00
phantinuss 809f7abbb8 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 3 2022-02-11 16:38:52 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
frack113 6badb13114 Rename powershell_module 2022-01-15 10:38:27 +01:00
Ahmet Salih 9b261a5cb7 Update powershell_suspicious_invocation_specific_in_contextinfo.yml; close #2546 2022-01-11 18:23:30 +03:00
Florian Roth e055ec1d52 refactor: change all " of them" expressions 2022-01-11 10:59:57 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
frack113 426d8193ad Windows redcannary 2021-12-15 19:36:16 +01:00
frack113 221f479825 Windows Redcannary T1069.001 2021-12-12 12:15:27 +01:00
frack113 ee67779811 Windows T1049 RedCannary 2021-12-11 09:38:20 +01:00
phantinuss 07a0a37273 feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:47:39 +01:00
frack113 1cfca93354 Missing status in rules (#2284): add missing status 2021-11-19 22:32:26 +01:00
frack113 faa407dacc cleanup list 2021-10-18 14:52:35 +02:00
frack113 0e1c156ddf fix related 2021-10-18 14:26:06 +02:00
frack113 19da3ac07f add ps_module version 2021-10-18 14:12:52 +02:00
frack113 0ca16b18f4 Change to category: ps_module 2021-10-16 08:05:15 +02:00
frack113 1337116d84 Cleanup selection name 2021-10-10 10:17:24 +02:00
Florian Roth 2379907f26 docs: extended the description by a word 2021-10-09 16:42:42 +02:00
Florian Roth f475b90ee3 fix: typo in description 2021-10-09 16:41:48 +02:00
frack113 5c68c42058 order powershell_script 2021-10-09 10:30:36 +02:00
frack113 41d098b253 fix yml error 2021-10-09 09:59:21 +02:00
frack113 fe7fbfd5fc order powershell_module 2021-10-09 09:50:49 +02:00