security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,201 Commits 1 Branch 57 Tags
7954684fbf590af0d8859aa8a0613ec00d9b13c8
Commit Graph

4201 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 7954684fbf Merge pull request #1260 from alejandroortuno/remote-system-discovery 
[OSCD] Remote System Discovery
 2020-12-21 18:32:08 +01:00
Florian Roth 64197d0dec Merge pull request #1261 from alejandroortuno/emond 
[OSCD] MacOS Emond Launch Daemon
 2020-12-21 18:30:56 +01:00
Florian Roth 133b98ffcb Merge pull request #1262 from invrep-de/oscd 
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy
 2020-12-21 18:30:21 +01:00
Thomas Patzke 2e4c98115d Removed ES query tests 2020-11-30 02:29:35 +01:00
Florian Roth 30c0b440e2 Merge pull request #1228 from stvetro/oscd-GfxDownloadWrapper 
[OSCD] GfxDownloadWrapper downloads file (LoLBin)
 2020-11-28 10:10:30 +01:00
Florian Roth 1ea4bb0b87 wrong field name 2020-11-28 10:10:00 +01:00
Florian Roth c596fefb51 Merge pull request #1242 from tim1234567/oscd-sigma-art-macos-t1555.001 
Detect credential access for macOS via Keychain
 2020-11-28 10:08:22 +01:00
Florian Roth c17c034cb5 Changed selections and condition 
see manpage for security tool on macOS
https://gist.github.com/Capybara/6228955
 2020-11-27 19:23:31 +01:00
Tim I 78d201ad15 Fix value modifier and add a slash 2020-11-24 23:06:21 +03:00
Thomas Patzke 84dc11ca98 Removed ES query tests 2020-11-21 13:33:25 +04:00
Alejandro Ortuno 000c038ede Retrigger tests 2020-11-20 09:30:43 +01:00
Thomas Patzke e3b310438c Removed ES query tests 2020-11-19 09:38:00 +01:00
stvetro 19eb8306d3 Removed unnessary antifalse positive 2020-11-14 09:50:29 +04:00
stvetro 8dc8fdc44b Added antifalsepositive condition 
4688 always has non empty cmd
 2020-10-31 12:46:30 +04:00
yugoslavskiy 167e9745cd Update macos_remote_system_discovery.yml 2020-10-29 02:06:45 +01:00
yugoslavskiy 81f6f24155 Update lnx_remote_system_discovery.yml 2020-10-29 02:06:20 +01:00
Alejandro Ortuno 80b1a19246 Added the space at the beginning of the IP ranges. 2020-10-28 10:16:29 +01:00
invrep-de 8a9db12d30 Enhanced to improve specificity 
Enhanced to improve specificity per feedback received;
 2020-10-26 12:05:16 -04:00
invrep-de 7b49a4690e Merge pull request #1 from invrep-de/invrep-bosp-def 
[OSCD] Bad Opsec Defaults Sacrificial Processes
 2020-10-26 11:53:05 -04:00
invrep-de dc41f64023 [OSCD] Bad Opsec Defaults Sacrificial Processes 
Incorporate feedback from @yugoslavskiy;
 2020-10-26 11:52:16 -04:00
Alejandro Ortuno c83d5a3d65 Added some minor tuning of ip ranges 2020-10-26 09:45:13 +01:00
invrep-de e5567631eb Minor changes to incorporate feedback 
Incorporated feedback from @yugoslavskiy. Thank you!
 2020-10-24 07:27:59 -04:00
invrep-de d623685c2c [OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy 2020-10-23 23:27:52 +02:00
stvetro f27a7832ad Small fix 
Added "\" at file path end
Optimised exclusion of empty cmds
 2020-10-23 13:25:32 +04:00
Alejandro Ortuno 11df6c2566 Sigma rule 2020-10-23 10:16:59 +02:00
Alejandro Ortuno 638fd7eeab Remote system discovery sigma rules for macos and linux 2020-10-22 10:37:29 +02:00
Tim I 0323e50011 Detect credential access for macOS via Keychain 2020-10-19 23:37:46 +03:00
stvetro 43707c9023 Added mitre tags 2020-10-19 19:20:52 +04:00
stvetro 65fc968658 Create win_susp_file_download_via_gfxdownloadwrapper.yml 2020-10-18 20:40:23 +04:00
yugoslavskiy cc2f48b4a3 Merge pull request #1195 from tas-kmanager/mt-oscd-sigma547-48 
[OSCD] Always Install Elevated: unsupported
 2020-10-16 22:24:34 +02:00
tas_kmanager 65c2e5daa4 [OSCD] Always Install Elevated 
Page 48 from #574

Since the slide showing the usage of correlation of events, it was suggested to add the rules to rules-unsupported. Following suggestion from @yugoslavskiy - https://github.com/Neo23x0/sigma/issues/574#issuecomment-707441823
 2020-10-15 21:59:37 -04:00
yugoslavskiy 9e7789bb32 Update win_susp_logon_explicit_credentials.yml 2020-10-16 00:50:29 +02:00
Thomas Patzke 026be7f753 Merge pull request #1039 from Vasilisa-L/oscd 
[OSCD] Pcwutl.dll LOLbin
 2020-10-14 00:24:41 +02:00
Thomas Patzke e39ebe065a Merge pull request #1037 from svch0stz/oscd5 
[OSCD] Create win_susp_logon_explicit_credentials.yml
 2020-10-14 00:23:08 +02:00
Thomas Patzke 95789a5379 Merge pull request #1068 from esebese/task87 
[OSCD] win_visual_basic_compiler.yml added
 2020-10-14 00:21:12 +02:00
Thomas Patzke a83f500267 Merge pull request #1058 from grikos/OSCD_100 
[OSCD] LOLBAS Setupapi.yml
 2020-10-14 00:19:32 +02:00
Thomas Patzke 7e4a205de7 Merge pull request #1059 from ryanplasma/rplas-SIGMA-547-page-20 
[OSCD] Add Usage of reg or Powershell by Non-privileged Users rule
 2020-10-13 23:24:05 +02:00
Thomas Patzke 6cc33e5989 Merge pull request #1060 from svch0stz/oscd6 
[OSCD] Created powershell_suspicious_mounted_share_deletion.yml
 2020-10-13 22:59:25 +02:00
Thomas Patzke b9e38e79fa Merge pull request #1061 from svch0stz/oscd7 
[OSCD] Create win_susp_mounted_share_deletion.yml
 2020-10-13 22:55:54 +02:00
Thomas Patzke 1f4fe42487 Merge pull request #1062 from esebese/task86 
[OSCD] sysmon_tttracer_mod_load.yml added
 2020-10-13 22:35:06 +02:00
Thomas Patzke f7c440b097 Merge pull request #1065 from nsaddler/oscd1 
[OSCD] Accessing WinAPI in PowerShell. Credentials dumping Rule added
 2020-10-13 22:33:14 +02:00
Thomas Patzke 0914c03acb Update sysmon_accessing_winapi_in_powershell_credentials_dumping.yml 2020-10-13 22:32:55 +02:00
Thomas Patzke 60b99116f3 Merge pull request #1064 from Vasilisa-L/OSCD_winrm_AWL 
[OSCD] winrm.vbs_1
 2020-10-13 22:30:14 +02:00
Thomas Patzke a3a45e4a10 Merge pull request #1066 from Vasilisa-L/OSCD_winrm_execution 
[OSCD] winrm.vbs_2
 2020-10-13 22:28:09 +02:00
Thomas Patzke 54a9598d4b Fixed typo 2020-10-13 22:27:27 +02:00
Thomas Patzke 2ba89d7924 Merge pull request #1067 from nsaddler/oscd2 
[OSCD] Too Long Powershell CommandLine Rule added
 2020-10-13 22:20:29 +02:00
Thomas Patzke 772fd83cca Merge pull request #1080 from esebese/task93 
[OSCD] win_class_exec_xwizard.yml added
 2020-10-13 22:10:39 +02:00
Thomas Patzke 2bad4bb60d Merge pull request #1085 from w0rk3r/oscdq 
[OSCD] Update Win_susp_rundll32_activity - Multiple Lolbins
 2020-10-13 21:45:36 +02:00
Thomas Patzke b68286a162 Merge pull request #1093 from SanWieb/OSCD_regini 
[OSCD] regini LOLBAS
 2020-10-13 21:44:32 +02:00
Thomas Patzke 08eec2b6e6 Merge pull request #1094 from NikitaStormwind/Regular30 
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (4104, 4103)
 2020-10-13 21:43:16 +02:00