 Florian Roth
|
133b98ffcb
|
Merge pull request #1262 from invrep-de/oscd
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy
|
2020-12-21 18:30:21 +01:00 |
|
|
Florian Roth
|
1ea4bb0b87
|
wrong field name
|
2020-11-28 10:10:00 +01:00 |
|
|
stvetro
|
19eb8306d3
|
Removed unnessary antifalse positive
|
2020-11-14 09:50:29 +04:00 |
|
|
stvetro
|
8dc8fdc44b
|
Added antifalsepositive condition
4688 always has non empty cmd
|
2020-10-31 12:46:30 +04:00 |
|
|
invrep-de
|
8a9db12d30
|
Enhanced to improve specificity
Enhanced to improve specificity per feedback received;
|
2020-10-26 12:05:16 -04:00 |
|
|
invrep-de
|
dc41f64023
|
[OSCD] Bad Opsec Defaults Sacrificial Processes
Incorporate feedback from @yugoslavskiy;
|
2020-10-26 11:52:16 -04:00 |
|
|
invrep-de
|
e5567631eb
|
Minor changes to incorporate feedback
Incorporated feedback from @yugoslavskiy. Thank you!
|
2020-10-24 07:27:59 -04:00 |
|
|
invrep-de
|
d623685c2c
|
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy
|
2020-10-23 23:27:52 +02:00 |
|
|
stvetro
|
f27a7832ad
|
Small fix
Added "\" at file path end
Optimised exclusion of empty cmds
|
2020-10-23 13:25:32 +04:00 |
|
|
stvetro
|
43707c9023
|
Added mitre tags
|
2020-10-19 19:20:52 +04:00 |
|
|
stvetro
|
65fc968658
|
Create win_susp_file_download_via_gfxdownloadwrapper.yml
|
2020-10-18 20:40:23 +04:00 |
|
|
Thomas Patzke
|
026be7f753
|
Merge pull request #1039 from Vasilisa-L/oscd
[OSCD] Pcwutl.dll LOLbin
|
2020-10-14 00:24:41 +02:00 |
|
|
Thomas Patzke
|
95789a5379
|
Merge pull request #1068 from esebese/task87
[OSCD] win_visual_basic_compiler.yml added
|
2020-10-14 00:21:12 +02:00 |
|
|
Thomas Patzke
|
a83f500267
|
Merge pull request #1058 from grikos/OSCD_100
[OSCD] LOLBAS Setupapi.yml
|
2020-10-14 00:19:32 +02:00 |
|
|
Thomas Patzke
|
7e4a205de7
|
Merge pull request #1059 from ryanplasma/rplas-SIGMA-547-page-20
[OSCD] Add Usage of reg or Powershell by Non-privileged Users rule
|
2020-10-13 23:24:05 +02:00 |
|
|
Thomas Patzke
|
b9e38e79fa
|
Merge pull request #1061 from svch0stz/oscd7
[OSCD] Create win_susp_mounted_share_deletion.yml
|
2020-10-13 22:55:54 +02:00 |
|
|
Thomas Patzke
|
60b99116f3
|
Merge pull request #1064 from Vasilisa-L/OSCD_winrm_AWL
[OSCD] winrm.vbs_1
|
2020-10-13 22:30:14 +02:00 |
|
|
Thomas Patzke
|
a3a45e4a10
|
Merge pull request #1066 from Vasilisa-L/OSCD_winrm_execution
[OSCD] winrm.vbs_2
|
2020-10-13 22:28:09 +02:00 |
|
|
Thomas Patzke
|
54a9598d4b
|
Fixed typo
|
2020-10-13 22:27:27 +02:00 |
|
|
Thomas Patzke
|
2ba89d7924
|
Merge pull request #1067 from nsaddler/oscd2
[OSCD] Too Long Powershell CommandLine Rule added
|
2020-10-13 22:20:29 +02:00 |
|
|
Thomas Patzke
|
772fd83cca
|
Merge pull request #1080 from esebese/task93
[OSCD] win_class_exec_xwizard.yml added
|
2020-10-13 22:10:39 +02:00 |
|
|
Thomas Patzke
|
2bad4bb60d
|
Merge pull request #1085 from w0rk3r/oscdq
[OSCD] Update Win_susp_rundll32_activity - Multiple Lolbins
|
2020-10-13 21:45:36 +02:00 |
|
|
Thomas Patzke
|
b68286a162
|
Merge pull request #1093 from SanWieb/OSCD_regini
[OSCD] regini LOLBAS
|
2020-10-13 21:44:32 +02:00 |
|
|
Thomas Patzke
|
8f4b3b7324
|
Merge pull request #1097 from NikitaStormwind/regular30(2)
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (process_creation)
|
2020-10-13 21:42:38 +02:00 |
|
|
Thomas Patzke
|
79120cd24c
|
Merge pull request #1113 from NikitaStormwind/regular29(2)
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (process_creation)
|
2020-10-13 21:18:03 +02:00 |
|
|
Thomas Patzke
|
33c80b8428
|
Merge pull request #1092 from zBlurr/win_susp_sqldumper_activity
[OSCD] Sqldumper.exe LOLbin
|
2020-10-13 11:51:41 +02:00 |
|
|
Thomas Patzke
|
bf0f2fcec8
|
Merge pull request #1117 from aw350m33d/oscd_lolbin_settingsynchost
[OSCD] Using SettingSyncHost.exe as LOLBin
|
2020-10-13 11:46:04 +02:00 |
|
|
Thomas Patzke
|
acb02d8d65
|
Merge pull request #1148 from sn0w0tter/oscd
[OSCD] LOLBAS atbroker suspicious execution of ATs
|
2020-10-13 11:45:07 +02:00 |
|
|
Thomas Patzke
|
1684db93d8
|
Merge pull request #1143 from NikitaStormwind/regular28(2)
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (process_creation)
|
2020-10-13 11:39:46 +02:00 |
|
|
Thomas Patzke
|
2ac29e0fee
|
Merge pull request #1152 from zinint/1009-27-3
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (process_creation)
|
2020-10-13 11:24:28 +02:00 |
|
|
invrep-de
|
55201a94c0
|
[OSCD] Powershell Disable Windows Defender AV
|
2020-10-13 02:05:00 +02:00 |
|
|
Timur Zinniatullin
|
5bd75521f2
|
Add win_invoke_obfuscation_via_var++.yml
|
2020-10-13 02:23:50 +03:00 |
|
|
sn0w0tter
|
863b880845
|
Titile capitalization
|
2020-10-12 16:04:41 -07:00 |
|
|
Thomas Patzke
|
a289eeaae6
|
Merge pull request #1089 from zBlurr/oscd
[OSCD] Presentationhost.exe LOLbin
|
2020-10-13 01:01:20 +02:00 |
|
|
Thomas Patzke
|
d89ca07daa
|
Merge pull request #1133 from omkar72/oscd-1
[OSCD]updated adfind command line
|
2020-10-13 00:58:56 +02:00 |
|
|
sn0w0tter
|
c6ddbc78ce
|
OSCD LOLBAS atbroker suspicious execution of ATs
|
2020-10-12 15:55:38 -07:00 |
|
|
Thomas Patzke
|
e2e3177e46
|
Merge pull request #1135 from omkar72/oscd-2
[OSCD] finger executable suspicious execution
|
2020-10-13 00:52:27 +02:00 |
|
|
Thomas Patzke
|
80e3c4b587
|
Merge pull request #1137 from banzay021/oscd
[OSCD] Pcwrun.exe detection added
|
2020-10-13 00:51:04 +02:00 |
|
|
Thomas Patzke
|
8bee7272ab
|
Merge pull request #1051 from esebese/oscd
[OSCD] win_syncappvpublishingserver_exe.yml added
|
2020-10-13 00:45:22 +02:00 |
|
|
Thomas Patzke
|
14fcdc9899
|
Merge pull request #1038 from caliskanfurkan/master
[OSCD] Added explorer.exe lolbin
|
2020-10-13 00:36:29 +02:00 |
|
|
Nikita P. Nazarov
|
ec383d9784
|
Detects Obfuscated Powershell via Stdin in Scripts
|
2020-10-12 18:52:28 +03:00 |
|
|
nsaddler
|
df8cd24a5d
|
Update sysmon_long_powershell_commandline.yml
|
2020-10-12 18:28:28 +03:00 |
|
|
Ryan Plas
|
a67c19c08b
|
Split up powershell detection
|
2020-10-12 09:00:08 -04:00 |
|
|
omkargudhate22
|
e2911a025e
|
added tags and corrected image condition format
|
2020-10-12 17:00:57 +05:30 |
|
|
Alexander Sungurov
|
175834fe90
|
Pcwrun.exe detection added
|
2020-10-12 13:52:49 +03:00 |
|
|
Florian Roth
|
b8dc8d3f7e
|
reduced to avoid FPs
|
2020-10-12 10:46:34 +02:00 |
|
|
Sander
|
8c1bd4e466
|
Remove redundant space
|
2020-10-12 10:01:44 +02:00 |
|
|
omkar72
|
0fab2c0930
|
finger executable suspicious execution
|
2020-10-12 13:28:52 +05:30 |
|
|
Sander
|
3ab244c70f
|
regini.exe ADS rule
|
2020-10-12 09:55:34 +02:00 |
|
|
omkar72
|
99d87d60ec
|
updated adfind command line
|
2020-10-12 12:52:54 +05:30 |
|