security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,083 Commits 1 Branch 57 Tags
b6bac087ef163cbd73a2cb46c9bc603f91d5c736
Commit Graph

179 Commits

Author SHA1 Message Date
Nasreddine Bencherchali b6bac087ef Update posh_ps_tamper_defender_remove_mppreference.yml 2022-08-05 18:45:44 +01:00
Nasreddine Bencherchali b4472132a4 Fix after review 2022-08-05 18:40:12 +01:00
Nasreddine Bencherchali f704feaf69 New Rules 2022-08-05 17:11:42 +01:00
Nasreddine Bencherchali 9ef9103368 Update PowerShell + other rules 2022-08-05 17:10:41 +01:00
Florian Roth 6dde3012cc refactor: some changes 2022-07-11 19:55:54 +02:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Nasreddine Bencherchali d2f08cca5d New Rules 2022-07-11 10:22:45 +01:00
Nasreddine Bencherchali aec95b6d65 Update selections and indentation 2022-07-07 20:13:45 +01:00
Nasreddine Bencherchali 49e389db5c Add More paths 2022-07-07 19:13:22 +01:00
Nasreddine Bencherchali b26c28972d Add missing definition fields and references 2022-07-07 19:13:01 +01:00
Nasreddine Bencherchali 3818c77b03 Fix Error 2022-06-28 22:40:42 +01:00
Nasreddine Bencherchali f57b35e992 New Rules 2022-06-28 22:22:12 +01:00
Nasreddine Bencherchali 5e42c4086a Add new PowerShell Function and Scripts 2022-06-28 22:18:44 +01:00
Nasreddine Bencherchali efbfc7fe67 New Rule (https://twitter.com/nas_bench/status/1537919885031772161) 2022-06-21 19:13:53 +01:00
Nasreddine Bencherchali f12f6e3646 Update ID's 2022-06-21 15:46:00 +01:00
Nasreddine Bencherchali e3bfb18f64 New Rules 2022-06-21 11:47:18 +01:00
Nasreddine Bencherchali 78dfcd6299 Renamed "Ps_Recon_Rule" 2022-06-21 11:41:43 +01:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Tim Shelton d3ef79018c False positive - another amazon module filter 2022-06-08 19:00:12 +00:00
frack113 79d284ab51 Add posh_ps_get_gpo 2022-06-04 11:08:22 +02:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
Nasreddine Bencherchali 6aad923023 Fix typo and Update Rule 
- Fixed typo in PowerShell definition to "enabled"
- Removed leading space from "/af" flag in "msdt" rule as it can be used without leading space.
 2022-06-01 15:54:40 +01:00
Tim Shelton c1ef20761a Fixing condition 2022-05-26 16:14:37 +00:00
Tim Shelton 9086efa5cd Updating meta 2022-05-26 16:13:22 +00:00
Tim Shelton 295a984d89 Fixing order of items in yaml 2022-05-26 16:12:31 +00:00
Tim Shelton 879fccd266 merging locally 2022-05-26 15:27:13 +00:00
Tim Shelton b78386d372 FP: ignore Amazon aws powershell 2022-05-26 14:45:00 +00:00
Nasreddine Bencherchali c3d807f53a Add More Malicious PowerShell Script/Cmdlet Names 2022-05-24 22:02:08 +01:00
Tim Shelton 0fb943dc2c FP: fixing modifier 2022-05-23 21:43:43 +00:00
Tim Shelton c807191ab7 FP: filtering out Amaazon AWS header 2022-05-23 21:41:13 +00:00
Florian Roth e86d007d35 Merge pull request #3027 from elhoim/rename_suspicious 
Renamed suspicious in filenames to susp
 2022-05-20 19:28:24 +02:00
MatilJ 10f0a82b94 Fix detection 2022-05-19 21:09:47 +03:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
Florian Roth a55e8f2ac1 refactor: PoSh Defender Tampering 2022-05-18 17:29:38 +02:00
frack113 196aa6d83d move deprecated rules 2022-05-14 09:42:32 +02:00
phantinuss 6f92a11c02 chore: test rules: check for all modifier with single item 2022-05-11 11:06:09 +02:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
phantinuss b991a5be52 chore: test rules: warn on errors or invalid FP reasons 
also adapted the existing rules to pass the tests
 2022-05-09 16:07:55 +02:00
David ANDRE 6c632b1ef0 Modified description 2022-05-05 17:27:35 +02:00
David ANDRE f3dc78b9da Added various disabling options of defender in posh_ps_tamper_defender.yml\nAdded match on default actions of defender to allow. 2022-05-05 17:25:37 +02:00
Florian Roth 0a55406444 fix: wording on two rules 2022-04-26 16:43:44 +02:00
frack113 eec8437dc2 Add posh_ps_win32_product_install_msi 2022-04-24 12:49:00 +02:00
frack113 89985b08c8 New Redcannary Windows Tests 2022-04-09 18:00:15 +02:00
frack113 0f4d61d04e Merge pull request #2872 from frack113/redcannay_20220404 
Windows Redcannary
 2022-04-04 13:23:47 +02:00
Florian Roth eaaabf2468 Update posh_ps_suspicious_get_current_user.yml 2022-04-04 12:19:47 +02:00
frack113 aaafef29b4 Redcannary 2022-04-04 10:57:23 +02:00
Florian Roth b394702748 Update posh_ps_suspicious_gettypefromclsid.yml 2022-04-04 09:28:56 +02:00
frack113 d2b2362ce7 Redcannary 2022-04-02 11:55:02 +02:00
Florian Roth 3f1b8ff727 Update posh_ps_susp_get_addefaultdomainpasswordpolicy.yml 2022-03-21 12:09:33 +01:00
Florian Roth 7ebdfda1b8 Update posh_ps_susp_get_addefaultdomainpasswordpolicy.yml 2022-03-21 11:54:45 +01:00