Commit Graph

342 Commits

Author SHA1 Message Date
frack113 e33ec91b9a add powershell_keylogging.yml 2021-07-30 08:28:19 +02:00
frack113 38ede57cb4 add powershell_suspicious_recon.yml 2021-07-30 08:20:51 +02:00
frack113 2758c1aa93 add powershell_automated_collection.yml 2021-07-28 14:14:02 +02:00
frack113 aff5264096 Add check for status and level 2021-07-22 19:25:51 +02:00
Florian Roth edfd082754 Merge pull request #1716 from frack113/elk_keyword_rule (powershell_nishang_malicious_commandlets Elk keywords trouble) 2021-07-22 15:01:13 +02:00
Florian Roth 7a8fcf4237 Merge pull request #1718 from frack113/powercat ([OSCD] powershell_powercat.yml T1095) 2021-07-22 14:53:34 +02:00
frack113 4cc4df35d8 add powershell_suspicious_mail_acces.yml 2021-07-21 15:27:12 +02:00
frack113 72da7a3053 fix tags attack.t1095 2021-07-21 13:08:35 +02:00
frack113 41c4f1d157 add powershell_powercat.yml 2021-07-21 13:04:27 +02:00
frack113 44254038d3 fix human error: test-sigmac Error 4 2021-07-21 10:01:46 +02:00
frack113 b9b0ef2066 convert keywords to correct field name Payload 2021-07-21 09:44:26 +02:00
frack113 ba50a2309c fix case EventID 2021-07-20 16:26:13 +02:00
frack113 42005a07b7 update powershell_suspicious_download.yml 2021-07-20 16:12:24 +02:00
Florian Roth 8a75890b51 Merge pull request #1702 from d4rk-d4nph3/master (Added rule for ADRecon execution) 2021-07-17 09:50:29 +02:00
Florian Roth e838a1acc4 increased level 2021-07-17 09:50:11 +02:00
Bhabesh Rai be8fce8e82 Added rule for ADRecon execution 2021-07-16 12:58:47 +05:45
Florian Roth e40b859254 Merge pull request #1695 from frack113/fix_re (escape / in regex) 2021-07-15 09:25:58 +02:00
frack113 0ef3dc2082 escape / in regex 2021-07-15 08:13:49 +02:00
k-vdv 12b172039f fixed some typos and adjusted capitalization to original 2021-07-14 15:47:17 +02:00
leegengyu 3594b10d74 Insert modified date 2021-07-06 20:56:31 +08:00
G Y c5d2a55f6d powershell_data_compressed.yml - Update selection (Changed to ScriptBlockText, due to PowerShell logging-specific context.) 2021-07-06 20:36:38 +08:00
leegengyu 7557732ca2 Updated ART reference links from .yaml to .md and sub-technique links. 2021-07-06 17:21:22 +08:00
frack113 d05f3efd1b fix pr 869 2021-07-04 19:44:50 +02:00
Florian Roth 1e152bf594 Merge pull request #1615 from leegengyu/patch-1 (Update powershell_data_compressed.yml - Outdated link) 2021-07-04 14:19:55 +02:00
G Y c63439e74d Update powershell_data_compressed.yml (Changed reference link from `.yaml` to `.md`.) 2021-07-04 08:15:29 +08:00
G Y d247766a2e Update powershell_data_compressed.yml (Corrected old link and formatting.) 2021-07-03 20:48:03 +08:00
Florian Roth e7144b34ee fix: bug in syntax 2021-07-03 13:19:56 +02:00
Florian Roth 2d0cdc16fc added modified date 2021-07-03 13:19:14 +02:00
G Y 7f067f7273 Update powershell_powerview_malicious_commandlets.yml (Added new commandlet names based on aliases seen in https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1, fixed a typo, and improved formatting.) 2021-07-03 11:07:11 +08:00
Bhabesh Rai 206adbb2b6 Merging upstream updates 2021-07-01 12:18:30 +05:45
CriimBow 188b847670 Typo on Find-DomainObjectPropertyOutlier 2021-06-25 10:35:33 +02:00
Florian Roth 5e35e387dd Merge pull request #1549 from SigmaHQ/rule-devel (Rule devel) 2021-06-10 10:19:47 +02:00
Florian Roth 9c0700bc56 Powershell artefacts to critical 2021-06-10 09:42:07 +02:00
Florian Roth 04faf985d2 more PowerShell suspicious keywords 2021-06-10 09:41:55 +02:00
Florian Roth cfdf3b7c08 Merge pull request #1538 from frack113/powershell_delete_volume_shadow_copies (Add t1490 powershell delete volume shadow copies) 2021-06-08 11:02:34 +02:00
frack113 0a6f7763aa Split original to existing file 2021-06-07 20:27:14 +02:00
frack113 537272c944 Add t1490 powershell delete volume shadow copies 2021-06-03 22:39:06 +02:00
frack113 bf98f43850 Make powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID 2021-06-01 10:47:17 +02:00
Florian Roth ea430c8823 Merge pull request #1471 from d4rk-d4nph3/master (Updated rule for Advanced IP Scanner and new rule for PowerView) 2021-05-27 12:55:03 +02:00
Florian Roth 059e669ac6 Merge pull request #1496 from frack113/falsepositives_NOT_a_list (Fix rule where Falsepositives not a valid value) 2021-05-27 12:51:54 +02:00
Florian Roth b5352ac5f7 fix: duplicate UUIDs 2021-05-27 10:29:21 +02:00
Florian Roth adbdb5b22f Merge branch 'master' into falsepositives_NOT_a_list 2021-05-27 10:23:19 +02:00
Bhabesh Rai cc9ac2ddcf Added rule for PowerView's malicious cmdlets 2021-05-25 21:04:32 +05:45
Jonhnathan 26ecbea0ba Update Threat Hunter Playbook Reference 2021-05-22 01:03:49 -03:00
Jonhnathan 4ebdcf2f1d Update Threat Hunter Playbook Reference 2021-05-22 01:03:23 -03:00
frack113 1d1170e8ba Fix falsepositives list 2021-05-21 12:31:01 +02:00
frack113 a6cadc6de5 Fix falsepositives list 2021-05-21 12:29:28 +02:00
frack113 ad376a8328 Fix falsepositives list 2021-05-21 12:28:12 +02:00
frack113 2197514fc5 Fix falsepositives list 2021-05-21 12:26:37 +02:00
frack113 48a7e80192 Fix falsepositives list 2021-05-21 12:24:25 +02:00