| Author | Commit | Message | Date |
|---|---|---|---|
| frack113 | 045e87058b | add definition | 2021-09-22 08:40:08 +02:00 |
| Florian Roth | d884f774f9 | Update powershell_memorydump_getstoragediagnosticinfo.yml | 2021-09-21 18:01:46 +02:00 |
| Max Altgelt | bf9bc03258 | chore: properly name and describe rules | 2021-09-21 15:59:01 +02:00 |
| Max Altgelt | 8c3faa390c | feat: Add rule for live memory dumping | 2021-09-21 15:09:12 +02:00 |
| frack113 | 0a6ac0b171 | split global powershell_alternate_powershell_hosts.yml | 2021-09-21 09:52:35 +02:00 |
| frack113 | f5d58a0cb1 | split powershell_remote_powershell_session.yml | 2021-09-21 09:48:50 +02:00 |
| frack113 | 95af26f963 | split powershell_suspicious_download.yml | 2021-09-21 09:46:02 +02:00 |
| frack113 | 2223afb6fe | split global rules | 2021-09-11 20:30:32 +02:00 |
| frack113 | e712d9696b | Merge pull request #2000 from frack113/split_global: Split frack113 global rules | 2021-09-08 06:26:35 +02:00 |
| Thomas Patzke | 143744bc12 | Various fixes: Backslashes in regular expressions; Casing of condition operators; Further small errors | 2021-09-07 23:38:07 +02:00 |
| frack113 | 0e5e4fa19d | Split global rules | 2021-09-07 13:30:32 +02:00 |
| Florian Roth | 6b2bacd2cc | Merge pull request #1979 from frack113/test_global: Change ID in global action rule | 2021-09-06 08:44:14 +02:00 |
| frack113 | 1fc2a39720 | Merge pull request #1975 from frack113/red_T1564.004_2: Redcanary t1564.004 test 2 | 2021-09-03 08:12:08 +02:00 |
| frack113 | d02ee1eddd | Update global ID | 2021-09-02 21:16:55 +02:00 |
| frack113 | 9bcefc6a93 | move uuid from global | 2021-09-02 16:05:05 +02:00 |
| frack113 | 90e673e5ac | fix invalid tags | 2021-09-02 10:17:50 +02:00 |
| frack113 | 25c6f69ea3 | update references | 2021-09-02 09:51:44 +02:00 |
| frack113 | 5e87970c77 | add powershell_store_file_in_alternate_data_stream.yml | 2021-09-02 09:47:54 +02:00 |
| frack113 | 6f3fc7036e | Update tags | 2021-09-01 09:45:31 +02:00 |
| frack113 | eb434732a7 | move rule not only powershell | 2021-08-31 13:48:07 +02:00 |
| frack113 | 18cdc36d73 | Fix EventID 4103 detection | 2021-08-31 13:44:54 +02:00 |
| frack113 | 89e21c69ef | fix detection | 2021-08-31 09:07:54 +02:00 |
| frack113 | acf59f9795 | Fix some errors | 2021-08-30 19:49:44 +02:00 |
| frack113 | 68237dffc4 | fix HostApplication | 2021-08-28 08:18:47 +02:00 |
| frack113 | ef6e0c5a4c | Fix error and FP | 2021-08-28 08:02:16 +02:00 |
| f.hubaut | e66007a43d | fix file name case | 2021-08-26 11:15:33 +02:00 |
| frack113 | 33c6ff6b5f | add powershell_suspicious_win32_pnpentity | 2021-08-23 13:17:35 +02:00 |
| frack113 | fc9666fb4e | Merge pull request #1896 from ZikyHD/fix_old_technics: Replace old mitre techniques by new one | 2021-08-22 18:56:08 +02:00 |
| frack113 | 0a410010a2 | Merge pull request #1877 from frack113/red_back: Add t1546 redcanary rules | 2021-08-22 18:50:58 +02:00 |
| SomeOne | 295054dcbe | Replace old mitre techniques by new one | 2021-08-22 13:57:56 +02:00 |
| frack113 | 42c90b9d20 | fix powershell_psattack error | 2021-08-21 10:05:47 +02:00 |
| frack113 | 2f683b9ab7 | fix powershell_clear_powershell_history error | 2021-08-21 10:00:48 +02:00 |
| frack113 | 0fb6c35b1f | Cleanup PS rules | 2021-08-21 09:58:58 +02:00 |
| frack113 | da839775fe | Update PS rules | 2021-08-21 09:50:59 +02:00 |
| frack113 | 6c529f7ab2 | Update PS rules | 2021-08-21 09:33:52 +02:00 |
| frack113 | cb95582077 | Update PowerShell rule | 2021-08-21 09:08:38 +02:00 |
| frack113 | 78212546a7 | Merge pull request #1869 from frack113/redcanary_T1546.013: powershell_trigger_profiles T1546.013 | 2021-08-19 16:17:53 +02:00 |
| frack113 | 90c9c08743 | fix title | 2021-08-19 16:09:31 +02:00 |
| frack113 | 89b6e1108b | powershell_wmi_persistence fix errors | 2021-08-19 15:42:19 +02:00 |
| frack113 | 1266a66a8d | add powershell_wmi_persistence.yml | 2021-08-19 15:37:28 +02:00 |
| Florian Roth | 459a0bdca1 | Merge pull request #1870 from frack113/fix_fp_Renamed_Powershell: Fix some false positives in renamed powershell | 2021-08-19 08:23:51 +02:00 |
| Austin Songer | c9128687ee | Spelling Errors on Rules | 2021-08-18 18:58:20 +00:00 |
| frack113 | 2d05eda1be | fix ContextInfo FP | 2021-08-18 15:18:29 +02:00 |
| frack113 | 48d0846b53 | add powershell_trigger_profiles | 2021-08-18 14:29:50 +02:00 |
| frack113 | 6a282ad24a | fix many FP | 2021-08-18 13:56:14 +02:00 |
| Florian Roth | 5fa5a412d5 | fix: FPs with [reflection.assembly]::Load | 2021-08-18 09:49:34 +02:00 |
| Florian Roth | a0625ad074 | Merge branch 'master' into rule-devel | 2021-08-17 12:29:55 +02:00 |
| Florian Roth | 80b3acfce9 | fix: false positive with Xen / Oracle scripts | 2021-08-17 12:03:49 +02:00 |
| frack113 | dfd9e6d8f0 | Merge pull request #1857 from frack113/fix_HostApplication: Update definition for powershell-classic rule | 2021-08-16 17:18:24 +02:00 |
| Florian Roth | 141ca03c9b | Merge pull request #1853 from secDre4mer/contileak: feat: Add some rules to detect Conti behaviour | 2021-08-16 14:18:43 +02:00 |