aw350m3
18c2a107c7
fix tabs... again...
2020-10-17 16:07:40 +00:00
aw350m3
acf87f927c
fix tabs
2020-10-17 16:03:49 +00:00
aw350m3
20450d74f1
Added a rule to detect the launch of a PowerShell with redirection of the input stream.
2020-10-17 15:50:55 +00:00
tas_kmanager
e955d38f0a
[OSCD] Always Install Elevated Alternative
Page 48 from #574
Alternative to #1195 because it is in the unsupported folder. Following suggestion from @yugoslavskiy - #574 (comment)
2020-10-16 21:35:53 -04:00
Craig Young
192bca814b
Remove all modifier
2020-10-16 15:46:51 -04:00
Roberto Rodriguez
4f039c7945
Merge branch 'master' of https://github.com/Neo23x0/sigma
2020-10-16 14:45:13 -04:00
Craig Young
85e3099297
Added LOLBAS URL
2020-10-16 13:58:59 -04:00
Craig Young
e9953b5a82
Utilize Image|endswith for efficiency
Rather than searching all command lines, it is more efficient to consider first the Image name.
2020-10-16 13:56:41 -04:00
Craig Young
6e2b899128
Adding oscd.community to authors
2020-10-16 13:51:02 -04:00
Jonhnathan
89bbee6594
Update win_susp_service_dacl_modification.yml
2020-10-16 11:57:54 -03:00
Jonhnathan
3f23aa56c0
Revert "Revert "Changed the rule to download only and not the copy""
This reverts commit 17e7eee3a6.
2020-10-16 11:05:51 -03:00
Jonhnathan
0734274dfa
Revert "Revert "Create win_susp_replace_lolbin.yml""
This reverts commit fdd9234acc.
2020-10-16 11:05:40 -03:00
Jonhnathan
23e956dcce
Merge branch 'oscd5' of https://github.com/w0rk3r/sigma into oscd5
2020-10-16 11:03:21 -03:00
Jonhnathan
b190c1dbba
Revert "Revert "Changed the rule to download only and not the copy""
This reverts commit 5e9c80c8b1.
2020-10-16 11:03:18 -03:00
Jonhnathan
b4663a1535
Revert "Revert "Create win_susp_replace_lolbin.yml""
This reverts commit e47bee2d4e.
2020-10-16 11:03:10 -03:00
tas_kmanager
c4ddd56931
Update sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
2020-10-16 09:30:20 -04:00
tas_kmanager
832c1d4b1a
Update sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
2020-10-16 08:59:07 -04:00
Jonhnathan
2f7b44964c
Create win_susp_service_dacl_modification.yml
2020-10-16 09:30:09 -03:00
Jonhnathan
e47bee2d4e
Revert "Create win_susp_replace_lolbin.yml"
This reverts commit e6a6549676.
2020-10-16 09:10:48 -03:00
Jonhnathan
5e9c80c8b1
Revert "Changed the rule to download only and not the copy"
This reverts commit 1324bc1ad1.
2020-10-16 09:10:45 -03:00
unclep@sk
aa2cd4bdce
The author field escape char fixed
2020-10-16 13:02:40 +03:00
unclep@sk
27bbbf3398
The author field escape char fixed
2020-10-16 12:51:59 +03:00
unclep@sk
dc554af970
The author field and FP filter fix applied
2020-10-16 12:49:27 +03:00
unclep@sk
94f60acb7f
The author field escape char fixed
2020-10-16 12:09:46 +03:00
Florian Roth
48f1be04d4
fix: ping hex ip rule
2020-10-16 10:06:24 +02:00
Ivan Dyachkov
a51eec1a79
fixed image and commandline search
2020-10-16 10:44:59 +03:00
Ivan Dyachkov
78644305d6
'-s' is working too.
2020-10-16 10:39:56 +03:00
tas_kmanager
9b2268a192
[OSCD] Always Install Elevated - Slide 50 - Rule 2
Page 50 from #574 Rule 2
Look for msiexec spawning command line or powershell, which then spawns other processes,
using enrichment as suggested by @yugoslavskiy
2020-10-15 22:36:28 -04:00
tas_kmanager
23358b8db5
[OSCD] Always Install Elevated - Slide 50 - Rule 1
Page 50 from #574 Rule 1
Look for msiexec spawning command line or powershell
2020-10-15 22:08:45 -04:00
Jonhnathan
2332e42e4c
Update win_susp_copy_lateral_movement.yml
2020-10-15 21:01:23 -03:00
Jonhnathan
d4603d196b
Update win_susp_adfind.yml
2020-10-15 21:00:15 -03:00
Jonhnathan
f4872118a2
Update win_powershell_dll_execution.yml
2020-10-15 20:38:55 -03:00
Jonhnathan
3566dd1594
Fix
2020-10-15 20:35:50 -03:00
Jonhnathan
44c909a4a4
Update win_apt_mustangpanda.yml
2020-10-15 20:33:00 -03:00
Jonhnathan
5fc348fd45
Fix
2020-10-15 20:32:16 -03:00
Jonhnathan
37ee747dfe
Update win_apt_chafer_mar18.yml
2020-10-15 20:30:52 -03:00
Jonhnathan
4adf092a25
Update win_workflow_compiler.yml
2020-10-15 20:00:57 -03:00
Jonhnathan
eb9bac761f
Update win_wmi_spwns_powershell.yml
2020-10-15 20:00:44 -03:00
Jonhnathan
b2e1b857ae
Update win_wmi_backdoor_exchange_transport_agent.yml
2020-10-15 20:00:27 -03:00
Jonhnathan
86ad1f45f5
Update win_win10_sched_task_0day.yml
2020-10-15 20:00:13 -03:00
Jonhnathan
630e92f3c2
Update win_webshell_spawn.yml
2020-10-15 19:59:59 -03:00
Jonhnathan
138b8fed06
Update win_webshell_recon_detection.yml
2020-10-15 19:59:36 -03:00
Jonhnathan
e402356e82
Update win_webshell_detection.yml
2020-10-15 19:58:37 -03:00
Jonhnathan
2d9233d418
Update win_vul_java_remote_debugging.yml
2020-10-15 19:57:43 -03:00
Jonhnathan
d9afa1aec6
Update win_termserv_proc_spawn.yml
2020-10-15 19:57:05 -03:00
Jonhnathan
737fbd1619
Update win_system_exe_anomaly.yml
2020-10-15 19:55:57 -03:00
Jonhnathan
434c6257f0
Update win_susp_wmi_execution.yml
2020-10-15 19:52:25 -03:00
Jonhnathan
7b9ec4709f
Update win_susp_whoami.yml
2020-10-15 19:51:55 -03:00
Jonhnathan
d09dd70695
Update win_susp_userinit_child.yml
2020-10-15 19:51:42 -03:00
Jonhnathan
ad8620f729
Update win_susp_tscon_rdp_redirect.yml
2020-10-15 19:51:05 -03:00