security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15,089 Commits 1 Branch 57 Tags
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
Commit Graph

4601 Commits

Author SHA1 Message Date
Ivan Dyachkov a8d5ddd93d commented tags 2020-10-14 16:31:00 +03:00
Vasilisa-L b1aa50ebcd T1059.001 added 2020-10-14 16:27:46 +03:00
Ivan Dyachkov d58d55668f fixed tags 2020-10-14 16:00:50 +03:00
Ivan Dyachkov e50306f549 edited 2020-10-14 16:00:08 +03:00
Ivan Dyachkov b24bec6c6c delete diskshadow 2020-10-14 15:55:24 +03:00
Ivan Dyachkov 3f932e4252 #1014 2020-10-14 15:51:32 +03:00
Ivan Dyachkov fa55803545 fixed spaces and tabs 2020-10-14 13:33:27 +03:00
uncleP@sk 947fa79dd3 vsjitdebugger detection added 2020-10-14 13:29:25 +03:00
Ivan Dyachkov 22d5acde10 New rule 2020-10-14 13:28:41 +03:00
uncleP@sk 8fdca7853c te.exe LOLbin detection 2020-10-14 13:02:45 +03:00
Ivan Dyachkov cf9b040600 fixed description, tags 2020-10-14 12:08:22 +03:00
Ivan Dyachkov c0e70106fa Fixed att&ck, deleted commandline key "exec" (does not works without interactive mode so there is no commandline appear) 2020-10-14 10:15:06 +03:00
uncleP@sk 196debf0ad description + author fields fixed 2020-10-14 10:12:34 +03:00
uncleP@sk 2f06c30760 empty line + authors fixed 2020-10-14 10:06:34 +03:00
Jonhnathan 043033c1b7 Update win_etw_trace_evasion.yml 2020-10-13 22:59:06 -03:00
Jonhnathan ac1a6927ad Update win_etw_trace_evasion.yml 2020-10-13 22:55:13 -03:00
Jonhnathan e3446b873a Correct duplicated selection 2020-10-13 22:54:30 -03:00
Jonhnathan b1c9871b74 Add Additional detections for other techniques 2020-10-13 22:51:48 -03:00
tas_kmanager 7916ae0517 Changed the category to process_creation 2020-10-13 20:58:00 -04:00
tas_kmanager 36a5f13b0c Moved the file to the right category 2020-10-13 20:48:16 -04:00
Thomas Patzke 026be7f753 Merge pull request #1039 from Vasilisa-L/oscd 
[OSCD] Pcwutl.dll LOLbin
 2020-10-14 00:24:41 +02:00
Thomas Patzke 95789a5379 Merge pull request #1068 from esebese/task87 
[OSCD] win_visual_basic_compiler.yml added
 2020-10-14 00:21:12 +02:00
Thomas Patzke a83f500267 Merge pull request #1058 from grikos/OSCD_100 
[OSCD] LOLBAS Setupapi.yml
 2020-10-14 00:19:32 +02:00
Thomas Patzke 7e4a205de7 Merge pull request #1059 from ryanplasma/rplas-SIGMA-547-page-20 
[OSCD] Add Usage of reg or Powershell by Non-privileged Users rule
 2020-10-13 23:24:05 +02:00
Thomas Patzke b9e38e79fa Merge pull request #1061 from svch0stz/oscd7 
[OSCD] Create win_susp_mounted_share_deletion.yml
 2020-10-13 22:55:54 +02:00
Jonhnathan a01c08f617 Removed reference to deprecated rule and improve logic 2020-10-13 17:45:35 -03:00
Jonhnathan 4c75d22d93 Revert "Create win_susp_replace_lolbin.yml" 
This reverts commit e6a6549676.
 2020-10-13 17:40:10 -03:00
Jonhnathan 1455d414bc Revert "Changed the rule to download only and not the copy" 
This reverts commit 1324bc1ad1.
 2020-10-13 17:40:07 -03:00
Thomas Patzke 60b99116f3 Merge pull request #1064 from Vasilisa-L/OSCD_winrm_AWL 
[OSCD] winrm.vbs_1
 2020-10-13 22:30:14 +02:00
Thomas Patzke a3a45e4a10 Merge pull request #1066 from Vasilisa-L/OSCD_winrm_execution 
[OSCD] winrm.vbs_2
 2020-10-13 22:28:09 +02:00
Thomas Patzke 54a9598d4b Fixed typo 2020-10-13 22:27:27 +02:00
Thomas Patzke 2ba89d7924 Merge pull request #1067 from nsaddler/oscd2 
[OSCD] Too Long Powershell CommandLine Rule added
 2020-10-13 22:20:29 +02:00
Thomas Patzke 772fd83cca Merge pull request #1080 from esebese/task93 
[OSCD] win_class_exec_xwizard.yml added
 2020-10-13 22:10:39 +02:00
Thomas Patzke 2bad4bb60d Merge pull request #1085 from w0rk3r/oscdq 
[OSCD] Update Win_susp_rundll32_activity - Multiple Lolbins
 2020-10-13 21:45:36 +02:00
Thomas Patzke b68286a162 Merge pull request #1093 from SanWieb/OSCD_regini 
[OSCD] regini LOLBAS
 2020-10-13 21:44:32 +02:00
Thomas Patzke 8f4b3b7324 Merge pull request #1097 from NikitaStormwind/regular30(2) 
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (process_creation)
 2020-10-13 21:42:38 +02:00
grikos a998c9b74c Remove asterisk from condition 2020-10-13 22:37:51 +03:00
Thomas Patzke 79120cd24c Merge pull request #1113 from NikitaStormwind/regular29(2) 
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (process_creation)
 2020-10-13 21:18:03 +02:00
uncleP@sk b4604f88aa title fixed 2020-10-13 21:49:21 +03:00
uncleP@sk 3d3efcd3db title changed 2020-10-13 16:24:52 +03:00
omkargudhate22 cdcb16dcd3 changed main condition for Netsh as well 2020-10-13 17:48:14 +05:30
uncleP@sk 62bb2bc272 [OSCD] LOLBin sqltoolsps.exe detection added 2020-10-13 13:04:37 +03:00
Thomas Patzke 33c80b8428 Merge pull request #1092 from zBlurr/win_susp_sqldumper_activity 
[OSCD] Sqldumper.exe LOLbin
 2020-10-13 11:51:41 +02:00
uncleP@sk b6b9ef85b1 Revert "sqltoolsps.exe usage detection added" 
This reverts commit 77ca94a47f.

wrong branch
 2020-10-13 12:48:58 +03:00
Thomas Patzke bf0f2fcec8 Merge pull request #1117 from aw350m33d/oscd_lolbin_settingsynchost 
[OSCD] Using SettingSyncHost.exe as LOLBin
 2020-10-13 11:46:04 +02:00
Thomas Patzke acb02d8d65 Merge pull request #1148 from sn0w0tter/oscd 
[OSCD] LOLBAS atbroker suspicious execution of ATs
 2020-10-13 11:45:07 +02:00
Thomas Patzke 1684db93d8 Merge pull request #1143 from NikitaStormwind/regular28(2) 
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (process_creation)
 2020-10-13 11:39:46 +02:00
uncleP@sk 77ca94a47f sqltoolsps.exe usage detection added 2020-10-13 12:39:32 +03:00
Thomas Patzke 2ac29e0fee Merge pull request #1152 from zinint/1009-27-3 
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (process_creation)
 2020-10-13 11:24:28 +02:00
Roberto Rodriguez a9bcf45392 Updated Contains keys 2020-10-13 03:43:54 -04:00