Commit Graph

4601 Commits

Author SHA1 Message Date
Roberto Rodriguez 2cb540f95e 13 Rules from THP - Backlog Rules (old) 2020-10-13 03:33:55 -04:00
uncleP@sk 3f6ad0cb82 falsepositives changed 2020-10-13 10:25:35 +03:00
uncleP@sk 09d4160b98 filter added 2020-10-13 10:23:08 +03:00
cyb3rward0g 24e0d09a54 update - GitHub Action / Test Sigma 2020-10-12 22:15:49 -04:00
cyb3rward0g 72f35377b3 update - GitHub Action / Test Sigma 2020-10-12 22:11:01 -04:00
invrep-de 55201a94c0 [OSCD] Powershell Disable Windows Defender AV 2020-10-13 02:05:00 +02:00
Timur Zinniatullin 5bd75521f2 Add win_invoke_obfuscation_via_var++.yml 2020-10-13 02:23:50 +03:00
sn0w0tter 863b880845 Title capitalization 2020-10-12 16:04:41 -07:00
Thomas Patzke a289eeaae6 Merge pull request #1089 from zBlurr/oscd
[OSCD] Presentationhost.exe LOLbin
2020-10-13 01:01:20 +02:00
Thomas Patzke d89ca07daa Merge pull request #1133 from omkar72/oscd-1
[OSCD]updated adfind command line
2020-10-13 00:58:56 +02:00
sn0w0tter c6ddbc78ce OSCD LOLBAS atbroker suspicious execution of ATs 2020-10-12 15:55:38 -07:00
Thomas Patzke e2e3177e46 Merge pull request #1135 from omkar72/oscd-2
[OSCD] finger executable suspicious execution
2020-10-13 00:52:27 +02:00
Thomas Patzke 80e3c4b587 Merge pull request #1137 from banzay021/oscd
[OSCD] Pcwrun.exe detection added
2020-10-13 00:51:04 +02:00
Thomas Patzke 8bee7272ab Merge pull request #1051 from esebese/oscd
[OSCD] win_syncappvpublishingserver_exe.yml added
2020-10-13 00:45:22 +02:00
Thomas Patzke 14fcdc9899 Merge pull request #1038 from caliskanfurkan/master
[OSCD] Added explorer.exe lolbin
2020-10-13 00:36:29 +02:00
Nikita P. Nazarov ec383d9784 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:52:28 +03:00
nsaddler df8cd24a5d Update sysmon_long_powershell_commandline.yml 2020-10-12 18:28:28 +03:00
Ryan Plas a67c19c08b Split up powershell detection 2020-10-12 09:00:08 -04:00
omkargudhate22 7d69a08c30 Update win_netsh_port_fwd.yml 2020-10-12 18:29:02 +05:30
omkar72 a5575f3079 adding shortened commands 2020-10-12 17:47:26 +05:30
omkargudhate22 e2911a025e added tags and corrected image condition format 2020-10-12 17:00:57 +05:30
Alexander Sungurov 175834fe90 Pcwrun.exe detection added 2020-10-12 13:52:49 +03:00
Florian Roth b8dc8d3f7e reduced to avoid FPs 2020-10-12 10:46:34 +02:00
Sander 8c1bd4e466 Remove redundant space 2020-10-12 10:01:44 +02:00
omkar72 0fab2c0930 finger executable suspicious execution 2020-10-12 13:28:52 +05:30
Sander 3ab244c70f regini.exe ADS rule 2020-10-12 09:55:34 +02:00
Florian Roth 3affdd12e0 fix: rule title casing 2020-10-12 09:51:35 +02:00
omkar72 99d87d60ec updated adfind command line 2020-10-12 12:52:54 +05:30
Florian Roth 0d0cda0f86 docs: improved false positive notes 2020-10-12 09:18:42 +02:00
Florian Roth e7c6794ecd rule: suspicious wmic process call create + rundll32 2020-10-12 09:18:30 +02:00
Florian Roth 2e732eb01f Merge branch 'master' into rule-devel 2020-10-12 09:13:24 +02:00
omkar72 cf5ad9197c updated adfind command line 2020-10-12 12:42:05 +05:30
omkar72 d29a28a4a8 updated adfind command line 2020-10-12 12:40:50 +05:30
uncleP@sk 13e829219c reference list changed 2020-10-12 08:35:11 +03:00
uncleP@sk 8ff91088ee tag issue solved 2020-10-12 08:31:10 +03:00
Furkan ÇALIŞKAN edb5b7718e Deleted a part of an already-defined rule
Lolbin rule for explorer.exe proxy execution;

Test scenario;

cd c:\windows\system32
explorer.exe calc.exe
(pops calc.exe) as in https://twitter.com/bohops/status/986984122563391488/photo/1
2020-10-11 21:08:17 +03:00
uncleP@sk 435f052f75 fixing some typos 2020-10-11 19:45:46 +03:00
uncleP@sk 5aaba1f23a sqlps.exe detection added 2020-10-10 21:29:27 +03:00
Anton Kutepov b4ae5cb747 Fix ATTACK technique.
Also made a couple of minor cosmetic changes.
2020-10-10 20:27:00 +03:00
aw350m3 8693bd024f Added a rule to detect the use of SettingSyncHost.exe to run hijacked binary 2020-10-10 17:07:22 +00:00
Jonhnathan 09e6b05033 Update win_susp_rundll32_activity.yml 2020-10-10 10:08:02 -03:00
Semanur Guneysu 75386e6478 Update sysmon_abusing_debug_privilege.yml
Field modifiers added. Filter 3 fixed due to logical error
2020-10-10 13:19:02 +03:00
Thomas Patzke fe554a88cb Merge pull request #1035 from svch0stz/oscd3
[OSCD] Update win_susp_copy_lateral_movement.yml
2020-10-10 00:03:26 +02:00
Nikita P. Nazarov 79eb7b8bd7 Detects Obfuscated Powershell via use Clip.exe in Scripts 2020-10-09 19:42:27 +03:00
stvetro 4763bf8d10 Three more lolbins added 2020-10-09 18:28:07 +04:00
Nikita Nazarov 4205bb2227 Update win_invoke_obfuscation_via_use_mhsta.yml 2020-10-09 16:30:18 +03:00
Nikita Nazarov d07e0524d5 Update win_invoke_obfuscation_via_use_rundll32.yml 2020-10-09 16:27:56 +03:00
stvetro 59c7e8b0e3 Fixed title 2020-10-09 16:46:18 +04:00
stvetro 9937c0081a Fix issue in title 2020-10-09 16:34:29 +04:00
stvetro 77d6984a65 Fixed attack tags 2020-10-09 16:20:10 +04:00