security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,086 Commits 1 Branch 57 Tags
da5ec4e952f93ddf5e665cc764fb862f29a5ea92
Commit Graph

4086 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
GlebSukhodolskiy da5ec4e952 Update win_wmi_persistence.yml 
Removed sequence of EIDs in Windows Security section.
 2021-01-06 16:50:28 +03:00
yugoslavskiy 198add2229 Update win_wmi_persistence.yml 
to trigger a test
 2020-10-17 22:28:10 +02:00
GlebSukhodolskiy 7ca50c94f2 Reference changed 2020-10-15 12:12:22 +03:00
GlebSukhodolskiy 9da9c20c63 Description Changed 2020-10-13 22:06:34 +03:00
GlebSukhodolskiy b732c060a1 Fixed sigma syntax 2020-10-13 22:02:53 +03:00
GlebSukhodolskiy cd98d907a1 Log Sources Modified 
Modified Log Sources and Deleted a Sysmon Detection due to Discussion in PR #1161
 2020-10-13 21:39:03 +03:00
GlebSukhodolskiy fa3a06aadb Added 2 More Detection Methods 
Issue #576
 2020-10-13 20:50:43 +03:00
Thomas Patzke 33c80b8428 Merge pull request #1092 from zBlurr/win_susp_sqldumper_activity 
[OSCD] Sqldumper.exe LOLbin
 2020-10-13 11:51:41 +02:00
Thomas Patzke bf0f2fcec8 Merge pull request #1117 from aw350m33d/oscd_lolbin_settingsynchost 
[OSCD] Using SettingSyncHost.exe as LOLBin
 2020-10-13 11:46:04 +02:00
Thomas Patzke acb02d8d65 Merge pull request #1148 from sn0w0tter/oscd 
[OSCD] LOLBAS atbroker suspicious execution of ATs
 2020-10-13 11:45:07 +02:00
Thomas Patzke 1684db93d8 Merge pull request #1143 from NikitaStormwind/regular28(2) 
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (process_creation)
 2020-10-13 11:39:46 +02:00
Thomas Patzke 7e8930f15e Merge pull request #1142 from NikitaStormwind/regular28(1) 
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (4104, 4103)
 2020-10-13 11:38:26 +02:00
Thomas Patzke 0c77edb859 Merge pull request #1120 from bczyz1/oscd 
[OSCD] Create powershell_icmp_exfiltration.yml
 2020-10-13 11:37:40 +02:00
Thomas Patzke f457e7a398 Merge pull request #1150 from zinint/1009-27-1 
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (4104, 4103)
 2020-10-13 11:36:19 +02:00
Thomas Patzke 2ac29e0fee Merge pull request #1152 from zinint/1009-27-3 
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (process_creation)
 2020-10-13 11:24:28 +02:00
Thomas Patzke 0636dd6d9f Merge pull request #1154 from invrep-de/oscd 
[OSCD] Powershell Disable Windows Defender AV
 2020-10-13 11:23:03 +02:00
invrep-de 55201a94c0 [OSCD] Powershell Disable Windows Defender AV 2020-10-13 02:05:00 +02:00
Timur Zinniatullin d1ef56bddb @aw350m3 style complience (: 2020-10-13 02:47:09 +03:00
Timur Zinniatullin 5bd75521f2 Add win_invoke_obfuscation_via_var++.yml 2020-10-13 02:23:50 +03:00
Timur Zinniatullin 870574b635 Add powershell_invoke_obfuscation_via_var++.yml 2020-10-13 02:19:57 +03:00
sn0w0tter 863b880845 Titile capitalization 2020-10-12 16:04:41 -07:00
Thomas Patzke a289eeaae6 Merge pull request #1089 from zBlurr/oscd 
[OSCD] Presentationhost.exe LOLbin
 2020-10-13 01:01:20 +02:00
Thomas Patzke d6ceba3719 Merge pull request #1102 from svch0stz/oscd8 
[OSCD] Create win_root_certificate_installed.yml
 2020-10-13 01:00:23 +02:00
Thomas Patzke d89ca07daa Merge pull request #1133 from omkar72/oscd-1 
[OSCD]updated adfind command line
 2020-10-13 00:58:56 +02:00
Thomas Patzke cb86c509f1 Merge pull request #1129 from bczyz1/oscd-sprint-2-keylogging 
[OSCD] Modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature
 2020-10-13 00:58:24 +02:00
Thomas Patzke eaa9f293e7 Merge pull request #1125 from vburov/patch-12 
[OSCD] Create powershell_cmdline_reversed_strings
 2020-10-13 00:57:22 +02:00
Thomas Patzke eb21860ab9 Merge pull request #1124 from bczyz1/oscd-sprint-2 
[OSCD] Create sysmon_modify_screensaver_binary_path.yml
 2020-10-13 00:56:33 +02:00
sn0w0tter c6ddbc78ce OSCD LOLBAS atbroker suspicious execution of ATs 2020-10-12 15:55:38 -07:00
Thomas Patzke e2e3177e46 Merge pull request #1135 from omkar72/oscd-2 
[OSCD] finger executable suspicious execution
 2020-10-13 00:52:27 +02:00
Thomas Patzke 80e3c4b587 Merge pull request #1137 from banzay021/oscd 
[OSCD] Pcwrun.exe detection added
 2020-10-13 00:51:04 +02:00
Thomas Patzke 5664f72a2a Merge pull request #1054 from NikitaStormwind/task#70 
[OSCD] Detecting Code injection with PowerShell in another process #70
 2020-10-13 00:47:13 +02:00
Thomas Patzke 4a74a56ba3 Merge pull request #1052 from NikitaStormwind/task 
[OSCD] Detecting use WinAPI Functions in PowerShell #69
 2020-10-13 00:46:25 +02:00
Thomas Patzke 8bee7272ab Merge pull request #1051 from esebese/oscd 
[OSCD] win_syncappvpublishingserver_exe.yml added
 2020-10-13 00:45:22 +02:00
Thomas Patzke 768e500627 Merge pull request #1042 from NikitaStormwind/task29,30 
[OSCD] Detecting use PsExec via Pipe Creation/Access to pipes #29 #30
 2020-10-13 00:40:58 +02:00
Thomas Patzke 14fcdc9899 Merge pull request #1038 from caliskanfurkan/master 
[OSCD] Added explorer.exe lolbin
 2020-10-13 00:36:29 +02:00
Nikita P. Nazarov ec383d9784 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:52:28 +03:00
Nikita P. Nazarov c5efbc8345 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:47:51 +03:00
omkargudhate22 e2911a025e added tags and corrected image condition format 2020-10-12 17:00:57 +05:30
Alexander Sungurov 175834fe90 Pcwrun.exe detection added 2020-10-12 13:52:49 +03:00
Florian Roth b8dc8d3f7e reduced to avoid FPs 2020-10-12 10:46:34 +02:00
omkar72 0fab2c0930 finger executable suspicious execution 2020-10-12 13:28:52 +05:30
omkar72 99d87d60ec updated adfind command line 2020-10-12 12:52:54 +05:30
omkar72 cf5ad9197c updated adfind command line 2020-10-12 12:42:05 +05:30
omkar72 d29a28a4a8 updated adfind command line 2020-10-12 12:40:50 +05:30
Bartlomiej Czyz e90f91b89e append authors of the update 2020-10-11 23:42:33 +02:00
Bartlomiej Czyz ae41190291 remove redundant reference 2020-10-11 23:39:08 +02:00
Bartlomiej Czyz b6876e5123 remove redundant reference 2020-10-11 23:35:17 +02:00
svch0stz 2edd79a37f Update win_root_certificate_installed.yml 2020-10-12 08:30:28 +11:00
Vasiliy Burov 1320e0b733 Update powershell_cmdline_reversed_strings.yml 2020-10-11 23:40:12 +03:00
Furkan ÇALIŞKAN edb5b7718e Deleted a part of an already-defined rule 
Lolbin rule for explorer.exe proxy execution;

Test scenario;

cd c:\windows\system32
explorer.exe calc.exe
(pops calc.exe) as in https://twitter.com/bohops/status/986984122563391488/photo/1
 2020-10-11 21:08:17 +03:00