security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,086 Commits 1 Branch 57 Tags
da5ec4e952f93ddf5e665cc764fb862f29a5ea92
Commit Graph

162 Commits

Author SHA1 Message Date
Thomas Patzke 7e8930f15e Merge pull request #1142 from NikitaStormwind/regular28(1) 
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (4104, 4103)
 2020-10-13 11:38:26 +02:00
Thomas Patzke 0c77edb859 Merge pull request #1120 from bczyz1/oscd 
[OSCD] Create powershell_icmp_exfiltration.yml
 2020-10-13 11:37:40 +02:00
Timur Zinniatullin d1ef56bddb @aw350m3 style complience (: 2020-10-13 02:47:09 +03:00
Timur Zinniatullin 870574b635 Add powershell_invoke_obfuscation_via_var++.yml 2020-10-13 02:19:57 +03:00
Thomas Patzke cb86c509f1 Merge pull request #1129 from bczyz1/oscd-sprint-2-keylogging 
[OSCD] Modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature
 2020-10-13 00:58:24 +02:00
Thomas Patzke eaa9f293e7 Merge pull request #1125 from vburov/patch-12 
[OSCD] Create powershell_cmdline_reversed_strings
 2020-10-13 00:57:22 +02:00
Thomas Patzke 5664f72a2a Merge pull request #1054 from NikitaStormwind/task#70 
[OSCD] Detecting Code injection with PowerShell in another process #70
 2020-10-13 00:47:13 +02:00
Nikita P. Nazarov c5efbc8345 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:47:51 +03:00
Bartlomiej Czyz e90f91b89e append authors of the update 2020-10-11 23:42:33 +02:00
Bartlomiej Czyz b6876e5123 remove redundant reference 2020-10-11 23:35:17 +02:00
Vasiliy Burov 1320e0b733 Update powershell_cmdline_reversed_strings.yml 2020-10-11 23:40:12 +03:00
Bartlomiej Czyz 94efeda45d modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature 2020-10-11 19:11:54 +02:00
Vasiliy Burov 64b07ff51a Update powershell_cmdline_reversed_strings.yml 2020-10-11 19:42:39 +03:00
Vasiliy Burov c868ef655c Update powershell_cmdline_reversed_strings.yml 2020-10-11 17:37:07 +03:00
Vasiliy Burov 7aaf4654cd Rename powershell_cmdline_reversed_strings to powershell_cmdline_reversed_strings.yml 2020-10-11 17:28:56 +03:00
Vasiliy Burov 00f5d1ec92 Update powershell_cmdline_reversed_strings 2020-10-11 17:24:46 +03:00
Vasiliy Burov 51f00c153c Update powershell_cmdline_reversed_strings 2020-10-11 17:18:15 +03:00
Vasiliy Burov dd9c29377b Update powershell_cmdline_reversed_strings 2020-10-11 17:11:58 +03:00
Vasiliy Burov 8f2ddc632e Create powershell_cmdline_reversed_strings 2020-10-11 17:02:02 +03:00
Bartlomiej Czyz a5dea8c596 [OSCD] Fix powershell_icmp_exfiltration.yml references, add newline at the end of the file #1013 2020-10-10 23:08:39 +02:00
Bartlomiej Czyz 6dcd4a6c6d [OSCD] Create powershell_icmp_exfiltration.yml #1013 2020-10-10 23:05:31 +02:00
Nikita Nazarov d3f0ddd2b1 Update powershell_code_injection.yml 2020-10-07 14:50:00 +03:00
Nikita Nazarov bfa3635cd2 Update powershell_accessing_win_api.yml 2020-10-07 14:47:29 +03:00
Nikita P. Nazarov 0ad9fc61de Detecting Code injection with PowerShell in another process 2020-10-06 20:52:18 +03:00
Nikita P. Nazarov c90d99c0f9 Accessing WinAPI in PowerShell 2020-10-06 19:57:57 +03:00
aw350m3 eb6b9be5a2 added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes 2020-08-25 23:51:22 +00:00
aw350m3 c28fce6273 fix duplication of key "modified" in mapping 2020-08-25 00:53:09 +00:00
aw350m3 c22273d162 fix duplication of key modified in mapping 2020-08-25 00:50:38 +00:00
aw350m3 399f378269 att&ck tags review: windows/powershell, windows/process_access, windows/network_connection 2020-08-24 23:31:26 +00:00
aw350m3 ba2e891433 windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00
Ryan Plas de53a08746 Merge branch 'master' of github.com:Neo23x0/sigma 2020-07-15 10:27:33 -04:00
Florian Roth 58b68758b4 fix: wrong MITRE ATT&CK ids used in the beta version 2020-07-14 17:53:32 +02:00
Ryan Plas 04fd598bcf Update additional rules to have correct logsource attributes 2020-07-13 17:02:17 -04:00
Ryan Plas 25d978d9bd Update powershell_shellcode_b64.yml logsource to use the correct Sigma schema values 2020-07-11 22:17:06 -04:00
Thomas Patzke 7eb499ad85 Added rule id 2020-07-07 22:54:55 +02:00
Thomas Patzke 360b5714a8 Splitted and improved new rule 2020-07-07 22:47:14 +02:00
Thomas Patzke 0ce5f2cc75 Merge branch 'patch-2' of https://github.com/4A616D6573/sigma into pr-483 2020-07-07 22:37:11 +02:00
Harish SEGAR 649e4eaa63 Added new rule for pwsh_xor_cmd 2020-06-29 22:09:58 +02:00
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
zaphod 1a598282f4 Add 'Add-Content' to powershell_ntfs_ads_access 2020-05-13 11:57:10 +02:00
Remco Verhoef 40539a0c0e fix incorrect use of action global 2020-05-06 22:53:02 +02:00
Florian Roth 4f469c0e39 Adjusted level 2020-04-14 13:37:10 +02:00
teddy-ROxPin 1501331f77 Create powershell_create_local_user.yml 
Adds coverage for creating a local account via PowerShell from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md#atomic-test-4---create-a-new-user-in-powershell
 2020-04-11 02:51:05 -06:00
Florian Roth 0ea2db8b9e Merge pull request #484 from hieuttmmo/master 
New sigma rules to detect new MITRE technique in last update (T1502)
 2020-04-03 09:59:36 +02:00
Florian Roth f4928e95bc Update powershell_suspicious_profile_create.yml 2020-04-03 09:36:17 +02:00
Florian Roth c0ab9c5745 Merge pull request #671 from HarishHary/powershell_downgrade_attack 
Powershell downgrade attack (small improvements)
 2020-04-03 09:31:33 +02:00
Florian Roth 6cf0edc076 Merge pull request #685 from teddy-ROxPin/patch-1 
Typo fix for powershell_suspicious_invocation_generic.yml
 2020-04-03 09:30:32 +02:00
Remco Hofman b791d599ee Disabled keywords that could cause FPs 2020-03-30 08:53:52 +02:00
teddy-ROxPin 1a3731f7ae Typo fix for powershell_suspicious_invocation_generic.yml 
' - windowstyle hidden ' changed to ' -windowstyle hidden '
 2020-03-29 04:16:15 -06:00
Remco Hofman f52ed4150d WMImplant parameter detection 2020-03-27 15:08:35 +01:00