security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,078 Commits 1 Branch 57 Tags
daddec92170bdfb592c5bbbb4e6eb370af5bce21
Commit Graph

31 Commits

Author SHA1 Message Date
Florian Roth a2c6f344ba Lower case T 2018-09-26 11:44:12 +02:00
Braz f35308a4d3 Missing Character 
Parsed the MITRE ATT&CK informations from the rules. My script crashed because the identifier "T" was missing.
Thanks for your work Flo & Tom!
 2018-09-26 11:40:24 +02:00
Thomas Patzke 81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth 68896d9294 style: renamed rule files to all lower case 2018-09-08 10:25:20 +02:00
megan201296 3154be82f3 Added .yml extension and fix typo 2018-09-06 20:28:22 -05:00
Florian Roth 016b15a2a9 Added quotation marks 
I've added quotation marks to make it clearer (leading dash looks weird)
 2018-07-26 18:10:21 +02:00
Lurkkeli 7796492c2b Update powershell_NTFS_Alternate_Data_Streams 2018-07-26 08:54:08 -07:00
Florian Roth cf7f5c7473 Changes 
I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? 
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
 2018-07-25 07:35:59 +02:00
Lurkkeli db82322d17 Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:03:07 +02:00
Lurkkeli fd8c5c5bf6 Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:00:21 +02:00
Lurkkeli ad580635ea Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00
ntim c99dc9f643 Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00
Florian Roth fc72bd16af Fixed bugs 2018-06-27 09:20:41 +02:00
Thomas Patzke 8041f77abd Merged similar rules 2018-03-06 23:19:11 +01:00
Thomas Patzke 84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
SherifEldeeb 348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb 48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb 112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth d9f933fec9 Fixed the fixed PSAttack rule 2017-10-19 09:52:40 +02:00
Florian Roth 0b0435bf7a Fixed PSAttack rule 2017-10-18 21:49:38 +02:00
Thomas Patzke f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Florian Roth abb01cc264 Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00
Florian Roth fa37f5afcf Rules: PowerShell Downgrade Attacks 2017-03-22 11:17:46 +01:00
Florian Roth 055992eb05 Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00
Florian Roth a0047f7c67 Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00
Florian Roth de689c32b5 Suspicious PowerShell Invocation 2017-03-12 17:06:53 +01:00
Florian Roth 294df21c56 Added expression 2017-03-05 22:45:54 +01:00
Florian Roth 7fae49b183 More PowerShell rules 2017-03-05 15:01:51 +01:00
Florian Roth 1e1cf9cb9e PowerShell Rules Revision 2017-03-05 14:14:31 +01:00
Omer Yampel 97b4078d01 Update powershell_malicious_commandlets.yml 
Added https://github.com/putterpanda/mimikittenz reference
 2017-03-04 20:26:39 -05:00
Florian Roth d397ee9f68 First PowerShell Ruleset 2017-03-05 01:47:25 +01:00