Commit Graph

567 Commits

Author SHA1 Message Date
Austin Songer c9128687ee Spelling Errors on Rules 2021-08-18 18:58:20 +00:00
frack113 2d05eda1be fix ContextInfo FP 2021-08-18 15:18:29 +02:00
frack113 48d0846b53 add powershell_trigger_profiles 2021-08-18 14:29:50 +02:00
frack113 6a282ad24a fix many FP 2021-08-18 13:56:14 +02:00
Florian Roth 5fa5a412d5 fix: FPs with [reflection.assembly]::Load 2021-08-18 09:49:34 +02:00
Florian Roth a0625ad074 Merge branch 'master' into rule-devel 2021-08-17 12:29:55 +02:00
Florian Roth 80b3acfce9 fix: false positive with Xen / Oracle scripts 2021-08-17 12:03:49 +02:00
frack113 dfd9e6d8f0 Merge pull request #1857 from frack113/fix_HostApplication
Update definition for powershell-classic rule
2021-08-16 17:18:24 +02:00
Florian Roth 141ca03c9b Merge pull request #1853 from secDre4mer/contileak
feat: Add some rules to detect Conti behaviour
2021-08-16 14:18:43 +02:00
frack113 911579023c fix powershell_alternate_powershell_hosts.yml 2021-08-16 13:30:45 +02:00
frack113 2dbf9af27d add definition to powershell-classic 2021-08-16 12:56:24 +02:00
frack113 e8723e892a clean-up powershell_invoke_nightmare.yml 2021-08-16 09:19:10 +02:00
Max Altgelt 5b60e0ea5a feat: Add some rules to detect Conti behaviour
Add rules based on the leaks from the Conti group to detect
malicious behaviour.
2021-08-16 09:13:51 +02:00
Max Altgelt d2a35edae9 fix: Remove powershell_alternate_hosts from PR
Remove a rule using Host Application (which may or may not exist,
based on the log parser) from the PR. A future PR will clean up
rules using Host Application.
2021-08-16 08:42:17 +02:00
Max Altgelt 6f05e33feb fix: Correct incorrect message / keyword usage
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
2021-08-12 16:28:07 +02:00
Florian Roth c44b22b52f Merge pull request #1762 from frack113/redcanary_collection
[OSCD] Redcanary TA0009 collection
2021-08-05 15:49:10 +02:00
Florian Roth 448868302d Merge pull request #1767 from frack113/redcanary_t1497_001
[OSCD] Detect Virtualization Environment (Windows) T1497.001
2021-08-05 15:47:37 +02:00
Florian Roth 3634901bf1 Update poweshell_detect_vm_env.yml 2021-08-05 15:47:29 +02:00
Florian Roth 6a11190e79 Merge pull request #1769 from frack113/fix_powershell_400
Cleanup eventid 400 powershell-classic
2021-08-05 15:47:04 +02:00
Florian Roth da6b5f8ec5 Merge pull request #1770 from frack113/redcanary_powershell_T1070.006
[OSCD] powershell_timestomp.yml T1070.006
2021-08-05 15:46:48 +02:00
Florian Roth b1fb462c39 Update powershell_timestomp.yml 2021-08-05 15:46:01 +02:00
frack113 f040725dd8 fix EventID: 4104 ScriptBlockText 2021-08-04 14:49:50 +02:00
frack113 644fe80786 add powershell_timestomp.yml 2021-08-03 16:01:54 +02:00
frack113 b5e4b04cb5 fix eventid 400 powershell-classic 2021-08-03 10:04:15 +02:00
frack113 0efe69bd36 add poweshell_detect_vm_env.yml 2021-08-03 08:30:26 +02:00
frack113 e33ec91b9a add powershell_keylogging.yml 2021-07-30 08:28:19 +02:00
frack113 38ede57cb4 add powershell_suspicious_recon.yml 2021-07-30 08:20:51 +02:00
frack113 2758c1aa93 add powershell_automated_collection.yml 2021-07-28 14:14:02 +02:00
frack113 aff5264096 Add check for status and level 2021-07-22 19:25:51 +02:00
Florian Roth edfd082754 Merge pull request #1716 from frack113/elk_keyword_rule
powershell_nishang_malicious_commandlets Elk keywords trouble
2021-07-22 15:01:13 +02:00
Florian Roth 7a8fcf4237 Merge pull request #1718 from frack113/powercat
[OSCD] powershell_powercat.yml T1095
2021-07-22 14:53:34 +02:00
frack113 4cc4df35d8 add powershell_suspicious_mail_acces.yml 2021-07-21 15:27:12 +02:00
frack113 72da7a3053 fix tags attack.t1095 2021-07-21 13:08:35 +02:00
frack113 41c4f1d157 add powershell_powercat.yml 2021-07-21 13:04:27 +02:00
frack113 44254038d3 fix human error: test-sigmac Error 4 2021-07-21 10:01:46 +02:00
frack113 b9b0ef2066 convert keywords to correct field name Payload 2021-07-21 09:44:26 +02:00
frack113 ba50a2309c fix case EventID 2021-07-20 16:26:13 +02:00
frack113 42005a07b7 update powershell_suspicious_download.yml 2021-07-20 16:12:24 +02:00
Florian Roth 8a75890b51 Merge pull request #1702 from d4rk-d4nph3/master
Added rule for ADRecon execution
2021-07-17 09:50:29 +02:00
Florian Roth e838a1acc4 increased level 2021-07-17 09:50:11 +02:00
Bhabesh Rai be8fce8e82 Added rule for ADRecon execution 2021-07-16 12:58:47 +05:45
Florian Roth e40b859254 Merge pull request #1695 from frack113/fix_re
escape / in regex
2021-07-15 09:25:58 +02:00
frack113 0ef3dc2082 escape / in regex 2021-07-15 08:13:49 +02:00
k-vdv 12b172039f fixed some typos and adjusted capitalization to original 2021-07-14 15:47:17 +02:00
leegengyu 3594b10d74 Insert modified date 2021-07-06 20:56:31 +08:00
G Y c5d2a55f6d powershell_data_compressed.yml - Update selection
Changed to ScriptBlockText (due to PowerShell logging-specific context).
2021-07-06 20:36:38 +08:00
leegengyu 7557732ca2 Updated ART reference links from .yaml to .md and sub-technique links. 2021-07-06 17:21:22 +08:00
frack113 d05f3efd1b fix pr 869 2021-07-04 19:44:50 +02:00
Florian Roth 1e152bf594 Merge pull request #1615 from leegengyu/patch-1
Update powershell_data_compressed.yml - Outdated link
2021-07-04 14:19:55 +02:00
G Y c63439e74d Update powershell_data_compressed.yml
Changed reference link from `.yaml` to `.md`.
2021-07-04 08:15:29 +08:00