Commit Graph

2788 Commits

Author SHA1 Message Date
yugoslavskiy 40f6d5e543 update syntax a bit to re-run the test 2020-10-20 17:39:04 +02:00
yugoslavskiy 60f71d911d shorten the title to pass the test 2020-10-20 17:08:11 +02:00
Florian Roth 198b292c26 rule: emotet encoded commands 2020-10-20 12:51:58 +02:00
stvetro 6bc483d287 Added mitre tags 2020-10-19 19:28:52 +04:00
stvetro 43707c9023 Added mitre tags 2020-10-19 19:20:52 +04:00
Jonhnathan 6b2c235ab3 Update win_susp_replace_lolbin.yml 2020-10-18 23:44:18 -03:00
v3t0 3a550af9f7 [OSCD] Added a rule to detect execution of runonce with suspicious parameters 2020-10-18 22:38:13 -04:00
v3t0 755a714884 [OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments 2020-10-18 19:35:57 -04:00
Ensar Şamil 4619e98602 Update win_pe_exec_vsjitdebugger.yml 2020-10-18 20:08:29 +03:00
Timur Zinniatullin 0d5b03342a Add win_invoke_obfuscation_via_compress.yml 2020-10-18 19:51:20 +03:00
stvetro 65fc968658 Create win_susp_file_download_via_gfxdownloadwrapper.yml 2020-10-18 20:40:23 +04:00
stvetro a6d99e4418 Create win_susp_runscripthelper.yml 2020-10-18 20:37:53 +04:00
stvetro 5cb76ef7d4 Create win_winword_dll_load.yml 2020-10-18 20:29:39 +04:00
stvetro 5ae052b665 Revert "Revert "Create win_verclsid_runs_com.yml""
This reverts commit 8e820d441a.
2020-10-18 20:10:29 +04:00
stvetro 8e820d441a Revert "Create win_verclsid_runs_com.yml"
This reverts commit 7e4a958cc5.
2020-10-18 20:10:21 +04:00
Timur Zinniatullin d84281936b Update win_invoke_obfuscation_via_rundll.yml 2020-10-18 19:05:40 +03:00
stvetro 7e4a958cc5 Create win_verclsid_runs_com.yml 2020-10-18 20:02:34 +04:00
stvetro 07d3a6f340 Removed rules
to have 1 pull request 1 rule
2020-10-18 19:57:30 +04:00
Timur Zinniatullin 0c934ea455 Update win_invoke_obfuscation_via_rundll.yml 2020-10-18 18:54:31 +03:00
Timur Zinniatullin 683c4cfc0a Add win_invoke_obfuscation_via_rundll.yml 2020-10-18 18:53:17 +03:00
feedb 54b75b73b2 [OSCD] process_creation_msdeploy 2020-10-18 17:37:14 +03:00
feedb 2b731300fb [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code
=/
2020-10-18 17:13:41 +03:00
feedb 744d27d892 [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code 2020-10-18 17:08:52 +03:00
feedb e7c9ead469 [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code 2020-10-18 17:06:09 +03:00
feedb fabf2a03fe Delete win_mshta_invoke_html.yml 2020-10-18 15:29:43 +03:00
feedb 468fd40dda Update win_mshta_invoke_html.yml 2020-10-18 15:23:44 +03:00
feedb 6b39f7bb6e Update win_mshta_invoke_html.yml 2020-10-18 15:19:58 +03:00
feedb ad11fc7b0e Update win_mshta_invoke_html.yml 2020-10-18 15:14:13 +03:00
feedb 5b35991cdd Update win_mshta_invoke_html.yml 2020-10-18 15:05:01 +03:00
feedb 91692e49cd Update win_mshta_invoke_html.yml 2020-10-18 15:02:03 +03:00
feedb 3806196071 Create win_mshta_invoke_html.yml 2020-10-18 14:57:22 +03:00
OpalSec ca09ae5039 Modification of search logic per advice from @zinint
Edited suggested searches to improve performance:

VAR+
16ms: .*cmd.*(?:\/c|\/r).*set.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"

6ms: .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"

STDIN+
7ms: .*cmd.*(?:\/c|\/r).*powershell.+(?:\$\{?input}?|noexit).*\"

3ms: .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"

CLIP+
28ms: .*cmd.*(?:\/c|\/r).*\|.*clip(?:\.exe)?.*&&.*clipboard]::\(\s\\\"\{\d\}.*\-f.*\"

11ms: .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
2020-10-18 21:15:43 +11:00
unclep@sk b69e56539e tags fixed 2020-10-18 09:22:29 +03:00
grikos b75126f580 merged the description into one line 2020-10-17 22:48:40 +03:00
grikos aa87772ee7 empty line at the end of file added & del extra spaces after hyphen 2020-10-17 22:29:49 +03:00
yugoslavskiy e7e5ed6923 Update win_rasautou_dll_execution.yml
to trigger a test
2020-10-17 21:27:50 +02:00
grikos ae30660556 suspicious csi.exe (rcsi.exe) LOLBAS detection rule 2020-10-17 22:22:24 +03:00
aw350m3 18c2a107c7 fix tabs... again... 2020-10-17 16:07:40 +00:00
aw350m3 acf87f927c fix tabs 2020-10-17 16:03:49 +00:00
aw350m3 20450d74f1 Added a rule to detect the launch of a PowerShell with redirection of the input stream. 2020-10-17 15:50:55 +00:00
tas_kmanager e955d38f0a [OSCD] Always Install Elevated Alternative
Page 48 from #574

Alternative to #1195 because it is on the unsupported folder. Following suggestion from @yugoslavskiy - #574 (comment)
2020-10-16 21:35:53 -04:00
Craig Young 192bca814b Remove all modifier 2020-10-16 15:46:51 -04:00
Roberto Rodriguez 4f039c7945 Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-10-16 14:45:13 -04:00
Craig Young 85e3099297 Added LOLBAS URL 2020-10-16 13:58:59 -04:00
Craig Young e9953b5a82 Utilize Image|endswith for efficiency
Rather than searching all command lines, it is more efficient to consider first the Image name.
2020-10-16 13:56:41 -04:00
Craig Young 6e2b899128 Adding oscd.community to authors 2020-10-16 13:51:02 -04:00
Jonhnathan 89bbee6594 Update win_susp_service_dacl_modification.yml 2020-10-16 11:57:54 -03:00
Jonhnathan 3f23aa56c0 Revert "Revert "Changed the rule to download only and not the copy""
This reverts commit 17e7eee3a6.
2020-10-16 11:05:51 -03:00
Jonhnathan 0734274dfa Revert "Revert "Create win_susp_replace_lolbin.yml""
This reverts commit fdd9234acc.
2020-10-16 11:05:40 -03:00
Jonhnathan 23e956dcce Merge branch 'oscd5' of https://github.com/w0rk3r/sigma into oscd5 2020-10-16 11:03:21 -03:00