security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

2788 Commits

Author SHA1 Message Date
Jonhnathan b190c1dbba Revert "Revert "Changed the rule to download only and not the copy"" 
This reverts commit 5e9c80c8b1.
 2020-10-16 11:03:18 -03:00
Jonhnathan b4663a1535 Revert "Revert "Create win_susp_replace_lolbin.yml"" 
This reverts commit e47bee2d4e.
 2020-10-16 11:03:10 -03:00
tas_kmanager c4ddd56931 Update sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml 2020-10-16 09:30:20 -04:00
tas_kmanager 832c1d4b1a Update sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml 2020-10-16 08:59:07 -04:00
Jonhnathan 2f7b44964c Create win_susp_service_dacl_modification.yml 2020-10-16 09:30:09 -03:00
Jonhnathan e47bee2d4e Revert "Create win_susp_replace_lolbin.yml" 
This reverts commit e6a6549676.
 2020-10-16 09:10:48 -03:00
Jonhnathan 5e9c80c8b1 Revert "Changed the rule to download only and not the copy" 
This reverts commit 1324bc1ad1.
 2020-10-16 09:10:45 -03:00
unclep@sk aa2cd4bdce The author field escape char fixed 2020-10-16 13:02:40 +03:00
unclep@sk 27bbbf3398 The author field escape char fixed 2020-10-16 12:51:59 +03:00
unclep@sk dc554af970 The author field and FP filter fix applied 2020-10-16 12:49:27 +03:00
unclep@sk 94f60acb7f The author field escape char fixed 2020-10-16 12:09:46 +03:00
Florian Roth 48f1be04d4 fix: ping hex ip rule 2020-10-16 10:06:24 +02:00
Ivan Dyachkov a51eec1a79 fixed image and commandline search 2020-10-16 10:44:59 +03:00
Ivan Dyachkov 78644305d6 '-s' is working too. 2020-10-16 10:39:56 +03:00
tas_kmanager 9b2268a192 [OSCD] Always Install Elevated - Slide 50 - Rule 2 
Page 50 from #574 Rule 2

Look for msiexec spawning command line or powershell then it spawns other processes

using enrichment as suggested by @yugoslavskiy
 2020-10-15 22:36:28 -04:00
tas_kmanager 23358b8db5 [OSCD] Always Install Elevated - Slide 50 - Rule 1 
Page 50 from #574 Rule 1

Look for msiexec spawning command line or powershell
 2020-10-15 22:08:45 -04:00
Jonhnathan 2332e42e4c Update win_susp_copy_lateral_movement.yml 2020-10-15 21:01:23 -03:00
Jonhnathan d4603d196b Update win_susp_adfind.yml 2020-10-15 21:00:15 -03:00
Jonhnathan f4872118a2 Update win_powershell_dll_execution.yml 2020-10-15 20:38:55 -03:00
Jonhnathan 3566dd1594 Fix 2020-10-15 20:35:50 -03:00
Jonhnathan 44c909a4a4 Update win_apt_mustangpanda.yml 2020-10-15 20:33:00 -03:00
Jonhnathan 5fc348fd45 Fix 2020-10-15 20:32:16 -03:00
Jonhnathan 37ee747dfe Update win_apt_chafer_mar18.yml 2020-10-15 20:30:52 -03:00
Jonhnathan 4adf092a25 Update win_workflow_compiler.yml 2020-10-15 20:00:57 -03:00
Jonhnathan eb9bac761f Update win_wmi_spwns_powershell.yml 2020-10-15 20:00:44 -03:00
Jonhnathan b2e1b857ae Update win_wmi_backdoor_exchange_transport_agent.yml 2020-10-15 20:00:27 -03:00
Jonhnathan 86ad1f45f5 Update win_win10_sched_task_0day.yml 2020-10-15 20:00:13 -03:00
Jonhnathan 630e92f3c2 Update win_webshell_spawn.yml 2020-10-15 19:59:59 -03:00
Jonhnathan 138b8fed06 Update win_webshell_recon_detection.yml 2020-10-15 19:59:36 -03:00
Jonhnathan e402356e82 Update win_webshell_detection.yml 2020-10-15 19:58:37 -03:00
Jonhnathan 2d9233d418 Update win_vul_java_remote_debugging.yml 2020-10-15 19:57:43 -03:00
Jonhnathan d9afa1aec6 Update win_termserv_proc_spawn.yml 2020-10-15 19:57:05 -03:00
Jonhnathan 737fbd1619 Update win_system_exe_anomaly.yml 2020-10-15 19:55:57 -03:00
Jonhnathan 434c6257f0 Update win_susp_wmi_execution.yml 2020-10-15 19:52:25 -03:00
Jonhnathan 7b9ec4709f Update win_susp_whoami.yml 2020-10-15 19:51:55 -03:00
Jonhnathan d09dd70695 Update win_susp_userinit_child.yml 2020-10-15 19:51:42 -03:00
Jonhnathan ad8620f729 Update win_susp_tscon_rdp_redirect.yml 2020-10-15 19:51:05 -03:00
Jonhnathan c38ccefc21 Update win_susp_tscon_localsystem.yml 2020-10-15 19:50:14 -03:00
Jonhnathan 9d8116c486 Update win_susp_taskmgr_parent.yml 2020-10-15 19:50:04 -03:00
Jonhnathan dde03e760b Update win_susp_taskmgr_localsystem.yml 2020-10-15 19:49:47 -03:00
Jonhnathan 4543e18e4e Update win_susp_sysvol_access.yml 2020-10-15 19:49:31 -03:00
Jonhnathan 08a018a2ee Update win_susp_sysprep_appdata.yml 2020-10-15 19:49:12 -03:00
Jonhnathan 4c9124952e Update win_susp_svchost.yml 2020-10-15 19:47:47 -03:00
Jonhnathan 5c7bc4c48a Update win_susp_schtask_creation.yml 2020-10-15 19:47:15 -03:00
Jonhnathan d3f0d25ffb Update win_susp_rundll32_by_ordinal.yml 2020-10-15 19:46:54 -03:00
Jonhnathan 8d471775e0 Update win_susp_regsvr32_anomalies.yml 2020-10-15 19:45:08 -03:00
Jonhnathan cc338507c9 Update win_susp_ps_appdata.yml 2020-10-15 19:43:37 -03:00
Jonhnathan 91fb5cdcd0 Update win_susp_prog_location_process_starts.yml 2020-10-15 19:43:19 -03:00
Jonhnathan 253014ee68 Update win_susp_procdump.yml 2020-10-15 19:42:48 -03:00
Jonhnathan f614ac658f Update win_susp_powershell_parent_combo.yml 2020-10-15 19:42:20 -03:00