security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

2788 Commits

Author SHA1 Message Date
Thomas Patzke 8bee7272ab Merge pull request #1051 from esebese/oscd 
[OSCD] win_syncappvpublishingserver_exe.yml added
 2020-10-13 00:45:22 +02:00
Thomas Patzke 14fcdc9899 Merge pull request #1038 from caliskanfurkan/master 
[OSCD] Added explorer.exe lolbin
 2020-10-13 00:36:29 +02:00
Nikita P. Nazarov ec383d9784 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:52:28 +03:00
nsaddler df8cd24a5d Update sysmon_long_powershell_commandline.yml 2020-10-12 18:28:28 +03:00
Ryan Plas a67c19c08b Split up powershell detection 2020-10-12 09:00:08 -04:00
omkargudhate22 7d69a08c30 Update win_netsh_port_fwd.yml 2020-10-12 18:29:02 +05:30
omkar72 a5575f3079 adding shortened commands 2020-10-12 17:47:26 +05:30
omkargudhate22 e2911a025e added tags and corrected image condition format 2020-10-12 17:00:57 +05:30
Alexander Sungurov 175834fe90 Pcwrun.exe detection added 2020-10-12 13:52:49 +03:00
Florian Roth b8dc8d3f7e reduced to avoid FPs 2020-10-12 10:46:34 +02:00
Sander 8c1bd4e466 Remove redundant space 2020-10-12 10:01:44 +02:00
omkar72 0fab2c0930 finger executable suspicious execution 2020-10-12 13:28:52 +05:30
Sander 3ab244c70f regini.exe ADS rule 2020-10-12 09:55:34 +02:00
Florian Roth 3affdd12e0 fix: rule title casing 2020-10-12 09:51:35 +02:00
omkar72 99d87d60ec updated adfind command line 2020-10-12 12:52:54 +05:30
Florian Roth 0d0cda0f86 docs: improved false positive notes 2020-10-12 09:18:42 +02:00
Florian Roth e7c6794ecd rule: suspicious wmic process call create + rundll32 2020-10-12 09:18:30 +02:00
Florian Roth 2e732eb01f Merge branch 'master' into rule-devel 2020-10-12 09:13:24 +02:00
omkar72 cf5ad9197c updated adfind command line 2020-10-12 12:42:05 +05:30
omkar72 d29a28a4a8 updated adfind command line 2020-10-12 12:40:50 +05:30
uncleP@sk 13e829219c reference's list changed 2020-10-12 08:35:11 +03:00
uncleP@sk 8ff91088ee tag's issue solved 2020-10-12 08:31:10 +03:00
Furkan ÇALIŞKAN edb5b7718e Deleted a part of an already-defined rule 
Lolbin rule for explorer.exe proxy execution;

Test scenario;

cd c:\windows\system32
explorer.exe calc.exe
(pops calc.exe) as in https://twitter.com/bohops/status/986984122563391488/photo/1
 2020-10-11 21:08:17 +03:00
uncleP@sk 435f052f75 some typos fixing 2020-10-11 19:45:46 +03:00
uncleP@sk 5aaba1f23a sqlps.exe detection added 2020-10-10 21:29:27 +03:00
Anton Kutepov b4ae5cb747 Fix ATTACK technique. 
Also made a couple of minor cosmetic changes.
 2020-10-10 20:27:00 +03:00
aw350m3 8693bd024f Added a rule to detect the use of SettingSyncHost.exe to run hijacked binary 2020-10-10 17:07:22 +00:00
Jonhnathan 09e6b05033 Update win_susp_rundll32_activity.yml 2020-10-10 10:08:02 -03:00
Semanur Guneysu 75386e6478 Update sysmon_abusing_debug_privilege.yml 
Field motifiers added.Filter 3 fixed due to logical error
 2020-10-10 13:19:02 +03:00
Thomas Patzke fe554a88cb Merge pull request #1035 from svch0stz/oscd3 
[OSCD] Update win_susp_copy_lateral_movement.yml
 2020-10-10 00:03:26 +02:00
Nikita P. Nazarov 79eb7b8bd7 Detects Obfuscated Powershell via use Clip.exe in Scripts 2020-10-09 19:42:27 +03:00
stvetro 4763bf8d10 Three more lolbins added 2020-10-09 18:28:07 +04:00
Nikita Nazarov 4205bb2227 Update win_invoke_obfuscation_via_use_mhsta.yml 2020-10-09 16:30:18 +03:00
Nikita Nazarov d07e0524d5 Update win_invoke_obfuscation_via_use_rundll32.yml 2020-10-09 16:27:56 +03:00
stvetro 59c7e8b0e3 Fixed title 2020-10-09 16:46:18 +04:00
stvetro 9937c0081a Fix issue in title 2020-10-09 16:34:29 +04:00
stvetro 77d6984a65 Fixed attack tags 2020-10-09 16:20:10 +04:00
stvetro 500fcfbcbe Generated guid 2020-10-09 15:42:05 +04:00
stvetro f6ce48a1be newline addded 2020-10-09 15:39:59 +04:00
stvetro 06c7d29f86 [OSCD] Two LOLBins: ftp.exe and Runscripthelper.exe 
Tasks 45 and 81 from https://github.com/Neo23x0/sigma/issues/1014
 2020-10-09 15:38:01 +04:00
Furkan ÇALIŞKAN a6112dc268 Fixed OSCD wording 2020-10-09 11:59:08 +03:00
Yuliya Fomina 8eb8b996e4 sintax fix 2020-10-09 10:43:16 +03:00
Ivan Dyachkov a88f7df704 fix tag 4 2020-10-09 10:37:51 +03:00
Ivan Dyachkov dbb80b1482 fix tag 3 2020-10-09 10:34:15 +03:00
Yuliya Fomina 44fa88c2a7 Create win_susp_rpcping 2020-10-09 10:33:21 +03:00
Ivan Dyachkov 347978fc8a fix tags 2 2020-10-09 10:31:07 +03:00
Ivan Dyachkov c422ae4c1e fixed tags 2020-10-09 10:25:45 +03:00
Ivan Dyachkov 40a8a9ea04 Added rule win_susp_diskshadow 2020-10-09 10:19:39 +03:00
Ensar Şamil c3851710d1 Update win_class_exec_xwizard.yml 2020-10-09 09:38:14 +03:00
Ensar Şamil 4f49171b55 Update win_visual_basic_compiler.yml 
author and selection fields edited
 2020-10-09 09:35:33 +03:00