abcc4a59c2
Fixed OSCD wording
2020-10-09 09:26:01 +03:00
789a0c174f
Fixed OSCD wording
2020-10-09 09:25:38 +03:00
1738316741
Update on help keys in cmd
2020-10-09 09:23:35 +03:00
0856170073
Update win_susp_mounted_share_deletion.yml
2020-10-09 11:42:06 +11:00
1088a2865b
Update win_susp_mounted_share_deletion.yml
2020-10-09 11:40:57 +11:00
04d56bade4
Removed redundant tag
2020-10-08 23:26:51 +03:00
d00e1073ee
Revert "Created rule win_susp_presentationhost_execution.yml"
...
This reverts commit a38c021876
2020-10-08 22:49:52 +03:00
5e1075b656
Update Powershell section
2020-10-08 15:19:42 -04:00
1695bc56dc
Remove commas
2020-10-08 15:31:17 -03:00
6cd9be66ed
Adding all modifier
2020-10-08 12:57:09 -04:00
60997b0243
Detects Obfuscated Powershell via use MSHTA in Scripts
2020-10-08 18:26:08 +03:00
47c22d0443
Detects Obfuscated Powershell via use Rundll32 in Scripts
2020-10-08 18:06:41 +03:00
ba96efc25e
[OSCD]win_pe_exec_vsjitdebugger.yml added
2020-10-08 17:28:20 +03:00
e6ad52c102
Corrected falsepositives
2020-10-08 15:11:57 +02:00
0e07ea3e70
Corrected author
2020-10-08 15:04:09 +02:00
539400c384
Creation of win_regini
2020-10-08 14:47:22 +02:00
7e28bf4df8
Fixed title format
2020-10-08 14:38:47 +03:00
55ea538841
Created rule win_susp_sqldumper_activity.yml
2020-10-08 14:29:21 +03:00
a09488a90f
revert changes for making new pull request
2020-10-08 14:20:32 +03:00
1581be1ec2
Created rule win_susp_sqldumper_activity.yml
2020-10-08 14:00:43 +03:00
a38c021876
Created rule win_susp_presentationhost_execution.yml
2020-10-08 13:24:59 +03:00
785f7e32e3
typo, - script extention
2020-10-08 10:13:20 +03:00
aba6cd26ca
Delete regex
2020-10-08 10:01:41 +03:00
8d94e993ab
Update win_susp_rundll32_activity.yml
2020-10-07 18:27:25 -03:00
109b1ea9cf
Revert "Create win_susp_replace_lolbin.yml"
...
This reverts commit e6a6549676
2020-10-07 18:26:11 -03:00
15bd7dcd3b
Revert "Changed the rule to download only and not the copy"
...
This reverts commit 1324bc1ad1
2020-10-07 18:26:04 -03:00
357d4bd895
Update sysmon_abusing_debug_privilege.yml
2020-10-07 23:34:03 +03:00
deb8db8599
Adding extension
...
Woops
2020-10-07 16:05:58 -04:00
a0dfde8478
Added UUID
2020-10-07 16:01:53 -04:00
127bc075b0
[OSCD] win_class_exec_xwizard.yml added
2020-10-07 22:49:12 +03:00
aea3c13d01
Initial commit
...
Other parameters besides \query may also be useful for credential dumping. This should be researched.
2020-10-07 15:33:26 -04:00
1324bc1ad1
Changed the rule to download only and not the copy
2020-10-07 16:18:21 -03:00
1c413bcf6d
Fixed status
2020-10-07 20:45:34 +03:00
8696b3ba18
Update sysmon_abusing_debug_privilege.yml
2020-10-07 19:32:05 +03:00
7b64ab552f
Capitalize Title
2020-10-07 10:51:55 -04:00
2d30379ab2
Move to process_creation category
2020-10-07 10:47:40 -04:00
df51044c90
Rule collection implemented
2020-10-07 17:35:14 +03:00
173df7ff3b
Update sysmon_abusing_debug_privilege.yml
2020-10-07 17:31:28 +03:00
8d09b55699
Added category field
2020-10-07 17:25:32 +03:00
6e8d9b9be2
Migrated to the process_creation category.
2020-10-07 17:11:38 +03:00
e6a6549676
Create win_susp_replace_lolbin.yml
...
Item 77 of #1014
2020-10-07 10:37:15 -03:00
f0f419df78
Create win_susp_pester.yml
2020-10-07 15:19:45 +03:00
18da272de4
[OSCD] win_visual_basic_compiler.yml added
2020-10-07 15:04:12 +03:00
9df6608239
Remove asterisk from condition
...
Change
ParentCommandLine:
- 'setupapi.dll*InstallHinfSection'
to
ParentCommandLine|contains|all:
- 'setupapi.dll'
- 'InstallHinfSection'
because some LM/SIEM systems don't process '*' as Splunk or Elasticsearch
2020-10-07 14:54:13 +03:00
59610517a0
Update sysmon_long_powershell_commandline.yml
2020-10-07 14:10:26 +03:00
df21dab585
Update sysmon_long_powershell_commandline.yml
2020-10-07 14:00:41 +03:00
e01e26be1c
Update sysmon_long_powershell_commandline.yml
2020-10-07 13:55:17 +03:00
7d8445fe12
[OSCD] Too Long Powershell CommandLine Rule added
2020-10-07 13:42:05 +03:00
da578a8bb0
Update win_susp_winrm_execution.yml
2020-10-07 12:30:57 +03:00
729e1f6f7f
Сreate win_susp_winrm_execution
2020-10-07 12:20:37 +03:00
Furkan ÇALIŞKAN