security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

6187 Commits

Author SHA1 Message Date
frack113 b4d5b44ea8 Merge pull request #2180 from 0xThiebaut/workfolders 
Add LOLBin rule win_susp_workfolders
 2021-10-21 19:11:08 +02:00
frack113 217ac5c9a3 Merge pull request #2170 from frack113/redcanary_T1564_003 
add rule powershell_suspicious_windowstyle
 2021-10-21 18:07:48 +02:00
frack113 39fac24ee6 Merge pull request #2169 from frack113/ExecutionPolicy_Unrestricted 
Add rule powershell_set_policies_to_unsecure_level
 2021-10-21 18:07:26 +02:00
Maxime THIEBAUT 9c25c89dbb Add LOLBin rule win_susp_workfolders 2021-10-21 11:43:27 +02:00
frack113 1775db7fe8 fix cast 2021-10-21 09:58:32 +02:00
frack113 4394aa685d fix cast 2021-10-21 09:47:06 +02:00
frack113 6c7d5124f5 fix detection 2021-10-21 09:28:33 +02:00
Florian Roth 1c51b3d0a9 Merge pull request #2174 from frack113/fix_sysmon_cred_dump_lsass_access 
fix sysmon_cred_dump_lsass_access
 2021-10-21 08:41:19 +02:00
frack113 a074b11264 Merge pull request #2166 from securepeacock/patch-2 
Create registry_event_mal_netwire.yml
 2021-10-21 06:39:13 +02:00
frack113 216b2d65d9 fix SourceImage 2021-10-20 19:45:38 +02:00
frack113 a9bc26f37c add powershell_suspicious_windowstyle 2021-10-20 13:57:24 +02:00
frack113 f9efc127de add powershell_set_policies_to_unsecure_level 2021-10-20 12:58:43 +02:00
securepeacock 8f4a0cf4d6 Update registry_event_mal_netwire.yml 2021-10-19 18:23:42 -04:00
securepeacock ff439099bc Create registry_event_mal_netwire.yml 2021-10-19 18:20:23 -04:00
phantinuss 75193321f8 feat: mstsc history cleared 2021-10-19 18:30:02 +02:00
frack113 66a37298a7 Merge pull request #2158 from frack113/powershell_optimize 
Powershell  deals with the last 4 rules in powershell directory
 2021-10-19 14:24:34 +02:00
frack113 f61127f04e Merge pull request #2157 from frack113/update_wmic_uninstall 
win_susp_wmic_security_product_uninstall update product list
 2021-10-19 14:24:09 +02:00
frack113 57cdfd2612 Merge pull request #2155 from hieuttmmo/master 
Create new rule for detecting Microsfot Defender Tampering via Registry
 2021-10-19 14:23:50 +02:00
Florian Roth 270adfa251 Merge pull request #2159 from phantinuss/fp-tuning 
FP tuning when CommandLine logging is not activated for 4688 events
 2021-10-19 14:20:20 +02:00
Andreas Hunkeler a63cc967fe Fix MITRE tag in COM hijacking rule 2021-10-19 13:51:25 +02:00
phantinuss deecced962 fix: FP tuning when CommandLine logging is not activated for 4688 events 2021-10-19 13:37:28 +02:00
WojciechLesicki 6c86500414 Description changes acording to https://github.com/SwiftOnSecurity/sysmon-config/pull/151 2021-10-18 21:34:05 +02:00
frack113 faa407dacc cleanup list 2021-10-18 14:52:35 +02:00
frack113 0e1c156ddf fix related 2021-10-18 14:26:06 +02:00
frack113 d866b10590 add ps_script verison 2021-10-18 14:13:29 +02:00
frack113 19da3ac07f add ps_module version 2021-10-18 14:12:52 +02:00
frack113 278c01c59f move to deprecated 2021-10-18 14:12:10 +02:00
frack113 40e8dc506a update product list 2021-10-18 11:19:18 +02:00
Tran Trung Hieu ccf6c8df38 Create new rule for detecting Microsfot Defender Tampering via Registry 2021-10-18 10:07:44 +04:00
frack113 a8a0d546f3 Merge pull request #2113 from austinsonger/process_creation_lolbins_suspicious_driver_install_by_pnputil.yml 
process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
 2021-10-17 08:10:18 +01:00
frack113 5756888b1b adds the alternative options 2021-10-17 08:33:32 +02:00
frack113 e5b3a1cc14 Merge pull request #2151 from frack113/ps_category 
Powershell category
 2021-10-17 07:15:31 +01:00
frack113 94fe989f11 Merge pull request #2139 from phantinuss/providername 
Introducing the field 'Provider Name' for Windows Eventlog Log Sources
 2021-10-16 18:05:10 +01:00
frack113 4149fa8632 change to category: ps_classic_* 2021-10-16 08:26:51 +02:00
frack113 f6b0a89161 change to category: ps_script 2021-10-16 08:18:49 +02:00
frack113 0ca16b18f4 Change to category: ps_module 2021-10-16 08:05:15 +02:00
Florian Roth 7e02555e22 refactor: credential dumper level increased 2021-10-14 14:24:56 +02:00
frack113 c202d39acd Merge pull request #2138 from frack113/conti_ransomware 
Conti ransomware commandline
 2021-10-14 06:31:36 +01:00
phantinuss 7c8a735882 fix: change modifed date 2021-10-13 14:22:48 +02:00
phantinuss 5c3cdbe845 fix: replace space with _ 2021-10-13 14:20:26 +02:00
Austin Songer 4e43fce629 Update powershell_windows_firewall_profile_disabled.yml 2021-10-13 07:01:04 -05:00
phantinuss 1099d40473 rename the field 'Provider Name' to 'Provider_Name' 2021-10-13 13:04:11 +02:00
phantinuss 3d8002a237 fix: Use 'Provider Name' for windows eventlog log sources 2021-10-13 11:40:24 +02:00
frack113 5aa62bd342 fix yml 2021-10-12 21:02:15 +02:00
frack113 37c637066b add process_creation_conti_cmd_ransomware.yml 2021-10-12 20:57:12 +02:00
Austin Songer 40eed2ec59 Rename powershell_windows_firewall_disabled.yml to powershell_windows_firewall_profile_disabled.yml 2021-10-12 11:57:37 -05:00
Austin Songer d273bc25ea Create powershell_windows_firewall_disabled.yml 2021-10-12 11:56:37 -05:00
frack113 b9fc29bc05 Merge pull request #2131 from frack113/Powershell 
Powershell order
 2021-10-11 15:43:32 +01:00
frack113 7497fdb484 Merge pull request #2129 from d4rk-d4nph3/master 
Added rule for possible persistence via VMTools
 2021-10-10 10:55:06 +02:00
frack113 1337116d84 Cleanup selection name 2021-10-10 10:17:24 +02:00