Commit Graph

6187 Commits

Author SHA1 Message Date
Craig Young e9953b5a82 Utilize Image|endswith for efficiency
Rather than searching all command lines, it is more efficient to consider first the Image name.
2020-10-16 13:56:41 -04:00
Craig Young 6e2b899128 Adding oscd.community to authors 2020-10-16 13:51:02 -04:00
Nikita P. Nazarov 30ce1ff268 Detected Windows Software Discovery 2020-10-16 20:44:08 +03:00
Jonhnathan 89bbee6594 Update win_susp_service_dacl_modification.yml 2020-10-16 11:57:54 -03:00
Jonhnathan 3f23aa56c0 Revert "Revert "Changed the rule to download only and not the copy""
This reverts commit 17e7eee3a6.
2020-10-16 11:05:51 -03:00
Jonhnathan 0734274dfa Revert "Revert "Create win_susp_replace_lolbin.yml""
This reverts commit fdd9234acc.
2020-10-16 11:05:40 -03:00
Jonhnathan 23e956dcce Merge branch 'oscd5' of https://github.com/w0rk3r/sigma into oscd5 2020-10-16 11:03:21 -03:00
Jonhnathan b190c1dbba Revert "Revert "Changed the rule to download only and not the copy""
This reverts commit 5e9c80c8b1.
2020-10-16 11:03:18 -03:00
Jonhnathan b4663a1535 Revert "Revert "Create win_susp_replace_lolbin.yml""
This reverts commit e47bee2d4e.
2020-10-16 11:03:10 -03:00
tas_kmanager c4ddd56931 Update sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml 2020-10-16 09:30:20 -04:00
tas_kmanager 832c1d4b1a Update sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml 2020-10-16 08:59:07 -04:00
Jonhnathan 2f7b44964c Create win_susp_service_dacl_modification.yml 2020-10-16 09:30:09 -03:00
Jonhnathan e47bee2d4e Revert "Create win_susp_replace_lolbin.yml"
This reverts commit e6a6549676.
2020-10-16 09:10:48 -03:00
Jonhnathan 5e9c80c8b1 Revert "Changed the rule to download only and not the copy"
This reverts commit 1324bc1ad1.
2020-10-16 09:10:45 -03:00
Jonhnathan 9a5c166bb2 Fix filter 2020-10-16 07:35:59 -03:00
unclep@sk aa2cd4bdce The author field escape char fixed 2020-10-16 13:02:40 +03:00
unclep@sk 27bbbf3398 The author field escape char fixed 2020-10-16 12:51:59 +03:00
unclep@sk dc554af970 The author field and FP filter fix applied 2020-10-16 12:49:27 +03:00
unclep@sk 94f60acb7f The author field escape char fixed 2020-10-16 12:09:46 +03:00
Florian Roth 48f1be04d4 fix: ping hex ip rule 2020-10-16 10:06:24 +02:00
Ivan Dyachkov a51eec1a79 fixed image and commandline search 2020-10-16 10:44:59 +03:00
Ivan Dyachkov 78644305d6 '-s' is working too. 2020-10-16 10:39:56 +03:00
Vasiliy Burov 700ed134bc Update powershell_cmdline_special_characters.yml 2020-10-16 10:18:37 +03:00
Vasiliy Burov d2184aee5e Update powershell_cmdline_special_characters.yml 2020-10-16 09:58:59 +03:00
tas_kmanager 9b2268a192 [OSCD] Always Install Elevated - Slide 50 - Rule 2
Page 50 from #574 Rule 2

Look for msiexec spawning command line or powershell, then it spawns other processes

Using enrichment as suggested by @yugoslavskiy
2020-10-15 22:36:28 -04:00
tas_kmanager 23358b8db5 [OSCD] Always Install Elevated - Slide 50 - Rule 1
Page 50 from #574 Rule 1

Look for msiexec spawning command line or powershell
2020-10-15 22:08:45 -04:00
Jonhnathan 2332e42e4c Update win_susp_copy_lateral_movement.yml 2020-10-15 21:01:23 -03:00
Jonhnathan d4603d196b Update win_susp_adfind.yml 2020-10-15 21:00:15 -03:00
Jonhnathan fc6c727c70 Update powershell_malicious_commandlets.yml 2020-10-15 20:59:27 -03:00
Jonhnathan 1584ddf918 Update sysmon_susp_service_installed.yml 2020-10-15 20:50:42 -03:00
Jonhnathan f4872118a2 Update win_powershell_dll_execution.yml 2020-10-15 20:38:55 -03:00
Jonhnathan 3566dd1594 Fix 2020-10-15 20:35:50 -03:00
Jonhnathan 44c909a4a4 Update win_apt_mustangpanda.yml 2020-10-15 20:33:00 -03:00
Jonhnathan 5fc348fd45 Fix 2020-10-15 20:32:16 -03:00
Jonhnathan 37ee747dfe Update win_apt_chafer_mar18.yml 2020-10-15 20:30:52 -03:00
Jonhnathan 1fac65dad0 Fix 2020-10-15 20:29:02 -03:00
Jonhnathan 0dfacd1f63 Fix 2020-10-15 20:27:10 -03:00
Jonhnathan 9795c95a9b Update av_webshell.yml 2020-10-15 20:25:34 -03:00
Jonhnathan 345c3c6451 Fix 2020-10-15 20:24:31 -03:00
Jonhnathan 86ade194a4 Fix 2020-10-15 20:22:56 -03:00
Jonhnathan 0666d21b06 Update win_dcsync.yml 2020-10-15 20:19:06 -03:00
Jonhnathan d7eda3fe7e Update sysmon_wmi_susp_scripting.yml 2020-10-15 20:15:22 -03:00
Jonhnathan 92aaeca075 Update sysmon_susp_powershell_rundll32.yml 2020-10-15 20:14:23 -03:00
Jonhnathan 26b36086c7 Update sysmon_cmstp_execution.yml 2020-10-15 20:13:39 -03:00
Jonhnathan df81f5180d Update sysmon_cactustorch.yml 2020-10-15 20:12:54 -03:00
Jonhnathan 457217bfc0 Update sysmon_win_reg_persistence.yml 2020-10-15 20:11:52 -03:00
Jonhnathan 229e57777a Update sysmon_win_reg_persistence.yml 2020-10-15 20:11:37 -03:00
Jonhnathan 8a52610bf8 Update sysmon_uac_bypass_eventvwr.yml 2020-10-15 20:11:11 -03:00
Jonhnathan 6ea18efdaf Update sysmon_sysinternals_eula_accepted.yml 2020-10-15 20:10:44 -03:00
Jonhnathan 7dfb8f0e99 Update sysmon_suspicious_keyboard_layout_load.yml 2020-10-15 20:10:21 -03:00