security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

6187 Commits

Author SHA1 Message Date
grikos a998c9b74c Remove asterisk from condition 2020-10-13 22:37:51 +03:00
Thomas Patzke 5f4d60951d Merge pull request #1112 from NikitaStormwind/regular29(1) 
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (4104, 4103)
 2020-10-13 21:34:38 +02:00
Thomas Patzke 79120cd24c Merge pull request #1113 from NikitaStormwind/regular29(2) 
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (process_creation)
 2020-10-13 21:18:03 +02:00
GlebSukhodolskiy 9da9c20c63 Description Changed 2020-10-13 22:06:34 +03:00
GlebSukhodolskiy b732c060a1 Fixed sigma syntax 2020-10-13 22:02:53 +03:00
uncleP@sk b4604f88aa title fixed 2020-10-13 21:49:21 +03:00
GlebSukhodolskiy cd98d907a1 Log Sources Modified 
Modified Log Sources and Deleted a Sysmon Detection due to Discussion in PR #1161
 2020-10-13 21:39:03 +03:00
sn0w0tter 992edf66cc values enclosed in quotation marks' 2020-10-13 11:30:17 -07:00
GlebSukhodolskiy 1824259ebf Added New Registry Keys 
Issue #576
 2020-10-13 21:03:06 +03:00
GlebSukhodolskiy fa3a06aadb Added 2 More Detection Methods 
Issue #576
 2020-10-13 20:50:43 +03:00
uncleP@sk 3d3efcd3db title changed 2020-10-13 16:24:52 +03:00
omkargudhate22 5b161ff4ae added regex & changed logsource 2020-10-13 17:51:05 +05:30
omkargudhate22 cdcb16dcd3 changed main condition for Netsh as well 2020-10-13 17:48:14 +05:30
omkargudhate22 5c65d07100 add reference & ends with condition 2020-10-13 17:44:39 +05:30
uncleP@sk 62bb2bc272 [OSCD] LOLBin sqltoolsps.exe detection added 2020-10-13 13:04:37 +03:00
Thomas Patzke 33c80b8428 Merge pull request #1092 from zBlurr/win_susp_sqldumper_activity 
[OSCD] Sqldumper.exe LOLbin
 2020-10-13 11:51:41 +02:00
uncleP@sk b6b9ef85b1 Revert "sqltoolsps.exe usage detection added" 
This reverts commit 77ca94a47f.

wrong branch
 2020-10-13 12:48:58 +03:00
Thomas Patzke bf0f2fcec8 Merge pull request #1117 from aw350m33d/oscd_lolbin_settingsynchost 
[OSCD] Using SettingSyncHost.exe as LOLBin
 2020-10-13 11:46:04 +02:00
Thomas Patzke acb02d8d65 Merge pull request #1148 from sn0w0tter/oscd 
[OSCD] LOLBAS atbroker suspicious execution of ATs
 2020-10-13 11:45:07 +02:00
Thomas Patzke 1684db93d8 Merge pull request #1143 from NikitaStormwind/regular28(2) 
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (process_creation)
 2020-10-13 11:39:46 +02:00
uncleP@sk 77ca94a47f sqltoolsps.exe usage detection added 2020-10-13 12:39:32 +03:00
Thomas Patzke 7e8930f15e Merge pull request #1142 from NikitaStormwind/regular28(1) 
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (4104, 4103)
 2020-10-13 11:38:26 +02:00
Thomas Patzke 0c77edb859 Merge pull request #1120 from bczyz1/oscd 
[OSCD] Create powershell_icmp_exfiltration.yml
 2020-10-13 11:37:40 +02:00
Thomas Patzke f457e7a398 Merge pull request #1150 from zinint/1009-27-1 
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (4104, 4103)
 2020-10-13 11:36:19 +02:00
Thomas Patzke 2ac29e0fee Merge pull request #1152 from zinint/1009-27-3 
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (process_creation)
 2020-10-13 11:24:28 +02:00
sn0w0tter 52319c1c18 typo fixed 2020-10-13 01:16:01 -07:00
Vasiliy Burov dff2e16ad2 Update powershell_cmdline_specific_comb_methods.yml 2020-10-13 10:59:20 +03:00
Roberto Rodriguez 6500c230cf Update win_sysmon_channel_reference_deletion.yml 2020-10-13 03:49:48 -04:00
Roberto Rodriguez a9bcf45392 Updated Contains keys 2020-10-13 03:43:54 -04:00
Roberto Rodriguez 2cb540f95e 13 Rules from THP - Backlog Rules (old) 2020-10-13 03:33:55 -04:00
uncleP@sk 3f6ad0cb82 falsepositives changed 2020-10-13 10:25:35 +03:00
uncleP@sk 09d4160b98 filter added 2020-10-13 10:23:08 +03:00
cyb3rward0g cd270672a6 Update delete alternate powershell host 2020-10-12 23:52:35 -04:00
cyb3rward0g 354b6a9822 update - GitHub Action / Test Sigma 2020-10-12 23:07:02 -04:00
cyb3rward0g 24e0d09a54 update - GitHub Action / Test Sigma 2020-10-12 22:15:49 -04:00
cyb3rward0g 72f35377b3 update - GitHub Action / Test Sigma 2020-10-12 22:11:01 -04:00
cyb3rward0g 644f222079 update - GitHub Action / Test Sigma 2020-10-12 21:58:02 -04:00
cyb3rward0g 491049b92a Updated - GitHub Action / Test Sigma 2020-10-12 21:34:07 -04:00
invrep-de 6a9bc7063f [OSCD] Bad Opsec Powershell Artifacts 2020-10-13 02:21:46 +02:00
sn0w0tter 1df582d8db OSCD LOLBAS atbroker suspicious creation of ATs 2020-10-12 17:10:34 -07:00
invrep-de 55201a94c0 [OSCD] Powershell Disable Windows Defender AV 2020-10-13 02:05:00 +02:00
Timur Zinniatullin d1ef56bddb @aw350m3 style complience (: 2020-10-13 02:47:09 +03:00
Timur Zinniatullin 5bd75521f2 Add win_invoke_obfuscation_via_var++.yml 2020-10-13 02:23:50 +03:00
Timur Zinniatullin 946d84329e Add win_invoke_obfuscation_via_var++_services.yml 2020-10-13 02:22:15 +03:00
Timur Zinniatullin 870574b635 Add powershell_invoke_obfuscation_via_var++.yml 2020-10-13 02:19:57 +03:00
sn0w0tter 863b880845 Titile capitalization 2020-10-12 16:04:41 -07:00
Thomas Patzke a289eeaae6 Merge pull request #1089 from zBlurr/oscd 
[OSCD] Presentationhost.exe LOLbin
 2020-10-13 01:01:20 +02:00
Thomas Patzke d6ceba3719 Merge pull request #1102 from svch0stz/oscd8 
[OSCD] Create win_root_certificate_installed.yml
 2020-10-13 01:00:23 +02:00
Thomas Patzke d89ca07daa Merge pull request #1133 from omkar72/oscd-1 
[OSCD]updated adfind command line
 2020-10-13 00:58:56 +02:00
Thomas Patzke cb86c509f1 Merge pull request #1129 from bczyz1/oscd-sprint-2-keylogging 
[OSCD] Modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature
 2020-10-13 00:58:24 +02:00