Commit Graph

6187 Commits

Author SHA1 Message Date
Thomas Patzke eaa9f293e7 Merge pull request #1125 from vburov/patch-12
[OSCD] Create powershell_cmdline_reversed_strings
2020-10-13 00:57:22 +02:00
Thomas Patzke eb21860ab9 Merge pull request #1124 from bczyz1/oscd-sprint-2
[OSCD] Create sysmon_modify_screensaver_binary_path.yml
2020-10-13 00:56:33 +02:00
sn0w0tter c6ddbc78ce OSCD LOLBAS atbroker suspicious execution of ATs 2020-10-12 15:55:38 -07:00
Thomas Patzke e2e3177e46 Merge pull request #1135 from omkar72/oscd-2
[OSCD] finger executable suspicious execution
2020-10-13 00:52:27 +02:00
Thomas Patzke 80e3c4b587 Merge pull request #1137 from banzay021/oscd
[OSCD] Pcwrun.exe detection added
2020-10-13 00:51:04 +02:00
Thomas Patzke 5664f72a2a Merge pull request #1054 from NikitaStormwind/task#70
[OSCD] Detecting Code injection with PowerShell in another process #70
2020-10-13 00:47:13 +02:00
Thomas Patzke 4a74a56ba3 Merge pull request #1052 from NikitaStormwind/task
[OSCD] Detecting use of WinAPI Functions in PowerShell #69
2020-10-13 00:46:25 +02:00
Thomas Patzke 8bee7272ab Merge pull request #1051 from esebese/oscd
[OSCD] win_syncappvpublishingserver_exe.yml added
2020-10-13 00:45:22 +02:00
Thomas Patzke 768e500627 Merge pull request #1042 from NikitaStormwind/task29,30
[OSCD] Detecting use of PsExec via Pipe Creation/Access to pipes #29 #30
2020-10-13 00:40:58 +02:00
Thomas Patzke 14fcdc9899 Merge pull request #1038 from caliskanfurkan/master
[OSCD] Added explorer.exe lolbin
2020-10-13 00:36:29 +02:00
cyb3rward0g 21f41eaad9 16 rules from DH APT29 day 1 - contributing soon 2020-10-12 18:13:13 -04:00
cyb3rward0g 104b40ce8f 10 rules from THP - contributing soon 2020-10-12 15:42:34 -04:00
nsaddler 28c8b56473 Update sysmon_in_memory_powershell.yml 2020-10-12 19:05:08 +03:00
Наталья Шорникова e70368f1f0 [OSCD] Updating existing rule sysmon_in_memory_powershell.yml 2020-10-12 19:00:47 +03:00
S.kiran kumar bd5e7fda14 Update silenttrinity_stager_msbuild_activity.yml 2020-10-12 21:26:44 +05:30
Nikita P. Nazarov 9b17634aa4 Detects Obfuscated PowerShell via Stdin in Scripts 2020-10-12 18:56:12 +03:00
Nikita P. Nazarov ec383d9784 Detects Obfuscated PowerShell via Stdin in Scripts 2020-10-12 18:52:28 +03:00
Nikita P. Nazarov c5efbc8345 Detects Obfuscated PowerShell via Stdin in Scripts 2020-10-12 18:47:51 +03:00
nsaddler e94a47b9d3 Update sysmon_accessing_winapi_in_powershell_credentials_dumping.yml 2020-10-12 18:33:43 +03:00
nsaddler df8cd24a5d Update sysmon_long_powershell_commandline.yml 2020-10-12 18:28:28 +03:00
nsaddler 07a4d11af7 Update win_powershell_script_installed_as_service.yml 2020-10-12 18:23:06 +03:00
Vasiliy Burov 95cd271686 Update powershell_cmdline_specific_comb_methods.yml 2020-10-12 18:10:46 +03:00
Vasiliy Burov 643d700d53 Update powershell_cmdline_specific_comb_methods.yml 2020-10-12 17:51:19 +03:00
S.kiran kumar 27823763cb Update silenttrinity_stager_msbuild_activity.yml 2020-10-12 20:14:43 +05:30
S.kiran kumar a640c1e151 Update silenttrinity_stager_msbuild_activity.yml 2020-10-12 20:11:24 +05:30
S.kiran kumar f1c9286a25 Updated minor changes
Change tags.
Change author (add "oscd.community").
Change date format.
Change logsource.
Change detection (use endswith as a modifier).
Change fields.
2020-10-12 20:06:36 +05:30
omkargudhate22 8f618c9a1f changed condition 2020-10-12 18:59:53 +05:30
omkargudhate22 f162bc1aff remove space 2020-10-12 18:53:47 +05:30
omkargudhate22 ecb42fb5dd Update sysmon_susp_clr_logs.yml 2020-10-12 18:50:07 +05:30
omkar72 cf60438c93 clr logs creation 2020-10-12 18:42:09 +05:30
Ryan Plas a67c19c08b Split up powershell detection 2020-10-12 09:00:08 -04:00
omkargudhate22 7d69a08c30 Update win_netsh_port_fwd.yml 2020-10-12 18:29:02 +05:30
omkar72 a5575f3079 adding shortened commands 2020-10-12 17:47:26 +05:30
omkar72 b32b6f0e09 script loading .net 2020-10-12 17:20:22 +05:30
Vasiliy Burov d31f8d6977 Update powershell_cmdline_specific_comb_methods.yml 2020-10-12 14:43:53 +03:00
omkargudhate22 e2911a025e added tags and corrected image condition format 2020-10-12 17:00:57 +05:30
Vasiliy Burov 2e6f184370 Update powershell_cmdline_specific_comb_methods.yml 2020-10-12 14:11:10 +03:00
Vasiliy Burov 436dd4d90c Update powershell_cmdline_specific_comb_methods.yml 2020-10-12 14:04:24 +03:00
Alexander Sungurov 175834fe90 Pcwrun.exe detection added 2020-10-12 13:52:49 +03:00
Florian Roth b8dc8d3f7e reduced to avoid FPs 2020-10-12 10:46:34 +02:00
Sander 8c1bd4e466 Remove redundant space 2020-10-12 10:01:44 +02:00
omkar72 0fab2c0930 finger executable suspicious execution 2020-10-12 13:28:52 +05:30
Sander 3ab244c70f regini.exe ADS rule 2020-10-12 09:55:34 +02:00
Florian Roth 3affdd12e0 fix: rule title casing 2020-10-12 09:51:35 +02:00
omkar72 99d87d60ec updated adfind command line 2020-10-12 12:52:54 +05:30
Florian Roth 0d0cda0f86 docs: improved false positive notes 2020-10-12 09:18:42 +02:00
Florian Roth e7c6794ecd rule: suspicious wmic process call create + rundll32 2020-10-12 09:18:30 +02:00
Florian Roth 2e732eb01f Merge branch 'master' into rule-devel 2020-10-12 09:13:24 +02:00
omkar72 cf5ad9197c updated adfind command line 2020-10-12 12:42:05 +05:30
omkar72 d29a28a4a8 updated adfind command line 2020-10-12 12:40:50 +05:30
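Several commits in this log add or update Sigma rules (reversed-string PowerShell command lines, PsExec detection via named pipes, WinAPI use in PowerShell). The block below is an added example, not code or rules from the Sigma repository: a minimal Sigma-style matcher (a subset of the `contains` / `startswith` / `endswith` / `all` modifiers) run over constructed Windows events, with two illustrative rules that approximate what those commit titles describe. The exact patterns (`[-1..-` plus `-join` for a reversed-string idiom; a `\PSEXESVC` pipe on Sysmon EventID 17/18) are assumptions for the example, not the repository's rule contents.

```python
"""Sigma-style matcher over constructed sample events (added example).

Not code from the Sigma repository. The two rules approximate the detections
named in the commit log; their field names and patterns are assumptions.
"""

# Sigma-like rules: a selection maps "Field|modifier[|all]" to a list of
# values. Supported modifiers here: contains, startswith, endswith, plus
# "all" to require every value to match. A bare field name is an exact match.
RULES = {
    "powershell_cmdline_reversed_strings": {
        "logsource": {"product": "windows", "category": "process_creation"},
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            # assumption: reverse-index-then-join idiom used to unscramble a string
            "CommandLine|contains|all": ["[-1..-", "-join"],
        },
    },
    "psexec_pipe_creation": {
        "logsource": {"product": "windows", "service": "sysmon"},
        "selection": {
            "EventID": [17, 18],  # Sysmon PipeCreated / PipeConnected
            # assumption: default PsExec service pipe name
            "PipeName|startswith": ["\\PSEXESVC"],
        },
    },
}

# Constructed events in a flattened Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {   # reversed-string obfuscation in a PowerShell command line
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": 'powershell.exe -nop -c "$s=\'xei\'; $s[-1..-3] -join \'\'"',
    },
    {   # benign PowerShell invocation
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1",
    },
    {   # pipe creation resembling PsExec's service pipe
        "EventID": 17,
        "Image": "C:\\Windows\\PSEXESVC.exe",
        "PipeName": "\\PSEXESVC",
    },
    {   # benign pipe creation
        "EventID": 17,
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "PipeName": "\\wkssvc",
    },
]


def _match_value(value, pattern, mods):
    """Match one event value against one pattern under the given modifiers."""
    if isinstance(value, str) and isinstance(pattern, str):
        # Sigma string comparisons are case-insensitive
        value, pattern = value.lower(), pattern.lower()
    if "contains" in mods:
        return pattern in value
    if "startswith" in mods:
        return value.startswith(pattern)
    if "endswith" in mods:
        return value.endswith(pattern)
    return value == pattern


def _match_field(event, key, patterns):
    """Evaluate a single 'Field|modifiers' entry of a selection."""
    field, *mods = key.split("|")
    if field not in event:
        return False
    results = [_match_value(event[field], p, mods) for p in patterns]
    return all(results) if "all" in mods else any(results)


def rule_matches(rule, event):
    """A selection is an implicit AND over all of its field entries."""
    return all(_match_field(event, k, v) for k, v in rule["selection"].items())


def evaluate(events):
    """Return (event_index, rule_name) for every rule that fires on each event."""
    hits = []
    for idx, event in enumerate(events):
        for name, rule in RULES.items():
            if rule_matches(rule, event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Run stand-alone, the script reports the reversed-string rule on the first event and the PsExec pipe rule on the third; the two benign events produce no hits. The matcher covers only a subset of Sigma modifiers and no `condition` logic beyond a single selection, which is enough to show why the `all` modifier matters: requiring both `[-1..-` and `-join` is what keeps an ordinary negative array index from firing the rule on its own.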