 Jonhnathan
|
e3446b873a
|
Correct duplicated selection
|
2020-10-13 22:54:30 -03:00 |
|
|
Jonhnathan
|
b1c9871b74
|
Add Additional detections for other techniques
|
2020-10-13 22:51:48 -03:00 |
|
|
tas_kmanager
|
7916ae0517
|
Changed the category to process_creation
|
2020-10-13 20:58:00 -04:00 |
|
|
tas_kmanager
|
36a5f13b0c
|
Moved the file to the right category
|
2020-10-13 20:48:16 -04:00 |
|
|
tas_kmanager
|
dd705cc7f9
|
Update sysmon_accesschk_usage_after_priv_escalation.yml
|
2020-10-13 20:43:19 -04:00 |
|
|
tas_kmanager
|
f2ab4a7e32
|
[OSCD] Add Accesschk tool usage rule
Page 43 from #574
|
2020-10-13 20:31:15 -04:00 |
|
|
Demyan Sokolin
|
fce386388d
|
Title fixed [2]
Title capitalization added
|
2020-10-14 02:17:20 +03:00 |
|
|
Demyan Sokolin
|
ba2771147b
|
Title length fixed
Title and description changed to meet requirements.
|
2020-10-14 02:04:34 +03:00 |
|
|
Demyan Sokolin
|
208798e373
|
[OSCD] Possible Zerologon (CVE-2020-1472) exploitation using well-known tools
|
2020-10-14 01:55:45 +03:00 |
|
|
Thomas Patzke
|
026be7f753
|
Merge pull request #1039 from Vasilisa-L/oscd
[OSCD] Pcwutl.dll LOLbin
|
2020-10-14 00:24:41 +02:00 |
|
|
Thomas Patzke
|
e39ebe065a
|
Merge pull request #1037 from svch0stz/oscd5
[OSCD] Create win_susp_logon_explicit_credentials.yml
|
2020-10-14 00:23:08 +02:00 |
|
|
Thomas Patzke
|
95789a5379
|
Merge pull request #1068 from esebese/task87
[OSCD] win_visual_basic_compiler.yml added
|
2020-10-14 00:21:12 +02:00 |
|
|
Thomas Patzke
|
a83f500267
|
Merge pull request #1058 from grikos/OSCD_100
[OSCD] LOLBAS Setupapi.yml
|
2020-10-14 00:19:32 +02:00 |
|
|
Thomas Patzke
|
7e4a205de7
|
Merge pull request #1059 from ryanplasma/rplas-SIGMA-547-page-20
[OSCD] Add Usage of reg or Powershell by Non-privileged Users rule
|
2020-10-13 23:24:05 +02:00 |
|
|
Thomas Patzke
|
6cc33e5989
|
Merge pull request #1060 from svch0stz/oscd6
[OSCD] Created powershell_suspicious_mounted_share_deletion.yml
|
2020-10-13 22:59:25 +02:00 |
|
|
Thomas Patzke
|
b9e38e79fa
|
Merge pull request #1061 from svch0stz/oscd7
[OSCD] Create win_susp_mounted_share_deletion.yml
|
2020-10-13 22:55:54 +02:00 |
|
|
Jonhnathan
|
a01c08f617
|
Removed reference to deprecated rule and improve logic
|
2020-10-13 17:45:35 -03:00 |
|
|
Jonhnathan
|
4c75d22d93
|
Revert "Create win_susp_replace_lolbin.yml"
This reverts commit e6a6549676.
|
2020-10-13 17:40:10 -03:00 |
|
|
Jonhnathan
|
1455d414bc
|
Revert "Changed the rule to download only and not the copy"
This reverts commit 1324bc1ad1.
|
2020-10-13 17:40:07 -03:00 |
|
|
Thomas Patzke
|
1f4fe42487
|
Merge pull request #1062 from esebese/task86
[OSCD] sysmon_tttracer_mod_load.yml added
|
2020-10-13 22:35:06 +02:00 |
|
|
Thomas Patzke
|
f7c440b097
|
Merge pull request #1065 from nsaddler/oscd1
[OSCD] Accessing WinAPI in PowerShell. Credentials dumping Rule added
|
2020-10-13 22:33:14 +02:00 |
|
|
Thomas Patzke
|
0914c03acb
|
Update sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
|
2020-10-13 22:32:55 +02:00 |
|
|
Thomas Patzke
|
60b99116f3
|
Merge pull request #1064 from Vasilisa-L/OSCD_winrm_AWL
[OSCD] winrm.vbs_1
|
2020-10-13 22:30:14 +02:00 |
|
|
Thomas Patzke
|
a3a45e4a10
|
Merge pull request #1066 from Vasilisa-L/OSCD_winrm_execution
[OSCD] winrm.vbs_2
|
2020-10-13 22:28:09 +02:00 |
|
|
Thomas Patzke
|
54a9598d4b
|
Fixed typo
|
2020-10-13 22:27:27 +02:00 |
|
|
Thomas Patzke
|
2ba89d7924
|
Merge pull request #1067 from nsaddler/oscd2
[OSCD] Too Long Powershell CommandLine Rule added
|
2020-10-13 22:20:29 +02:00 |
|
|
Thomas Patzke
|
772fd83cca
|
Merge pull request #1080 from esebese/task93
[OSCD] win_class_exec_xwizard.yml added
|
2020-10-13 22:10:39 +02:00 |
|
|
Thomas Patzke
|
2bad4bb60d
|
Merge pull request #1085 from w0rk3r/oscdq
[OSCD] Update Win_susp_rundll32_activity - Multiple Lolbins
|
2020-10-13 21:45:36 +02:00 |
|
|
Thomas Patzke
|
b68286a162
|
Merge pull request #1093 from SanWieb/OSCD_regini
[OSCD] regini LOLBAS
|
2020-10-13 21:44:32 +02:00 |
|
|
Thomas Patzke
|
08eec2b6e6
|
Merge pull request #1094 from NikitaStormwind/Regular30
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (4104, 4103)
|
2020-10-13 21:43:16 +02:00 |
|
|
Thomas Patzke
|
8f4b3b7324
|
Merge pull request #1097 from NikitaStormwind/regular30(2)
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (process_creation)
|
2020-10-13 21:42:38 +02:00 |
|
|
grikos
|
a998c9b74c
|
Remove asterisk from condition
|
2020-10-13 22:37:51 +03:00 |
|
|
Thomas Patzke
|
5f4d60951d
|
Merge pull request #1112 from NikitaStormwind/regular29(1)
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (4104, 4103)
|
2020-10-13 21:34:38 +02:00 |
|
|
Thomas Patzke
|
79120cd24c
|
Merge pull request #1113 from NikitaStormwind/regular29(2)
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (process_creation)
|
2020-10-13 21:18:03 +02:00 |
|
|
GlebSukhodolskiy
|
9da9c20c63
|
Description Changed
|
2020-10-13 22:06:34 +03:00 |
|
|
GlebSukhodolskiy
|
b732c060a1
|
Fixed sigma syntax
|
2020-10-13 22:02:53 +03:00 |
|
|
uncleP@sk
|
b4604f88aa
|
title fixed
|
2020-10-13 21:49:21 +03:00 |
|
|
GlebSukhodolskiy
|
cd98d907a1
|
Log Sources Modified
Modified Log Sources and Deleted a Sysmon Detection due to Discussion in PR #1161
|
2020-10-13 21:39:03 +03:00 |
|
|
sn0w0tter
|
992edf66cc
|
values enclosed in quotation marks'
|
2020-10-13 11:30:17 -07:00 |
|
|
GlebSukhodolskiy
|
1824259ebf
|
Added New Registry Keys
Issue #576
|
2020-10-13 21:03:06 +03:00 |
|
|
GlebSukhodolskiy
|
fa3a06aadb
|
Added 2 More Detection Methods
Issue #576
|
2020-10-13 20:50:43 +03:00 |
|
|
uncleP@sk
|
3d3efcd3db
|
title changed
|
2020-10-13 16:24:52 +03:00 |
|
|
omkargudhate22
|
5b161ff4ae
|
added regex & changed logsource
|
2020-10-13 17:51:05 +05:30 |
|
|
omkargudhate22
|
cdcb16dcd3
|
changed main condition for Netsh as well
|
2020-10-13 17:48:14 +05:30 |
|
|
omkargudhate22
|
5c65d07100
|
add reference & ends with condition
|
2020-10-13 17:44:39 +05:30 |
|
|
uncleP@sk
|
62bb2bc272
|
[OSCD] LOLBin sqltoolsps.exe detection added
|
2020-10-13 13:04:37 +03:00 |
|
|
Thomas Patzke
|
33c80b8428
|
Merge pull request #1092 from zBlurr/win_susp_sqldumper_activity
[OSCD] Sqldumper.exe LOLbin
|
2020-10-13 11:51:41 +02:00 |
|
|
uncleP@sk
|
b6b9ef85b1
|
Revert "sqltoolsps.exe usage detection added"
This reverts commit 77ca94a47f.
wrong branch
|
2020-10-13 12:48:58 +03:00 |
|
|
Thomas Patzke
|
bf0f2fcec8
|
Merge pull request #1117 from aw350m33d/oscd_lolbin_settingsynchost
[OSCD] Using SettingSyncHost.exe as LOLBin
|
2020-10-13 11:46:04 +02:00 |
|
|
Thomas Patzke
|
acb02d8d65
|
Merge pull request #1148 from sn0w0tter/oscd
[OSCD] LOLBAS atbroker suspicious execution of ATs
|
2020-10-13 11:45:07 +02:00 |
|