blue-team-tools

Author	SHA1	Message	Date
Thomas Patzke	1684db93d8	Merge pull request #1143 from NikitaStormwind/regular28(2) [OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (process_creation)	2020-10-13 11:39:46 +02:00
uncleP@sk	77ca94a47f	sqltoolsps.exe usage detection added	2020-10-13 12:39:32 +03:00
Thomas Patzke	7e8930f15e	Merge pull request #1142 from NikitaStormwind/regular28(1) [OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (4104, 4103)	2020-10-13 11:38:26 +02:00
Thomas Patzke	0c77edb859	Merge pull request #1120 from bczyz1/oscd [OSCD] Create powershell_icmp_exfiltration.yml	2020-10-13 11:37:40 +02:00
Thomas Patzke	f457e7a398	Merge pull request #1150 from zinint/1009-27-1 [OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (4104, 4103)	2020-10-13 11:36:19 +02:00
Thomas Patzke	2ac29e0fee	Merge pull request #1152 from zinint/1009-27-3 [OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (process_creation)	2020-10-13 11:24:28 +02:00
Alejandro Ortuno	c03a696762	additional modifications on commands and process names	2020-10-13 11:00:06 +02:00
Alejandro Ortuno	50fde8c13f	minor changes on command line	2020-10-13 10:55:29 +02:00
Alejandro Ortuno	30bd626d76	Split command line and do contains all.	2020-10-13 10:51:00 +02:00
Alejandro Ortuno	7459bcd08c	Use process_creation for the detection	2020-10-13 10:41:50 +02:00
sn0w0tter	52319c1c18	typo fixed	2020-10-13 01:16:01 -07:00
Vasiliy Burov	dff2e16ad2	Update powershell_cmdline_specific_comb_methods.yml	2020-10-13 10:59:20 +03:00
Roberto Rodriguez	6500c230cf	Update win_sysmon_channel_reference_deletion.yml	2020-10-13 03:49:48 -04:00
Roberto Rodriguez	a9bcf45392	Updated Contains keys	2020-10-13 03:43:54 -04:00
Roberto Rodriguez	2cb540f95e	13 Rules from THP - Backlog Rules (old)	2020-10-13 03:33:55 -04:00
uncleP@sk	3f6ad0cb82	falsepositives changed	2020-10-13 10:25:35 +03:00
uncleP@sk	09d4160b98	filter added	2020-10-13 10:23:08 +03:00
remotephone@gmail.com	a85c19db17	updating files to cover broader network discovery logic, renaming alert, adding recommended changes	2020-10-13 00:39:53 -05:00
remotephone@gmail.com	7d49db3988	updating falsepositives documentation to remove line that's not applicable	2020-10-12 23:19:02 -05:00
cyb3rward0g	cd270672a6	Update delete alternate powershell host	2020-10-12 23:52:35 -04:00
remotephone@gmail.com	89c8a589a5	updating search syntax, splitting process name and cmdline and adding category	2020-10-12 22:49:19 -05:00
cyb3rward0g	55d6bd8089	Update - Adding description to zeek exfiltration compressed files	2020-10-12 23:32:10 -04:00
cyb3rward0g	354b6a9822	update - GitHub Action / Test Sigma	2020-10-12 23:07:02 -04:00
cyb3rward0g	189e3c2605	update - GitHub Action / Test Sigma	2020-10-12 22:43:36 -04:00
cyb3rward0g	24e0d09a54	update - GitHub Action / Test Sigma	2020-10-12 22:15:49 -04:00
cyb3rward0g	72f35377b3	update - GitHub Action / Test Sigma	2020-10-12 22:11:01 -04:00
cyb3rward0g	644f222079	update - GitHub Action / Test Sigma	2020-10-12 21:58:02 -04:00
cyb3rward0g	491049b92a	Updated - GitHub Action / Test Sigma	2020-10-12 21:34:07 -04:00
invrep-de	6a9bc7063f	[OSCD] Bad Opsec Powershell Artifacts	2020-10-13 02:21:46 +02:00
sn0w0tter	1df582d8db	OSCD LOLBAS atbroker suspicious creation of ATs	2020-10-12 17:10:34 -07:00
invrep-de	55201a94c0	[OSCD] Powershell Disable Windows Defender AV	2020-10-13 02:05:00 +02:00
Timur Zinniatullin	d1ef56bddb	@aw350m3 style complience (:	2020-10-13 02:47:09 +03:00
Timur Zinniatullin	5bd75521f2	Add win_invoke_obfuscation_via_var++.yml	2020-10-13 02:23:50 +03:00
Timur Zinniatullin	946d84329e	Add win_invoke_obfuscation_via_var++_services.yml	2020-10-13 02:22:15 +03:00
Timur Zinniatullin	870574b635	Add powershell_invoke_obfuscation_via_var++.yml	2020-10-13 02:19:57 +03:00
sn0w0tter	863b880845	Titile capitalization	2020-10-12 16:04:41 -07:00
Thomas Patzke	a289eeaae6	Merge pull request #1089 from zBlurr/oscd [OSCD] Presentationhost.exe LOLbin	2020-10-13 01:01:20 +02:00
Thomas Patzke	d6ceba3719	Merge pull request #1102 from svch0stz/oscd8 [OSCD] Create win_root_certificate_installed.yml	2020-10-13 01:00:23 +02:00
Thomas Patzke	d89ca07daa	Merge pull request #1133 from omkar72/oscd-1 [OSCD]updated adfind command line	2020-10-13 00:58:56 +02:00
Thomas Patzke	cb86c509f1	Merge pull request #1129 from bczyz1/oscd-sprint-2-keylogging [OSCD] Modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature	2020-10-13 00:58:24 +02:00
Thomas Patzke	eaa9f293e7	Merge pull request #1125 from vburov/patch-12 [OSCD] Create powershell_cmdline_reversed_strings	2020-10-13 00:57:22 +02:00
Thomas Patzke	eb21860ab9	Merge pull request #1124 from bczyz1/oscd-sprint-2 [OSCD] Create sysmon_modify_screensaver_binary_path.yml	2020-10-13 00:56:33 +02:00
sn0w0tter	c6ddbc78ce	OSCD LOLBAS atbroker suspicious execution of ATs	2020-10-12 15:55:38 -07:00
Thomas Patzke	e2e3177e46	Merge pull request #1135 from omkar72/oscd-2 [OSCD] finger executable suspicious execution	2020-10-13 00:52:27 +02:00
Thomas Patzke	80e3c4b587	Merge pull request #1137 from banzay021/oscd [OSCD] Pcwrun.exe detection added	2020-10-13 00:51:04 +02:00
Thomas Patzke	5664f72a2a	Merge pull request #1054 from NikitaStormwind/task#70 [OSCD] Detecting Code injection with PowerShell in another process #70	2020-10-13 00:47:13 +02:00
Thomas Patzke	4a74a56ba3	Merge pull request #1052 from NikitaStormwind/task [OSCD] Detecting use WinAPI Functions in PowerShell #69	2020-10-13 00:46:25 +02:00
Thomas Patzke	8bee7272ab	Merge pull request #1051 from esebese/oscd [OSCD] win_syncappvpublishingserver_exe.yml added	2020-10-13 00:45:22 +02:00
Thomas Patzke	768e500627	Merge pull request #1042 from NikitaStormwind/task29,30 [OSCD] Detecting use PsExec via Pipe Creation/Access to pipes #29 #30	2020-10-13 00:40:58 +02:00
Thomas Patzke	14fcdc9899	Merge pull request #1038 from caliskanfurkan/master [OSCD] Added explorer.exe lolbin	2020-10-13 00:36:29 +02:00

... 100 101 102 103 104 ...

7964 Commits