S.kiran kumar
8a87fc35b2
Update win_susp_security_eventlog_cleared.yml
2020-10-11 19:48:07 +05:30
S.kiran kumar
672bf99c6b
Silenttrinity stager communication to c2
2020-10-11 19:45:58 +05:30
Vasiliy Burov
dd9c29377b
Update powershell_cmdline_reversed_strings
2020-10-11 17:11:58 +03:00
Vasiliy Burov
8f2ddc632e
Create powershell_cmdline_reversed_strings
2020-10-11 17:02:02 +03:00
Bartlomiej Czyz
2370730952
create sysmon_modify_screensaver_binary_path.yml
2020-10-11 14:31:06 +02:00
Alejandro Ortuno
418a9d5a02
Use endswith with processname
2020-10-11 09:37:08 +02:00
Bartlomiej Czyz
a5dea8c596
[OSCD] Fix powershell_icmp_exfiltration.yml references, add newline at the end of the file #1013
2020-10-10 23:08:39 +02:00
Bartlomiej Czyz
6dcd4a6c6d
[OSCD] Create powershell_icmp_exfiltration.yml #1013
2020-10-10 23:05:31 +02:00
uncleP@sk
5aaba1f23a
sqlps.exe detection added
2020-10-10 21:29:27 +03:00
Anton Kutepov
b4ae5cb747
Fix ATTACK technique.
...
Also made a couple of minor cosmetic changes.
2020-10-10 20:27:00 +03:00
aw350m3
8693bd024f
Added a rule to detect the use of SettingSyncHost.exe to run a hijacked binary
2020-10-10 17:07:22 +00:00
Jonhnathan
09e6b05033
Update win_susp_rundll32_activity.yml
2020-10-10 10:08:02 -03:00
Alejandro Ortuno
748dccc289
additional changes to split processname and commandline
2020-10-10 13:11:17 +02:00
Semanur Guneysu
75386e6478
Update sysmon_abusing_debug_privilege.yml
...
Field modifiers added. Filter 3 fixed due to logical error
2020-10-10 13:19:02 +03:00
Thomas Patzke
93616af1cb
Merge pull request #1036 from svch0stz/oscd4
...
[OSCD] Create win_net_use_admin_share.yml
2020-10-10 00:05:41 +02:00
Thomas Patzke
fe554a88cb
Merge pull request #1035 from svch0stz/oscd3
...
[OSCD] Update win_susp_copy_lateral_movement.yml
2020-10-10 00:03:26 +02:00
Nikita P. Nazarov
021a2192eb
Detects Obfuscated Powershell via use Clip.exe in Scripts
2020-10-09 19:46:11 +03:00
Nikita P. Nazarov
79eb7b8bd7
Detects Obfuscated Powershell via use Clip.exe in Scripts
2020-10-09 19:42:27 +03:00
Nikita P. Nazarov
414c98e7ba
Detects Obfuscated Powershell via use Clip.exe in Scripts
2020-10-09 19:37:07 +03:00
Vasiliy Burov
e10771652b
Update win_disable_event_logging.yml
2020-10-09 18:27:04 +03:00
stvetro
4763bf8d10
Three more lolbins added
2020-10-09 18:28:07 +04:00
Nikita P. Nazarov
527d00c0b9
Detects Obfuscated Powershell via use MSHTA in Scripts
2020-10-09 16:57:09 +03:00
Nikita P. Nazarov
93e65a9042
Detects Obfuscated Powershell via use Rundll32 in Scripts
2020-10-09 16:52:35 +03:00
Vasiliy Burov
c77a190a6b
Update win_susp_eventlog_cleared.yml
...
Added events about security log clearance. Also, I think that the rule "sigma/rules/windows/builtin/win_susp_security_eventlog_cleared.yml" can be deleted.
2020-10-09 16:51:18 +03:00
Nikita Nazarov
4205bb2227
Update win_invoke_obfuscation_via_use_mhsta.yml
2020-10-09 16:30:18 +03:00
Nikita Nazarov
02e826def3
Update powershell_invoke_obfuscation_via_use_mhsta.yml
2020-10-09 16:29:20 +03:00
Nikita Nazarov
d07e0524d5
Update win_invoke_obfuscation_via_use_rundll32.yml
2020-10-09 16:27:56 +03:00
Nikita Nazarov
31095033ab
Update powershell_invoke_obfuscation_via_use_rundll32.yml
2020-10-09 16:25:59 +03:00
stvetro
59c7e8b0e3
Fixed title
2020-10-09 16:46:18 +04:00
stvetro
9937c0081a
Fix issue in title
2020-10-09 16:34:29 +04:00
stvetro
77d6984a65
Fixed attack tags
2020-10-09 16:20:10 +04:00
stvetro
500fcfbcbe
Generated guid
2020-10-09 15:42:05 +04:00
stvetro
f6ce48a1be
newline added
2020-10-09 15:39:59 +04:00
stvetro
06c7d29f86
[OSCD] Two LOLBins: ftp.exe and Runscripthelper.exe
...
Tasks 45 and 81 from https://github.com/Neo23x0/sigma/issues/1014
2020-10-09 15:38:01 +04:00
Vasilisa-L
cd1bcb9cf4
:(
2020-10-09 13:25:45 +03:00
Yuliya Fomina
db21038852
fixed to process_created
2020-10-09 13:02:14 +03:00
Yuliya Fomina
e2e40d9adb
Create sysmon_rasautou_dll_execution
2020-10-09 12:44:52 +03:00
Furkan ÇALIŞKAN
a6112dc268
Fixed OSCD wording
2020-10-09 11:59:08 +03:00
Yuliya Fomina
8eb8b996e4
syntax fix
2020-10-09 10:43:16 +03:00
Ivan Dyachkov
a88f7df704
fix tag 4
2020-10-09 10:37:51 +03:00
Ivan Dyachkov
dbb80b1482
fix tag 3
2020-10-09 10:34:15 +03:00
Yuliya Fomina
44fa88c2a7
Create win_susp_rpcping
2020-10-09 10:33:21 +03:00
Ivan Dyachkov
347978fc8a
fix tags 2
2020-10-09 10:31:07 +03:00
Ivan Dyachkov
c422ae4c1e
fixed tags
2020-10-09 10:25:45 +03:00
Ivan Dyachkov
40a8a9ea04
Added rule win_susp_diskshadow
2020-10-09 10:19:39 +03:00
Ensar Şamil
c3851710d1
Update win_class_exec_xwizard.yml
2020-10-09 09:38:14 +03:00
Ensar Şamil
4f49171b55
Update win_visual_basic_compiler.yml
...
author and selection fields edited
2020-10-09 09:35:33 +03:00
Ensar Şamil
d6aa0c31b9
Update sysmon_tttracer_mod_load.yml
2020-10-09 09:34:05 +03:00
Furkan ÇALIŞKAN
abcc4a59c2
Fixed OSCD wording
2020-10-09 09:26:01 +03:00
Furkan ÇALIŞKAN
789a0c174f
Fixed OSCD wording
2020-10-09 09:25:38 +03:00