uchakin
a73dbd0a5d
Fix titles
2020-10-07 22:27:48 +03:00
Ömer Günal
18821d2255
Create lnx_clear_logs.yml
2020-10-07 22:27:06 +03:00
Ömer Günal
d44ef84b55
Update lnx_process_discovery.yml
2020-10-07 22:26:02 +03:00
Ömer Günal
d328f92503
Update at_command.yml
2020-10-07 22:23:48 +03:00
Ömer Günal
bdabb14483
Update at_command.yml
2020-10-07 22:22:31 +03:00
Ömer Günal
7b29e3a35f
Update lnx_install_root_certificate.yml
2020-10-07 22:20:17 +03:00
Jonhnathan
1324bc1ad1
Changed the rule to download only and not the copy
2020-10-07 16:18:21 -03:00
uchakin
b568e14b03
Add 3 rules
2020-10-07 22:06:16 +03:00
Furkan CALISKAN
1c413bcf6d
Fixed status
2020-10-07 20:45:34 +03:00
Наталья Шорникова
ece635b987
[OSCD] Powershell without powershell.exe Rule Added
2020-10-07 19:52:08 +03:00
Semanur Guneysu
8696b3ba18
Update sysmon_abusing_debug_privilege.yml
2020-10-07 19:32:05 +03:00
Ryan Plas
7b64ab552f
Capitalize Title
2020-10-07 10:51:55 -04:00
Ryan Plas
2d30379ab2
Move to process_creation category
2020-10-07 10:47:40 -04:00
Yuliya Fomina
df51044c90
Rule collection implemented
2020-10-07 17:35:14 +03:00
Semanur Guneysu
173df7ff3b
Update sysmon_abusing_debug_privilege.yml
2020-10-07 17:31:28 +03:00
Semanur Guneysu
8d09b55699
Added category field
2020-10-07 17:25:32 +03:00
Semanur Guneysu
6e8d9b9be2
Migrated to the process_creation category.
2020-10-07 17:11:38 +03:00
Semanur Guneysu
f66eedbb74
Create sysmon_abusing_debug_privilege.yml
2020-10-07 16:52:19 +03:00
Jonhnathan
e6a6549676
Create win_susp_replace_lolbin.yml
...
Item 77 of #1014
2020-10-07 10:37:15 -03:00
Наталья Шорникова
4bddfaac86
[OSCD] Powershell Script Installed as a Service Rule added
2020-10-07 16:18:38 +03:00
Yuliya Fomina
f0f419df78
Create win_susp_pester.yml
2020-10-07 15:19:45 +03:00
esebese
18da272de4
[OSCD] win_visual_basic_compiler.yml added
2020-10-07 15:04:12 +03:00
grikos
9df6608239
Remove asterisk from condition
...
Change
ParentCommandLine:
- 'setupapi.dll*InstallHinfSection'
to
ParentCommandLine|contains|all:
- 'setupapi.dll'
- 'InstallHinfSection'
because some LM/SIEM systems don't process '*' the way Splunk or Elasticsearch do
2020-10-07 14:54:13 +03:00
Nikita Nazarov
d3f0ddd2b1
Update powershell_code_injection.yml
2020-10-07 14:50:00 +03:00
Nikita Nazarov
bfa3635cd2
Update powershell_accessing_win_api.yml
2020-10-07 14:47:29 +03:00
Nikita Nazarov
7c9c21cda0
Update sysmon_psexec_pipes_artifacts.yml
2020-10-07 14:43:25 +03:00
Ryan Plas
dc856f24e0
Move rule to sysmon folder and update selection names
2020-10-07 07:18:12 -04:00
nsaddler
59610517a0
Update sysmon_long_powershell_commandline.yml
2020-10-07 14:10:26 +03:00
nsaddler
df21dab585
Update sysmon_long_powershell_commandline.yml
2020-10-07 14:00:41 +03:00
nsaddler
e01e26be1c
Update sysmon_long_powershell_commandline.yml
2020-10-07 13:55:17 +03:00
Наталья Шорникова
7d8445fe12
[OSCD] Too Long Powershell CommandLine Rule added
2020-10-07 13:42:05 +03:00
Vasilisa-L
da578a8bb0
Update win_susp_winrm_execution.yml
2020-10-07 12:30:57 +03:00
nsaddler
911bc514af
Rename sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml to sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
2020-10-07 12:26:30 +03:00
Yuliya Fomina
729e1f6f7f
Create win_susp_winrm_execution
2020-10-07 12:20:37 +03:00
Наталья Шорникова
b6451fcc38
[OSCD] Accessing WinAPI in PowerShell. Credentials dumping Rule added
2020-10-07 12:17:29 +03:00
Yuliya Fomina
ab8e9ed8e7
Create win_susp_winrm_AWL_bypass
2020-10-07 12:07:20 +03:00
esebese
4045c68ae4
[OSCD] sysmon_tttracer_mod_load.yml added
2020-10-07 11:17:21 +03:00
grikos
391af43708
Update description & references
2020-10-07 10:32:51 +03:00
svch0stz
0fe1850bf4
Update powershell_suspicious_mounted_share_deletion.yml
2020-10-07 17:54:48 +11:00
svch0stz
c879378e35
Update win_susp_mounted_share_deletion.yml
2020-10-07 17:46:13 +11:00
svch0stz
a7442328eb
Create powershell_suspicious_mounted_share_deletion.yml
2020-10-07 17:44:05 +11:00
svch0stz
3dafef411f
Delete powershell_suspicious_mounted_share_deletion.yml
2020-10-07 17:42:25 +11:00
svch0stz
dabc092ab9
Create win_susp_mounted_share_deletion.yml
2020-10-07 17:34:48 +11:00
svch0stz
5c2ef0dd35
Update powershell_suspicious_mounted_share_deletion.yml
2020-10-07 17:33:12 +11:00
svch0stz
d7acbb369e
Created powershell_suspicious_mounted_share_deletion.yml
2020-10-07 17:22:09 +11:00
Vasilisa-L
5d01f71f62
CommandLine|contains -> CommandLine|contains|all:
...
Replaced wildcard expression with list of values
2020-10-07 08:43:22 +03:00
Ryan Plas
dbb76b5856
Add Usage of reg or Powershell by Non-privileged Users rule
2020-10-06 22:01:18 -04:00
grikos
49119e162f
Delete win_susp_rundll32_setupapi_installhinfsection.yml
2020-10-07 01:04:59 +03:00
grikos
a5478950c7
Create win_susp_rundll32_setupapi_installhinfsection.yml
2020-10-07 00:34:00 +03:00
svch0stz
e68e212d23
Update win_susp_logon_explicit_credentials.yml
2020-10-07 08:26:43 +11:00