svch0stz
ca0f2146ab
Update win_net_use_admin_share.yml
2020-10-07 08:23:31 +11:00
grikos
9d9f0bc373
Create win_susp_rundll32_setupapi_installhinfsection.yml
2020-10-07 00:18:41 +03:00
svch0stz
3d048ceba0
Update win_susp_copy_lateral_movement.yml
2020-10-07 08:18:09 +11:00
svch0stz
ee2c79745f
Update win_susp_wsl_lolbin.yml
2020-10-07 08:12:51 +11:00
Ömer Günal
8ea054ff0b
Update at_command.yml
2020-10-07 00:07:30 +03:00
Ömer Günal
b0b72de94d
Create lnx_process_discovery.yml
2020-10-06 23:52:06 +03:00
Ömer Günal
7b39e76192
Create at_command.yml
2020-10-06 23:48:25 +03:00
Nikita P. Nazarov
0ad9fc61de
Detecting Code injection with PowerShell in another process
2020-10-06 20:52:18 +03:00
Ensar Şamil
944a110749
Delete sysmon_tttracer_mod_load.yml
2020-10-06 20:42:32 +03:00
ensar-pcs
4c5d692328
[OSCD] sysmon_tttracer_mod_load.yml added
2020-10-06 20:30:56 +03:00
Nikita P. Nazarov
c90d99c0f9
Accessing WinAPI in PowerShell
2020-10-06 19:57:57 +03:00
grikos
6e02e6ac19
Change title and update description
2020-10-06 19:52:31 +03:00
Furkan CALISKAN
bbb9fed3e6
Fixed for FP issues
2020-10-06 19:51:55 +03:00
ensar-pcs
60b3450fa8
[OSCD] win_syncappvpublishingserver_exe.yml added
2020-10-06 19:22:16 +03:00
Furkan CALISKAN
0023a22ead
Added FP conditions and fileshare part for cmdline
2020-10-06 19:20:19 +03:00
Furkan CALISKAN
a5ceba93a9
Fixed conditions
2020-10-06 19:15:30 +03:00
Furkan CALISKAN
52edc13d15
Fixed dates
2020-10-06 19:10:33 +03:00
grikos
79503c63dd
fixed typo in att&ck mapping tag
2020-10-06 12:22:19 +03:00
grikos
b93e64cd96
Update title according to the guideline
2020-10-06 11:59:20 +03:00
grikos
2638e2a80e
newline at the end of file
2020-10-06 10:35:12 +03:00
grikos
6ae36993d9
Create win_susp_vboxdrvInst.yml
2020-10-06 10:18:34 +03:00
Ömer Günal
759268108f
rename filename
2020-10-06 09:04:36 +03:00
Vasilisa-L
5b31b8755d
Update win_susp_pcwutl.yml
2020-10-06 08:55:01 +03:00
Vasiliy Burov
3f1d44e751
Update win_hack_hydra.yml
2020-10-05 23:52:55 +03:00
Vasiliy Burov
f38738e530
Update win_hack_hydra.yml
2020-10-05 23:34:30 +03:00
Furkan CALISKAN
ea6d60c58f
Added print lolbin
2020-10-05 23:26:57 +03:00
Vasiliy Burov
f6ec8673da
Update win_hack_hydra.yml
2020-10-05 23:24:59 +03:00
Vasiliy Burov
6a01193661
Update win_hack_hydra.yml
2020-10-05 23:24:08 +03:00
Vasiliy Burov
df704ba4fb
Create win_hack_hydra.yml
2020-10-05 23:05:27 +03:00
Furkan CALISKAN
db4804d6bf
Merge branch 'master' of https://github.com/caliskanfurkan/sigma
2020-10-05 23:03:21 +03:00
Furkan CALISKAN
4d655138b2
Added findstr lolbin
2020-10-05 23:03:05 +03:00
Ömer Günal
0e7eb32f62
update description
2020-10-05 20:22:43 +03:00
Ömer Günal
1e7a47440f
Install Root Certificate
2020-10-05 20:21:20 +03:00
S.kiran kumar
364ef1e61f
[OSCD] Security Eventlog Cleared
Adding new changes to main
2020-10-05 22:30:09 +05:30
Nikita P. Nazarov
f455146a29
Detecting use of PsExec via Pipe Creation/Access to pipes RULE (#29 #30)
2020-10-05 18:08:20 +03:00
Yuliya Fomina
815aa3c719
Edited win_susp_pcwutl
2020-10-05 14:00:21 +03:00
Furkan ÇALIŞKAN
b147fc3296
Update win_susp_explorer.yml
Added known-fp
2020-10-05 13:22:43 +03:00
Yuliya Fomina
39f955d24d
Revert "Create win_susp_pester.yml"
This reverts commit 577daa378a .
2020-10-05 13:14:35 +03:00
Yuliya Fomina
577daa378a
Create win_susp_pester.yml
2020-10-05 12:22:50 +03:00
Yuliya Fomina
ffc768e262
Create win_susp_pcwutl.yml
2020-10-05 11:30:24 +03:00
Furkan ÇALIŞKAN
85962665fd
Update win_susp_explorer.yml
2020-10-05 10:49:54 +03:00
svch0stz
a02f4840e5
Update win_susp_logon_explicit_credentials.yml
2020-10-05 15:31:30 +11:00
svch0stz
0249d330f5
Update win_susp_logon_explicit_credentials.yml
2020-10-05 15:23:23 +11:00
svch0stz
c34cde7938
Create win_susp_logon_explicit_credentials.yml
❯ python .\sigmac -t splunk -c .\config\splunk-windows.yml ..\rules\windows\builtin\win_susp_logon_explicit_credentials.yml
(source="WinEventLog:Security" (EventCode="4648" (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\winrs.exe" OR Image="*\\wmic.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\reg.exe" OR Image="*\\winrs.exe")) NOT (Target_Server_Name="localhost"))
2020-10-05 15:17:39 +11:00
svch0stz
c82d5ac08e
Create win_net_use_admin_share.yml
2020-10-05 14:43:45 +11:00
svch0stz
60bd6a3692
Update win_susp_copy_lateral_movement.yml
2020-10-05 14:35:20 +11:00
svch0stz
dd2ab4082d
Update win_susp_copy_lateral_movement.yml
2020-10-05 14:33:00 +11:00
svch0stz
641f3031bd
Update win_susp_copy_lateral_movement.yml
2020-10-05 14:27:39 +11:00
svch0stz
3516819bf8
Delete win_net_use_admin_share.yml
2020-10-05 14:00:36 +11:00
svch0stz
c675be41e2
Create win_net_use_admin_share.yml
2020-10-05 13:57:50 +11:00