Commit Graph

10511 Commits

Author SHA1 Message Date
Alexey Lednyov 69bde540c7 Added a rule to detect the use of the Windows telemetry mechanism for persistence 2020-10-17 00:48:14 +03:00
yugoslavskiy cc2f48b4a3 Merge pull request #1195 from tas-kmanager/mt-oscd-sigma547-48
[OSCD] Always Install Elevated: unsupported
2020-10-16 22:24:34 +02:00
Ömer Günal 26bb43eaf6 Update lnx_system_info_discovery.yml 2020-10-16 23:00:44 +03:00
Ömer Günal a01c04018c Update lnx_password_policy_discovery.yml 2020-10-16 22:52:15 +03:00
Ömer Günal bf12c73118 Update at_command.yml 2020-10-16 22:49:40 +03:00
Craig Young 192bca814b Remove all modifier 2020-10-16 15:46:51 -04:00
Roberto Rodriguez 4f039c7945 Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-10-16 14:45:13 -04:00
Ömer Günal 723df2f15b Update lnx_system_info_discovery.yml 2020-10-16 21:08:01 +03:00
Vasiliy Burov cc3674bd12 Create win_susp_multiple_files_renamed.yml
It is not a task of the OSCD sprint #2, but I decided to include this rule here :-)
2020-10-16 21:03:11 +03:00
Craig Young 85e3099297 Added LOLBAS URL 2020-10-16 13:58:59 -04:00
Craig Young e9953b5a82 Utilize Image|endswith for efficiency
Rather than searching all command lines, it is more efficient to consider the Image name first.
2020-10-16 13:56:41 -04:00
Ömer Günal f7fbfda794 Update lnx_system_info_discovery.yml 2020-10-16 20:53:00 +03:00
Craig Young 6e2b899128 Adding oscd.community to authors 2020-10-16 13:51:02 -04:00
Nikita P. Nazarov 30ce1ff268 Detected Windows Software Discovery 2020-10-16 20:44:08 +03:00
Ömer Günal 2fa7008363 change reference 2020-10-16 20:42:12 +03:00
Ömer Günal bca3c80f43 Update lnx_clear_logs.yml 2020-10-16 20:39:26 +03:00
Jonhnathan 89bbee6594 Update win_susp_service_dacl_modification.yml 2020-10-16 11:57:54 -03:00
Jonhnathan 3f23aa56c0 Revert "Revert "Changed the rule to download only and not the copy""
This reverts commit 17e7eee3a6.
2020-10-16 11:05:51 -03:00
Jonhnathan 0734274dfa Revert "Revert "Create win_susp_replace_lolbin.yml""
This reverts commit fdd9234acc.
2020-10-16 11:05:40 -03:00
Jonhnathan eee2ace2c6 Revert "Revert "Changed the rule to download only and not the copy""
This reverts commit b0ddaf5ac9.
2020-10-16 11:05:03 -03:00
Jonhnathan ec32341e89 Revert "Revert "Create win_susp_replace_lolbin.yml""
This reverts commit 1979906bae.
2020-10-16 11:04:55 -03:00
Jonhnathan 23e956dcce Merge branch 'oscd5' of https://github.com/w0rk3r/sigma into oscd5 2020-10-16 11:03:21 -03:00
Jonhnathan b190c1dbba Revert "Revert "Changed the rule to download only and not the copy""
This reverts commit 5e9c80c8b1.
2020-10-16 11:03:18 -03:00
Jonhnathan b4663a1535 Revert "Revert "Create win_susp_replace_lolbin.yml""
This reverts commit e47bee2d4e.
2020-10-16 11:03:10 -03:00
tas_kmanager c4ddd56931 Update sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml 2020-10-16 09:30:20 -04:00
tas_kmanager 832c1d4b1a Update sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml 2020-10-16 08:59:07 -04:00
Jonhnathan 2f7b44964c Create win_susp_service_dacl_modification.yml 2020-10-16 09:30:09 -03:00
Jonhnathan e47bee2d4e Revert "Create win_susp_replace_lolbin.yml"
This reverts commit e6a6549676.
2020-10-16 09:10:48 -03:00
Jonhnathan 5e9c80c8b1 Revert "Changed the rule to download only and not the copy"
This reverts commit 1324bc1ad1.
2020-10-16 09:10:45 -03:00
Jonhnathan 9a5c166bb2 Fix filter 2020-10-16 07:35:59 -03:00
Florian Roth 75f177210e Merge pull request #1205 from Neo23x0/rule-devel
fix: ping hex ip rule
2020-10-16 12:33:03 +02:00
unclep@sk aa2cd4bdce Fixed the author field escape char 2020-10-16 13:02:40 +03:00
Florian Roth 986b711de6 Merge branch 'master' into rule-devel 2020-10-16 12:01:29 +02:00
unclep@sk 27bbbf3398 Fixed the author field escape char 2020-10-16 12:51:59 +03:00
unclep@sk dc554af970 Applied the author field and FP filter fix 2020-10-16 12:49:27 +03:00
unclep@sk 94f60acb7f Fixed the author field escape char 2020-10-16 12:09:46 +03:00
Florian Roth 48f1be04d4 fix: ping hex ip rule 2020-10-16 10:06:24 +02:00
Ömer Günal 5c34e69fc9 Update lnx_process_discovery.yml 2020-10-16 10:58:51 +03:00
Ömer Günal 0b30835b7b Update at_command.yml 2020-10-16 10:56:06 +03:00
Ömer Günal 373c637e66 Update lnx_install_root_certificate.yml 2020-10-16 10:55:31 +03:00
Ömer Günal 27dcad8ffe Update lnx_process_discovery.yml 2020-10-16 10:52:54 +03:00
Ömer Günal 68e843f0d3 Update lnx_system_info_discovery.yml 2020-10-16 10:48:36 +03:00
Ivan Dyachkov a51eec1a79 fixed image and commandline search 2020-10-16 10:44:59 +03:00
Ivan Dyachkov 78644305d6 '-s' is working too. 2020-10-16 10:39:56 +03:00
Ömer Günal 38c7cb7406 Update lnx_password_policy_discovery.yml 2020-10-16 10:38:36 +03:00
Ömer Günal f1a6e980e5 added category 2020-10-16 10:33:50 +03:00
Ömer Günal 46e887ef38 Update lnx_clear_logs.yml 2020-10-16 10:32:25 +03:00
Vasiliy Burov 700ed134bc Update powershell_cmdline_special_characters.yml 2020-10-16 10:18:37 +03:00
Vasiliy Burov d2184aee5e Update powershell_cmdline_special_characters.yml 2020-10-16 09:58:59 +03:00
tas_kmanager 9b2268a192 [OSCD] Always Install Elevated - Slide 50 - Rule 2
Page 50 from #574, Rule 2

Look for msiexec spawning command line or powershell, which then spawns other processes.

Using enrichment as suggested by @yugoslavskiy.
2020-10-15 22:36:28 -04:00
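The two-stage logic described in the "Always Install Elevated" commit above (msiexec spawning a shell, then that shell spawning further processes, with enrichment to recover the grandparent), combined with the Image|endswith matching from the "Utilize Image|endswith for efficiency" commit, as an added example. This is not code from the Sigma repository or from any of its rules; it assumes Sysmon Event ID 1 field names (Image, ParentImage, ProcessGuid, ParentProcessGuid, CommandLine), and the events, process GUIDs and paths are constructed for the example.

```python
"""Added example; not code from the Sigma repository or any rule in it.

Implements the two-stage logic the "Always Install Elevated" commit message
describes, over constructed Sysmon Event ID 1 style records:
  1. msiexec.exe spawns cmd.exe or powershell.exe (visible in one event via
     ParentImage), and
  2. that shell spawns further processes (needs enrichment: the child event
     only names the shell as parent, so the grandparent is recovered by
     joining ParentProcessGuid back to the shell's own creation event).
Image fields are matched Sigma-style with endswith before any CommandLine
is examined, per the Image|endswith commit above.
"""
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Suffixes keep the leading backslash so "notmsiexec.exe" cannot match.
INSTALLER_IMAGES = ("\\msiexec.exe",)
SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe")


def image_endswith(path: str, suffixes: Iterable[str]) -> bool:
    """Case-insensitive Sigma-style endswith on an image path."""
    p = path.lower()
    return any(p.endswith(s.lower()) for s in suffixes)


def msi_spawned_shell(events: List[Event]) -> List[Event]:
    """Stage 1: shells whose direct parent is msiexec.exe. No enrichment is
    needed because Sysmon writes ParentImage into the child's own event."""
    return [
        e for e in events
        if image_endswith(e.get("Image", ""), SHELL_IMAGES)
        and image_endswith(e.get("ParentImage", ""), INSTALLER_IMAGES)
    ]


def msi_shell_spawned_processes(events: List[Event]) -> List[Dict[str, str]]:
    """Stage 2: any process whose parent is a shell that was itself started by
    msiexec.exe. The grandparent is not in the child's event, so resolve the
    parent's creation event via ParentProcessGuid -> ProcessGuid."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for child in events:
        shell = by_guid.get(child.get("ParentProcessGuid", ""))
        if shell is None or not image_endswith(shell["Image"], SHELL_IMAGES):
            continue
        installer = by_guid.get(shell.get("ParentProcessGuid", ""))
        if installer is None or not image_endswith(installer["Image"], INSTALLER_IMAGES):
            continue  # grandparent unknown (log gap) or not msiexec: no alert
        hits.append({
            "installer": installer["Image"],
            "shell": shell["Image"],
            "child": child["Image"],
            "child_cmdline": child.get("CommandLine", ""),
        })
    return hits


# Constructed sample telemetry (Sysmon Event ID 1 field names; GUIDs shortened).
SAMPLE_EVENTS: List[Event] = [
    # Chain A: msiexec -> cmd.exe -> net.exe (the pattern the rules look for)
    {"ProcessGuid": "{A1}", "ParentProcessGuid": "{S0}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\msiexec.exe /V"},
    {"ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\stage.bat"'},
    {"ProcessGuid": "{A3}", "ParentProcessGuid": "{A2}",
     "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net localgroup administrators lowpriv /add"},
    # Chain B: msiexec -> vendor setup helper (no shell, must not fire)
    {"ProcessGuid": "{B1}", "ParentProcessGuid": "{S0}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\msiexec.exe /V"},
    {"ProcessGuid": "{B2}", "ParentProcessGuid": "{B1}",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Program Files\Vendor\setup.exe" /quiet'},
    # Chain C: explorer -> powershell -> whoami (a shell, but not from msiexec)
    {"ProcessGuid": "{C1}", "ParentProcessGuid": "{S0}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"ProcessGuid": "{C2}", "ParentProcessGuid": "{C1}",
     "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "whoami"},
]

if __name__ == "__main__":
    for e in msi_spawned_shell(SAMPLE_EVENTS):
        print("stage 1:", e["ParentImage"], "->", e["Image"])
    for h in msi_shell_spawned_processes(SAMPLE_EVENTS):
        print("stage 2:", h["installer"], "->", h["shell"], "->", h["child"], "|", h["child_cmdline"])
```

Only chain A fires: chain B has no shell between msiexec and its child, and chain C's shell has no msiexec grandparent. Stage 1 on its own is noisy in practice, since MSI custom actions legitimately launch cmd.exe, which is why the second rule looks at what the shell goes on to spawn; without the ProcessGuid join, a rule that only sees the child's own event cannot tell an msiexec-started shell from any other.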