frack113
acf59f9795
Fix some errors
2021-08-30 19:49:44 +02:00
frack113
da839775fe
Update PS rules
2021-08-21 09:50:59 +02:00
Florian Roth
5fa5a412d5
fix: FPs with [reflection.assembly]::Load
2021-08-18 09:49:34 +02:00
Florian Roth
a0625ad074
Merge branch 'master' into rule-devel
2021-08-17 12:29:55 +02:00
Florian Roth
80b3acfce9
fix: false positive with Xen / Oracle scripts
2021-08-17 12:03:49 +02:00
Max Altgelt
6f05e33feb
fix: Correct incorrect message / keyword usage
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically Windows event logs). However, neither
field actually exists and as such these strings could never match.
2021-08-12 16:28:07 +02:00
Florian Roth
04faf985d2
more PowerShell suspicious keywords
2021-06-10 09:41:55 +02:00
Florian Roth
274b7b0f2e
fix: search for keywords within message
2021-02-26 09:42:12 +01:00
aw350m3
eb6b9be5a2
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
aw350m3
399f378269
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:26 +00:00
aw350m3
ba2e891433
windows/powershell folder reviewed. Old IDs marked with comment “an old one”. These IDs have to be removed in the future.
2020-08-24 00:01:50 +00:00
Ivan Kirillov
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
Thomas Patzke
924e1feb54
UUIDs + moved unsupported logic
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
testing.
2019-12-19 23:56:36 +01:00
yugoslavskiy
efc404fbae
resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml
2019-11-19 02:11:19 +01:00
yugoslavskiy
cd69111522
Merge branch 'oscd' into master
2019-11-14 00:36:34 +03:00
Thomas Patzke
0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
Karneades
ab5556ae8c
fix: change keyword and bound it to a field
2019-10-29 19:59:43 +01:00
darkquasar
cb6eb35913
adding some more suspicious PS keywords
found in multiple internally analyzed malicious scripts (in the wild and as a result of engagements)
2019-10-28 22:14:14 -07:00
Tareq AlKhatib
15e2f5df5f
fixed typos
2019-06-29 15:35:59 +03:00
Florian Roth
74e3c79f40
Rule: Suspicious PowerShell keywords
2019-02-11 13:02:38 +01:00