Commit Graph

14 Commits

Author SHA1 Message Date
Florian Roth edf8dde958 Include cases in which certutil.exe is used 2018-09-23 20:57:34 +02:00
Karneades c73a9e4164 Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.

We could also use both the Image path and the Command Line.

Message     : Process Create:
              Image: C:\Windows\SysWOW64\certutil.exe
              CommandLine: certutil  xx -decode xxx
              Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
              ParentImage: C:\Windows\System32\cmd.exe
              ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
Suleyman Ozarslan 05b91847cd ATT&CK tagging of Suspicious Certutil Command rule 2018-07-19 16:42:39 +03:00
megan201296 b0bc3b66ed Fixed typo 2018-07-09 13:32:16 -05:00
Florian Roth fc72bd16af Fixed bugs 2018-06-27 09:20:41 +02:00
Markus Härnvi cf237cf658 "author" should be a string and not a list, according to the specification 2018-04-16 23:42:51 +02:00
SherifEldeeb 348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb 48441962cc Change All "str" references to be "list" to match schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb 112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Thomas Patzke 986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Thomas Patzke 84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00
Florian Roth cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file)
> the -urlcache is the relevant command
2017-07-20 12:54:55 -06:00
Florian Roth 3a55b31da2 certutil file download - more generic approach 2017-07-20 12:48:47 -06:00
Florian Roth b85d96e458 certutil detections (renamed, extended)
see https://twitter.com/subTee/status/888102593838362624
2017-07-20 12:38:10 -06:00