Nasreddine Bencherchali
f34bc22537
Create proc_creation_win_lolbin_forfiles.yml
2022-06-14 17:39:55 +01:00
Nasreddine Bencherchali
6476152624
Create proc_creation_win_conhost_path_traversal.yml
2022-06-14 17:39:52 +01:00
Florian Roth
afce3ffcae
Merge branch 'master' into msdt-rules
2022-06-13 22:55:40 +02:00
Florian Roth
2a4e6d8ebe
Merge pull request #3123 from phantinuss/master
...
fix FP and add Follina reference to description
2022-06-13 22:54:54 +02:00
Florian Roth
037bf0f6bb
Update proc_creation_win_lolbin_susp_certreq_download.yml
2022-06-13 18:27:56 +02:00
Nasreddine Bencherchali
0e0f44fc0c
Update proc_creation_win_msdt.yml
2022-06-13 16:36:19 +01:00
Nasreddine Bencherchali
8ca55de64c
Update proc_creation_win_msdt.yml
2022-06-13 14:33:12 +01:00
Nasreddine Bencherchali
ffd236158c
Update MSDT Rules
2022-06-13 14:30:35 +01:00
phantinuss
92c2976793
docs: add Follina reference in description
2022-06-13 13:30:21 +02:00
Nasreddine Bencherchali
e96532344f
Removed "modified" date
2022-06-13 11:31:47 +01:00
Nasreddine Bencherchali
21f20c9e7a
Renamed to shorter names
2022-06-13 00:52:53 +01:00
Nasreddine Bencherchali
7b3e6c7f59
Update proc_creation_win_lolbin_rasautou_dll_execution.yml
2022-06-13 00:21:32 +01:00
Nasreddine Bencherchali
ffd135c6b6
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
Nasreddine Bencherchali
13b02a2aec
Renamed LOLBIN Rules 2
2022-06-12 21:37:42 +01:00
Nasreddine Bencherchali
3cfb370266
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
Florian Roth
6d07a3aaff
Merge pull request #3121 from frack113/Cmdkey
...
Update Cmdkey
2022-06-12 18:37:19 +02:00
Florian Roth
1c8c9d4ff2
refactor: one more space char
2022-06-12 18:06:51 +02:00
frack113
dc67990e07
Update proc_creation_win_local_system_owner_account_discovery.yml
2022-06-12 17:58:33 +02:00
frack113
fb0618795f
Update proc_creation_win_mstsc.yml
2022-06-12 17:52:37 +02:00
Florian Roth
9caea8bb03
Merge pull request #3118 from SigmaHQ/rule-devel
...
rules: DNS ext requests, ISO phish, BITS refactor
2022-06-12 17:51:11 +02:00
frack113
b0730c613b
Update Cmdkey
2022-06-12 17:31:24 +02:00
CD-R0M
6786bd58ac
Merge branch 'SigmaHQ:master' into master
2022-06-11 10:21:07 -04:00
frack113
6c211887a9
Remove unneeded star
2022-06-11 12:58:14 +02:00
Nasreddine Bencherchali
de78f9f5b3
Update proc_creation_win_cmdkey_recon.yml
2022-06-11 11:18:33 +01:00
Nasreddine Bencherchali
b8ab72c222
Update proc_creation_win_mstsc.yml
2022-06-11 02:23:38 +01:00
Nasreddine Bencherchali
c610e4a749
Update proc_creation_win_cmdkey_recon.yml
2022-06-11 02:23:31 +01:00
Nasreddine Bencherchali
3aa1d3710a
Update proc_creation_win_susp_curl_fileupload.yml
2022-06-11 02:23:14 +01:00
Nasreddine Bencherchali
0e68a801b1
Update proc_creation_win_susp_curl_download.yml
2022-06-11 02:22:56 +01:00
Nasreddine Bencherchali
50bb79d54e
Update proc_creation_win_susp_wsl_lolbin.yml
2022-06-11 02:21:39 +01:00
Nasreddine Bencherchali
2d174ec4fc
Update proc_creation_win_susp_gup_execution.yml
2022-06-10 19:08:30 +01:00
Nasreddine Bencherchali
41dd9246fd
GUP LOLBIN Rules + Update AccCheckConsole Rule
2022-06-10 19:07:25 +01:00
Florian Roth
a05e154869
fix: condition
2022-06-10 13:46:19 +02:00
Florian Roth
3ffe83bd70
fix: typo
2022-06-10 13:18:55 +02:00
Florian Roth
d172b136bf
Merge pull request #3109 from frack113/diagcab
...
Add file_event_win_susp_diagcab
2022-06-10 07:34:33 +02:00
Nasreddine Bencherchali
7267e547df
Update proc_creation_win_susp_cdb.yml
2022-06-09 19:16:38 +01:00
Nasreddine Bencherchali
929d264529
Update proc_creation_win_susp_cdb.yml
2022-06-09 19:14:24 +01:00
Nasreddine Bencherchali
4e1423ba74
Update proc_creation_win_susp_cdb.yml
2022-06-09 19:13:22 +01:00
Nasreddine Bencherchali
639a6dd550
Update proc_creation_win_lolbin_mftrace.yml
2022-06-09 18:52:32 +01:00
Nasreddine Bencherchali
fc44b0999b
Update proc_creation_win_lolbin_mftrace.yml
2022-06-09 18:47:53 +01:00
Nasreddine Bencherchali
a934f587d4
Update proc_creation_win_lolbin_mftrace.yml
2022-06-09 18:04:35 +01:00
Nasreddine Bencherchali
78bdfa85a9
Fix
2022-06-09 18:00:24 +01:00
Nasreddine Bencherchali
f4b0dd69f1
Update proc_creation_win_lolbin_adplus.yml
2022-06-09 16:15:28 +01:00
Nasreddine Bencherchali
0a0e976ccf
Update proc_creation_win_susp_dxcap.yml
2022-06-09 15:58:52 +01:00
Nasreddine Bencherchali
87e813a649
Update proc_creation_win_lolbin_squirrel.yml
2022-06-09 15:58:22 +01:00
Nasreddine Bencherchali
4561d86d81
New/Update LOLBIN Rules
2022-06-09 15:56:33 +01:00
frack113
e6cf3d34d1
Update modified
2022-06-09 13:27:07 +02:00
svch0stz
ffcf5872c5
Update proc_creation_win_susp_recon_activity.yml
2022-06-09 20:34:25 +10:00
frack113
54b1baa188
Add proc_creation_win_msdt_diagcab
2022-06-09 08:57:51 +02:00
svch0stz
c1a601fef8
Update proc_creation_win_susp_recon_activity.yml
...
Using "/do" is still a valid argument. Looking for /dom will exclude this.
The other option is to remove the "/do" argument and just look for cmdline contains:
- net group "domain admins"
https://twitter.com/TheDFIRReport/status/1534227586225684481
2022-06-09 10:14:57 +10:00
Florian Roth
7f61789082
rule: renamed rundll32.exe
2022-06-08 17:23:29 +02:00