security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

7892 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Nikita Nazarov 654bd7bdba Update win_software_discovery.yml 
Add edits
 2020-10-19 11:05:45 +03:00
Jonhnathan 6b2c235ab3 Update win_susp_replace_lolbin.yml 2020-10-18 23:44:18 -03:00
v3t0 3a550af9f7 [OSCD] Added a rule to detect execution of runonce with suspicious parameters 2020-10-18 22:38:13 -04:00
v3t0 755a714884 [OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments 2020-10-18 19:35:57 -04:00
Alejandro Ortuno 41f5d7e876 Adding Ömer as leading author 2020-10-18 20:30:32 +02:00
Alejandro Ortuno 8a43dec5a3 Adding Ömer as the leading author 2020-10-18 20:28:55 +02:00
Vasiliy Burov 439f88f75a Create win_mal_lockergoga.yml 2020-10-18 20:25:37 +03:00
Ensar Şamil 4619e98602 Update win_pe_exec_vsjitdebugger.yml 2020-10-18 20:08:29 +03:00
Timur Zinniatullin 0d5b03342a Add win_invoke_obfuscation_via_compress.yml 2020-10-18 19:51:20 +03:00
Timur Zinniatullin 8b255ab959 Add powershell_invoke_obfuscation_via_compress.yml 2020-10-18 19:50:58 +03:00
Timur Zinniatullin 30f7dad901 Add win_invoke_obfuscation_via_compress_services.yml 2020-10-18 19:50:30 +03:00
stvetro 65fc968658 Create win_susp_file_download_via_gfxdownloadwrapper.yml 2020-10-18 20:40:23 +04:00
stvetro a6d99e4418 Create win_susp_runscripthelper.yml 2020-10-18 20:37:53 +04:00
stvetro 5cb76ef7d4 Create win_winword_dll_load.yml 2020-10-18 20:29:39 +04:00
stvetro 5ae052b665 Revert "Revert "Create win_verclsid_runs_com.yml"" 
This reverts commit 8e820d441a.
 2020-10-18 20:10:29 +04:00
stvetro 8e820d441a Revert "Create win_verclsid_runs_com.yml" 
This reverts commit 7e4a958cc5.
 2020-10-18 20:10:21 +04:00
Timur Zinniatullin d84281936b Update win_invoke_obfuscation_via_rundll.yml 2020-10-18 19:05:40 +03:00
Timur Zinniatullin eb2af704e7 Update powershell_invoke_obfuscation_via_rundll.yml 2020-10-18 19:05:27 +03:00
Timur Zinniatullin 39bac712c3 Update win_invoke_obfuscation_via_rundll_services.yml 2020-10-18 19:05:09 +03:00
stvetro 7e4a958cc5 Create win_verclsid_runs_com.yml 2020-10-18 20:02:34 +04:00
stvetro 07d3a6f340 Removed rules 
to have 1 pull request 1 rule
 2020-10-18 19:57:30 +04:00
Timur Zinniatullin 35a9a7d46c Update powershell_invoke_obfuscation_via_rundll.yml 2020-10-18 18:54:59 +03:00
Timur Zinniatullin 0c934ea455 Update win_invoke_obfuscation_via_rundll.yml 2020-10-18 18:54:31 +03:00
Timur Zinniatullin 98febd2101 Update win_invoke_obfuscation_via_rundll_services.yml 2020-10-18 18:54:06 +03:00
Timur Zinniatullin 683c4cfc0a Add win_invoke_obfuscation_via_rundll.yml 2020-10-18 18:53:17 +03:00
Timur Zinniatullin 1bde40a98d Add win_invoke_obfuscation_via_rundll_services.yml 2020-10-18 18:52:25 +03:00
Timur Zinniatullin eee01f6a86 Add powershell_invoke_obfuscation_via_rundll.yml 2020-10-18 18:51:51 +03:00
feedb 54b75b73b2 [OSCD] process_creation_msdeploy 2020-10-18 17:37:14 +03:00
feedb 2b731300fb [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code 
=/
 2020-10-18 17:13:41 +03:00
feedb 744d27d892 [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code 2020-10-18 17:08:52 +03:00
feedb e7c9ead469 [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code 2020-10-18 17:06:09 +03:00
feedb fabf2a03fe Delete win_mshta_invoke_html.yml 2020-10-18 15:29:43 +03:00
feedb 468fd40dda Update win_mshta_invoke_html.yml 2020-10-18 15:23:44 +03:00
feedb 6b39f7bb6e Update win_mshta_invoke_html.yml 2020-10-18 15:19:58 +03:00
feedb ad11fc7b0e Update win_mshta_invoke_html.yml 2020-10-18 15:14:13 +03:00
feedb 5b35991cdd Update win_mshta_invoke_html.yml 2020-10-18 15:05:01 +03:00
feedb 91692e49cd Update win_mshta_invoke_html.yml 2020-10-18 15:02:03 +03:00
feedb 3806196071 Create win_mshta_invoke_html.yml 2020-10-18 14:57:22 +03:00
OpalSec ca09ae5039 Modification of search logic per advice from @zinint 
Edited suggested searches to improve performance:

VAR+
16ms:	.*cmd.*(?:\/c|\/r).*set.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"

6ms:  .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"

STDIN+
7ms:    .*cmd.*(?:\/c|\/r).*powershell.+(?:\$\{?input}?|noexit).*\"

3ms:    .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"

CLIP+
28ms:    .*cmd.*(?:\/c|\/r).*\|.*clip(?:\.exe)?.*&&.*clipboard]::\(\s\\\"\{\d\}.*\-f.*\"

11ms:    .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
 2020-10-18 21:15:43 +11:00
Vasiliy Burov 3bddff4d52 Update win_susp_multiple_files_renamed.yml 2020-10-18 11:52:34 +03:00
nsaddler 3aa2a73ba7 Update powershell_CL_Invocation_LOLScript.yml 2020-10-18 10:38:40 +03:00
unclep@sk b69e56539e tags fixed 2020-10-18 09:22:29 +03:00
S.kiran kumar 31ad3fcd6b Mitre tags changed 2020-10-18 08:08:25 +05:30
nsaddler a6f00d6acc Update powershell_CL_Invocation_LOLScript.yml 2020-10-18 02:48:21 +03:00
yugoslavskiy 4180663593 Update win_powershell_script_installed_as_service.yml 2020-10-18 01:32:20 +02:00
yugoslavskiy 30970903bc Update win_powershell_script_installed_as_service.yml 2020-10-18 01:32:07 +02:00
Наталья Шорникова 789e7227be Splitting into two 2020-10-18 02:16:11 +03:00
nsaddler 8d1b863182 Update sysmon_in_memory_powershell.yml 2020-10-18 01:16:11 +03:00
nsaddler 3aff4836ca Update sysmon_wab_dllpath_reg_change.yml 2020-10-18 00:19:27 +03:00
yugoslavskiy 198add2229 Update win_wmi_persistence.yml 
to trigger a test
 2020-10-17 22:28:10 +02:00