Commit Graph

7892 Commits

Author SHA1 Message Date
yugoslavskiy 35526cc413 Update sysmon_asep_reg_keys_modification.yml
to trigger a test
2020-10-17 22:27:46 +02:00
yugoslavskiy cefa892c49 Update powershell_bad_opsec_artifacts.yml
to trigger a test
2020-10-17 22:27:04 +02:00
yugoslavskiy 5142d6d114 Update sysmon_susp_clr_logs.yml
to trigger a test
2020-10-17 22:26:35 +02:00
yugoslavskiy cb8cbf5a17 Update lnx_schedule_task_job_cron.yml
to trigger a test once again)
2020-10-17 22:25:52 +02:00
yugoslavskiy 00652d3692 Update sysmon_susp_script_dotnet_clr_dll_load.yml
to trigger a test
2020-10-17 22:25:01 +02:00
yugoslavskiy a3bddc6313 Update macos_clear_system_logs.yml
to trigger a test
2020-10-17 22:24:16 +02:00
yugoslavskiy 5f67ba4558 Update win_susp_rpcping.yml
to trigger a test
2020-10-17 22:22:52 +02:00
yugoslavskiy d6b64f2caf Update lnx_schedule_task_job_cron.yml
to trigger a test
2020-10-17 22:22:20 +02:00
yugoslavskiy 2663cb7d38 Update win_susp_pester.yml
to trigger a test
2020-10-17 22:21:41 +02:00
grikos b75126f580 merged the description into one line 2020-10-17 22:48:40 +03:00
yugoslavskiy fc3e7c37ab Update sysmon_uac_bypass_via_dism.yml
to execute the test
2020-10-17 21:35:44 +02:00
grikos aa87772ee7 empty line at the end of file added & del extra spaces after hyphen 2020-10-17 22:29:49 +03:00
yugoslavskiy e7e5ed6923 Update win_rasautou_dll_execution.yml
to trigger a test
2020-10-17 21:27:50 +02:00
grikos ae30660556 suspicious csi.exe (rcsi.exe) LOLBAS detection rule 2020-10-17 22:22:24 +03:00
yugoslavskiy b71787d1d7 Update win_susp_vboxdrvInst.yml 2020-10-17 19:45:40 +02:00
aw350m3 18c2a107c7 fix tabs... again... 2020-10-17 16:07:40 +00:00
aw350m3 acf87f927c fix tabs 2020-10-17 16:03:49 +00:00
aw350m3 20450d74f1 Added a rule to detect the launch of a PowerShell with redirection of the input stream. 2020-10-17 15:50:55 +00:00
Roberto Rodriguez 7c9249f6ad Create sysmon_wmic_remote_xsl_scripting_dlls.yml
BSides Delhi Example
2020-10-17 11:17:48 -04:00
Ryan Plas 782a55b8e5 Add Files Dropped to Program Files by Non-Privileged Process Rule 2020-10-17 10:47:30 -04:00
Alexandre ZANNI c961fa046e readme: package in linux distros 2020-10-17 15:50:19 +02:00
Ryan Plas ff84852803 Replace start of paths with placeholders 2020-10-17 09:36:25 -04:00
sn0w0tter 6b85cc4b88 rerun PR checks 2020-10-17 04:41:10 -07:00
Alexey Lednyov 1a0e2b3c8e Add a technique tag 2020-10-17 08:46:57 +03:00
remotephone 48cabeafe5 Updated author section 2020-10-16 22:02:58 -05:00
remotephone 8f6ce25bab Merge changes from pull 1084 with this one
https://github.com/Neo23x0/sigma/pull/1084 includes some commands I missed. This merges both and creates an OR selection condition to match both possible conditions.
2020-10-16 22:01:44 -05:00
remotephone ffde8b0208 Update to handle different file locations 2020-10-16 21:54:41 -05:00
tas_kmanager e955d38f0a [OSCD] Always Install Elevated Alternative
Page 48 from #574

Alternative to #1195 because it is in the unsupported folder. Following suggestion from @yugoslavskiy - #574 (comment)
2020-10-16 21:35:53 -04:00
Mikhail Larin 29f2f1acfe added fish to macos rule 2020-10-17 02:37:21 +03:00
Mikhail Larin 65854752a9 additional shells for both rules fix 2020-10-17 02:33:32 +03:00
Mikhail Larin fb3bee0cad title fix 2020-10-17 02:17:40 +03:00
Mikhail Larin 9b568df527 Lin/Mac T1552.003 2020-10-17 02:06:01 +03:00
Alexander Akhremchik 451187bfbd fixed title capitalization 2020-10-17 01:26:02 +03:00
Alexander Akhremchik 860dc24e4b add zerologon rule 2020-10-17 01:13:57 +03:00
Alexander Akhremchik dbb18b89dc add zerologon rule 2020-10-17 01:11:31 +03:00
Alexey Lednyov 761bebfece Fix title 2020-10-17 01:10:47 +03:00
Alexey Lednyov 69bde540c7 Added a rule to detect the use of the Windows telemetry mechanism for persistence 2020-10-17 00:48:14 +03:00
yugoslavskiy cc2f48b4a3 Merge pull request #1195 from tas-kmanager/mt-oscd-sigma547-48
[OSCD] Always Install Elevated: unsupported
2020-10-16 22:24:34 +02:00
Ömer Günal 26bb43eaf6 Update lnx_system_info_discovery.yml 2020-10-16 23:00:44 +03:00
Ömer Günal a01c04018c Update lnx_password_policy_discovery.yml 2020-10-16 22:52:15 +03:00
Ömer Günal bf12c73118 Update at_command.yml 2020-10-16 22:49:40 +03:00
Craig Young 192bca814b Remove all modifier 2020-10-16 15:46:51 -04:00
Roberto Rodriguez 4f039c7945 Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-10-16 14:45:13 -04:00
Ömer Günal 723df2f15b Update lnx_system_info_discovery.yml 2020-10-16 21:08:01 +03:00
Vasiliy Burov cc3674bd12 Create win_susp_multiple_files_renamed.yml
It is not a task of the OSCD sprint #2, but I decided to include this rule here :-)
2020-10-16 21:03:11 +03:00
Craig Young 85e3099297 Added LOLBAS URL 2020-10-16 13:58:59 -04:00
Craig Young e9953b5a82 Utilize Image|endswith for efficiency
Rather than searching all command lines, it is more efficient to consider first the Image name.
2020-10-16 13:56:41 -04:00
Ömer Günal f7fbfda794 Update lnx_system_info_discovery.yml 2020-10-16 20:53:00 +03:00
Craig Young 6e2b899128 Adding oscd.community to authors 2020-10-16 13:51:02 -04:00
Nikita P. Nazarov 30ce1ff268 Detected Windows Software Discovery 2020-10-16 20:44:08 +03:00