Commit Graph

7892 Commits

Author SHA1 Message Date
Ivan Dyachkov b24bec6c6c delete diskshadow 2020-10-14 15:55:24 +03:00
Ivan Dyachkov 3f932e4252 #1014 2020-10-14 15:51:32 +03:00
omkargudhate22 23098d042c Update sysmon_susp_clr_logs.yml 2020-10-14 18:11:49 +05:30
omkargudhate22 75ee2e0f47 Update sysmon_susp_clr_logs.yml 2020-10-14 18:10:42 +05:30
omkargudhate22 f123a51d42 contains all condition 2020-10-14 17:34:01 +05:30
omkargudhate22 8e792f95ab removed regex 2020-10-14 17:31:38 +05:30
omkargudhate22 90725564c6 separated & changed conditions 2020-10-14 17:29:45 +05:30
Ivan Dyachkov fa55803545 fixed spaces and tabs 2020-10-14 13:33:27 +03:00
uncleP@sk 947fa79dd3 vsjitdebugger detection added 2020-10-14 13:29:25 +03:00
Ivan Dyachkov 22d5acde10 New rule 2020-10-14 13:28:41 +03:00
uncleP@sk 8fdca7853c te.exe LOLbin detection 2020-10-14 13:02:45 +03:00
Ivan Dyachkov cf9b040600 fixed description, tags 2020-10-14 12:08:22 +03:00
Demyan Sokolin ffaad3a124 retrigger checks 2020-10-14 12:01:33 +03:00
S.kiran kumar 0d25660624 Update silenttrinity_stager_msbuild_activity.yml 2020-10-14 14:13:20 +05:30
Alejandro Ortuno 2ef52dbfd8 Initial Sigma Rule 2020-10-14 10:24:59 +02:00
Alejandro Ortuno bf8426d71b Initial commit of sigma rule 2020-10-14 10:14:00 +02:00
S.kiran kumar 2fa7ae2c1c Update silenttrinity_stager_msbuild_activity.yml 2020-10-14 13:04:49 +05:30
Ivan Dyachkov c0e70106fa Fixed att&ck, deleted commandline key "exec" (does not work without interactive mode, so no command line appears) 2020-10-14 10:15:06 +03:00
uncleP@sk 196debf0ad description + author fields fixed 2020-10-14 10:12:34 +03:00
uncleP@sk 2f06c30760 empty line + authors fixed 2020-10-14 10:06:34 +03:00
Alejandro Ortuno 75a05db446 Add slash to bypass testing 2020-10-14 08:50:15 +02:00
remotephone@gmail.com 8e7fbbd147 fixing UUID and description 2020-10-14 00:54:51 -05:00
remotephone@gmail.com ed22c8e0fe adding macos screencapture rule 2020-10-14 00:51:55 -05:00
remotephone@gmail.com 8bbde90328 adding line at end of file 2020-10-14 00:05:28 -05:00
remotephone@gmail.com 3cddb86b70 updating tags 2020-10-14 00:01:30 -05:00
remotephone@gmail.com 7343936653 adding gui input capture, first iteration 2020-10-13 23:59:53 -05:00
S.kiran kumar 6b25378a61 Removed * operator 2020-10-14 10:07:16 +05:30
S.kiran kumar 4fa6ca01ef Changed category. 2020-10-14 10:05:41 +05:30
remotephone@gmail.com df20d2a5d2 adding new line at end of file 2020-10-13 22:44:02 -05:00
remotephone@gmail.com 7e002fcb5f updating selections to make query more efficient and less prone to evasion 2020-10-13 22:17:26 -05:00
remotephone@gmail.com 56952ecdd4 updating to select commandline arguments correctly for macos rule, and cleaning up description across both rules 2020-10-13 22:09:37 -05:00
Jonhnathan 043033c1b7 Update win_etw_trace_evasion.yml 2020-10-13 22:59:06 -03:00
Jonhnathan ac1a6927ad Update win_etw_trace_evasion.yml 2020-10-13 22:55:13 -03:00
Jonhnathan e3446b873a Correct duplicated selection 2020-10-13 22:54:30 -03:00
Jonhnathan b1c9871b74 Add Additional detections for other techniques 2020-10-13 22:51:48 -03:00
tas_kmanager 7916ae0517 Changed the category to process_creation 2020-10-13 20:58:00 -04:00
tas_kmanager 36a5f13b0c Moved the file to the right category 2020-10-13 20:48:16 -04:00
tas_kmanager dd705cc7f9 Update sysmon_accesschk_usage_after_priv_escalation.yml 2020-10-13 20:43:19 -04:00
tas_kmanager f2ab4a7e32 [OSCD] Add Accesschk tool usage rule: Page 43 from #574 2020-10-13 20:31:15 -04:00
Demyan Sokolin fce386388d Title fixed [2]: Title capitalization added 2020-10-14 02:17:20 +03:00
Demyan Sokolin ba2771147b Title length fixed: Title and description changed to meet requirements. 2020-10-14 02:04:34 +03:00
Demyan Sokolin 208798e373 [OSCD] Possible Zerologon (CVE-2020-1472) exploitation using well-known tools 2020-10-14 01:55:45 +03:00
Thomas Patzke 026be7f753 Merge pull request #1039 from Vasilisa-L/oscd: [OSCD] Pcwutl.dll LOLbin 2020-10-14 00:24:41 +02:00
Thomas Patzke e39ebe065a Merge pull request #1037 from svch0stz/oscd5: [OSCD] Create win_susp_logon_explicit_credentials.yml 2020-10-14 00:23:08 +02:00
Thomas Patzke 95789a5379 Merge pull request #1068 from esebese/task87: [OSCD] win_visual_basic_compiler.yml added 2020-10-14 00:21:12 +02:00
Thomas Patzke a83f500267 Merge pull request #1058 from grikos/OSCD_100: [OSCD] LOLBAS Setupapi.yml 2020-10-14 00:19:32 +02:00
Thomas Patzke 7e4a205de7 Merge pull request #1059 from ryanplasma/rplas-SIGMA-547-page-20: [OSCD] Add Usage of reg or Powershell by Non-privileged Users rule 2020-10-13 23:24:05 +02:00
Thomas Patzke 6cc33e5989 Merge pull request #1060 from svch0stz/oscd6: [OSCD] Created powershell_suspicious_mounted_share_deletion.yml 2020-10-13 22:59:25 +02:00
Thomas Patzke b9e38e79fa Merge pull request #1061 from svch0stz/oscd7: [OSCD] Create win_susp_mounted_share_deletion.yml 2020-10-13 22:55:54 +02:00
Jonhnathan a01c08f617 Removed reference to deprecated rule and improve logic 2020-10-13 17:45:35 -03:00