security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

7892 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
uncleP@sk 09d4160b98 filter added 2020-10-13 10:23:08 +03:00
remotephone@gmail.com a85c19db17 updating files to cover broader network discovery logic, renaming alert, adding recommended changes 2020-10-13 00:39:53 -05:00
remotephone@gmail.com 7d49db3988 updating falsepositives documentation to remove line that's not applicable 2020-10-12 23:19:02 -05:00
cyb3rward0g cd270672a6 Update delete alternate powershell host 2020-10-12 23:52:35 -04:00
remotephone@gmail.com 89c8a589a5 updating search syntax, splitting process name and cmdline and adding category 2020-10-12 22:49:19 -05:00
cyb3rward0g 55d6bd8089 Update - Adding description to zeek exfiltration compressed files 2020-10-12 23:32:10 -04:00
cyb3rward0g 354b6a9822 update - GitHub Action / Test Sigma 2020-10-12 23:07:02 -04:00
cyb3rward0g 189e3c2605 update - GitHub Action / Test Sigma 2020-10-12 22:43:36 -04:00
cyb3rward0g 24e0d09a54 update - GitHub Action / Test Sigma 2020-10-12 22:15:49 -04:00
cyb3rward0g 72f35377b3 update - GitHub Action / Test Sigma 2020-10-12 22:11:01 -04:00
cyb3rward0g 644f222079 update - GitHub Action / Test Sigma 2020-10-12 21:58:02 -04:00
cyb3rward0g 491049b92a Updated - GitHub Action / Test Sigma 2020-10-12 21:34:07 -04:00
invrep-de 6a9bc7063f [OSCD] Bad Opsec Powershell Artifacts 2020-10-13 02:21:46 +02:00
sn0w0tter 1df582d8db OSCD LOLBAS atbroker suspicious creation of ATs 2020-10-12 17:10:34 -07:00
invrep-de 55201a94c0 [OSCD] Powershell Disable Windows Defender AV 2020-10-13 02:05:00 +02:00
Timur Zinniatullin d1ef56bddb @aw350m3 style complience (: 2020-10-13 02:47:09 +03:00
Timur Zinniatullin 5bd75521f2 Add win_invoke_obfuscation_via_var++.yml 2020-10-13 02:23:50 +03:00
Timur Zinniatullin 946d84329e Add win_invoke_obfuscation_via_var++_services.yml 2020-10-13 02:22:15 +03:00
Timur Zinniatullin 870574b635 Add powershell_invoke_obfuscation_via_var++.yml 2020-10-13 02:19:57 +03:00
sn0w0tter 863b880845 Titile capitalization 2020-10-12 16:04:41 -07:00
Thomas Patzke a289eeaae6 Merge pull request #1089 from zBlurr/oscd 
[OSCD] Presentationhost.exe LOLbin
 2020-10-13 01:01:20 +02:00
Thomas Patzke d6ceba3719 Merge pull request #1102 from svch0stz/oscd8 
[OSCD] Create win_root_certificate_installed.yml
 2020-10-13 01:00:23 +02:00
Thomas Patzke d89ca07daa Merge pull request #1133 from omkar72/oscd-1 
[OSCD]updated adfind command line
 2020-10-13 00:58:56 +02:00
Thomas Patzke cb86c509f1 Merge pull request #1129 from bczyz1/oscd-sprint-2-keylogging 
[OSCD] Modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature
 2020-10-13 00:58:24 +02:00
Thomas Patzke eaa9f293e7 Merge pull request #1125 from vburov/patch-12 
[OSCD] Create powershell_cmdline_reversed_strings
 2020-10-13 00:57:22 +02:00
Thomas Patzke eb21860ab9 Merge pull request #1124 from bczyz1/oscd-sprint-2 
[OSCD] Create sysmon_modify_screensaver_binary_path.yml
 2020-10-13 00:56:33 +02:00
sn0w0tter c6ddbc78ce OSCD LOLBAS atbroker suspicious execution of ATs 2020-10-12 15:55:38 -07:00
Thomas Patzke e2e3177e46 Merge pull request #1135 from omkar72/oscd-2 
[OSCD] finger executable suspicious execution
 2020-10-13 00:52:27 +02:00
Thomas Patzke 80e3c4b587 Merge pull request #1137 from banzay021/oscd 
[OSCD] Pcwrun.exe detection added
 2020-10-13 00:51:04 +02:00
Thomas Patzke 5664f72a2a Merge pull request #1054 from NikitaStormwind/task#70 
[OSCD] Detecting Code injection with PowerShell in another process #70
 2020-10-13 00:47:13 +02:00
Thomas Patzke 4a74a56ba3 Merge pull request #1052 from NikitaStormwind/task 
[OSCD] Detecting use WinAPI Functions in PowerShell #69
 2020-10-13 00:46:25 +02:00
Thomas Patzke 8bee7272ab Merge pull request #1051 from esebese/oscd 
[OSCD] win_syncappvpublishingserver_exe.yml added
 2020-10-13 00:45:22 +02:00
Thomas Patzke 768e500627 Merge pull request #1042 from NikitaStormwind/task29,30 
[OSCD] Detecting use PsExec via Pipe Creation/Access to pipes #29 #30
 2020-10-13 00:40:58 +02:00
Thomas Patzke 14fcdc9899 Merge pull request #1038 from caliskanfurkan/master 
[OSCD] Added explorer.exe lolbin
 2020-10-13 00:36:29 +02:00
cyb3rward0g 21f41eaad9 16 rules from DH APT29 day 1 - contributing soon 2020-10-12 18:13:13 -04:00
Thomas Patzke f064102399 Merge pull request #996 from fryguy04/master 
removed leading slash and allow for mult spaces
 2020-10-12 23:32:17 +02:00
Thomas Patzke 976fc92b22 Merge pull request #971 from alan8trend/parse_nested_parentheses 
Add support nested parentheses for Sigma condition
 2020-10-12 23:30:36 +02:00
Thomas Patzke e8cdd4777a Merge pull request #1026 from ryanplasma/fix-pymisp-error 
Fix error with pymisp in sigma2misp
 2020-10-12 23:14:13 +02:00
cyb3rward0g 104b40ce8f 10 rules from THP - contributing soon 2020-10-12 15:42:34 -04:00
nsaddler 28c8b56473 Update sysmon_in_memory_powershell.yml 2020-10-12 19:05:08 +03:00
Наталья Шорникова e70368f1f0 [OSCD] Updating existing rule sysmon_in_memory_powershell.yml 2020-10-12 19:00:47 +03:00
S.kiran kumar bd5e7fda14 Update silenttrinity_stager_msbuild_activity.yml 2020-10-12 21:26:44 +05:30
Nikita P. Nazarov 9b17634aa4 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:56:12 +03:00
Nikita P. Nazarov ec383d9784 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:52:28 +03:00
Nikita P. Nazarov c5efbc8345 Detects Obfuscated Powershell via Stdin in Scripts 2020-10-12 18:47:51 +03:00
nsaddler e94a47b9d3 Update sysmon_accessing_winapi_in_powershell_credentials_dumping.yml 2020-10-12 18:33:43 +03:00
nsaddler df8cd24a5d Update sysmon_long_powershell_commandline.yml 2020-10-12 18:28:28 +03:00
nsaddler 07a4d11af7 Update win_powershell_script_installed_as_service.yml 2020-10-12 18:23:06 +03:00
Vasiliy Burov 95cd271686 Update powershell_cmdline_specific_comb_methods.yml 2020-10-12 18:10:46 +03:00
Vasiliy Burov 643d700d53 Update powershell_cmdline_specific_comb_methods.yml 2020-10-12 17:51:19 +03:00