security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
05d2de4c267856ff843e7aca3824d98ee453412e
blue-team-tools/rules/windows/powershell
T
History
Steven 05d2de4c26 - Cleaned up some more rules where 'service: sysmon' was combined with category 
- Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent

       modified:   rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
       modified:   rules/windows/malware/mal_azorult_reg.yml
       modified:   rules/windows/powershell/powershell_suspicious_profile_create.yml
       modified:   rules/windows/process_creation/sysmon_cmstp_execution.yml
       modified:   rules/windows/process_creation/win_apt_chafer_mar18.yml
       modified:   rules/windows/process_creation/win_apt_unidentified_nov_18.yml
       modified:   rules/windows/process_creation/win_hktl_createminidump.yml
       modified:   rules/windows/process_creation/win_mal_adwind.yml
       modified:   rules/windows/process_creation/win_silenttrinity_stage_use.yml
2020-10-02 10:45:29 +02:00
..
powershell_alternate_powershell_hosts.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_clear_powershell_history.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_create_local_user.yml
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:26 +00:00
powershell_data_compressed.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_dnscat_execution.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_downgrade_attack.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_exe_calling_ps.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_invoke_obfuscation_obfuscated_iex.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_malicious_commandlets.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_malicious_keywords.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_nishang_malicious_commandlets.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_ntfs_ads_access.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_prompt_credentials.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_psattack.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_remote_powershell_session.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_shellcode_b64.yml
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:26 +00:00
powershell_suspicious_download.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_suspicious_invocation_generic.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_suspicious_invocation_specific.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_suspicious_keywords.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_suspicious_profile_create.yml
- Cleaned up some more rules where 'service: sysmon' was combined with category
2020-10-02 10:45:29 +02:00
powershell_winlogon_helper_dll.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_wmimplant.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
powershell_xor_commandline.yml
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
win_powershell_web_request.yml
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:26 +00:00