security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
399cca35df6aded9196daebc275bf826a9c9e176
blue-team-tools/rules/windows/powershell/powershell_script
T
History
phantinuss 399cca35df Merge PR #4684 from @phantinuss - Multiple FP fixes & rule updates 
fix: Firewall Rule Modified In The Windows Firewall Exception List - new optional filter Brave browser
fix: Outbound RDP Connections Over Non-Standard Tools - new FP filter for RAS TSplus
fix: PowerShell Core DLL Loaded By Non PowerShell Process - new optional filter for chocolatey
fix: Remote Thread Creation In Mstsc.Exe From Suspicious Location - Fix a broken path string
fix: Remote Thread Creation In Uncommon Target Image - Reduce level to medium and remove explorer as target due to FP rates.
fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Fix the filters to be more generic
new: Rare Remote Thread Creation By Uncommon Source Image - A split of 66d31e5f-52d6-40a4-9615-002d3789a119
update: All Rules Have Been Deleted From The Windows Firewall Configuration - Remove program files filter to increase coverage. As deleting rules shouldn't be a "normal" behavior.
update: CreateRemoteThread API and LoadLibrary - Reduce level to medium and convert to a TH rule
update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add additional paths to increase coverage
update: Powershell Install a DLL in System Directory - enhance rule context in big script blocks
update: Remote Thread Creation By Uncommon Source Image - Reduced level to medium and move high indicators to 02d1d718-dd13-41af-989d-ea85c7fab93f 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-01-23 12:15:04 +01:00
..
posh_ps_aadinternals_cmdlets_execution.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_access_to_browser_login_data.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_active_directory_module_dll_import.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
posh_ps_add_dnsclient_rule.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_add_windows_capability.yml
feat: new rules, updates and goofy guineapig stuff (#4229)
2023-05-15 15:53:39 +02:00
posh_ps_adrecon_execution.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_amsi_bypass_pattern_nov22.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_amsi_null_bits_bypass.yml
feat: new rules, updates and goofy guineapig stuff (#4229)
2023-05-15 15:53:39 +02:00
posh_ps_apt_silence_eda.yml
feat: new rules, updates and fp fixes (#4162)
2023-04-11 13:04:22 +02:00
posh_ps_as_rep_roasting.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_audio_exfiltration.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
posh_ps_automated_collection.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_capture_screenshots.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_clear_powershell_history.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_clearing_windows_console_history.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_cmdlet_scheduled_task.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_computer_discovery_get_adcomputer.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_copy_item_system_directory.yml
Merge PR #4684 from @phantinuss - Multiple FP fixes & rule updates
2024-01-23 12:15:04 +01:00
posh_ps_cor_profiler.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_create_local_user.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_create_volume_shadow_copy.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_detect_vm_env.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_directorysearcher.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_directoryservices_accountmanagement.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_disable_psreadline_command_history.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_disable_windows_optional_feature.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_dnscat_execution.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_dotnet_assembly_from_file.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_download_com_cradles.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_dump_password_windows_credential_manager.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_enable_psremoting.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_enable_susp_windows_optional_feature.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_enumerate_password_windows_credential_manager.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_etw_trace_evasion.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_export_certificate.yml
feat: update metadata and add process creation version
2023-05-18 23:45:48 +02:00
posh_ps_frombase64string_archive.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_get_acl_service.yml
Merge PR #4591 from @frack113 - Update tests to pySigma 0.10.9
2023-11-27 09:08:01 +01:00
posh_ps_get_adcomputer.yml
Update posh_ps_get_adcomputer
2023-07-08 18:02:06 +02:00
posh_ps_get_adgroup.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_get_adreplaccount.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_get_childitem_bookmarks.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_get_process_security_software_discovery.yml
Merge PR #4498 from @Tuutaans - Update PowerShell Security Software Discovery Rule
2023-10-28 12:41:41 +02:00
posh_ps_hktl_rubeus.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
posh_ps_hktl_winpwn.yml
Merge PR #4529 from @swachchhanda000 - Add New Rules Related To WinPwn Execution
2023-12-04 14:24:19 +01:00
posh_ps_hotfix_enum.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_icmp_exfiltration.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_import_module_susp_dirs.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
posh_ps_install_unsigned_appx_packages.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
posh_ps_invoke_command_remote.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_invoke_dnsexfiltration.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_invoke_obfuscation_clip.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_invoke_obfuscation_obfuscated_iex.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_invoke_obfuscation_stdin.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_invoke_obfuscation_var.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_invoke_obfuscation_via_compress.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_invoke_obfuscation_via_rundll.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_invoke_obfuscation_via_stdin.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_invoke_obfuscation_via_use_clip.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_invoke_obfuscation_via_use_mhsta.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_invoke_obfuscation_via_use_rundll32.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_invoke_obfuscation_via_var.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_keylogging.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_localuser.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_mailboxexport_share.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_malicious_commandlets.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
posh_ps_malicious_keywords.yml
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
2023-10-28 13:15:09 +02:00
posh_ps_memorydump_getstoragediagnosticinfo.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
posh_ps_modify_group_policy_settings.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_msxml_com.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_nishang_malicious_commandlets.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
posh_ps_ntfs_ads_access.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_office_comobject_registerxll.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_potential_invoke_mimikatz.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_powerview_malicious_commandlets.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
posh_ps_prompt_credentials.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
posh_ps_psasyncshell.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_psattack.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
posh_ps_remote_session_creation.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_remotefxvgpudisablement_abuse.yml
feat: new rules, updates and goofy guineapig stuff (#4229)
2023-05-15 15:53:39 +02:00
posh_ps_request_kerberos_ticket.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_resolve_list_of_ip_from_file.yml
fix: apply suggestions from code review
2023-05-09 16:04:24 +02:00
posh_ps_root_certificate_installed.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_run_from_mount_diskimage.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_script_with_upload_capabilities.yml
fix: apply suggestions from code review
2023-05-09 16:04:24 +02:00
posh_ps_send_mailmessage.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_sensitive_file_discovery.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_set_acl_susp_location.yml
feat: add rules related to pwsh set-acl cmdlet usage (#4352)
2023-07-20 11:08:44 +02:00
posh_ps_set_acl.yml
feat: add rules related to pwsh set-acl cmdlet usage (#4352)
2023-07-20 11:08:44 +02:00
posh_ps_set_policies_to_unsecure_level.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
posh_ps_shellcode_b64.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
posh_ps_shellintel_malicious_commandlets.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_software_discovery.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_store_file_in_alternate_data_stream.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_susp_ace_tampering.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_susp_ad_group_reco.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_susp_alias_obfscuation.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
posh_ps_susp_clear_eventlog.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_directory_enum.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_download.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_execute_batch_script.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_extracting.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_susp_follina_execution.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_get_current_user.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_get_gpo.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_get_process.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_getprocess_lsass.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
posh_ps_susp_gettypefromclsid.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_hyper_v_condlet.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_invocation_generic.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
posh_ps_susp_invocation_specific.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_susp_invoke_webrequest_useragent.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_susp_iofilestream.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_keylogger_activity.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_susp_keywords.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_susp_local_group_reco.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_mail_acces.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_susp_mount_diskimage.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_mounted_share_deletion.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_susp_networkcredential.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_new_psdrive.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_proxy_scripts.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_recon_export.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_susp_remove_adgroupmember.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_service_dacl_modification_set_service.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_set_alias.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
posh_ps_susp_smb_share_reco.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_susp_ssl_keyword.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_start_process.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_unblock_file.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_wallpaper.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_susp_win32_pnpentity.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_susp_win32_shadowcopy_deletion.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_win32_shadowcopy.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_susp_windowstyle.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_susp_write_eventlog.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_susp_zip_compress.yml
Merge PR #4631 from @nasbench - add rules related to CISA aa23-347a advisory and other updates
2023-12-18 16:46:46 +01:00
posh_ps_syncappvpublishingserver_exe.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_tamper_windows_defender_rem_mp.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_tamper_windows_defender_set_mp.yml
Merge PR #4663 from @slincoln-aiq - Update Disable Windows Defender Features Rules
2024-01-10 19:24:20 +01:00
posh_ps_test_netconnection.yml
change status to test
2023-01-27 06:48:34 +01:00
posh_ps_timestomp.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_token_obfuscation.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_user_discovery_get_aduser.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_user_profile_tampering.yml
fix: apply suggestions from code review
2023-05-09 16:04:24 +02:00
posh_ps_using_set_service_to_hide_services.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_veeam_credential_dumping_script.yml
fix: apply suggestions from code review
2023-05-09 16:04:24 +02:00
posh_ps_web_request_cmd_and_cmdlets.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
posh_ps_win32_nteventlogfile_usage.yml
fix: apply suggestions from code review
2023-07-24 12:35:11 +02:00
posh_ps_win32_product_install_msi.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_win_api_susp_access.yml
fix: apply suggestions from code review
2023-07-31 12:28:34 +02:00
posh_ps_win_defender_exclusions_added.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_windows_firewall_profile_disabled.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_winlogon_helper_dll.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_wmi_persistence.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
posh_ps_wmi_unquoted_service_search.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
posh_ps_wmimplant.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
posh_ps_x509enrollment.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
posh_ps_xml_iex.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00