security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c2d9e95e83e9a04fead436fad9102e43cb4cb1b0
blue-team-tools/rules/windows/powershell/powershell_module
T
History
Swachchhanda Shrawan Poudel c2d9e95e83 Merge PR #5532 from @swachchhanda000 - fix: refine detections and filters; update Account Tampering with SubStatus field 
fix: SMB Create Remote File Admin Share - filter out local IP
fix: Alternate PowerShell Hosts - PowerShell Module - filter out more legit powershell host
fix: CurrentVersion NT Autorun Keys Modification - filter svchost making legitimate registry change
fix: Potentially Suspicious Desktop Background Change Via Registry - filter EC2Launch.exe
update: Account Tampering - Suspicious Failed Logon Reasons - add SubStatus field
2025-10-17 08:12:25 +05:45
..
posh_pm_active_directory_module_dll_import.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_alternate_powershell_hosts.yml
Merge PR #5532 from @swachchhanda000 - fix: refine detections and filters; update Account Tampering with SubStatus field
2025-10-17 08:12:25 +05:45
posh_pm_bad_opsec_artifacts.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_clear_powershell_history.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_decompress_commands.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_exploit_scripts.yml
Merge PR #5515 from @X-Junior - coverage for Invoke-PowerDPAPI
2025-07-07 12:19:55 +02:00
posh_pm_get_addbaccount.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_get_clipboard.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_hktl_evil_winrm_execution.yml
Merge PR #5149 from @nasbench - Promote older rules status from experimental to test
2025-01-06 15:36:19 +01:00
posh_pm_invoke_obfuscation_clip.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_invoke_obfuscation_obfuscated_iex.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_invoke_obfuscation_stdin.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_invoke_obfuscation_var.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_invoke_obfuscation_via_compress.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_invoke_obfuscation_via_rundll.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_invoke_obfuscation_via_stdin.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_invoke_obfuscation_via_use_clip.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_invoke_obfuscation_via_use_mhsta.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_invoke_obfuscation_via_use_rundll32.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_invoke_obfuscation_via_var.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_malicious_commandlets.yml
Merge PR #5515 from @X-Junior - coverage for Invoke-PowerDPAPI
2025-07-07 12:19:55 +02:00
posh_pm_remote_powershell_session.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_remotefxvgpudisablement_abuse.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_susp_ad_group_reco.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_susp_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_susp_get_nettcpconnection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_susp_invocation_generic.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_susp_invocation_specific.yml
Merge PR #5196 from @swachchhanda000 - Updated and Added rules related to Autorun Registry
2025-05-12 13:28:51 +02:00
posh_pm_susp_local_group_reco.yml
Merge PR #5594 from @vl43den - Update Suspicious Get Local Groups Information
2025-10-01 11:50:48 +02:00
posh_pm_susp_reset_computermachinepassword.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_susp_smb_share_reco.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_susp_zip_compress.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
posh_pm_syncappvpublishingserver_exe.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00