security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,012 Commits 1 Branch 0 Tags
6bdfddac8edea5e327bf28aed7e6dc4a7f701dc6
Commit Graph

5 Commits

Author SHA1 Message Date
Jonhnathan 8a59b49fea [Security Content] Adjust Investigation Guides to be less generic (#1805) 
* PowerShell Suspicious Script with Audio Capture Capabilities

* PowerShell Keylogging Script

* PowerShell MiniDump Script

* Potential Process Injection via PowerShell

* PowerShell Suspicious Discovery Related Windows API Functions

* Suspicious Portable Executable Encoded in Powershell Script

* PowerShell PSReflect Script

* Startup/Logon Script added to Group Policy Object

* Group Policy Abuse for Privilege Addition

* Scheduled Task Execution at Scale via GPO

* Apply suggestions from code review

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Adjust Posh desc

* .

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* .

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update privilege_escalation_group_policy_scheduled_task.toml

* Update rules/windows/privilege_escalation_group_policy_iniscript.toml

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2022-03-31 11:29:30 -03:00
Jonhnathan 5c477849fe [Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807) 
* Update script_block queries

* Update execution_posh_psreflect.toml
 2022-03-03 07:37:25 -03:00
Jonhnathan 1c50f35aed [Security Content] Update rules based on docs review (#1803) 
* Adds suggestions from security-docs

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-03-01 21:39:30 -03:00
Jonhnathan dec4243db0 [Rule Tuning] Update rules based on docs review (#1778) 
* Update rules based on docs review

* trivial change to trigger CLA

* undo changes from triggering build

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-02-16 07:42:06 -09:00
Jonhnathan 7bbeaf3053 [New Rule] PowerShell PSReflect Script (#1558) 2022-01-19 15:31:08 -09:00