 Jonhnathan
|
7c90f1d4c4
|
[Security Content] Refactor Existing Investigation Guides (#1959)
* Initial commit
* Update Investigation guides - security-docs review
* Update command_and_control_dns_tunneling_nslookup.toml
* Update defense_evasion_amsienable_key_mod.toml
* Apply security-docs review
* Remove dot
* Update rules/windows/command_and_control_rdp_tunnel_plink.toml
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply changes from review
* Apply the suggestion
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
(cherry picked from commit 817b97f428)
|
2022-05-18 16:01:50 +00:00 |
|
|
Jonhnathan
|
4ed2fbe932
|
[Security Content] Adjust Investigation Guides to be less generic (#1805)
* PowerShell Suspicious Script with Audio Capture Capabilities
* PowerShell Keylogging Script
* PowerShell MiniDump Script
* Potential Process Injection via PowerShell
* PowerShell Suspicious Discovery Related Windows API Functions
* Suspicious Portable Executable Encoded in Powershell Script
* PowerShell PSReflect Script
* Startup/Logon Script added to Group Policy Object
* Group Policy Abuse for Privilege Addition
* Scheduled Task Execution at Scale via GPO
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
* Adjust Posh desc
* .
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
* .
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update privilege_escalation_group_policy_scheduled_task.toml
* Update rules/windows/privilege_escalation_group_policy_iniscript.toml
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit 8a59b49fea)
|
2022-03-31 14:31:43 +00:00 |
|
|
Colson Wilhoit
|
150ff0502e
|
Linux Shell Evasion Rule Tuning (#1878)
* Linux Shell Evasion Rule Tuning
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_apt_binary.toml
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
* Update execution_perl_tty_shell.toml
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
|
2022-03-29 21:03:35 -04:00 |
|