Yugoslavskiy Daniil
|
34591f9f64
|
add lnx_system_network_connections_discovery.yml, oscd initiative issue #1011, task number 8
|
2020-10-20 01:17:06 +02:00 |
|
yugoslavskiy
|
9e7789bb32
|
Update win_susp_logon_explicit_credentials.yml
|
2020-10-16 00:50:29 +02:00 |
|
Thomas Patzke
|
026be7f753
|
Merge pull request #1039 from Vasilisa-L/oscd
[OSCD] Pcwutl.dll LOLbin
|
2020-10-14 00:24:41 +02:00 |
|
Thomas Patzke
|
e39ebe065a
|
Merge pull request #1037 from svch0stz/oscd5
[OSCD] Create win_susp_logon_explicit_credentials.yml
|
2020-10-14 00:23:08 +02:00 |
|
Thomas Patzke
|
95789a5379
|
Merge pull request #1068 from esebese/task87
[OSCD] win_visual_basic_compiler.yml added
|
2020-10-14 00:21:12 +02:00 |
|
Thomas Patzke
|
a83f500267
|
Merge pull request #1058 from grikos/OSCD_100
[OSCD] LOLBAS Setupapi.yml
|
2020-10-14 00:19:32 +02:00 |
|
Thomas Patzke
|
7e4a205de7
|
Merge pull request #1059 from ryanplasma/rplas-SIGMA-547-page-20
[OSCD] Add Usage of reg or Powershell by Non-privileged Users rule
|
2020-10-13 23:24:05 +02:00 |
|
Thomas Patzke
|
6cc33e5989
|
Merge pull request #1060 from svch0stz/oscd6
[OSCD] Created powershell_suspicious_mounted_share_deletion.yml
|
2020-10-13 22:59:25 +02:00 |
|
Thomas Patzke
|
b9e38e79fa
|
Merge pull request #1061 from svch0stz/oscd7
[OSCD] Create win_susp_mounted_share_deletion.yml
|
2020-10-13 22:55:54 +02:00 |
|
Thomas Patzke
|
1f4fe42487
|
Merge pull request #1062 from esebese/task86
[OSCD] sysmon_tttracer_mod_load.yml added
|
2020-10-13 22:35:06 +02:00 |
|
Thomas Patzke
|
f7c440b097
|
Merge pull request #1065 from nsaddler/oscd1
[OSCD] Accessing WinAPI in PowerShell. Credentials dumping Rule added
|
2020-10-13 22:33:14 +02:00 |
|
Thomas Patzke
|
0914c03acb
|
Update sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
|
2020-10-13 22:32:55 +02:00 |
|
Thomas Patzke
|
60b99116f3
|
Merge pull request #1064 from Vasilisa-L/OSCD_winrm_AWL
[OSCD] winrm.vbs_1
|
2020-10-13 22:30:14 +02:00 |
|
Thomas Patzke
|
a3a45e4a10
|
Merge pull request #1066 from Vasilisa-L/OSCD_winrm_execution
[OSCD] winrm.vbs_2
|
2020-10-13 22:28:09 +02:00 |
|
Thomas Patzke
|
54a9598d4b
|
Fixed typo
|
2020-10-13 22:27:27 +02:00 |
|
Thomas Patzke
|
2ba89d7924
|
Merge pull request #1067 from nsaddler/oscd2
[OSCD] Too Long Powershell CommandLine Rule added
|
2020-10-13 22:20:29 +02:00 |
|
Thomas Patzke
|
772fd83cca
|
Merge pull request #1080 from esebese/task93
[OSCD] win_class_exec_xwizard.yml added
|
2020-10-13 22:10:39 +02:00 |
|
Thomas Patzke
|
2bad4bb60d
|
Merge pull request #1085 from w0rk3r/oscdq
[OSCD] Update Win_susp_rundll32_activity - Multiple Lolbins
|
2020-10-13 21:45:36 +02:00 |
|
Thomas Patzke
|
b68286a162
|
Merge pull request #1093 from SanWieb/OSCD_regini
[OSCD] regini LOLBAS
|
2020-10-13 21:44:32 +02:00 |
|
Thomas Patzke
|
08eec2b6e6
|
Merge pull request #1094 from NikitaStormwind/Regular30
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (4104, 4103)
|
2020-10-13 21:43:16 +02:00 |
|
Thomas Patzke
|
8f4b3b7324
|
Merge pull request #1097 from NikitaStormwind/regular30(2)
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (process_creation)
|
2020-10-13 21:42:38 +02:00 |
|
Thomas Patzke
|
5f4d60951d
|
Merge pull request #1112 from NikitaStormwind/regular29(1)
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (4104, 4103)
|
2020-10-13 21:34:38 +02:00 |
|
Thomas Patzke
|
79120cd24c
|
Merge pull request #1113 from NikitaStormwind/regular29(2)
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (process_creation)
|
2020-10-13 21:18:03 +02:00 |
|
Thomas Patzke
|
33c80b8428
|
Merge pull request #1092 from zBlurr/win_susp_sqldumper_activity
[OSCD] Sqldumper.exe LOLbin
|
2020-10-13 11:51:41 +02:00 |
|
Thomas Patzke
|
bf0f2fcec8
|
Merge pull request #1117 from aw350m33d/oscd_lolbin_settingsynchost
[OSCD] Using SettingSyncHost.exe as LOLBin
|
2020-10-13 11:46:04 +02:00 |
|
Thomas Patzke
|
acb02d8d65
|
Merge pull request #1148 from sn0w0tter/oscd
[OSCD] LOLBAS atbroker suspicious execution of ATs
|
2020-10-13 11:45:07 +02:00 |
|
Thomas Patzke
|
1684db93d8
|
Merge pull request #1143 from NikitaStormwind/regular28(2)
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (process_creation)
|
2020-10-13 11:39:46 +02:00 |
|
Thomas Patzke
|
7e8930f15e
|
Merge pull request #1142 from NikitaStormwind/regular28(1)
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (4104, 4103)
|
2020-10-13 11:38:26 +02:00 |
|
Thomas Patzke
|
0c77edb859
|
Merge pull request #1120 from bczyz1/oscd
[OSCD] Create powershell_icmp_exfiltration.yml
|
2020-10-13 11:37:40 +02:00 |
|
Thomas Patzke
|
f457e7a398
|
Merge pull request #1150 from zinint/1009-27-1
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (4104, 4103)
|
2020-10-13 11:36:19 +02:00 |
|
Thomas Patzke
|
2ac29e0fee
|
Merge pull request #1152 from zinint/1009-27-3
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (process_creation)
|
2020-10-13 11:24:28 +02:00 |
|
Thomas Patzke
|
0636dd6d9f
|
Merge pull request #1154 from invrep-de/oscd
[OSCD] Powershell Disable Windows Defender AV
|
2020-10-13 11:23:03 +02:00 |
|
invrep-de
|
55201a94c0
|
[OSCD] Powershell Disable Windows Defender AV
|
2020-10-13 02:05:00 +02:00 |
|
Timur Zinniatullin
|
d1ef56bddb
|
@aw350m3 style complience (:
|
2020-10-13 02:47:09 +03:00 |
|
Timur Zinniatullin
|
5bd75521f2
|
Add win_invoke_obfuscation_via_var++.yml
|
2020-10-13 02:23:50 +03:00 |
|
Timur Zinniatullin
|
870574b635
|
Add powershell_invoke_obfuscation_via_var++.yml
|
2020-10-13 02:19:57 +03:00 |
|
sn0w0tter
|
863b880845
|
Titile capitalization
|
2020-10-12 16:04:41 -07:00 |
|
Thomas Patzke
|
a289eeaae6
|
Merge pull request #1089 from zBlurr/oscd
[OSCD] Presentationhost.exe LOLbin
|
2020-10-13 01:01:20 +02:00 |
|
Thomas Patzke
|
d6ceba3719
|
Merge pull request #1102 from svch0stz/oscd8
[OSCD] Create win_root_certificate_installed.yml
|
2020-10-13 01:00:23 +02:00 |
|
Thomas Patzke
|
d89ca07daa
|
Merge pull request #1133 from omkar72/oscd-1
[OSCD]updated adfind command line
|
2020-10-13 00:58:56 +02:00 |
|
Thomas Patzke
|
cb86c509f1
|
Merge pull request #1129 from bczyz1/oscd-sprint-2-keylogging
[OSCD] Modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature
|
2020-10-13 00:58:24 +02:00 |
|
Thomas Patzke
|
eaa9f293e7
|
Merge pull request #1125 from vburov/patch-12
[OSCD] Create powershell_cmdline_reversed_strings
|
2020-10-13 00:57:22 +02:00 |
|
Thomas Patzke
|
eb21860ab9
|
Merge pull request #1124 from bczyz1/oscd-sprint-2
[OSCD] Create sysmon_modify_screensaver_binary_path.yml
|
2020-10-13 00:56:33 +02:00 |
|
sn0w0tter
|
c6ddbc78ce
|
OSCD LOLBAS atbroker suspicious execution of ATs
|
2020-10-12 15:55:38 -07:00 |
|
Thomas Patzke
|
e2e3177e46
|
Merge pull request #1135 from omkar72/oscd-2
[OSCD] finger executable suspicious execution
|
2020-10-13 00:52:27 +02:00 |
|
Thomas Patzke
|
80e3c4b587
|
Merge pull request #1137 from banzay021/oscd
[OSCD] Pcwrun.exe detection added
|
2020-10-13 00:51:04 +02:00 |
|
Thomas Patzke
|
5664f72a2a
|
Merge pull request #1054 from NikitaStormwind/task#70
[OSCD] Detecting Code injection with PowerShell in another process #70
|
2020-10-13 00:47:13 +02:00 |
|
Thomas Patzke
|
4a74a56ba3
|
Merge pull request #1052 from NikitaStormwind/task
[OSCD] Detecting use WinAPI Functions in PowerShell #69
|
2020-10-13 00:46:25 +02:00 |
|
Thomas Patzke
|
8bee7272ab
|
Merge pull request #1051 from esebese/oscd
[OSCD] win_syncappvpublishingserver_exe.yml added
|
2020-10-13 00:45:22 +02:00 |
|
Thomas Patzke
|
768e500627
|
Merge pull request #1042 from NikitaStormwind/task29,30
[OSCD] Detecting use PsExec via Pipe Creation/Access to pipes #29 #30
|
2020-10-13 00:40:58 +02:00 |
|