|
|
3fae5dbef6
|
Update to catch services.exe DAC permission change to hide services
|
2020-09-14 16:37:59 -04:00 |
|
|
|
bc63790883
|
Report on cleared Security and System event logs, close #18
|
2020-09-10 11:08:47 -04:00 |
|
|
|
486dd1f9ce
|
Fix Event ID reporting in analysis @scriptedstatement; whitespace cleanup
|
2020-08-18 08:51:54 -04:00 |
|
|
|
d004e13d2e
|
Add .gitignore
|
2020-08-18 08:48:45 -04:00 |
|
|
|
29daee42ce
|
Add simple test case to run all repo EVTX files with DeepBlue.ps1
|
2020-08-18 08:48:22 -04:00 |
|
|
|
8cbb39a17d
|
Fixed typo in Examples section
|
2020-01-20 11:25:07 -05:00 |
|
|
|
7294cc4181
|
Changed multiple failed login alert from 25 to 5 to more accurately reflect password spray attack evidence
|
2019-12-24 11:09:45 -05:00 |
|
|
|
5c0c972328
|
Merge pull request #12 from itpropaul/patch-1
typo: fixed "event 4013" to be "event 4103"
|
2019-07-24 17:01:20 -04:00 |
|
|
|
ea289ac312
|
typo: fixed "event 4013" to be "event 4103"
|
2019-07-24 16:36:34 -04:00 |
|
|
|
5e796ca588
|
Updated the events table
|
2019-05-08 10:47:14 -07:00 |
|
|
|
9834750e0e
|
Removed token::elevate from readme
|
2019-05-08 10:37:03 -07:00 |
|
|
|
d500632c50
|
Disable Mimikatz token::elevate detection; I thought I was on to a cool detect, but sadly it's just Windows operating normally with excessive privileges.
|
2019-05-06 14:40:17 -04:00 |
|
|
|
612cde1cf3
|
Disable Metasploit psexec detect due to false-positive conflict with MS Exchange; revise alert for _Multiple admin logons for one account_ to show attempt count instead of unique event IDs
|
2019-05-06 14:34:31 -04:00 |
|
|
|
1708e03fc3
|
Added section link
|
2019-05-04 17:48:23 -03:00 |
|
|
|
4eeb1c0bb7
|
Minor edits
|
2019-05-04 16:51:44 -03:00 |
|
|
|
840826359b
|
Reorganized the READMEs
|
2019-05-04 12:41:14 -03:00 |
|
|
|
84e726b99e
|
Rename Set-ExecutionPolicy.md to READMEs/Set-ExecutionPolicy.md
|
2019-05-04 12:38:31 -03:00 |
|
|
|
8d7cb1114e
|
Delete readme-deepblue.py
|
2019-05-04 12:38:15 -03:00 |
|
|
|
3640dc1a1b
|
Rename README-DeepWhite.md to READMEs/README-DeepWhite.md
|
2019-05-04 12:37:36 -03:00 |
|
|
|
af4f55cc2c
|
Rename README-DeepBlue.py.md to READMEs/README-DeepBlue.py.md
|
2019-05-04 12:37:13 -03:00 |
|
|
|
3996c44cd3
|
Create test.md
|
2019-05-04 12:36:03 -03:00 |
|
|
|
5e3108288e
|
Create Set-ExecutionPolicy.md
|
2019-05-04 12:34:58 -03:00 |
|
|
|
7166a8f529
|
Updated links
|
2019-05-04 12:04:35 -03:00 |
|
|
|
4572c78387
|
Updated link
|
2019-05-04 12:02:03 -03:00 |
|
|
|
940d8a25a8
|
Added mire output options
|
2019-05-04 11:32:13 -03:00 |
|
|
|
a5db7c4771
|
Output table formatting
|
2019-05-04 10:33:51 -03:00 |
|
|
|
56178ec0f6
|
Reformatted output table
|
2019-05-04 10:33:00 -03:00 |
|
|
|
3673416cc7
|
Fixed output table typo
|
2019-05-04 10:31:50 -03:00 |
|
|
|
8d2c355718
|
Added output section
|
2019-05-04 10:31:10 -03:00 |
|
|
|
7cbb5748e4
|
Add Metsploit psexec-specific privilege requests for Event ID 4672 detection, tweak Mimikatz detection message
|
2019-05-03 11:39:43 -04:00 |
|
|
|
e3cb0142c6
|
Updated detected events
|
2019-05-03 12:21:17 -03:00 |
|
|
|
712b25e9f4
|
Fixed table typo
|
2019-05-03 10:20:11 -03:00 |
|
|
|
9d9fc47473
|
Formatting table
|
2019-05-03 10:09:44 -03:00 |
|
|
|
7d413ffbda
|
Update README.md
|
2019-05-03 10:08:51 -03:00 |
|
|
|
3f393526e5
|
Added Mimikatz token::elevate example
|
2019-05-03 10:07:21 -03:00 |
|
|
|
bcf0022b60
|
Merge pull request #11 from joswr1ght/master
Add more Mimikatz detection, focusing on token::elevate as a non-admin user
|
2019-05-03 12:32:00 +00:00 |
|
|
|
9a293b974e
|
Add more Mimikatz detection, focusing on token::elevate as a non-admin user
|
2019-05-03 06:33:20 -04:00 |
|
|
|
c2dfa045ff
|
Added event log example
|
2019-05-01 16:59:17 -03:00 |
|
|
|
2aa4cfe191
|
Minor formatting
|
2019-05-01 16:15:55 -03:00 |
|
|
|
8ca0df7a0e
|
Menu cleanup
|
2019-05-01 11:51:14 -03:00 |
|
|
|
7c8e3eef00
|
Cleaned up the menus
|
2019-05-01 11:46:43 -03:00 |
|
|
|
7557597acb
|
Updated intro
|
2019-05-01 11:31:02 -03:00 |
|
|
|
12238e78e5
|
s/Lines/Line/g
|
2019-05-01 11:23:47 -03:00 |
|
|
|
68d482ac56
|
More examples
|
2019-05-01 11:00:42 -03:00 |
|
|
|
ecd1a6be47
|
Updated the examples table
|
2019-05-01 10:57:29 -03:00 |
|
|
|
3d3e0b281b
|
Added initial examples menu
|
2019-05-01 10:51:42 -03:00 |
|
|
|
f453ede47c
|
s/Powershell/PowerShell/g
|
2019-05-01 10:31:09 -03:00 |
|
|
|
82cc713117
|
Mentioned run as administrator for live security log
|
2019-05-01 09:58:29 -03:00 |
|
|
|
ac077b145c
|
Merge pull request #10 from joswr1ght/master
Add password spray detection, sample evtx
|
2019-04-30 21:26:54 +00:00 |
|
|
|
f17d32491e
|
Add password spray detection, sample evtx
|
2019-04-30 17:11:56 -04:00 |
|
