Commit Graph

36 Commits

Author SHA1 Message Date
ce3c408efa Minor version update 2023-06-07 16:06:15 -04:00
9e51dd0579 Merge pull request #25 from netscylla/wmi-events
WMI events
2023-06-07 13:41:55 -04:00
2fc4fd599f Merge pull request #27 from TheNiv/patch-1
Fixed Windows event log check.
2023-06-07 13:36:07 -04:00
f5b844cb1a Small typographical error in output 2021-11-11 11:10:04 -05:00
ea97820b79 Fixed Windows event log check.
The output of the start/stop Windows Event Log service check was not correct.
After checking the script on the sample file disablestop-eventlog.evtx, I noticed that the output was not correct and found that it is actually the third parameter that should be checked instead of the second.
2021-11-06 10:11:03 +02:00
cf9411f721 Added another base64 encoding method 2021-10-29 16:37:26 -04:00
45d62cbfbe Was analyzing Sysmon event 1 image instead of CommandLine. Fixed 2021-10-29 16:17:25 -04:00
350fe3c134 Added # of unique accounts sprayed 2021-10-28 15:15:27 -04:00
d7d8d5eb80 s/Passworg/Password/g 2021-10-28 14:57:37 -04:00
15999a1243 Inclusive language update 2021-10-28 12:00:04 -04:00
0c7338dd38 Update DeepBlue.ps1
fixed indentation
2021-09-16 13:57:35 +01:00
ddb9e3e0fa Added code to support flagging suspicious wmi filter events, also added sample log file 2021-09-16 13:55:34 +01:00
122d078efe Update System EID 104 output for DeepBlue.ps1
Added functionality for DeepBlue.ps1 to pull the "message" field from the EVTX log for System EID 104 log-clearing events, to properly show the correct log file being cleared.
2021-05-05 16:35:17 -04:00
c2a3840bae Correct typo in DeepBlue.ps1 hidden service detect 2020-10-13 06:47:30 -04:00
3fae5dbef6 Update to catch services.exe DAC permission change to hide services 2020-09-14 16:37:59 -04:00
bc63790883 Report on cleared Security and System event logs, close #18 2020-09-10 11:08:47 -04:00
486dd1f9ce Fix Event ID reporting in analysis @scriptedstatement; whitespace cleanup 2020-08-18 08:51:54 -04:00
7294cc4181 Changed multiple failed login alert from 25 to 5 to more accurately reflect password spray attack evidence 2019-12-24 11:09:45 -05:00
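The two spray-related commits above (the failed-logon threshold lowered from 25 to 5 in 7294cc4181, and the count of unique accounts sprayed added in 350fe3c134) describe a heuristic rather than show it. The following is an added example written for this page, not code from the DeepBlueCLI repository: it applies that heuristic to constructed Security event 4625 (failed logon) records, groups failures by source address over a sliding time window, and reports how many distinct accounts were targeted so that a spray (many accounts, one attempt each) can be told apart from repeated failures against a single account. The field names follow the 4625 EventData schema (TargetUserName, IpAddress); the per-source grouping, the 60-minute window, the sample data and the spray/brute-force labelling rule are assumptions for illustration.

```powershell
# Added example (not DeepBlueCLI code). Assumptions: per-source grouping,
# a 60-minute sliding window, and the labelling rule below.

function ConvertFrom-Logon4625 {
    # Flatten one Security 4625 EventRecord into the three fields the
    # detector needs, looking EventData elements up by Name rather than index.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated    = $Event.TimeCreated
        TargetUserName = $data['TargetUserName']
        IpAddress      = $data['IpAddress']
    }
}

function Find-PasswordSpray {
    param(
        # Objects with TimeCreated, TargetUserName, IpAddress (see ConvertFrom-Logon4625)
        [Parameter(Mandatory)] [object[]] $FailedLogons,
        [int] $Threshold     = 5,    # commit 7294cc4181 lowered this from 25 to 5
        [int] $WindowMinutes = 60    # assumed window; DeepBlueCLI's own logic may differ
    )

    $alerts = @()
    foreach ($src in ($FailedLogons | Group-Object -Property IpAddress)) {
        $sorted = @($src.Group | Sort-Object -Property TimeCreated)

        # Sliding window: starting at each failure, collect failures from the
        # same source within the next $WindowMinutes and keep the densest window.
        $best = @()
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end    = $sorted[$i].TimeCreated.AddMinutes($WindowMinutes)
            $window = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.TimeCreated -le $end })
            if ($window.Count -gt $best.Count) { $best = $window }
        }

        if ($best.Count -ge $Threshold) {
            $accounts = @($best | ForEach-Object { $_.TargetUserName } | Sort-Object -Unique)
            # Assumed labelling rule: at least $Threshold distinct accounts in the
            # window is the spray pattern; otherwise it is repeated failures
            # against few accounts (brute force, or a stale cached credential).
            $pattern = if ($accounts.Count -ge $Threshold) { 'password spray' }
                       else { 'repeated failures against few accounts' }
            $alerts += [pscustomobject]@{
                Source         = $src.Name
                FailedLogons   = $best.Count
                UniqueAccounts = $accounts.Count
                Accounts       = ($accounts -join ', ')
                Pattern        = $pattern
            }
        }
    }
    $alerts
}

# Constructed sample data (not real log content):
#  - 10.0.0.50 tries six different accounts once each within three minutes (spray)
#  - 10.0.0.77 fails five times against one account (brute force style)
#  - 10.0.0.9  fails three times, below the threshold, and should not alert
$t0 = Get-Date '2019-04-30T12:00:00'
$sample = @()
$users = 'alice', 'bob', 'carol', 'dave', 'erin', 'frank'
for ($i = 0; $i -lt $users.Count; $i++) {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(30 * $i); TargetUserName = $users[$i]; IpAddress = '10.0.0.50' }
}
for ($i = 0; $i -lt 5; $i++) {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(10 + $i); TargetUserName = 'administrator'; IpAddress = '10.0.0.77' }
}
for ($i = 0; $i -lt 3; $i++) {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(20 + $i); TargetUserName = 'svc_backup'; IpAddress = '10.0.0.9' }
}

Find-PasswordSpray -FailedLogons $sample | Format-Table -AutoSize

# Live use against the local Security log (run elevated):
# Find-PasswordSpray -FailedLogons (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
#     ForEach-Object { ConvertFrom-Logon4625 $_ })
```

On the constructed sample this reports two sources: 10.0.0.50 with 6 failures across 6 accounts, labelled as a spray, and 10.0.0.77 with 5 failures against 1 account, labelled as repeated failures; 10.0.0.9 stays below the threshold and is not reported. The unique-account count is what makes the 5-failure threshold usable in practice: on its own, five failures is easily produced by one user with an expired password, while five failures spread over five accounts from one source is rarely benign.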
d500632c50 Disable Mimikatz token::elevate detection; I thought I was on to a cool detect, but sadly it's just Windows operating normally with excessive privileges. 2019-05-06 14:40:17 -04:00
612cde1cf3 Disable Metasploit psexec detect due to false-positive conflict with MS Exchange; revise alert for _Multiple admin logons for one account_ to show attempt count instead of unique event IDs 2019-05-06 14:34:31 -04:00
7cbb5748e4 Add Metasploit psexec-specific privilege requests for Event ID 4672 detection, tweak Mimikatz detection message 2019-05-03 11:39:43 -04:00
9a293b974e Add more Mimikatz detection, focusing on token::elevate as a non-admin user 2019-05-03 06:33:20 -04:00
f17d32491e Add password spray detection, sample evtx 2019-04-30 17:11:56 -04:00
6766ac618c Add Event ID 4673 Sensitive Privilege Use detection for Mimikatz 2019-04-30 14:38:43 -04:00
cce18d1568 Version 2.01, added password spraying and initial Bloodhound detection 2019-04-30 14:42:16 +00:00
2fe7d13599 Add detector and event log to watch for Event Log Service stop/start as an indicator of event log tampering with eventlogedit 2019-04-28 14:23:23 -04:00
72f9d7a944 Another pre-DerbyCon update 2017-09-20 08:46:20 -04:00
a863f74553 Major Update to v1.9 pre-DerbyCon 2017-09-18 21:49:19 -04:00
dff301f17a Add files via upload 2017-09-10 21:29:48 -04:00
f91e4c8934 Add files via upload 2017-09-10 18:24:28 -04:00
341e9dcfcf Add files via upload 2017-09-07 16:27:31 -04:00
8c9bff9614 Major update to version 0.3 2017-08-30 15:43:08 -04:00
42f6273892 s/check-service/check-regex/g 2017-08-19 13:03:27 -04:00
769149b343 Added command obfuscation detection 2016-09-23 17:38:51 -04:00
5a90b6987e Add files via upload 2016-09-23 11:02:05 -04:00
5755000882 Add files via upload 2016-09-20 15:24:53 -04:00