d500632c50  2019-05-06 14:40:17 -04:00
    Disable Mimikatz token::elevate detection; I thought I was on to a cool detect, but sadly it's just Windows operating normally with excessive privileges.

612cde1cf3  2019-05-06 14:34:31 -04:00
    Disable Metasploit psexec detect due to false-positive conflict with MS Exchange; revise alert for _Multiple admin logons for one account_ to show attempt count instead of unique event IDs

1708e03fc3  2019-05-04 17:48:23 -03:00
    Added section link

4eeb1c0bb7  2019-05-04 16:51:44 -03:00
    Minor edits

840826359b  2019-05-04 12:41:14 -03:00
    Reorganized the READMEs

84e726b99e  2019-05-04 12:38:31 -03:00
    Rename Set-ExecutionPolicy.md to READMEs/Set-ExecutionPolicy.md

8d7cb1114e  2019-05-04 12:38:15 -03:00
    Delete readme-deepblue.py

3640dc1a1b  2019-05-04 12:37:36 -03:00
    Rename README-DeepWhite.md to READMEs/README-DeepWhite.md

af4f55cc2c  2019-05-04 12:37:13 -03:00
    Rename README-DeepBlue.py.md to READMEs/README-DeepBlue.py.md

3996c44cd3  2019-05-04 12:36:03 -03:00
    Create test.md

5e3108288e  2019-05-04 12:34:58 -03:00
    Create Set-ExecutionPolicy.md

7166a8f529  2019-05-04 12:04:35 -03:00
    Updated links

4572c78387  2019-05-04 12:02:03 -03:00
    Updated link

940d8a25a8  2019-05-04 11:32:13 -03:00
    Added more output options

a5db7c4771  2019-05-04 10:33:51 -03:00
    Output table formatting

56178ec0f6  2019-05-04 10:33:00 -03:00
    Reformatted output table

3673416cc7  2019-05-04 10:31:50 -03:00
    Fixed output table typo

8d2c355718  2019-05-04 10:31:10 -03:00
    Added output section

7cbb5748e4  2019-05-03 11:39:43 -04:00
    Add Metasploit psexec-specific privilege requests for Event ID 4672 detection, tweak Mimikatz detection message

e3cb0142c6  2019-05-03 12:21:17 -03:00
    Updated detected events

712b25e9f4  2019-05-03 10:20:11 -03:00
    Fixed table typo

9d9fc47473  2019-05-03 10:09:44 -03:00
    Formatting table

7d413ffbda  2019-05-03 10:08:51 -03:00
    Update README.md

3f393526e5  2019-05-03 10:07:21 -03:00
    Added Mimikatz token::elevate example

bcf0022b60  2019-05-03 12:32:00 +00:00
    Merge pull request #11 from joswr1ght/master
    Add more Mimikatz detection, focusing on token::elevate as a non-admin user

9a293b974e  2019-05-03 06:33:20 -04:00
    Add more Mimikatz detection, focusing on token::elevate as a non-admin user

c2dfa045ff  2019-05-01 16:59:17 -03:00
    Added event log example

2aa4cfe191  2019-05-01 16:15:55 -03:00
    Minor formatting

8ca0df7a0e  2019-05-01 11:51:14 -03:00
    Menu cleanup

7c8e3eef00  2019-05-01 11:46:43 -03:00
    Cleaned up the menus

7557597acb  2019-05-01 11:31:02 -03:00
    Updated intro

12238e78e5  2019-05-01 11:23:47 -03:00
    s/Lines/Line/g

68d482ac56  2019-05-01 11:00:42 -03:00
    More examples

ecd1a6be47  2019-05-01 10:57:29 -03:00
    Updated the examples table

3d3e0b281b  2019-05-01 10:51:42 -03:00
    Added initial examples menu

f453ede47c  2019-05-01 10:31:09 -03:00
    s/Powershell/PowerShell/g

82cc713117  2019-05-01 09:58:29 -03:00
    Mentioned run as administrator for live security log

ac077b145c  2019-04-30 21:26:54 +00:00
    Merge pull request #10 from joswr1ght/master
    Add password spray detection, sample evtx

f17d32491e  2019-04-30 17:11:56 -04:00
    Add password spray detection, sample evtx

cd44a63604  2019-04-30 17:29:44 -03:00
    Added list of detected events

4514af7f4a  2019-04-30 17:12:51 -03:00
    Minor update, added Set-ExecutionPolicy bypass example

ae08b49ffc  2019-04-30 19:42:00 +00:00
    Merge pull request #9 from joswr1ght/master
    Add Event ID 4673 Sensitive Privilege Use detection for Mimikatz

6766ac618c  2019-04-30 14:38:43 -04:00
    Add Event ID 4673 Sensitive Privilege Use detection for Mimikatz

cce18d1568  2019-04-30 14:42:16 +00:00
    Version 2.01, added password spraying and initial Bloodhound detection

8952278d3b  2019-04-29 16:50:19 -03:00
    Merge pull request #8 from joswr1ght/master
    Add detector and event log to watch for Event Log Service stop/start …

2fe7d13599  2019-04-28 14:23:23 -04:00
    Add detector and event log to watch for Event Log Service stop/start as an indicator of event log tampering with eventlogedit

a98ef0e402  2017-11-07 12:28:21 -05:00
    Post-DerbyCon update

6a4766e25e  2017-10-03 10:02:43 -04:00
    Update README.md

18ba3fc256  2017-09-22 14:14:02 -04:00
    Delete Powershell-Invoke-Obfuscation-token-menu.evtx

4922dc7aa6  2017-09-20 16:03:21 -04:00
    Tweaked the PowerShell 4104 CLI detector