
output RDP connection from Localcomputer #51

Closed
hitenkoku opened this issue Sep 23, 2021 · 4 comments
Assignees: hitenkoku
Labels: invalid (This doesn't seem right)

Comments

hitenkoku (Collaborator)

For the RDP connections implemented in #14, the local computer should not be displayed, but it is being displayed.

PS > .\WELA.ps1 -LogFile ..\testfiles\Test.evtx -LogonTimeline
██╗ ██╗███████╗██╗ █████╗
██║ ██║██╔════╝██║ ██╔══██╗
██║ █╗ ██║█████╗ ██║ ███████║
██║███╗██║██╔══╝ ██║ ██╔══██║
╚███╔███╔╝███████╗███████╗██║ ██║
╚══╝╚══╝ ╚══════╝╚══════╝╚═╝ ╚═╝
New Era of Windows Event Log Analyzer!
by Yamato Security

サービスアカウント、ローカルシステム、マシンアカウント等の不要なイベントを省いて、ログオンタイムラインを作成します。
少々お待ち下さい。

ファイル名 = ..\testfiles\Test.evtx
ファイルサイズ = 1.07 MB
想定処理時間:0時0分6秒

処理時間:0時0分0秒

タイムゾーン ログオン時間 ログオフ時間 経過時間 タイプ 認証 ターゲットユーザ 管理者 送信元のホスト名 送信元のIPアドレス


UTC+09:00 2021-08-16 16:07:19.78 10 - RemoteInteractive - defaultuser0 False - LOCAL
UTC+09:00 2021-08-16 16:08:15.38 10 - RemoteInteractive - User False - LOCAL
UTC+09:00 2021-08-16 16:09:39.70 7 - Unlock - User False -
UTC+09:00 2021-08-16 16:15:14.38 10 - RemoteInteractive - User False - LOCAL
UTC+09:00 2021-08-16 16:15:34.56 7 - Unlock - User False -
UTC+09:00 2021-08-16 18:07:43.44 10 - RemoteInteractive - User False -
UTC+09:00 2021-08-17 02:15:25.57 7 - Unlock - User False -
UTC+09:00 2021-08-17 04:22:11.85 10 - RemoteInteractive - User False - LOCAL
UTC+09:00 2021-08-17 04:42:52.30 10 - RemoteInteractive - User False - LOCAL
UTC+09:00 2021-09-22 20:15:39.08 10 - RemoteInteractive - User False - LOCAL
UTC+09:00 2021-09-22 21:12:55.91 10 - RemoteInteractive - User False - LOCAL
UTC+09:00 2021-09-22 21:46:17.57 10 - RemoteInteractive - User False - LOCAL
UTC+09:00 2021-09-22 22:24:05.40 10 - RemoteInteractive - User False - LOCAL
UTC+09:00 2021-09-22 23:10:34.92 10 - RemoteInteractive - User False - LOCAL
UTC+09:00 2021-09-22 23:14:38.76 10 - RemoteInteractive - User False - LOCAL
UTC+09:00 2021-09-22 23:15:40.14 7 - Unlock - User False - 192.168.5...
UTC+09:00 2021-09-22 23:21:22.32 7 - Unlock - User False - LOCAL
UTC+09:00 2021-09-22 23:22:25.81 7 - Unlock - User False - 192.168.5...
UTC+09:00 2021-09-22 23:44:39.32 7 - Unlock - User False - LOCAL
UTC+09:00 2021-09-23 00:25:31.22 7 - Unlock - User False - 192.168.5...
UTC+09:00 2021-09-23 00:26:51.89 7 - Unlock - User False - LOCAL

ログオンイベントの合計: 21
ログイベントのデータ削減率: 0%
フィルタ済のログオンイベント: 21

タイプ 0 システムログオン(端末の起動時間): 0
タイプ 2 インタラクティブログオン (例:コンソール、VNC等) (注意:認証情報がメモリに格納されて、盗まれる危険性がある。): 0
タイプ 3 ネットワークログオン (例:SMB共有、netコマンド、rpcclient、psexec、winrm等々): 0
タイプ 4 バッチログオン (例:スケジュールされたタスク): 0
タイプ 5 サービスログオン: 0
タイプ 7 ロック解除(またはRDPの再接続)のログオン: 9
タイプ 8 平文のネットワークログオン (例:IISのBasic認証)(注意:ハッシュ化されていないパスワードが使用されている。): 0
タイプ 9 新しい認証情報でのログオン (例:「runas /netonly」のコマンド)(注意:認証情報がメモリに格納されて、盗まれる危険性がある。): 0
タイプ 10 リモートインタラクティブのログオン (例:RDP) (注意:認証情報がメモリに格納されて、盗まれる危険性がある。): 12
タイプ 11 キャッシュされた認証情報によるインタラクティブログオン (例:DCに接続できない場合): 0
タイプ 12 キャッシュされた認証情報によるリモートインタラクティブログオン (例:キャッシュされた認証情報によるRDP、Microsoftライブアカウントの使用): 0
タイプ 13 キャッシュされた認証情報によるロック解除のログオン (例:DCに接続できない場合のロック解除またはRDP再接続): 0
その他のタイプのログオン: 0

@hitenkoku hitenkoku added the bug Something isn't working label Sep 23, 2021
@hitenkoku hitenkoku self-assigned this Sep 23, 2021
hitenkoku (Collaborator, Author)

The cause is a missing initialization of $outputThisEvent.
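As an added illustration (not code from WELA or from this issue's author), the PowerShell below shows how a per-event output flag that is declared once outside the loop and never reset produces exactly this symptom: once one RDP logon qualifies for output, every later one is emitted too, including those sourced from the local computer. The sample event records, the `LOCAL` literal, the `Test-ShouldOutput` rule and the function names are constructed assumptions for the demonstration; the only fact taken from the issue is that type-10 (RemoteInteractive) logons from the local computer should be suppressed in the logon timeline.

```powershell
# Added illustration, not WELA's own code: a loop-carried output flag that
# lets a "LOCAL"-sourced RDP logon slip into the timeline, and the fix.
# The event objects below are constructed sample data, not real EVTX records.
$sampleEvents = @(
    [pscustomobject]@{ Time = '2021-09-22 23:10:34'; LogonType = 10; Auth = 'RemoteInteractive'; User = 'User'; Workstation = '192.168.56.102' }
    [pscustomobject]@{ Time = '2021-09-22 23:14:38'; LogonType = 10; Auth = 'RemoteInteractive'; User = 'User'; Workstation = 'LOCAL' }
    [pscustomobject]@{ Time = '2021-09-22 23:15:40'; LogonType = 7;  Auth = 'Unlock';            User = 'User'; Workstation = '192.168.56.102' }
)

# Decision rule assumed for illustration: emit RDP (type 10) logons only when
# the source workstation is not the local machine; emit unlock (type 7) events always.
function Test-ShouldOutput {
    param([pscustomobject]$Event)
    if ($Event.LogonType -eq 10 -and $Event.Workstation -eq 'LOCAL') { return $false }
    return $true
}

# Buggy shape: $outputThisEvent is initialized once, before the loop, and is
# only ever set to $true. After the first qualifying event, every later event
# is emitted regardless of its own source workstation.
function Get-LogonTimelineBuggy {
    param([object[]]$Events)
    $outputThisEvent = $false
    foreach ($e in $Events) {
        if (Test-ShouldOutput $e) { $outputThisEvent = $true }
        if ($outputThisEvent) { $e }
    }
}

# Fixed shape: the flag is re-initialized at the top of every iteration, so
# each event's output decision depends only on that event.
function Get-LogonTimelineFixed {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $outputThisEvent = $false
        if (Test-ShouldOutput $e) { $outputThisEvent = $true }
        if ($outputThisEvent) { $e }
    }
}

$buggy = @(Get-LogonTimelineBuggy -Events $sampleEvents)
$fixed = @(Get-LogonTimelineFixed -Events $sampleEvents)
"Buggy: $($buggy.Count) rows, LOCAL row leaked: $($buggy.Workstation -contains 'LOCAL')"
"Fixed: $($fixed.Count) rows, LOCAL row leaked: $($fixed.Workstation -contains 'LOCAL')"
```

Run as a script: the buggy function returns all three rows because the remote logon at 23:10 sets the flag and the LOCAL row at 23:14 inherits it, while the fixed function returns two rows. The same loop-state defect hides whenever a flag is only ever assigned in one direction inside a loop; resetting it per iteration (or computing it as a single expression per event) is the reliable shape.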

hitenkoku (Collaborator, Author) commented Sep 23, 2021

It seems it was accidentally deleted while resolving merge conflicts in ac597c9.

hitenkoku (Collaborator, Author)

Confirmed that this is addressed in 9a8a806, as shown below:

PS C:\Users\User\Desktop\WELA> .\WELA.ps1 -LogFile "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" -LogonTimeline
██╗ ██╗███████╗██╗ █████╗
██║ ██║██╔════╝██║ ██╔══██╗
██║ █╗ ██║█████╗ ██║ ███████║
██║███╗██║██╔══╝ ██║ ██╔══██║
╚███╔███╔╝███████╗███████╗██║ ██║
╚══╝╚══╝ ╚══════╝╚══════╝╚═╝ ╚═╝
New Era of Windows Event Log Analyzer!
by Yamato Security

Creating a logon timeline excluding noisy events such as service, system and machine account local logons.
Please be patient.

File Name: C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
File Size: 1.00 MB
Estimated processing time: 0 hours 0 minutes 6 seconds

Processing time: 0 hours 0 minutes 0 seconds.

Timezone Logon Time Logoff Time Elapsed Time Type Auth Target User Admin Source Workstation Source IP Address Source Port Process Name


UTC-08:00 2021-08-16 00:09:39.70 7 - Unlock - User False - - -
UTC-08:00 2021-08-16 00:15:34.56 7 - Unlock - User False - - -
UTC-08:00 2021-08-16 02:07:43.44 10 - RemoteInteractive - User False - - -
UTC-08:00 2021-08-16 10:15:25.57 7 - Unlock - User False - - -
UTC-08:00 2021-09-22 07:15:40.14 7 - Unlock - User False - 192.168.56.102 - -
UTC-08:00 2021-09-22 07:22:25.81 7 - Unlock - User False - 192.168.56.102 - -
UTC-08:00 2021-09-22 08:25:31.22 7 - Unlock - User False - 192.168.56.102 - -

Total logon event records: 24
Log event data reduction: 70.8%
Total filtered logons: 7

Type 0 System Logons (System runtime): 0
Type 2 Interactive Logons (Ex: Console logon, VNC) (Dangerous: Credentials in memory): 0
Type 3 Network Logons (Ex: SMB Share, net command, rpcclient, psexec, winrm): 0
Type 4 Batch Logons (Ex: Scheduled Tasks): 0
Type 5 Service Logons: 0
Type 7 Screen Unlock (and RDP reconnect) Logons: 6
Type 8 NetworkCleartext Logons (Ex: IIS Basic Auth)(Dangerous: plaintext password used for authentication): 0
Type 9 NewCredentials Logons (Ex: runas /netonly command)(Dangerous: Credentials in memory): 0
Type 10 RemoteInteractive Logons (Ex: RDP) (Dangerous: Credentials in memory): 1
Type 11 CachedInteractive/Cached Credentials Logons (Ex: Cannot connect to DC for authentication): 0
Type 12 CachedRemoteInteractive (Ex: RDP with cached credentials, Microsoft Live Accounts): 0
Type 13 CachedUnlocked Logons (Ex: Unlock or RDP reconnect without authenticated to DC): 0
Other Type Logons: 0

@hitenkoku hitenkoku added invalid This doesn't seem right and removed bug Something isn't working labels Sep 29, 2021
hitenkoku added a commit that referenced this issue Nov 2, 2021
* create framework
separate util function #28

* create SIGMA Rule Read Framework #28

* create framework add ntlm logon sigma rule test
Fixes #28

* fix rule stack #28

* add detection call fix other script call #28

* erase duplicate process

* fix add-rule template & erase debug print #28

* add SIGMA Powershell Code(not adjust WELA)

* add SIGMA rule adjust WELA Framework #28

* add SIGMA rule translated WELA Framework #28

* add SIGMA rule translated WELA Framework #28

* moved categorize folder

* adjust multi rule

* fix detected message

* checked powershell category rules #28

* fix error

* moved dir checked process creation category #28

* checked rules and adjust multi rules #28

* moved SIGMA rule to category directory #28

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed head comment out

* fixed head comment out

* fixed lacked if case

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* replace sigmac powershell convert result

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed sigmac translate error #28

* fix lacked copy rule #28

* fixed lacked copy rule #28

* fixed lacked copy rule #28

* fixed lacked copy rule #28

* unification detectedMessage variable expression

* unification detectedMessage variable expression

* change format to multi detect rules #28

* fixed syntax error #28

* add param and help #28

* erased duplicate file to not execute same detection check

* fix output detail to Rules/SIGMA #21 #28

* erase unnecessary liveanalysis parameter #28

* erase unnecessary liveanalysis param #28

* due to remove liveanalysis argument from add-rule

* added DeepBlueCLI Util Function #30

* add DeepBlueCLI Rule(4688-ProcessCreate) #30

* add DeepBlueCLI Rule(4672-AdminAccountAccessAllAlert) #30

* add DeepBlueCLI Rule(4720-ProcessCreate) #30

* add providername condition and fix error #30

* fix index to creator and fix func check-command argumentation #30

* fixed multi record process #30

* fixed adjust multi record #30

* fixed adjust multi record in 4688DeepblueRule #30

* add DeepBlueCLI RULE(4728_4732_4756) #30

* remove unnecessary foreach

* add DeepBlueCLI Rule(4625)

* rename 4625

* fixed lacked extension 4625

* erased unnecessary if

* add DeepBlueCLI Rule(4673 Security) #30

* add DeepBlueCLI Rule(4674 Security) #30

* add 4624 and 4628 password spray attack WELA Rule

* fix file name

* fix filename and event ID in passwordsprayattack

* adjust argument dateformat

* add DeepBlueCLI Rule(1102 Security) #30

* fix typo

* fixed where object search providername #30

* add DeepBlueCLI Rule(7045 System) and add argument in util.ps1 #30

* add DeepBlueCLI Rule(104 System) #30

* add DeepBlueCLI Rule(7030 System) #30

* add DeepBlueCLI Rule(7036 System) #30

* add DeepBlueCLI Rule(7040 System) #30

* add DeepBlueCLI Rule(2 Application) #30

* erase omission of copied data

* add DeepBlueCLI Rule(8003 Applocker) #30

* fix detected message

* add DeepBlueCLI Rule(8004 Applocker) #30

* add DeepBlueCLI Rule(4103 PowerShell) #30

* add DeepBlueCLI Rule(4104 PowerShell) #30

* filename changed and add DeepBlueCLI Rule(4104 PowerShell) #30

* add DeepBlueCLI Rule(7 Sysmon) #30

* change scope when execute rule #21 #28 #30

* fix syntax error #21 #28

* erased unnecessary module load #21 #28 #30

* remove duplicate process when resolve conflict merge main

merge log 17f4f13

* fix autoformatter change

* fix autoformat

* remove unnecessary global variable #28

* fix autoformatting

* add parameter to scriptblock

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix Wrong Filter WELA-Rules #30
change ProviderName to LogName

* fix single escape sequence

* fix single escape sequence in SIGMA:process_create/sysmon/wmi_event

* fix detect output format

* fix argumentation in detect function on Rules #21 #28 #30

* add contributors accounts

* fix UseDetectRule output color

* fix function call error

* add Get-WinEvent exception warning output #48

* fix if statement condition

* add DeepBlueCLI ResultObject and check-command function add servicecmd and obj #30

* erase test output

* fix error when SaveOutput is Null #49

* fix rulename and detected message in 7045-servicecreated

* comment out output executing rule name

* change scope of detectedMessage and ruleName on WELA-Rule(DeepBlueCLI) and SIGMA #28

WELA-Rule:All Completed
SIGMA :20 Completed

* change scope detectedMessage SIGMA and duplicate detectedMessage on SIGMA and WELA-Rule #21 #28 #30

WELA-Rule:All Completed
SIGMA: All Completed

* lacked DeepBlueCLI Result object #30

* add recurse property to Logdirectory file search

* add regexes and whitelist and error fix on utils.ps1 #30

- add regexes and whitelist
- fix error check when commandline is null

* fix event variable is wrong #30

* erase debug output

* fix output format & add ruleName and detectedMessage multi detect pattern in rule #21 #28 #30

* fix error

- lacked variable call to set_item method
- lacked converting firstdetecttime to DateTime type

* fixed for loop

* Fixed saveoutput case #49

* changed no output executerule case of UseDetectRules is 0 #28

* removed debug output

* changed no output executerule case of UseDetectRules is 0 #28

* fix LogonTimeline outputflag lacked initialize in WELA #51

* fix cmdlet is not verb

* get rid of lint warn #37

* fix case of 0 divide in LogonTimeline #52

* output change no match logon record #53

- add output case of no match in get-winevent

- removed output logon output when LogonEvents count is 0

* output filename in EventIDStatistics mode #54

* removed duplicate filesize output #54

* fix output header evtx files in LogDirectory in EventIDStatistics mode #55

* changed Output Format on DeepBlueCLI Rule #30

* fixed powershell invoke deepbluecli rule logname wrong #30

* fixed lacked count on DeepblueCLI Rule(4625) #30

* erase debug output

* fixed error occurring module import error

* commented converted powershell

* fix rule import argument

* fixed rule singlequote error

* fix double quote lack error

* commented converted powershell

* fixed lacked get-winevent remove

* fixed lack of convert escape sequence in match

* fix result output write-host to write-output

* fix output rule import error to write-host

* fix lacked arg in write-output when output empty row

* adapt formatter

* Feature/add remote computer live analysis #31 (#56)

* Add_RDP_analysis_#14

* Add RemoteLiveAnalysis function

* Add remote machine analysis

* Add Help Messages

* Update subtitle

* Remove the process of checking the execution-policy.

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>

* adapt formatter

* fix rule condition

change match to eq

* used arraylist add method

* remove unnecessary process

* fixed check command return

* fixed error output condition case of logfile specified and not liveanalysis is false

* fixed detection process due sorted difference from DeepBlueCLI

* fixed lacked argument call check-command

* adapt formatter

* add DeepBlueCLI passspray detection logic

* fixed passwordguess detection logic #28

* moved show-contributors to utils.ps1

* default servicecd value set

* fixed lacked initialize

* fixed null result output

* fixed typo fixed

* AV to read SIGMA mimikatz Rule

* add IDs

* fixed mimikatz detection check script blocked by AMSI

* fixed result is null execution case

* fixed not exist registry value error

* fixed read template ps1 file

* fixed process view #28

* fixed null check

* fixed match rule

Co-authored-by: ogino <59769602+oginoPmP@users.noreply.github.com>
Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
hitenkoku (Collaborator, Author)

Done. Closing since it has been merged.

hitenkoku added a commit that referenced this issue Nov 3, 2021
* fixed match contents #21

* comment out debug write-out statement

Co-authored-by: ogino <59769602+oginoPmP@users.noreply.github.com>
Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
YamatoSecurity added a commit that referenced this issue Dec 24, 2021