security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Merge PR #5717 from @tropChaud - Add and Enhance Windows Default Domain GPO & RDP Tampering Rules

Browse Source 
new: Windows Default Domain GPO Modification
new: Windows Default Domain GPO Modification via GPME
update: Potential Tampering With RDP Related Registry Keys Via Reg.EXE - Add coverage for SecurityLayer value
update: RDP Sensitive Settings Changed - Add coverage for SecurityLayer value
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
IntelScott
2025-11-23 09:51:08 -05:00
committed by GitHub
parent 5121401b01
commit 0d7658fb3a
5 changed files with 136 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/known-FPs.csv
+1
View File
@@ -70,3 +70,4 @@ ef9dcfed-690c-4c5d-a9d1-482cd422225c;Browser Execution In Headless Mode;.*
65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)
de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys Using Reg.EXE;\\Discord\\
24357373-078f-44ed-9ac4-6d334a668a11;Direct Autorun Keys Modification;Discord\.exe
dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
1 RuleId RuleName MatchString
70 65236ec7-ace0-4f0c-82fd-737b04fd4dcb EVTX Created In Uncommon Location Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)
71 de587dce-915e-4218-aac4-835ca6af6f70 Potential Persistence Attempt Via Run Keys Using Reg.EXE \\Discord\\
72 24357373-078f-44ed-9ac4-6d334a668a11 Direct Autorun Keys Modification Discord\.exe
73 dcff7e85-d01f-4eb5-badd-84e2e6be8294 Windows Default Domain GPO Modification via GPME Computer: WIN-FPV0DSIC9O6.sigma.fr