Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2

chore: update evtx baseline to v0.8.2 and fix FPs
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
phantinuss
2025-10-09 13:03:39 +02:00
committed by GitHub
parent 90fe2d9e81
commit b242175fe4
63 changed files with 850 additions and 382 deletions
@@ -7,6 +7,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
author: frack113
date: 2021-12-28
modified: 2025-10-07
tags:
- attack.persistence
- attack.t1053.005
@@ -30,7 +31,12 @@ detection:
- 'PS_ScheduledTask'
- '-NameSpace'
- 'Root\Microsoft\Windows\TaskScheduler'
condition: 1 of selection_*
filter_main_legitimate_scripts:
ScriptBlockText|contains|all:
- 'Microsoft.PowerShell.Core\Export-ModuleMember'
- 'Microsoft.Management.Infrastructure.CimInstance'
- '__cmdletization_methodParameter'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
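Review bot: The new `filter_main_legitimate_scripts` carries no comment saying which benign activity it is meant to exclude, and the `falsepositives` entry a few lines below still reads `Unknown` even though this commit evidently identified a concrete FP source; both should be updated together so the next maintainer can re-validate the filter if the three substrings stop appearing. The strings (`Export-ModuleMember`, `CimInstance`, `__cmdletization_methodParameter`) look like the text of a CDXML cmdletization wrapper being imported rather than a user-authored script — presumably the ScheduledTasks module load, given the `Root\Microsoft\Windows\TaskScheduler` selection above, but that is inferred, not visible here. A comment such as `# Module import of a CDXML cmdletization wrapper (not a user-authored scheduled-task call)` above the filter key, and a `falsepositives` line naming that module import, would capture it. Note the filter is applied to the whole script block, so any block that happens to contain all three substrings is dropped regardless of what else it contains; that is an accepted trade-off worth stating in the comment. The `detection:` mapping begins outside the hunk.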
@@ -14,7 +14,7 @@ references:
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-09-12
modified: 2025-03-12
modified: 2025-10-06
tags:
- attack.defense-evasion
- attack.t1070.001
@@ -32,7 +32,7 @@ detection:
- ScriptBlockText|contains|all:
- 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
- 'ClearLog'
- ScriptBlockText|contains:
- ScriptBlockText|contains|all:
- 'Diagnostics.EventLog'
- 'Clear'
condition: selection
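Review bot: The second pair now requires both substrings, which removes the case where `Clear` alone matched, but `Clear` is still a very common substring (`Clear-Host`, `Clear-Variable`, `Clear-Content`) and any script block that mentions `Diagnostics.EventLog` for a read-only purpose alongside one of those cmdlets will still fire; consider whether `'.Clear('` is specific enough for the method call the rule targets, at the cost of missing unusual formatting. Also, the first pair documents its intent with an inline comment on the `EventLogSession` line, while the new `contains|all` pair has none — add a matching comment naming the `EventLog.Clear()` API from the reference URL at the top of this hunk's sibling, so the two pairs read consistently. The `detection:` mapping and its `selection` key start outside the hunk.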
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-08
modified: 2022-12-25
modified: 2025-10-07
tags:
- attack.defense-evasion
- attack.t1070.005
@@ -19,7 +19,14 @@ detection:
ScriptBlockText|contains:
- 'Remove-SmbShare'
- 'Remove-FileShare'
condition: selection
filter_main_module_load:
ScriptBlockText|contains|all:
- 'FileShare.cdxml'
- 'Microsoft.PowerShell.Core\Export-ModuleMember'
- 'ROOT/Microsoft/Windows/Storage/MSFT_FileShare'
- 'ObjectModelWrapper'
- 'Cmdletization.MethodParameter'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrators or Power users may remove their shares via cmd line
level: medium
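Review bot: `filter_main_module_load` keys on five verbatim substrings of what appears to be the Storage module's `FileShare.cdxml` wrapper text; if that generated text changes between Windows builds the filter silently stops matching and the FPs return, with nothing in the rule telling a maintainer why these particular strings were chosen. A short comment above the filter, e.g. `# Import of the FileShare.cdxml cmdletization wrapper, which embeds the cmdlet names without removing a share`, would make the filter's scope and its fragility explicit. The same gap applies to the `filter_main_legitimate_scripts` hunk earlier on this page. The `detection:` mapping begins outside the hunk.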