security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
084204d06a7ea8c67c72f855bbb50e7fd472ad9f
blue-team-tools/deprecated/windows
T
History
Swachchhanda Shrawan Poudel 2022e3b420 Merge PR #5802 from @swachchhanda000 - Update Bitsadmin Rules With Regresstion Data 
new: Legitimate Application Writing Files In Uncommon Location
update: Suspicious Download From File-Sharing Website Via Bitsadmin - add github URL
update: File Download Via Bitsadmin To A Suspicious Target Folder - add more susp locations
remove: File Download Via Bitsadmin To An Uncommon Target Folder - deprecate in favor of 2ddef153-167b-4e89-86b6-757a9e65dcac
chore: add regression tests for bitsadmin related rules

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-01-29 12:37:55 +01:00
..
create_remote_thread_win_susp_remote_thread_target.yml
feat: more updates
2023-05-05 17:52:47 +02:00
driver_load_win_mal_creddumper.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
driver_load_win_mal_poortry_driver.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
driver_load_win_powershell_script_installed_as_service.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
driver_load_win_vuln_avast_anti_rootkit_driver.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
driver_load_win_vuln_dell_driver.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
driver_load_win_vuln_drivers_names.yml
Merge PR #5756 from @phantinuss - add a check for duplicate IDs over all rules that ever existed
2025-11-13 14:22:02 +01:00
driver_load_win_vuln_gigabyte_driver.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
driver_load_win_vuln_hw_driver.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
driver_load_win_vuln_lenovo_driver.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
file_event_win_access_susp_teams.yml
Merge PR #4920 from @fornotes - Update file_access based rules
2024-07-22 18:53:48 +02:00
file_event_win_access_susp_unattend_xml.yml
Merge PR #4920 from @fornotes - Update file_access based rules
2024-07-22 18:53:48 +02:00
file_event_win_crackmapexec_patterns.yml
Merge PR #4762 from @nasbench - Fix false positives found in testing
2024-03-11 16:58:55 +01:00
file_event_win_hktl_createminidump.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
file_event_win_lsass_memory_dump_file_creation.yml
Merge PR #4406 from @nasbench - Multiple Updates & Additions
2023-09-07 11:42:15 +02:00
file_event_win_mimikatz_memssp_log_file.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
file_event_win_office_outlook_rdp_file_creation.yml
Merge PR #5538 from @swachchhanda000 - feat: potential spear-phishing through svg files
2025-07-29 10:30:55 +02:00
file_event_win_susp_clr_logs.yml
Merge PR #4940 from @fukusuket - Update unreachable references blog.menasec[.]net
2024-07-31 10:16:56 +02:00
image_load_alternate_powershell_hosts_moduleload.yml
feat: more updates
2023-06-01 23:22:35 +02:00
image_load_office_dsparse_dll_load.yml
Merge PR #5517 from @swachchhanda000 - fix: office 365 apps related false-positives
2025-10-17 07:57:13 +05:45
image_load_office_kerberos_dll_load.yml
Merge PR #5598 from @swachchhanda000 - filter FPs on multiple rules
2025-11-10 13:52:54 +01:00
image_load_side_load_advapi32.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
image_load_side_load_scm.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_svchost_dlls.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_susp_uncommon_image_load.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_susp_winword_wmidll_load.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
net_connection_win_binary_github_com.yml
Merge PR #4754 from @qasimqlf - Update ATT&CK mapping for multiple rules
2024-03-06 17:33:49 +01:00
net_connection_win_reddit_api_non_browser_access.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
net_connection_win_susp_epmap.yml
Merge PR #4762 from @nasbench - Fix false positives found in testing
2024-03-11 16:58:55 +01:00
pipe_created_psexec_pipes_artifacts.yml
feat: rules update
2023-08-07 16:09:21 +02:00
posh_pm_powercat.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
posh_ps_access_to_chrome_login_data.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
posh_ps_azurehound_commands.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
posh_ps_cl_invocation_lolscript.yml
feat: update cl diag script rules
2023-08-17 19:26:21 +02:00
posh_ps_cl_mutexverifiers_lolscript.yml
feat: update cl diag script rules
2023-08-17 19:26:21 +02:00
posh_ps_dnscat_execution.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
posh_ps_file_and_directory_discovery.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
posh_ps_invoke_nightmare.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
posh_ps_susp_gwmi.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
powershell_ps_susp_win32_shadowcopy.yml
Merge PR #5424 from @phantinuss - Some housekeeping
2025-05-20 23:12:55 +02:00
powershell_suspicious_download.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
powershell_suspicious_invocation_generic.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
powershell_suspicious_invocation_specific.yml
refactor: use 1 of selection_*
2023-05-04 14:23:08 +09:00
powershell_syncappvpublishingserver_exe.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_access_win_in_memory_assembly_execution.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_access_win_lazagne_cred_dump_lsass_access.yml
Merge PR #4597 from @nasbench - Update Process Access Rules
2023-12-04 01:14:15 +01:00
proc_access_win_lsass_susp_access.yml
Merge PR #4958 from @fukusuket - Update unreachable/broken references
2024-08-10 01:23:58 +02:00
proc_access_win_pypykatz_cred_dump_lsass_access.yml
Merge PR #4597 from @nasbench - Update Process Access Rules
2023-12-04 01:14:15 +01:00
proc_access_win_susp_invoke_patchingapi.yml
Merge PR #5007 from @fukusuket - Fix unreachable GitHub URL references
2024-09-13 11:14:11 +02:00
proc_creation_win_apt_apt29_thinktanks.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_apt_dragonfly.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_apt_gallium.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_apt_hurricane_panda.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_apt_lazarus_activity_apr21.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_apt_lazarus_loader.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_apt_muddywater_dnstunnel.yml
Merge PR #5756 from @phantinuss - add a check for duplicate IDs over all rules that ever existed
2025-11-13 14:22:02 +01:00
proc_creation_win_apt_ta505_dropper.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
Merge PR #5802 from @swachchhanda000 - Update Bitsadmin Rules With Regresstion Data
2026-01-29 12:37:55 +01:00
proc_creation_win_certutil_susp_execution.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_cmd_read_contents.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_cmd_redirect_to_stream.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_credential_acquisition_registry_hive_dumping.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_cscript_vbs.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_filefix_browsers.yml
Merge PR #5763 from @swachchhanda000 - Update ClickFix/FileFix related rules
2025-11-27 23:00:25 +01:00
proc_creation_win_indirect_cmd.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_indirect_command_execution_forfiles.yml
Merge PR #5227 from @Gude5 - Fix small typos in deprecated rules
2025-03-16 03:09:53 +01:00
proc_creation_win_invoke_obfuscation_via_rundll.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_lolbas_execution_of_wuauclt.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_lolbin_findstr.yml
Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing
2023-11-15 15:35:43 +01:00
proc_creation_win_lolbin_office.yml
feat: new rules & updates (#4328)
2023-07-13 10:01:05 +02:00
proc_creation_win_lolbin_rdrleakdiag.yml
fix: merge rules and update detection
2023-04-24 19:24:19 +02:00
proc_creation_win_lolbins_by_office_applications.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_mal_ryuk.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_malware_trickbot_recon_activity.yml
chore: move rules to new folders (#4205)
2023-05-02 23:17:57 +02:00
proc_creation_win_mavinject_proc_inj.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_msdt_diagcab.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_new_service_creation.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_nslookup_pwsh_download_cradle.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_odbcconf_susp_exec.yml
feat: add/update rules related to odbcconf (#4228)
2023-05-23 14:08:56 +02:00
proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_office_spawning_wmi_commandline.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_possible_applocker_bypass.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_powershell_base64_listing_shadowcopy.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_powershell_base64_shellcode.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_powershell_bitsjob.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_powershell_download_cradles.yml
Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules
2025-07-28 13:32:57 +02:00
proc_creation_win_powershell_service_modification.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_powershell_susp_ps_downloadfile.yml
Merge PR #5622 from @swachchhanda000 - fix duplicate and fps
2025-10-20 09:08:28 +05:45
proc_creation_win_powershell_xor_encoded_command.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_reg_dump_sam.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_regsvr32_anomalies.yml
feat: update more regsvr32
2023-05-26 15:59:30 +02:00
proc_creation_win_renamed_paexec.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_renamed_powershell.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_renamed_psexec.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_renamed_rundll32.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_root_certificate_installed.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_run_from_zip.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_rundll32_js_runhtmlapplication.yml
Merge PR #4973 from @frack113 - Fix date format for some rules along with a broken logsource field
2024-08-16 12:37:51 +02:00
proc_creation_win_rundll32_script_run.yml
Merge PR #4719 from @joshnck - Update Rules Related To RunHTMLApplication Abuse
2024-02-26 11:37:37 +01:00
proc_creation_win_sc_delete_av_services.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_schtasks_user_temp.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_service_stop.yml
chore: fix typo of lowercase Windows in description
2023-06-21 09:52:43 +02:00
proc_creation_win_susp_bitstransfer.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_susp_cmd_exectution_via_wmi.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_susp_commandline_chars.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_susp_lolbin_non_c_drive.yml
Merge PR #4406 from @nasbench - Multiple Updates & Additions
2023-09-07 11:42:15 +02:00
proc_creation_win_susp_run_folder.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_susp_squirrel_lolbin.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_sysinternals_psexec_service_execution.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_sysinternals_psexesvc_start.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_whoami_as_system.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_whoami_execution.yml
Merge PR #5622 from @swachchhanda000 - fix duplicate and fps
2025-10-20 09:08:28 +05:45
proc_creation_win_winword_dll_load.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_wmic_execution_via_office_process.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_wmic_remote_command.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_wmic_remote_service.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
proc_creation_win_wuauclt_execution.yml
Merge PR #4718 from @qasimqlf - Update ATT&CK Mapping For Some Rules
2024-02-26 17:09:30 +01:00
process_creation_syncappvpublishingserver_exe.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
registry_add_sysinternals_sdelete_registry_keys.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
registry_event_asep_reg_keys_modification.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
registry_set_abusing_windows_telemetry_for_persistence.yml
Refractor registry_set rules
2023-08-17 08:57:52 +02:00
registry_set_add_hidden_user.yml
Refractor registry_set rules
2023-08-17 08:57:52 +02:00
registry_set_creation_service_uncommon_folder.yml
Merge PR #5756 from @phantinuss - add a check for duplicate IDs over all rules that ever existed
2025-11-13 14:22:02 +01:00
registry_set_disable_microsoft_office_security_features.yml
Refractor registry_set rules
2023-08-17 08:57:52 +02:00
registry_set_malware_adwind.yml
Merge PR #4783 from @nasbench - Update registry rules logic and fix some false positives
2024-03-26 13:28:49 +01:00
registry_set_office_security.yml
Merge PR #5756 from @phantinuss - add a check for duplicate IDs over all rules that ever existed
2025-11-13 14:22:02 +01:00
registry_set_persistence_com_hijacking_susp_locations.yml
Merge PR #4993 from @nasbench - Fix Issues
2024-09-02 19:03:46 +02:00
registry_set_persistence_search_order.yml
Merge PR #4993 from @nasbench - Fix Issues
2024-09-02 19:03:46 +02:00
registry_set_silentprocessexit.yml
Refractor registry_set rules
2023-08-17 08:57:52 +02:00
sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
sysmon_dcom_iertutil_dll_hijack.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
sysmon_mimikatz_detection_lsass.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
sysmon_powershell_execution_moduleload.yml
Merge PR #5227 from @Gude5 - Fix small typos in deprecated rules
2025-03-16 03:09:53 +01:00
sysmon_rclone_execution.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
win_defender_disabled.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
win_dsquery_domain_trust_discovery.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
win_lateral_movement_condrv.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
win_security_event_log_cleared.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
win_security_group_modification_logging.yml
chore: move rules to new folders (#4205)
2023-05-02 23:17:57 +02:00
win_security_lolbas_execution_of_nltest.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
win_security_windows_defender_exclusions_write_deleted.yml
Merge PR #5176 from @GtUGtHGtNDtEUaE - Update rules covering EventID 4660
2025-01-31 18:08:59 +01:00
win_susp_esentutl_activity.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
win_susp_rclone_exec.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
win_susp_vssadmin_ntds_activity.yml
chore: remove contrib folder + rename folders
2023-04-23 15:42:01 +02:00
win_system_service_install_susp_double_ampersand.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
win_system_susp_sam_dump.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00