security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0dda757ca59b5f80da0e537932e73e8a2be5540d
blue-team-tools/rules/windows
T
History
Sander Wiebing b8ee736f44 Remove AppData folder as suspicious folder 
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord ( (\AppData\Local\Discord\)
- Spotify ( (\AppData\Roaming\Spotify\)

Too many to whitelist them all
2020-05-24 15:16:07 +02:00
..
builtin
Update win_alert_ad_user_backdoors.yml
2020-05-19 14:50:22 +02:00
deprecated
fix: buggy rule
2020-05-23 18:32:02 +02:00
malware
Changed level to ciritcal
2020-05-11 10:40:23 +02:00
other
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
powershell
fix incorrect use of action global
2020-05-06 22:53:02 +02:00
process_creation
Merge pull request #791 from SanWieb/master
2020-05-23 16:50:31 +02:00
sysmon
Remove AppData folder as suspicious folder
2020-05-24 15:16:07 +02:00