security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e2ef92104b1da386c25290a42febbdf4f3ebbf9
blue-team-tools/rules/windows/process_creation
T
History
Thomas Patzke 121e21960e Rule changes 
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
2019-05-09 23:09:22 +02:00
..
powershell_xor_commandline.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_attrib_hiding_files.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_bypass_squiblytwo.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_cmdkey_recon.yml
Missing tags
2019-03-06 00:02:37 +01:00
win_cmstp_com_object_access.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_exploit_cve_2015_1641.yml
fixed wrong tags
2019-03-06 06:18:38 +01:00
win_exploit_cve_2017_0261.yml
Missing tags
2019-03-06 00:16:40 +01:00
win_exploit_cve_2017_8759.yml
fixed incorrect date format
2019-03-07 22:52:11 +01:00
win_exploit_cve_2017_11882.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_hack_rubeus.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_lethalhta.yml
atc review
2019-03-06 05:25:12 +01:00
win_mal_adwind.yml
fix: rule field fix in proc_creation rule
2019-03-22 10:59:18 +01:00
win_mal_lockergoga.yml
Rule: extended LockerGoga description
2019-03-22 11:03:48 +01:00
win_mal_wannacry.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_malware_dridex.yml
Missing tags
2019-03-06 00:16:40 +01:00
win_malware_notpetya.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_malware_script_dropper.yml
fixed wrong tags
2019-03-06 06:18:38 +01:00
win_malware_wannacry.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_mavinject_proc_inj.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_mshta_spawn_shell.yml
FP note for HP software
2019-04-19 09:51:32 +02:00
win_multiple_suspicious_cli.yml
Added CAR tags
2019-03-16 00:37:09 +01:00
win_netsh_fw_add.yml
Trying to fix ATT&CK framework tag
2019-04-01 10:36:35 +02:00
win_netsh_port_fwd_3389.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_netsh_port_fwd.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_office_shell.yml
Rule: Extended Office Shell rule
2019-04-15 08:13:35 +02:00
win_office_spawn_exe_from_users_directory.yml
More exact path
2019-04-17 23:45:15 +02:00
win_plugx_susp_exe_locations.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_possible_applocker_bypass.yml
atc review
2019-03-06 05:25:12 +01:00
win_powershell_amsi_bypass.yml
Missing tags
2019-03-06 00:16:40 +01:00
win_powershell_b64_shellcode.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_powershell_dll_execution.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_powershell_download.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_powershell_renamed_ps.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_powershell_suspicious_parameter_variation.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_process_creation_bitsadmin_download.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_psexesvc_start.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_renamed_paexec.yml
Modifications
2019-04-17 23:29:29 +02:00
win_sdbinst_shim_persistence.yml
atc review
2019-03-06 05:25:12 +01:00
win_shell_spawn_susp_program.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_spn_enum.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_bcdedit.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_susp_calc.yml
changed service to product
2019-03-06 05:57:01 +01:00
win_susp_certutil_command.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_certutil_encode.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_cli_escape.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_cmd_http_appdata.yml
Missing tags
2019-03-06 00:16:40 +01:00
win_susp_commands_recon_activity.yml
Missing tags
2019-03-06 00:02:37 +01:00
win_susp_control_dll_load.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_susp_csc.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_exec_folder.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_execution_path_webserver.yml
fixed wrong tags
2019-03-06 06:18:38 +01:00
win_susp_execution_path.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_gup.yml
Added Local directory
2019-04-15 08:47:53 +02:00
win_susp_iss_module_install.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_mmc_source.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_msiexec_web_install.yml
rules update
2019-03-06 00:43:42 +01:00
win_susp_net_execution.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_ntdsutil.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_outlook.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_ping_hex_ip.yml
Missing tags
2019-03-06 00:16:40 +01:00
win_susp_powershell_empire_lanuch.yml
Rule: Detect Empire PowerShell Default Cmdline Params
2019-04-20 09:38:41 +02:00
win_susp_powershell_enc_cmd.yml
Rule: Extended PowerShell Susp Cmdline Enc Commands
2019-04-20 09:38:41 +02:00
win_susp_powershell_hidden_b64_cmd.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_powershell_parent_combo.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_procdump.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_process_creations.yml
fix: bugfix in new proc creation rule
2019-03-02 11:28:13 +01:00
win_susp_prog_location_process_starts.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_ps_appdata.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_rasdial_activity.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_susp_recon_activity.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_susp_regsvr32_anomalies.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_run_locations.yml
Rule changes
2019-05-09 23:09:22 +02:00
win_susp_rundll32_activity.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_schtask_creation.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_script_execution.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_susp_squirrel_lolbin.yml
Auto stash before rebase of "Neo23x0/master"
2019-04-03 16:25:18 +02:00
win_susp_svchost.yml
Update win_subp_svchost rule
2019-04-16 15:00:06 +02:00
win_susp_sysprep_appdata.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_sysvol_access.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_taskmgr_localsystem.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_taskmgr_parent.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_tscon_localsystem.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_susp_tscon_rdp_redirect.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_vssadmin_ntds_activity.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_whoami.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_wmi_execution.yml
Incorporated MITRE CAR mapping from #55
2019-03-16 00:03:27 +01:00
win_system_exe_anomaly.yml
Integrated PR from @P4T12ICK in existing rule
2019-04-21 00:28:40 +02:00
win_vul_java_remote_debugging.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_webshell_detection.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_webshell_spawn.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_wmi_persistence_script_event_consumer.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_wmi_spwns_powershell.yml
Fix condition
2019-04-04 22:32:47 +02:00
win_workflow_compiler.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00