security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
2bd24966c2fa251b304bfcfd9273cc4a973aaa01
blue-team-tools/rules/windows/process_access
T
History
phantinuss 2f9b90584c Merge PR #4476 From @phantinuss - Fix False Positives Found In Testing 
fix: Potentially Suspicious AccessMask Requested From LSASS - FP with Avira from Windows temp folder
fix: Direct Syscall of NtOpenProcess - FP with another Firefox process and removing drive letters
fix: Control Panel Items - FP with command line observed from taskhost.exe
fix: Rundll32 Execution Without DLL File - remove non-essential ParentCommandLine dependency in filter
fix: Schtasks Creation Or Modification With SYSTEM Privileges - remove non-essential ParentImage dependency in filter
fix: Suspicious Elevated System Shell - remove non-essential ParentImage dependency in filter
fix: Suspicious Elevated System Shell - FP with Avira update utility
fix: Execution of Suspicious File Type Extension - FP with OpenOffice

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-10-12 12:47:45 +02:00
..
proc_access_win_cmstp_execution_by_access.yml
Order yaml field
2022-10-26 09:42:26 +02:00
proc_access_win_cobaltstrike_bof_injection_pattern.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_access_win_cred_dump_lsass_access.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
proc_access_win_direct_syscall_ntopenprocess.yml
Merge PR #4476 From @phantinuss - Fix False Positives Found In Testing
2023-10-12 12:47:45 +02:00
proc_access_win_hack_sysmonente.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_access_win_handlekatz_lsass_access.yml
Order yaml field
2022-10-26 09:42:26 +02:00
proc_access_win_invoke_patchingapi.yml
fix: fp found in testing
2023-01-25 16:54:11 +01:00
proc_access_win_invoke_phantom.yml
chore: fix typo of lowercase Windows in description
2023-06-21 09:52:43 +02:00
proc_access_win_lazagne_cred_dump_lsass_access.yml
Order yaml field
2022-10-26 09:42:26 +02:00
proc_access_win_littlecorporal_generated_maldoc.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_access_win_load_undocumented_autoelevated_com_interface.yml
Order yaml field
2022-10-26 09:42:26 +02:00
proc_access_win_lsass_dump_comsvcs_dll.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_access_win_lsass_memdump_evasion.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_access_win_lsass_memdump_indicators.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_access_win_lsass_memdump.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
proc_access_win_lsass_werfault.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_access_win_malware_verclsid_shellcode.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_access_win_mimikatz_trough_winrm.yml
Order yaml field
2022-10-26 09:42:26 +02:00
proc_access_win_pypykatz_cred_dump_lsass_access.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_access_win_rare_proc_access_lsass.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
proc_access_win_shellcode_inject_msf_empire.yml
feat: filename test enhancements (#3812)
2022-12-23 09:25:16 +01:00
proc_access_win_susp_proc_access_lsass_susp_source.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
proc_access_win_susp_proc_access_lsass.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
proc_access_win_susp_seclogon.yml
feat: filename test enhancements (#3812)
2022-12-23 09:25:16 +01:00
proc_access_win_svchost_cred_dump.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_access_win_uac_bypass_wow64_logger.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_access_win_winapi_in_powershell_credentials_dumping.yml
feat: filename test enhancements (#3812)
2022-12-23 09:25:16 +01:00