security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
40ccd91a94e7c93b8f0ab363129388b97874a8a4
blue-team-tools/rules/windows
T
History
Nasreddine Bencherchali 40ccd91a94 Update proc_creation_win_msdt_diagcab.yml 
In my testing i found that ".diagcab" extension is not required. You can use .txt with the /cab flag and it'll spawn an msdt process.

Also I added the "-" (dash) version of the flag
2022-06-21 11:45:53 +01:00
..
builtin
Merge pull request #3143 from SigmaHQ/rule-devel
2022-06-19 15:04:46 +02:00
create_remote_thread
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
create_stream_hash
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
dns_query
refactor condition
2022-06-03 15:35:24 +02:00
driver_load
refactor condition
2022-06-03 15:35:24 +02:00
file_access
fix: FPs with Browser Credential Store Access
2022-06-18 09:10:17 +02:00
file_delete
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
file_event
Update file_event_win_notepad_plus_plus_persistence.yml
2022-06-21 11:43:42 +01:00
file_rename
fix: casing of OriginalFileName
2022-06-08 17:14:49 +02:00
image_load
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
network_connection
fix: FPs found in testing environment
2022-06-20 16:17:54 +02:00
pipe_created
fix: FPs found in testing environment
2022-06-20 16:17:54 +02:00
powershell
Removed related field
2022-06-21 11:43:18 +01:00
process_access
fix: FPs found in testing environment
2022-06-20 16:17:54 +02:00
process_creation
Update proc_creation_win_msdt_diagcab.yml
2022-06-21 11:45:53 +01:00
raw_access_thread
fix: FPs with THOR
2022-03-15 18:05:42 +01:00
registry
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
sysmon
fix: FPs from fresh Windows install
2022-04-06 16:09:53 +02:00
wmi_event
refactor: rule adjustments based on hayabusa
2022-06-18 08:39:02 +02:00