security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f469c0e39c5d67e2d2009bcd2e9c6daa8dca0cd
blue-team-tools/rules/windows/builtin
T
History
Maxime Thiebaut 73a6428345 Update the NTLM downgrade registry paths 
Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.
2020-04-07 17:14:45 +02:00
..
win_account_backdoor_dcsync_rights.yml
resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml
2019-11-19 02:11:19 +01:00
win_account_discovery.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_ad_object_writedac_access.yml
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
win_ad_replication_non_machine_account.yml
Exclude Azure AD sync accounts from AD Replication rule
2020-03-02 16:43:20 +01:00
win_ad_user_enumeration.yml
Add AD User Enumeration
2020-03-31 09:40:07 +02:00
win_admin_rdp_login.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_admin_share_access.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_alert_active_directory_user_control.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_alert_ad_user_backdoors.yml
Merge branch 'master' into patch-1
2020-01-31 14:32:27 +01:00
win_alert_enable_weak_encryption.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_alert_lsass_access.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_alert_mimikatz_keywords.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_alert_ruler.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_apt_apt29_tor.yml
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
win_apt_carbonpaper_turla.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_stonedrill.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_turla_service_png.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_atsvc_task.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_audit_cve.yml
rule: added a reference
2020-01-24 15:31:06 +01:00
win_av_relevant_match.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_dcsync.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_disable_event_logging.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_dpapi_domain_backupkey_extraction.yml
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
win_dpapi_domain_masterkey_backup_attempt.yml
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
win_external_device.yml
Update win_external_device.yml
2019-11-20 16:19:45 -06:00
win_GPO_scheduledtasks.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_hack_smbexec.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_impacket_secretdump.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_invoke_obfuscation_obfuscated_iex_services.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_lm_namedpipe.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_lsass_access_non_system_account.yml
OSCD QA wave 1
2020-01-11 00:11:27 +01:00
win_mal_creddumper.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_mal_service_installs.yml
Fixes
2020-02-16 23:24:00 +01:00
win_mal_wceaux_dll.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_mmc20_lateral_movement.yml
fix: eventid in process_creation rules
2020-03-07 10:43:47 +01:00
win_net_ntlm_downgrade.yml
Update the NTLM downgrade registry paths
2020-04-07 17:14:45 +02:00
win_new_or_renamed_user_account_with_dollar_sign.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_overpass_the_hash.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_pass_the_hash_2.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_pass_the_hash.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_possible_dc_sync.yml
UUIDs + moved unsupported logic
2019-12-19 23:56:36 +01:00
win_protected_storage_service_access.yml
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
win_quarkspwdump_clearing_hive_access_history.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_rare_schtasks_creations.yml
newline in description - typo
2020-03-14 14:58:58 -04:00
win_rare_service_installs.yml
newline in description - typo
2020-03-14 14:58:58 -04:00
win_rdp_bluekeep_poc_scanner.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_rdp_localhost_login.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_rdp_potential_cve-2019-0708.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_rdp_reverse_tunnel.yml
Fixed tagging
2020-02-20 23:51:12 +01:00
win_register_new_logon_process_by_rubeus.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_remote_powershell_session.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_remote_registry_management_using_reg_utility.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_sam_registry_hive_handle_request.yml
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
win_scm_database_handle_failure.yml
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
win_scm_database_privileged_operation.yml
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
win_susp_add_domain_trust.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_add_sid_history.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_backup_delete.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_codeintegrity_check_failure.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_dhcp_config_failed.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_dhcp_config.yml
Add correct Source to detection to avoid FP
2020-03-24 19:49:24 +01:00
win_susp_dns_config.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_dsrm_password_change.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_eventlog_cleared.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_failed_logon_reasons.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_failed_logons_single_source.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_interactive_logons.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_kerberos_manipulation.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_ldap_dataexchange.yml
Title capalized
2020-03-26 17:03:33 +01:00
win_susp_local_anon_logon_created.yml
fix: missing id
2020-01-30 10:14:18 +01:00
win_susp_lsass_dump_generic.yml
OSCD QA wave 1
2020-01-11 00:11:27 +01:00
win_susp_lsass_dump.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_mshta_execution.yml
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
win_susp_msmpeng_crash.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_net_recon_activity.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_ntlm_auth.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_psexec.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_raccess_sensitive_fext.yml
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
win_susp_rc4_kerberos.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_rottenpotato.yml
fix: bugfix in RottenPotato rule - wrong identifier
2019-11-15 11:50:03 +01:00
win_susp_sam_dump.yml
Further fixes and deduplications
2020-02-16 14:03:07 +01:00
win_susp_samr_pwset.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_sdelete.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_security_eventlog_cleared.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_time_modification.yml
rule: reduced level of system time mod rule
2020-01-27 14:30:09 +01:00
win_susp_wmi_login.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_suspicious_outbound_kerberos_connection.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_svcctl_remote_service.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_syskey_registry_access.yml
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
win_tap_driver_installation.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_transferring_files_with_credential_data_via_network_shares.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_usb_device_plugged.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_user_added_to_local_administrators.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_user_creation.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_vul_cve_2020_0688.yml
fix: keyword expression in rule
2020-02-29 16:03:31 +01:00