security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
82f23c5f63d5efdd88cb151331e106d0b71dffd5
blue-team-tools/rules/windows/process_creation
T
History
yugoslavskiy 82f23c5f63 Merge pull request #477 from zinint/oscd 
add 13 new rules:

- rules/linux/auditd/lnx_auditd_masquerading_crond.yml 
- rules/linux/auditd/lnx_auditd_user_discovery.yml 
- rules/linux/auditd/lnx_data_compressed.yml 
- rules/linux/auditd/lnx_network_sniffing.yml 
- rules/windows/powershell/powershell_data_compressed.yml 
- rules/windows/powershell/powershell_winlogon_helper_dll.yml 
- rules/windows/process_creation/win_change_default_file_association.yml 
- rules/windows/process_creation/win_data_compressed_with_rar.yml 
- rules/windows/process_creation/win_local_system_owner_account_discovery.yml 
- rules/windows/process_creation/win_network_sniffing.yml 
- rules/windows/process_creation/win_query_registry.yml 
- rules/windows/process_creation/win_service_execution.yml 
- rules/windows/process_creation/win_xsl_script_processing.yml 

modify 1 rule:

- rules/windows/process_creation/win_possible_applocker_bypass.yml
2019-11-05 04:55:29 +03:00
..
powershell_xor_commandline.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_apt_bluemashroom.yml
Fixed wrong backslash escaping of *
2019-10-07 22:14:44 +02:00
win_apt_mustangpanda.yml
rule: Mustang Panda dropper
2019-10-30 18:22:40 +01:00
win_attrib_hiding_files.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_bypass_squiblytwo.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_change_default_file_association.yml
Rename process_creation_change_default_file_association.yml to win_change_default_file_association.yml
2019-11-04 22:48:13 +03:00
win_cmdkey_recon.yml
Missing tags
2019-03-06 00:02:37 +01:00
win_cmstp_com_object_access.yml
fix: fixing rule win_cmstp_com_object_access
2019-07-31 14:16:52 +02:00
win_control_panel_item.yml
sysmon rules cleanup and move to process_creation
2019-09-11 10:24:43 -04:00
win_data_compressed_with_rar.yml
Update and rename win_data_compressed.yml to win_data_compressed_with_rar.yml
2019-11-04 22:55:32 +03:00
win_encoded_frombase64string.yml
fix: fixed MITRE tags
2019-08-24 13:58:54 +02:00
win_encoded_iex.yml
fix: fixed wrong MITRE tag
2019-08-23 23:19:39 +02:00
win_etw_trace_evasion.yml
First Pass
2019-06-13 23:15:38 -05:00
win_exploit_cve_2015_1641.yml
fixed wrong tags
2019-03-06 06:18:38 +01:00
win_exploit_cve_2017_0261.yml
Missing tags
2019-03-06 00:16:40 +01:00
win_exploit_cve_2017_8759.yml
fixed incorrect date format
2019-03-07 22:52:11 +01:00
win_exploit_cve_2017_11882.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_hack_rubeus.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_hwp_exploits.yml
rule: the actual changes to hwp rule
2019-10-24 15:35:13 +02:00
win_impacket_lateralization.yml
Capitalization in Title
2019-09-28 10:30:16 +02:00
win_install_reg_debugger_backdoor.yml
rule: image debugger
2019-09-06 10:28:20 +02:00
win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
event id deleted
2019-06-03 15:51:54 +02:00
win_lethalhta.yml
atc review
2019-03-06 05:25:12 +01:00
win_local_system_owner_account_discovery.yml
Update and rename win_system_owner_user_discovery.yml to win_local_system_owner_account_discovery.yml
2019-11-05 02:31:20 +03:00
win_mal_adwind.yml
fix: rule field fix in proc_creation rule
2019-03-22 10:59:18 +01:00
win_malware_dridex.yml
Missing tags
2019-03-06 00:16:40 +01:00
win_malware_dtrack.yml
rule: another DTRACK reference
2019-10-30 18:22:25 +01:00
win_malware_emotet.yml
rule: simplified Emotet rule
2019-10-16 15:29:42 +02:00
win_malware_formbook.yml
rule: Formbook rule improved
2019-10-31 09:32:18 +01:00
win_malware_notpetya.yml
Fixed wrong backslash escaping of *
2019-10-07 22:14:44 +02:00
win_malware_qbot.yml
rule: QBot process creation
2019-10-01 17:25:04 +02:00
win_malware_script_dropper.yml
fixed wrong tags
2019-03-06 06:18:38 +01:00
win_malware_wannacry.yml
Rule: Split up WanaCry rule into two separate rules
2019-06-02 09:52:18 +02:00
win_mavinject_proc_inj.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_mmc_spawn_shell.yml
Remove unneeded event code
2019-08-05 19:13:39 +02:00
win_mshta_spawn_shell.yml
First Pass
2019-06-13 23:15:38 -05:00
win_multiple_suspicious_cli.yml
Added CAR tags
2019-03-16 00:37:09 +01:00
win_netsh_fw_add.yml
Trying to fix ATT&CK framework tag
2019-04-01 10:36:35 +02:00
win_netsh_port_fwd_3389.yml
First Pass
2019-06-13 23:15:38 -05:00
win_netsh_port_fwd.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_network_sniffing.yml
Update win_network_sniffing.yml
2019-11-04 23:02:03 +03:00
win_office_shell.yml
docs: comment on rule expression
2019-10-28 12:02:46 +01:00
win_office_spawn_exe_from_users_directory.yml
Escaped '\*' to '\*' where required
2019-09-04 14:05:58 +03:00
win_plugx_susp_exe_locations.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_possible_applocker_bypass.yml
Merge pull request #477 from zinint/oscd
2019-11-05 04:55:29 +03:00
win_powershell_amsi_bypass.yml
Missing tags
2019-03-06 00:16:40 +01:00
win_powershell_b64_shellcode.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_powershell_dll_execution.yml
First Pass
2019-06-13 23:15:38 -05:00
win_powershell_download.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_powershell_suspicious_parameter_variation.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_powersploit_empire_schtasks.yml
sysmon rules cleanup and move to process_creation
2019-09-11 10:24:43 -04:00
win_proc_wrong_parent.yml
filter NULL values to remove false positives
2019-08-20 05:10:41 -04:00
win_process_creation_bitsadmin_download.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_psexesvc_start.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_query_registry.yml
Update win_query_registry.yml
2019-11-05 03:04:46 +03:00
win_ransomware_shadowcopy.yml
rule: reworked vssadmin rule
2019-08-04 11:27:17 +02:00
win_renamed_binary.yml
fix: PsExec false positives
2019-09-26 04:50:43 -04:00
win_renamed_paexec.yml
First Pass
2019-06-13 23:15:38 -05:00
win_sdbinst_shim_persistence.yml
Fixed commandline to detect any shim install from any location
2019-07-08 12:31:18 +03:00
win_service_execution.yml
Update win_service_execution.yml
2019-11-05 04:42:53 +03:00
win_shell_spawn_susp_program.yml
Escaped '\*' to '\*' where required
2019-09-04 14:05:58 +03:00
win_spn_enum.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_bcdedit.yml
update correct process name
2019-06-01 09:50:50 -04:00
win_susp_bginfo.yml
fix filenames
2019-11-04 22:49:28 +03:00
win_susp_calc.yml
changed service to product
2019-03-06 05:57:01 +01:00
win_susp_cdb.yml
fix filenames
2019-11-04 22:49:28 +03:00
win_susp_certutil_command.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_certutil_encode.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_cli_escape.yml
remove TAB from cli escape as it's currently unsupported in sigmac
2019-09-23 04:46:10 -04:00
win_susp_cmd_http_appdata.yml
Missing tags
2019-03-06 00:16:40 +01:00
win_susp_codepage_switch.yml
fix: made rule compatible with event id 4688
2019-10-14 18:01:24 +02:00
win_susp_commands_recon_activity.yml
First Pass
2019-06-13 23:15:38 -05:00
win_susp_compression_params.yml
rule: suspicious compression tool parameters
2019-10-15 16:38:53 +02:00
win_susp_comsvcs_procdump.yml
add comcvcs.dll memdump method
2019-09-02 07:49:19 -04:00
win_susp_control_dll_load.yml
First Pass
2019-06-13 23:15:38 -05:00
win_susp_csc_folder.yml
Escaped '\*' to '\*' where required
2019-09-04 14:05:58 +03:00
win_susp_csc.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_devtoolslauncher.yml
fix filenames
2019-11-04 22:49:28 +03:00
win_susp_dnx.yml
fix filenames
2019-11-04 22:49:28 +03:00
win_susp_double_extension.yml
fix: removed unusable extensions in proc exec context
2019-06-26 17:03:01 +02:00
win_susp_dxcap.yml
fix filenames
2019-11-04 22:49:28 +03:00
win_susp_eventlog_clear.yml
move wevtutil / fsutil events from ransomware to dedicated rules
2019-09-06 10:57:03 -04:00
win_susp_exec_folder.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_execution_path_webserver.yml
fixed wrong tags
2019-03-06 06:18:38 +01:00
win_susp_execution_path.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_fsutil_usage.yml
move wevtutil / fsutil events from ransomware to dedicated rules
2019-09-06 10:57:03 -04:00
win_susp_gup.yml
Escaped '\*' to '\*' where required
2019-09-04 14:05:58 +03:00
win_susp_iss_module_install.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_msiexec_web_install.yml
Fixed escaping in rule
2019-10-29 22:06:23 +01:00
win_susp_msoffice.yml
fix filenames
2019-11-04 22:49:28 +03:00
win_susp_net_execution.yml
Added command that stops services.
2019-06-28 19:46:34 +03:00
win_susp_ntdsutil.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_odbcconf.yml
fix filenames
2019-11-04 22:49:28 +03:00
win_susp_openwith.yml
fix filenames
2019-11-04 22:49:28 +03:00
win_susp_outlook_temp.yml
rule: execution in Outlook temp folder
2019-10-01 16:07:43 +02:00
win_susp_outlook.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_ping_hex_ip.yml
Missing tags
2019-03-06 00:16:40 +01:00
win_susp_powershell_empire_launch.yml
add/modify powershell Empire rules
2019-09-02 05:04:44 -04:00
win_susp_powershell_empire_uac_bypass.yml
add/modify powershell Empire rules
2019-09-02 05:04:44 -04:00
win_susp_powershell_enc_cmd.yml
rule: minor improvement to susp ps enc cmd
2019-09-04 16:31:49 +02:00
win_susp_powershell_hidden_b64_cmd.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_powershell_parent_combo.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_procdump.yml
remove .exe from lsass
2019-10-14 17:26:33 +02:00
win_susp_process_creations.yml
fix typo
2019-09-04 11:31:00 -04:00
win_susp_prog_location_process_starts.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_ps_appdata.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_psr_capture_screenshots.yml
fix filenames
2019-11-04 22:49:28 +03:00
win_susp_rasdial_activity.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_susp_recon_activity.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_susp_regsvr32_anomalies.yml
First Pass
2019-06-13 23:15:38 -05:00
win_susp_run_locations.yml
Rule changes
2019-05-09 23:09:22 +02:00
win_susp_rundll32_activity.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_rundll32_by_ordinal.yml
rule: another reference link for 'execution by ordinal'
2019-10-22 15:18:19 +02:00
win_susp_schtask_creation.yml
First Pass
2019-06-13 23:15:38 -05:00
win_susp_script_execution.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_susp_squirrel_lolbin.yml
Added command line parameter
2019-10-29 23:04:28 +01:00
win_susp_svchost.yml
fix: null value in separate expression
2019-07-02 20:14:45 +02:00
win_susp_sysprep_appdata.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_sysvol_access.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_taskmgr_localsystem.yml
atc review
2019-03-06 05:25:12 +01:00
win_susp_taskmgr_parent.yml
fix rule: task manager as parent: task manager can be run with higher privileges (show processes from all users --> UAC) and its parent is still the old taskmgr
2019-09-27 11:06:21 -04:00
win_susp_tscon_localsystem.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_susp_tscon_rdp_redirect.yml
First Pass
2019-06-13 23:15:38 -05:00
win_susp_userinit_child.yml
Rule: Suspicious userinit.exe child process
2019-06-23 13:27:06 +02:00
win_susp_vssadmin_ntds_activity.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_susp_whoami.yml
add/modify powershell Empire rules
2019-09-02 05:04:44 -04:00
win_susp_wmi_execution.yml
Incorporated MITRE CAR mapping from #55
2019-03-16 00:03:27 +01:00
win_system_exe_anomaly.yml
Escaped '\*' to '\*' where required
2019-09-04 14:05:58 +03:00
win_termserv_proc_spawn.yml
Converted rule to generic log source
2019-06-19 23:25:25 +02:00
win_vul_java_remote_debugging.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_webshell_detection.yml
rule: webshell detection improved
2019-10-26 09:14:54 +02:00
win_webshell_spawn.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_win10_sched_task_0day.yml
sysmon rules cleanup and move to process_creation
2019-09-11 10:24:43 -04:00
win_wmi_backdoor_exchange_transport_agent.yml
rule: WMI Backdoor Exchange Transport Agent
2019-10-11 12:12:44 +02:00
win_wmi_persistence_script_event_consumer.yml
Increased indentation to 4
2019-03-02 00:14:20 +01:00
win_wmi_spwns_powershell.yml
Fix condition
2019-04-04 22:32:47 +02:00
win_workflow_compiler.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
win_xsl_script_processing.yml
Update win_xsl_script_processing.yml
2019-11-05 01:32:29 +03:00