security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
871f41df73e68fc6b16403b3f8a53bbc8b2cd8eb
blue-team-tools/rules/windows/builtin/security
T
History
phantinuss f04419c730 Merge PR #4470 From phantinuss - Fix FPs Found In Testing 
fix: Generic Password Dumper Activity on LSASS - FP with GoogleUpdate.exe
fix: Rundll32 Execution Without DLL File - FP with another zzzzInvokeManagedCustomActionOutOfProc MSI installer
fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with being started as a background service
fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - FP with $WinREAgent folder
fix: Files With System Process Name In Unsuspected Locations - FP with wuaucltcore

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-10-09 00:07:56 +02:00
..
account_management
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
win_security_aadhealth_mon_agent_regkey_access.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_aadhealth_svc_agent_regkey_access.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_account_backdoor_dcsync_rights.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_account_discovery.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_ad_object_writedac_access.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
win_security_ad_replication_non_machine_account.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
win_security_ad_user_enumeration.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_adcs_certificate_template_configuration_vulnerability_eku.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
win_security_adcs_certificate_template_configuration_vulnerability.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
win_security_add_remove_computer.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
win_security_admin_logon.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
win_security_admin_share_access.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_alert_active_directory_user_control.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
win_security_alert_ad_user_backdoors.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
win_security_alert_enable_weak_encryption.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
win_security_alert_ruler.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_atsvc_task.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_camera_microphone_access.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_cobaltstrike_service_installs.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_dce_rpc_smb_spoolss_named_pipe.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_dcom_iertutil_dll_hijack.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
win_security_dcsync.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_defender_bypass.yml
chore: fix typo of lowercase Windows in description
2023-06-21 09:52:43 +02:00
win_security_device_installation_blocked.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
win_security_disable_event_auditing_critical.yml
feat: new rules & updates (#4328)
2023-07-13 10:01:05 +02:00
win_security_disable_event_auditing.yml
feat: new rules & updates (#4328)
2023-07-13 10:01:05 +02:00
win_security_dot_net_etw_tamper.yml
feat: add two new rules
2022-12-20 23:44:44 +01:00
win_security_dpapi_domain_backupkey_extraction.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
win_security_dpapi_domain_masterkey_backup_attempt.yml
fix: tune more fp
2023-03-15 12:00:20 +01:00
win_security_event_log_cleared.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
win_security_external_device.yml
chore: fix typo of lowercase Windows in description
2023-06-21 09:52:43 +02:00
win_security_gpo_scheduledtasks.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_hidden_user_creation.yml
chore: move rules to new folders (#4205)
2023-05-02 23:17:57 +02:00
win_security_hybridconnectionmgr_svc_installation.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_impacket_psexec.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_impacket_secretdump.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_invoke_obfuscation_clip_services_security.yml
chore: remove unnecessary provider_name filter for security log
2023-02-27 13:04:39 +01:00
win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
Update Title (#3733)
2022-11-28 06:43:17 +01:00
win_security_invoke_obfuscation_stdin_services_security.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
win_security_invoke_obfuscation_var_services_security.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
win_security_invoke_obfuscation_via_compress_services_security.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
win_security_invoke_obfuscation_via_rundll_services_security.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
win_security_invoke_obfuscation_via_stdin_services_security.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
win_security_invoke_obfuscation_via_use_clip_services_security.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
win_security_invoke_obfuscation_via_use_mshta_services_security.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
win_security_invoke_obfuscation_via_var_services_security.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
win_security_iso_mount.yml
Update win_security_iso_mount.yml
2023-06-22 09:52:25 -04:00
win_security_lm_namedpipe.yml
fix: fp found in testing
2023-03-14 23:58:04 +01:00
win_security_lsass_access_non_system_account.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
win_security_mal_creddumper.yml
feat: rules update
2023-08-07 16:09:21 +02:00
win_security_mal_service_installs.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_mal_wceaux_dll.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_metasploit_authentication.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_metasploit_or_impacket_smb_psexec_service_install.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
Update Title (#3739)
2022-11-30 11:44:15 +01:00
win_security_net_ntlm_downgrade.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_net_share_obj_susp_desktop_ini.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_new_or_renamed_user_account_with_dollar_sign.yml
Minor Fix
2022-11-22 18:13:34 +05:00
win_security_not_allowed_rdp_access.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_password_policy_enumerated.yml
chore: update metadata
2023-05-18 23:29:02 +02:00
win_security_pcap_drivers.yml
chore: rename folders
2023-04-14 16:55:41 +02:00
win_security_petitpotam_network_share.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_petitpotam_susp_tgt_request.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_possible_dc_shadow.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
win_security_powershell_script_installed_as_service.yml
Update Title (#3739)
2022-11-30 11:44:15 +01:00
win_security_protected_storage_service_access.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
win_security_rdp_reverse_tunnel.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_register_new_logon_process_by_rubeus.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_registry_permissions_weakness_check.yml
Merge PR #4457 from @RobertSchull - new rules MITRE's Center for Threat Informed Defense
2023-09-29 13:56:49 +02:00
win_security_remote_powershell_session.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
win_security_replay_attack_detected.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
win_security_sam_registry_hive_handle_request.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
win_security_scheduled_task_deletion.yml
fix: fp found in testing
2023-06-14 00:23:28 +02:00
win_security_scm_database_handle_failure.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
win_security_scm_database_privileged_operation.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
win_security_service_install_remote_access_software.yml
feat: add missing modified & update order
2023-06-22 01:15:04 +02:00
win_security_service_installation_by_unusal_client.yml
update logsource
2023-01-04 18:52:24 +01:00
win_security_smb_file_creation_admin_shares.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
win_security_susp_add_domain_trust.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_susp_add_sid_history.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_susp_codeintegrity_check_failure.yml
fix: update description
2022-12-07 22:34:56 +01:00
win_security_susp_computer_name.yml
update logsource
2023-01-04 18:52:24 +01:00
win_security_susp_dsrm_password_change.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_susp_eventlog_cleared.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_susp_failed_logon_reasons.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_susp_kerberos_manipulation.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_susp_ldap_dataexchange.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_susp_local_anon_logon_created.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_susp_logon_explicit_credentials.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_susp_lsass_dump_generic.yml
Merge PR #4470 From phantinuss - Fix FPs Found In Testing
2023-10-09 00:07:56 +02:00
win_security_susp_lsass_dump.yml
Rename security rules
2022-10-14 08:53:50 +02:00
win_security_susp_net_recon_activity.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_susp_opened_encrypted_zip_filename.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
win_security_susp_opened_encrypted_zip_outlook.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
win_security_susp_opened_encrypted_zip.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
win_security_susp_outbound_kerberos_connection.yml
fix: typos in titles and descriptions of rules
2023-02-02 19:40:01 +01:00
win_security_susp_possible_shadow_credentials_added.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_susp_psexec.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_susp_raccess_sensitive_fext.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
win_security_susp_rc4_kerberos.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_susp_scheduled_task_creation.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_susp_scheduled_task_delete_or_disable.yml
fix: fp found in testing
2023-03-14 23:58:04 +01:00
win_security_susp_scheduled_task_update.yml
feat: update and enhancements
2023-02-07 13:55:14 +01:00
win_security_susp_sdelete.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_susp_time_modification.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_svcctl_remote_service.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_syskey_registry_access.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
win_security_sysmon_channel_reference_deletion.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_tap_driver_installation.yml
Update Title (#3739)
2022-11-30 11:44:15 +01:00
win_security_teams_suspicious_objectaccess.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_transf_files_with_cred_data_via_network_shares.yml
chore: remove unnecessary provider_name filter for security log
2023-02-27 13:04:39 +01:00
win_security_user_added_to_local_administrators.yml
chore: remove unnecessary provider_name filter for security log
2023-02-27 13:04:39 +01:00
win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
chore: remove unnecessary provider_name filter for security log
2023-02-27 13:04:39 +01:00
win_security_user_creation.yml
chore: fix typo of lowercase Windows in description
2023-06-21 09:52:43 +02:00
win_security_user_driver_loaded.yml
chore: remove unnecessary provider_name filter for security log
2023-02-27 13:04:39 +01:00
win_security_user_logoff.yml
Order yaml field
2022-10-25 11:08:51 +02:00
win_security_vssaudit_secevent_source_registration.yml
chore: remove unnecessary provider_name filter for security log
2023-02-27 13:04:39 +01:00
win_security_wmi_persistence.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
win_security_wmiprvse_wbemcomn_dll_hijack.yml
chore: remove unnecessary provider_name filter for security log
2023-02-27 13:04:39 +01:00
win_security_workstation_was_locked.yml
feat: filename test enhancements (#3812)
2022-12-23 09:25:16 +01:00