security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ab7d7dbed800d52acd720f8534b4e28bcaa248dc
blue-team-tools/rules/windows/file_event
T
History
Nasreddine Bencherchali dcf236fede Quick Updates and Fixes 
- Added "Invoke-EventViewer.ps1" script to the rule "file_event_win_powershell_exploit_scripts"
- Added "OriginalFileName" to "proc_creation_win_susp_taskkill"
- Created rule for "winword" being used as a LOLBIN to download and load arbitrary DLLs
2022-05-18 12:50:59 +01:00
..
file_event_win_access_susp_unattend_xml.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_advanced_ip_scanner.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_anydesk_artefact.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
file_event_win_apt_unidentified_nov_18.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_crackmapexec_patterns.yml
CrackMapExec patterns
2022-03-15 18:05:04 +01:00
file_event_win_creation_new_shim_database.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_creation_scr_binary_file.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_creation_system_file.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_creation_unquoted_service_path.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_cred_dump_tools_dropped_files.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_csharp_compile_artefact.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_cve_2021_1675_printspooler.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
file_event_win_cve_2021_26858_msexchange.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_cve_2021_41379_msi_lpe.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_cve_2022_24527_lpe.yml
fix: MITRE tags
2022-04-13 19:25:11 +02:00
file_event_win_detect_powerup_dllhijacking.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
file_event_win_ghostpack_safetykatz.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_gotoopener_artefact.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
file_event_win_hack_dumpert.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_hivenightmare_file_exports.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_hktl_nppspy.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_install_teamviewer_desktop.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_iso_file_recent.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
file_event_win_lsass_dump.yml
refactor: add iocs to lsass dump files names
2022-03-10 21:03:16 +01:00
file_event_win_lsass_memory_dump_file_creation.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_macro_file.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_mal_adwind.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_mal_octopus_scanner.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_mal_vhd_download.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_mimikatz_kirbi_file_creation.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_mimimaktz_memssp_log_file.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
file_event_win_moriya_rootkit.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
file_event_win_new_src_file.yml
Update file_event_win_new_src_file.yml
2022-04-28 17:30:30 +02:00
file_event_win_ntds_dit.yml
rules: NTDS.DIT exfiltration
2022-03-11 18:14:09 +01:00
file_event_win_ntds_exfil_tools.yml
rules: NTDS.DIT exfiltration
2022-03-11 18:14:09 +01:00
file_event_win_office_persistence.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_outlook_c2_macro_creation.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_outlook_newform.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
file_event_win_pcre_net_temp_file.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_pingback_backdoor.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_powershell_exploit_scripts.yml
Quick Updates and Fixes
2022-05-18 12:50:59 +01:00
file_event_win_powershell_startup_shortcuts.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_quarkspw_filedump.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_rclone_exec_file.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_redmimicry_winnti_filedrop.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_sam_dump.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_screenconnect_artefact.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
file_event_win_script_creation_by_office_using_file_ext.yml
Cleaned-up tags from ile_event_win_script_creation_by_office_using_file_ext.yml
2022-04-28 12:01:39 +02:00
file_event_win_startup_folder_file_write.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
file_event_win_susp_adsi_cache_usage.yml
fix: FPs found in win2022 domain controller baseline
2022-04-21 10:48:59 +02:00
file_event_win_susp_clr_logs.yml
chore: test rules: capitalization on FP list entries
2022-05-09 16:07:44 +02:00
file_event_win_susp_colorcpl.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_susp_creation_by_mobsync.yml
Add rule create files by Microsoft Sync Center
2022-04-28 13:39:19 +02:00
file_event_win_susp_default_gpo_dir_write.yml
Update file_event_win_susp_default_gpo_dir_write.yml
2022-04-28 17:28:37 +02:00
file_event_win_susp_desktop_ini.yml
chore: test rules: capitalization on FP list entries
2022-05-09 16:07:44 +02:00
file_event_win_susp_desktop_txt.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_susp_desktopimgdownldr_file.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_susp_dropper.yml
Explorer.exe FP
2022-05-08 11:07:52 +02:00
file_event_win_susp_exchange_aspx_write.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_susp_get_variable.yml
Fix title
2022-04-23 18:35:23 +02:00
file_event_win_susp_ntds_dit.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_susp_pfx_file_creation.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_susp_system_interactive_powershell.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_susp_task_write.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_susp_teamviewer_remote_session.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_suspicious_powershell_profile_create.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_tool_psexec.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
file_event_win_tsclient_filewrite_startup.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
file_event_win_uac_bypass_consent_comctl32.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_uac_bypass_dotnet_profiler.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_uac_bypass_eventvwr.yml
fix: removing Level based filter
2022-04-27 15:04:39 +02:00
file_event_win_uac_bypass_ieinstal.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_uac_bypass_msconfig_gui.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_uac_bypass_ntfs_reparse_point.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_uac_bypass_winsat.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_uac_bypass_wmp.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_webshell_creation_detect.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_werfault_dll_hijacking.yml
Update file_event_win_werfault_dll_hijacking.yml
2022-05-12 13:59:49 +02:00
file_event_win_win_cscript_wscript_dropper.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_win_shell_write_susp_directory.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_winrm_awl_bypass.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_winword_cve_2021_40444.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
file_event_win_wmi_persistence_script_event_consumer_write.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
Name Normalization
2022-02-27 07:39:46 +01:00
file_event_win_writing_local_admin_share.yml
Name Normalization
2022-02-27 07:39:46 +01:00