security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cf3cbf808996bfd2b4d4cae3b37d101c208fa490
blue-team-tools/rules/windows/image_load
T
History
Swachchhanda Shrawan Poudel f7f61a9f95 Merge PR #5789 from @swachchhanda000 - Add fps filter observed on ARM-based Windows updates 
fix: Uncommon AppX Package Locations - filter out system32
fix: Unauthorized System Time Modification - filter out vmwaretools
fix: Files With System Process Name In Unsuspected Locations - filter windows temp
fix: Startup Folder File Write - filter out wuauclt.exe and C:$WinREAgent\Scratch\Mount\ directory
fix: Potentially Suspicious WDAC Policy File Creation - filter wuaucltcore.exe
fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - filter C:\Windows\UUS\arm64\
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - filter C:$WinREAgent\Scratch\
fix: Potential System DLL Sideloading From Non System Locations - filter legitimate ARM based locations
fix: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - filter legitimate ARM based locations

---------

Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
2025-12-09 08:29:51 +05:45
..
image_load_clfs_load.yml
Merge PR #5173 from @X-Junior - New rule additions and some fixes
2025-02-22 23:57:41 +01:00
image_load_cmstp_load_dll_from_susp_location.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_dll_amsi_suspicious_process.yml
Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
2025-10-09 13:03:39 +02:00
image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_dll_credui_uncommon_process_load.yml
Merge PR #5778 from @swachchhanda000 - fix: add some filters or tune rules to reduce false positives
2025-12-09 08:15:03 +05:45
image_load_dll_dbghelp_dbgcore_unsigned_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_dll_pcre_dotnet_dll_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_dll_rstrtmgr_suspicious_load.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
image_load_dll_rstrtmgr_uncommon_load.yml
Merge #5798 from @swachchhanda000 - fix: aurora fps
2025-12-09 08:21:14 +05:45
image_load_dll_sdiageng_load_by_msdt.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_dll_system_management_automation_susp_load.yml
Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
2025-10-09 13:03:39 +02:00
image_load_dll_tttracer_module_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_dll_unsigned_node_load.yml
Merge PR #5762 from @HullaBrian - Unsigned .node File Load
2025-11-25 17:48:05 +05:45
image_load_dll_vss_ps_susp_load.yml
Merge PR #5520 from @swachchhanda000 - Fix Logic in some rules that were causing FPs and FNs
2025-07-14 12:04:39 +02:00
image_load_dll_vssapi_susp_load.yml
Merge PR #5517 from @swachchhanda000 - fix: office 365 apps related false-positives
2025-10-17 07:57:13 +05:45
image_load_dll_vsstrace_susp_load.yml
Merge PR #5789 from @swachchhanda000 - Add fps filter observed on ARM-based Windows updates
2025-12-09 08:29:51 +05:45
image_load_hktl_sharpevtmute.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
image_load_hktl_silenttrinity_stager.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_iexplore_dcom_iertutil_dll_hijack.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_lsass_unsigned_image_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_office_dotnet_assembly_dll_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_office_dotnet_clr_dll_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_office_dotnet_gac_dll_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_office_excel_xll_susp_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_office_outlook_outlvba_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_office_powershell_dll_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_office_vbadll_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_rundll32_remote_share_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_scrcons_wmi_scripteventconsumer.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_side_load_7za.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_abused_dlls_susp_paths.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_side_load_antivirus.yml
Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
2025-10-09 13:03:39 +02:00
image_load_side_load_appverifui.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_aruba_networks_virtual_intranet_access.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_avkkid.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_ccleaner_du.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_ccleaner_reactivator.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_chrome_frame_helper.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_classicexplorer32.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_comctl32.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_coregen.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_cpl_from_non_system_location.yml
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
2024-12-01 13:40:32 +01:00
image_load_side_load_dbgcore.yml
Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
2025-10-09 13:03:39 +02:00
image_load_side_load_dbghelp.yml
Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
2025-10-09 13:03:39 +02:00
image_load_side_load_dbgmodel.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_eacore.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_edputil.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_from_non_system_location.yml
Merge PR #5789 from @swachchhanda000 - Add fps filter observed on ARM-based Windows updates
2025-12-09 08:29:51 +05:45
image_load_side_load_goopdate.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_gup_libcurl.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_iviewers.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_jli.yml
Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
2025-10-09 13:03:39 +02:00
image_load_side_load_jsschhlp.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_keyscrambler.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_libvlc.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_mfdetours_unsigned.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_mfdetours.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_mpsvc.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_mscorsvc.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_non_existent_dlls.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_office_dlls.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_python.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_rcdll.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_rjvplatform_default_location.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_rjvplatform_non_default_location.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_robform.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_shell_chrome_api.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_shelldispatch.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_smadhook.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_solidpdfcreator.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_third_party.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_ualapi.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_vivaldi_elf.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_vmguestlib.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_vmmap_dbghelp_signed.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_vmmap_dbghelp_unsigned.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_vmware_xfer.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_waveedit.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_wazuh.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_side_load_windows_defender.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_side_load_wwlib.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_susp_baaupdate_dll_load.yml
Merge PR #5533 from @swachchhanda000 - fix: github reported issues
2025-10-18 07:07:22 +05:45
image_load_susp_clickonce_unsigned_module_loaded.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_susp_dll_load_system_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_susp_python_image_load.yml
Merge PR #5599 from @swachchhanda000 - fix FPs around pyinstaller
2025-10-01 11:46:41 +02:00
image_load_susp_script_dotnet_clr_dll_load.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_susp_unsigned_dll.yml
Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
2025-10-09 13:03:39 +02:00
image_load_thor_unsigned_execution.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_uac_bypass_iscsicpl.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_uac_bypass_via_dism.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
image_load_win_mmc_loads_script_engine_dll.yml
Merge PR #5183 from @swachchhanda000 - add rules for malware abusing grimresource and RTLO techniques
2025-10-01 14:16:23 +02:00
image_load_win_trusted_path_bypass.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_wmi_persistence_commandline_event_consumer.yml
chore: ci: bump validator version (#5722)
2025-10-23 15:43:47 +02:00
image_load_wmic_remote_xsl_scripting_dlls.yml
Merge PR #5789 from @swachchhanda000 - Add fps filter observed on ARM-based Windows updates
2025-12-09 08:29:51 +05:45
image_load_wmiprvse_wbemcomn_dll_hijack.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
image_load_wsman_provider_image_load.yml
Merge PR #5517 from @swachchhanda000 - fix: office 365 apps related false-positives
2025-10-17 07:57:13 +05:45