security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d57787276151060be4e329f8a76eb7dad6e6bd1f
blue-team-tools/rules
T
History
phantinuss c125ae7e7d Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing 
remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insenstive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Reigstry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extension
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
thanks: @vj-codes for #4554
thanks: @mezzofix for #4520
thanks: @rkmbaxed for #4566 and #4569
thanks: @celalettin-turgut for #4570
2023-11-15 15:35:43 +01:00
..
application
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
category
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
cloud
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
compliance
feat: filename test enhancements (#3812)
2022-12-23 09:25:16 +01:00
linux
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
macos
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
network
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
web
Merge PR #4552 from @ThureinOo - Add Detection of CVE-2023-46747 Remote Code Execution
2023-11-14 09:41:49 +01:00
windows
Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing
2023-11-15 15:35:43 +01:00
README.md
chore: move more rules
2023-04-21 15:01:48 +02:00

README.md

TBD

Reference in New Issue View Git Blame Copy Permalink