blue-team-tools

Files

T

Nasreddine Bencherchali dcf236fede Quick Updates and Fixes

- Added "Invoke-EventViewer.ps1" script to the rule "file_event_win_powershell_exploit_scripts"
- Added "OriginalFileName" to "proc_creation_win_susp_taskkill"
- Created rule for "winword" being used as a LOLBIN to download and load arbitrary DLLs

2022-05-18 12:50:59 +01:00

builtin

FP: filter m$ removaltools from %system32%\MRT.exe and reducing level to low from medium. Task removal could possibly even be just informational.

2022-05-16 14:48:01 +00:00

create_remote_thread

Update create_remote_thread_win_ttdinjec.yml

2022-05-16 16:52:27 +02:00

create_stream_hash

fix: unknown --> Unknown

2022-03-16 13:43:54 +01:00

dns_query

Redcannary

2022-04-04 10:57:23 +02:00

driver_load

chore: test rules: capitalization on FP list entries

2022-05-09 16:07:44 +02:00

file_access

Redcannary test

2022-05-01 11:34:54 +02:00

file_delete

fix: unknown --> Unknown

2022-03-16 13:43:54 +01:00

file_event

Quick Updates and Fixes

2022-05-18 12:50:59 +01:00

file_rename

Fix Requested Changes

2022-05-13 15:28:22 +01:00

image_load

move deprecated rules

2022-05-14 09:42:32 +02:00

network_connection

chore: test rules: capitalization on FP list entries

2022-05-09 16:07:44 +02:00

pipe_created

fix: FPs found in win2022 domain controller baseline

2022-04-21 10:48:59 +02:00

powershell

move deprecated rules

2022-05-14 09:42:32 +02:00

process_access

Merge branch 'master' into aurora-false-positive-fixing

2022-05-16 16:05:02 +02:00

process_creation

Quick Updates and Fixes

2022-05-18 12:50:59 +01:00

raw_access_thread

fix: FPs with THOR

2022-03-15 18:05:42 +01:00

registry

move deprecated rules

2022-05-14 09:42:32 +02:00

sysmon

fix: FPs from fresh Windows install

2022-04-06 16:09:53 +02:00

wmi_event

chore: test rules: capitalization on FP list entries

2022-05-09 16:07:44 +02:00