blue-team-tools/rules/windows/builtin at e52f29dda997cdb3fa084555c0cdcaeee6a73a5d - blue-team-tools - GreySec Git

security-tools/blue-team-tools

Files

T

History

Karneades 68fd20cb66 fix: bound windows event log rules to message field

Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml

2019-11-02 11:25:29 +01:00

..

win_account_backdoor_dcsync_rights.yml

Create win_account_backdoor_dcsync_rights.yml

2019-04-03 16:16:05 +02:00

win_account_discovery.yml

Update win_account_discovery.yml

2019-04-03 21:40:59 +02:00

win_admin_rdp_login.yml

Added CAR tags

2019-03-16 00:37:09 +01:00

win_admin_share_access.yml

Replace "logsource: description" with "definition" to match the specs

2018-11-15 09:00:06 +03:00

win_alert_active_directory_user_control.yml

fix: bound windows event log rules to message field

2019-11-02 11:25:29 +01:00

win_alert_ad_user_backdoors.yml

fix FP : field null value can be '-'

2019-09-06 05:14:58 -04:00

win_alert_enable_weak_encryption.yml

fix: bound windows event log rules to message field

2019-11-02 11:25:29 +01:00

win_alert_lsass_access.yml

Replace "logsource: description" with "definition" to match the specs

2018-11-15 09:00:06 +03:00

win_alert_mimikatz_keywords.yml

fix: bound windows event log rules to message field

2019-11-02 11:25:29 +01:00

win_alert_ruler.yml

add microsoft reference for events fields names

2019-09-23 05:21:30 -04:00

win_atsvc_task.yml

First Pass

2019-06-13 23:15:38 -05:00

win_av_relevant_match.yml

fix: bound windows event log rules to message field

2019-11-02 11:25:29 +01:00

win_dcsync.yml

fix: Mimikatz DC Sync rule FP description and level

2019-10-08 17:45:10 +02:00

win_disable_event_logging.yml

win_disable_event_logging.yml: typo in audit policy name;

2019-05-29 15:43:44 +03:00

win_GPO_scheduledtasks.yml

Update win_GPO_scheduledtasks.yml

2019-04-03 21:50:55 +02:00

win_hack_smbexec.yml

added missed service

2019-03-14 00:44:26 +01:00

win_impacket_secretdump.yml

Fixed wrong backslash escaping of *

2019-10-07 22:14:44 +02:00

win_lm_namedpipe.yml

Update win_lm_namedpipe.yml

2019-04-04 18:22:50 +02:00

win_mal_creddumper.yml

fix: bound windows event log rules to message field

2019-11-02 11:25:29 +01:00

win_mal_service_installs.yml

First Pass

2019-06-13 23:15:38 -05:00

win_mal_wceaux_dll.yml

Add tags to windows builtin rules

2018-07-24 07:50:32 +02:00

win_net_ntlm_downgrade.yml

Escaped '\*' to '\\*' where required

2019-02-03 00:24:57 +01:00

win_overpass_the_hash.yml

ATT&CK tagging QA

2018-09-20 12:44:44 +02:00

win_pass_the_hash_2.yml

fix PtH rule : field name in event 4624 is SubjectUserSid with null SID value (S-1-0-0)

2019-09-23 05:44:26 -04:00

win_pass_the_hash.yml

First Pass

2019-06-13 23:15:38 -05:00

win_rare_schtasks_creations.yml

First Pass

2019-06-13 23:15:38 -05:00

win_rare_service_installs.yml

First Pass

2019-06-13 23:15:38 -05:00

win_rdp_bluekeep_poc_scanner.yml

First Pass

2019-06-13 23:15:38 -05:00

win_rdp_localhost_login.yml

First Pass

2019-06-13 23:15:38 -05:00

win_rdp_potential_cve-2019-0708.yml

rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml improved

2019-07-17 06:19:18 +03:00

win_rdp_reverse_tunnel.yml

First Pass

2019-06-13 23:15:38 -05:00

win_susp_add_sid_history.yml

changed logic to detect events related to sid history adding

2019-07-17 04:28:21 +03:00

win_susp_backup_delete.yml

Add tags to windows builtin rules

2018-07-24 07:50:32 +02:00

win_susp_dhcp_config_failed.yml

docs: modification date in rule

2019-07-17 09:21:35 +02:00

win_susp_dhcp_config.yml

atc review

2019-03-06 05:25:12 +01:00

win_susp_dns_config.yml

atc review

2019-03-06 05:25:12 +01:00

win_susp_dsrm_password_change.yml

Added missing tags and some minor improvements

2019-03-05 23:25:49 +01:00

win_susp_eventlog_cleared.yml

First Pass

2019-06-13 23:15:38 -05:00

win_susp_failed_logon_reasons.yml

Expired happens too often

2019-03-02 07:20:59 +01:00

win_susp_failed_logons_single_source.yml

Add tags to windows builtin rules

2018-07-24 07:50:32 +02:00

win_susp_interactive_logons.yml

Add tags to windows builtin rules

2018-07-24 07:50:32 +02:00

win_susp_kerberos_manipulation.yml

Add tags to windows builtin rules

2018-07-24 07:50:32 +02:00

win_susp_lsass_dump.yml

Add tags to windows builtin rules

2018-07-24 07:50:32 +02:00

win_susp_mshta_execution.yml

fix: transformed rule to new proc_creation format

2019-03-12 09:03:30 +01:00

win_susp_msmpeng_crash.yml

fix: bound windows event log rules to message field

2019-11-02 11:25:29 +01:00

win_susp_net_recon_activity.yml

fixed typos

2019-06-29 15:35:59 +03:00

win_susp_ntlm_auth.yml

rules update

2019-03-06 00:43:42 +01:00

win_susp_psexec.yml

Update win_susp_psexec.yml

2019-04-03 21:50:25 +02:00

win_susp_raccess_sensitive_fext.yml

Create win_susp_raccess_sensitive_fext.yml

2019-04-03 13:22:42 +02:00

win_susp_rc4_kerberos.yml

ATT&CK tagging QA

2018-09-20 12:44:44 +02:00

win_susp_sam_dump.yml

fix: bound windows event log rules to message field

2019-11-02 11:25:29 +01:00

win_susp_samr_pwset.yml

Add tags to windows builtin rules

2018-07-24 07:50:32 +02:00

win_susp_sdelete.yml

rules update

2019-03-06 00:43:42 +01:00

win_susp_security_eventlog_cleared.yml

First Pass

2019-06-13 23:15:38 -05:00

win_susp_time_modification.yml

atc review

2019-03-06 05:25:12 +01:00

win_svcctl_remote_service.yml

Create win_svcctl_remote_service.yml

2019-04-03 13:58:20 +02:00

win_usb_device_plugged.yml

Added missing tags and some minor improvements

2019-03-05 23:25:49 +01:00

win_user_added_to_local_administrators.yml

rule: user added to local administrator: handle non english systems by using group sid instead of name

2019-09-06 06:21:42 -04:00

win_user_creation.yml

Further improved Windows user creation rule

2019-04-21 23:54:18 +02:00