Skip to content

advanced-threat-research/Expert-Rules

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits

Block_Office_Code_Execution.md

Block_Office_Code_Execution.md

 
 

Block_WindowsDefender_mpsvc.dll_sideloading.md

Block_WindowsDefender_mpsvc.dll_sideloading.md

 
 

Detect_Deletion_Of_Backup_Catalog_Using_WBADMIN.EXE.md.txt

Detect_Deletion_Of_Backup_Catalog_Using_WBADMIN.EXE.md.txt

 
 

Detect_Deletion_Of_Shadow_Copies_Using_WMIC.EXE.md.txt

Detect_Deletion_Of_Shadow_Copies_Using_WMIC.EXE.md.txt

 
 

Detect_Suspicious_Usage_Of_BCDEDIT.EXE.md.txt

Detect_Suspicious_Usage_Of_BCDEDIT.EXE.md.txt

 
 

Detect_Suspicious_Usage_Of_VSSADMIN.EXE.md.txt

Detect_Suspicious_Usage_Of_VSSADMIN.EXE.md.txt

 
 

Detect_VSS_COM_Object_Invocation_for_Shadow_Copy_Deletion.md

Detect_VSS_COM_Object_Invocation_for_Shadow_Copy_Deletion.md

 
 

File_Block_Rclone

File_Block_Rclone

 
 

LICENSE

LICENSE

 
 

Office_Lolbins

Office_Lolbins

 
 

README.md

README.md

 
 

Repository files navigation

Expert-Rules

This repository contains the set of rules that can be used with McAfee Endpoint Security in the Exploit Prevention policy.

Contributing The repository license is Apache 2.0. Making a contribution to this repository means you are licensing the contribution under the repository license.

Pull requests are accepted and encouraged so users can share their approaches for detecting different events. For the benefit of the community, authors are required to document the rules with the fields described below and place them in the COMMUNITY folder. Pull requests have to contain a markdown file for each rule in the pull request with the following fields. Any pull requests not conforming to the below best practices will be rejected.

Title: A short and descriptive title for the rule. e.g. REMOTE FILE EXECUTION PROTECTION RULE.

Author: Here is the place to add the Author's details like the name, Company / organization, etc for the version of the Expert rule (starts from version 1.0). The modification to the rule will be recorded as an increment to the minor version along with the Author details. For Example: Version 1.0 - <Author_name>, <Company/Organization_name>

Description: A deep description of the purpose of the rule, techniques covered, stuff and actions that are supposed to be blocked by the use of the rule.

Rule TCL: The rule TCL code that can be directly used in the ENS Exploit Prevention policy. Something like:

Rule { Process { Include Match_Type { -v ... } Exclude Match_Type { -v ... } } Target { Match Match_Object { Include Match_Type { -v ... } Exclude Match_Type { -v ... } Include -access ... } } } Trigger: Some steps to trigger the rule and verify that it actually works. You can put a reference here to any public and safe tool.

Tested Platforms: Provide the tested platform information like the OS version, OS architecture, Application name, Application version, Endpoint Security Product version, etc. For Example: OS: Windows 10 build 19041, Architecture: 64 bit, Application Name: Microsoft Edge, Application Version: 1.1.1.1, Endpoint Security version 10.7.0.1234

Notes: Here is the place to add some clarifications related to the rule, how it works related to the OS, limitations (if any), references to any documentation that could help to understand it, etc.

About

No description or website provided.

Topics

security threat-detection

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

17 stars

Watchers

9 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published