| Author | Commit | Message | Date |
|---|---|---|---|
| Vasiliy Burov | 0dd4324aba | Added svchost.exe as a parent image<br>Added svchost.exe as a parent image according to this article (https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/) and my investigations. | 2019-12-10 19:31:12 +03:00 |
| Thomas Patzke | 0592cbb67a | Added UUIDs to rules | 2019-11-12 23:12:27 +01:00 |
| Florian Roth | 0b883a90b6 | fix: null value in separate expression | 2019-07-02 20:14:45 +02:00 |
| Florian Roth | ce43d600e3 | fix: added null value / application to 4688 problem | 2019-07-02 10:51:48 +02:00 |
| Sam0x90 | 0e8a46aaf7 | Update win_subp_svchost rule<br>Adding rpcnet.exe as ParentImage | 2019-04-16 15:00:06 +02:00 |
| Florian Roth | 17470d1545 | Rule: extended parent list for legitimate svchost starts<br>https://twitter.com/Sam0x90/status/1117768799816753153 | 2019-04-15 14:54:35 +02:00 |
| Yugoslavskiy Daniil | 8bec627ff1 | fixed multiple tags issue | 2019-03-06 06:09:37 +01:00 |
| Wydra Mateusz | bb95347745 | rules update | 2019-03-06 00:43:42 +01:00 |
| Thomas Patzke | 7602309138 | Increased indentation to 4<br>* Converted (to generic sigma) rules<br>* Converter outputs by default with indentation 4 | 2019-03-02 00:14:20 +01:00 |
| Thomas Patzke | 96eb460944 | Converted Sysmon/1 and Security/4688 to generic process creation rules | 2019-01-16 23:36:31 +01:00 |