security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
04ad307e4e04871cfda2b07c018f1eb0a2525961
blue-team-tools/rules/windows/process_creation
T
History
Nasreddine Bencherchali 04ad307e4e Update proc_creation_win_susp_advancedrun_priv_user.yml 
Added cases for LocalService and NetworkService, which could be interesting to monitor:

RunAs=10 (Network Service)
RunAs=11 (Local Service)
2022-05-05 21:06:53 +01:00
..
proc_creation_win_7zip_cve_2022_29072.yml
Update proc_creation_win_7zip_cve_2022_29072.yml
2022-04-19 17:53:34 +02:00
proc_creation_win_abusing_debug_privilege.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_abusing_windows_telemetry_for_persistence.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
proc_creation_win_accesschk_usage_after_priv_escalation.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_ad_find_discovery.yml
docs: minor changes to rules
2022-03-01 16:02:22 +01:00
proc_creation_win_advanced_ip_scanner.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_advanced_port_scanner.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_alternate_data_streams.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_always_install_elevated_windows_installer.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_anydesk_silent_install.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_anydesk.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_apt_actinium_persistence.yml
Update proc_creation_win_apt_actinium_persistence.yml
2022-04-14 09:59:45 +02:00
proc_creation_win_apt_apt29_thinktanks.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_babyshark.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_bear_activity_gtr19.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_bluemashroom.yml
fix: exclude more Teams Addin variants
2022-03-02 10:36:07 +01:00
proc_creation_win_apt_chafer_mar18.yml
chore: increase rule status
2022-03-07 17:11:00 +01:00
proc_creation_win_apt_cloudhopper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_dragonfly.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
proc_creation_win_apt_elise.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_emissarypanda_sep19.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_empiremonkey.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_equationgroup_dll_u_load.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_apt_evilnum_jul20.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_gallium_sha1.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_gallium.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_greenbug_may20.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_apt_hafnium.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_hurricane_panda.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_judgement_panda_gtr19.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_ke3chang_regadd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_lazarus_activity_apr21.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_lazarus_activity_dec20.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_lazarus_loader.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_lazarus_session_highjack.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_muddywater_dnstunnel.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_mustangpanda.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_pandemic.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_revil_kaseya.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_apt_slingshot.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_sofacy.yml
chore: increase rule status
2022-03-07 17:11:00 +01:00
proc_creation_win_apt_sourgrum.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_ta17_293a_ps.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_ta505_dropper.yml
update rule to also match on original sample
2022-03-31 12:04:36 +02:00
proc_creation_win_apt_taidoor.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_tropictrooper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_turla_commands_critical.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_turla_commands_medium.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_turla_comrat_may20.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_unc2452_cmds.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_unc2452_ps.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_unidentified_nov_18.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_winnti_mal_hk_jan20.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_winnti_pipemon.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_apt_wocao.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_zxshell.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_attrib_hiding_files.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_attrib_system.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_automated_collection.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_bad_opsec_sacrificial_processes.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_base64_listing_shadowcopy.yml
fix: adjusted rules that use utf16le, extended others
2022-03-07 18:14:29 +01:00
proc_creation_win_base64_reflective_assembly_load.yml
fix: adjusted rules that use utf16le, extended others
2022-03-07 18:14:29 +01:00
proc_creation_win_bitsadmin_download.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_bootconf_mod.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_bypass_squiblytwo.yml
minor changes to description and hash values
2022-03-21 11:19:05 +01:00
proc_creation_win_c3_load_by_rundll32.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_certoc_execution.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_change_default_file_association.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cl_invocation_lolscript.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cl_mutexverifiers_lolscript.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_class_exec_xwizard.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cleanwipe.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_clip.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cmd_delete.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cmd_dosfuscation.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_cmd_redirect.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cmdkey_recon.yml
refactor: cmdkey extended coverage
2022-04-21 09:12:13 +02:00
proc_creation_win_cmstp_com_object_access.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cmstp_execution_by_creation.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cobaltstrike_load_by_rundll32.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_cobaltstrike_process_patterns.yml
minor changes to description and hash values
2022-03-21 11:19:05 +01:00
proc_creation_win_commandline_path_traversal_evasion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_commandline_path_traversal.yml
fixing spelling error
2022-03-17 17:27:11 +00:00
proc_creation_win_conti_cmd_ransomware.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_conti_sqlcmd.yml
Rename proc_creation_win_coti_sqlcmd.yml to proc_creation_win_conti_sqlcmd.yml
2022-04-06 10:46:08 -05:00
proc_creation_win_control_panel_item.yml
fix: FP with intel graphics
2022-03-31 12:04:37 +02:00
proc_creation_win_copying_sensitive_files_with_credential_data.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_crackmapexec_patterns.yml
CrackMapExec patterns
2022-03-15 18:05:04 +01:00
proc_creation_win_creation_mavinject_dll.yml
added resource and improved MITRE Subtechnique
2022-03-30 08:57:15 -04:00
proc_creation_win_creative_cloud_node_abuse.yml
feat: Add new rule for Creative Cloud node abuse
2022-04-07 10:50:50 +02:00
proc_creation_win_credential_access_via_password_filter.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_crime_fireball.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_crime_maze_ransomware.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_crime_snatch_ransomware.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_crypto_mining_monero.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cve_2021_26857_msexchange.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_data_compressed_with_rar.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_delete_systemstatebackup.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_detecting_fake_instances_of_hxtsr.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_dinjector.yml
fix: FPs
2022-03-07 17:11:00 +01:00
proc_creation_win_discover_private_keys.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_dll_sideload_xwizard.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_dns_exfiltration_tools_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_dns_serverlevelplugindll.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_dnscat2_powershell_implementation.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_dotnet.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_dsim_remove.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_dumpstack_log_evasion.yml
chore: increase rule status
2022-03-07 17:11:00 +01:00
proc_creation_win_embed_exe_lnk.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_encoded_frombase64string.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_encoded_iex.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_enumeration_for_credentials_in_registry.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_esentutl_webcache.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_etw_modification_cmdline.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_etw_trace_evasion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_evil_winrm.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_exfiltration_and_tunneling_tools_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_expand_cabinet_files.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2015_1641.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_exploit_cve_2017_0261.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2017_8759.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2017_11882.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_exploit_cve_2019_1378.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2019_1388.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_exploit_cve_2020_1048.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2020_1350.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2020_10189.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_exploit_lpe_cve_2021_41379.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_systemnightmare.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_false_sysinternalsuite.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_file_permission_modifications.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_findstr_gpp_passwords.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_fsutil_drive_enumeration.yml
Update proc_creation_win_fsutil_drive_enumeration.yml
2022-03-30 10:45:01 -04:00
proc_creation_win_fsutil_symlinkevaluation.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_gotoopener.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_grabbing_sensitive_hives_via_reg.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_hack_adcspwn.yml
fix: unlikely --> Unlikely
2022-03-16 14:16:10 +01:00
proc_creation_win_hack_bloodhound.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_hack_cube0x0_tools.yml
fix: selection identifier
2022-04-27 17:39:01 +02:00
proc_creation_win_hack_dumpert.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_hack_hydra.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_hack_koadic.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_hack_krbrelay.yml
rule: KrbRelay
2022-04-27 17:37:10 +02:00
proc_creation_win_hack_krbrelayup.yml
refactor: adding OriginalFilename for better coverage
2022-04-27 11:30:09 +02:00
proc_creation_win_hack_rubeus.yml
fix: unlikely --> Unlikely
2022-03-16 14:16:10 +01:00
proc_creation_win_hack_secutyxploded.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_hack_wce.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_hacktool_imphashes.yml
refactor: uppercase values, DropLoader imphash
2022-03-16 17:56:55 +01:00
proc_creation_win_hashcat.yml
edit because of ambiguous trailing space
2022-03-31 12:04:37 +02:00
proc_creation_win_headless_browser_file_download.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_hh_chm.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_hiding_malware_in_fonts_folder.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_high_integrity_sdclt.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_hktl_createminidump.yml
refactor: more exact imphash matching
2022-03-07 12:03:32 +01:00
proc_creation_win_hktl_uacme_uac_bypass.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_html_help_spawn.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_hwp_exploits.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_iis_http_logging.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_impacket_compiled_tools.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_impacket_lateralization.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_indirect_cmd_compatibility_assistant.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_indirect_cmd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_infdefaultinstall.yml
Update tags
2022-04-07 14:46:58 +02:00
proc_creation_win_install_reg_debugger_backdoor.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_interactive_at.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_clip.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_stdin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_var.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_via_compress.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_invoke_obfuscation_via_rundll.yml
Refactor regex
2022-03-07 19:08:30 +01:00
proc_creation_win_invoke_obfuscation_via_stdin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_via_use_clip.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_via_use_mhsta.yml
fix yaml
2022-03-08 19:14:46 +01:00
proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
Refactor regex
2022-03-08 19:07:37 +01:00
proc_creation_win_invoke_obfuscation_via_var.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lethalhta.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lobas_aspnet_compiler.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_lobas_bash.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_local_system_owner_account_discovery.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_logmein.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_lolbas_configsecuritypolicy.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml
fix: remove penetration testing as a valid false positive
2022-03-16 13:51:26 +01:00
proc_creation_win_lolbas_diantz_ads.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lolbas_diantz_remote_cab.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_lolbas_execution_of_wuauclt.yml
Change MITRE ATT&CK tactic ID
2022-04-11 10:41:46 -05:00
proc_creation_win_lolbas_extexport.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_lolbas_extrac32_ads.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_lolbas_extrac32.yml
Change ATT&CK technique
2022-04-11 10:56:03 -05:00
proc_creation_win_lolbas_offlinescannershell.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_lolbas_replace.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lolbin_execution_via_winget.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lolbin_gpscript.yml
Update proc_creation_win_lolbin_gpscript.yml
2022-05-05 07:57:31 +02:00
proc_creation_win_lolbin_jsc.yml
Update proc_creation_win_lolbin_jsc.yml
2022-05-05 07:58:25 +02:00
proc_creation_win_lolbin_pktmon.yml
Redcannary
2022-03-17 16:48:41 +01:00
proc_creation_win_lolbin_printbrm.yml
Update proc_creation_win_lolbin_printbrm.yml
2022-05-05 08:00:22 +02:00
proc_creation_win_lolbin_wlrmdr.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lolbins_by_office_applications.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml
fix: remove penetration testing as a valid false positive
2022-03-16 13:51:26 +01:00
proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_long_powershell_commandline.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lsass_dump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mailboxexport_share.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_mal_adwind.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mal_blue_mockingbird.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_mal_darkside_ransomware.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_mal_hermetic_wiper_activity.yml
rule: Hermetic Wiper group activity
2022-02-25 17:29:32 +01:00
proc_creation_win_mal_lockergoga_ransomware.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_mal_ryuk.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_malware_conti_7zip.yml
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
proc_creation_win_malware_conti_shadowcopy.yml
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
proc_creation_win_malware_conti.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_malware_dridex.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_malware_dtrack.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_malware_emotet.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_malware_formbook.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_malware_notpetya.yml
fix: values missed escaping
2022-03-05 10:39:15 +01:00
proc_creation_win_malware_qbot.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_malware_ryuk.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_malware_script_dropper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_malware_trickbot_recon_activity.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_malware_trickbot_wermgr.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_malware_wannacry.yml
fix: triggering on legitimate diskpart.exe usage
2022-02-28 17:50:30 +01:00
proc_creation_win_manage_bde_lolbas.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mavinject_proc_inj.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mimikatz_command_line.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mmc20_lateral_movement.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mmc_spawn_shell.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_modif_of_services_for_via_commandline.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_monitoring_for_persistence_via_bits.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
proc_creation_win_mouse_lock.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_msdeploy.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_msedge_minimized_download.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mshta_javascript.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_mshta_spawn_shell.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_msiexec_dll.yml
fix: wording on two rules
2022-04-26 16:43:44 +02:00
proc_creation_win_msiexec_embedding.yml
Update proc_creation_win_msiexec_embedding.yml
2022-04-19 17:23:45 +02:00
proc_creation_win_msiexec_execute_dll.yml
FP filter to include without quotes
2022-03-28 18:50:00 +00:00
proc_creation_win_msiexec_install_quiet.yml
Typo fix
2022-04-12 11:05:09 -05:00
proc_creation_win_mstsc.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_multiple_suspicious_cli.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_net_enum.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_net_use_admin_share.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_net_user_add.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netcat_execution.yml
ncat pattern
2022-03-15 18:05:13 +01:00
proc_creation_win_netsh_allow_port_rdp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_fw_add_susp_image.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_fw_add.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_fw_enable_group_rule.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_packet_capture.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_port_fwd_3389.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_port_fwd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_wifi_credential_harvesting.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_network_scan_loop.yml
Fix selection_tools
2022-03-12 11:15:10 +01:00
proc_creation_win_network_sniffing.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_new_service_creation.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_nltest_recon.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_non_interactive_powershell.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_non_priv_reg_or_ps.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_office_applications_spawning_wmi_commandline.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
fix: wrong mapping of Windows Audit Log EventID 4688
2022-03-30 11:24:24 +02:00
proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
fix: wrong mapping of Windows Audit Log EventID 4688
2022-03-30 11:24:24 +02:00
proc_creation_win_office_shell.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_office_spawn_exe_from_users_directory.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_office_spawning_wmi_commandline.yml
fix: wrong mapping of Windows Audit Log EventID 4688
2022-03-30 11:24:24 +02:00
proc_creation_win_outlook_shell.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_pingback_backdoor.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_plugx_susp_exe_locations.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_possible_applocker_bypass.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_amsi_bypass.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_audio_capture.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_b64_shellcode.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_powershell_bitsjob.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_cmdline_reversed_strings.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_cmdline_special_characters.yml
fix: FPs found in production environment
2022-03-09 16:22:33 +01:00
proc_creation_win_powershell_cmdline_specific_comb_methods.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_defender_base64.yml
fix: adjusted rules that use utf16le, extended others
2022-03-07 18:14:29 +01:00
proc_creation_win_powershell_defender_disable_feature.yml
fix: adjusted rules that use utf16le, extended others
2022-03-07 18:14:29 +01:00
proc_creation_win_powershell_defender_exclusion.yml
refactor: some adjustments
2022-03-04 16:34:15 +01:00
proc_creation_win_powershell_disable_windef_av.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_dll_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_downgrade_attack.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_powershell_download_patterns.yml
refactor: additional strings in powershell downloader rule
2022-03-02 11:01:28 +01:00
proc_creation_win_powershell_download.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_powershell_frombase64string.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_public_folder.yml
Update proc_creation_win_powershell_public_folder.yml
2022-04-07 18:52:45 +02:00
proc_creation_win_powershell_reverse_shell_connection.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_suspicious_parameter_variation.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_powershell_xor_commandline.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_powersploit_empire_schtasks.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_proc_dump_createdump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_proc_dump_dumpminitool.yml
refactor: extended rule
2022-04-06 17:07:51 +02:00
proc_creation_win_proc_dump_rdrleakdiag.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_proc_dump_susp_dumpminitool.yml
refactor: extended rule
2022-04-06 17:07:51 +02:00
proc_creation_win_proc_wrong_parent.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_procdump_evasion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_procdump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_process_dump_rdrleakdiag.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_process_dump_rundll32_comsvcs.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_protocolhandler_suspicious_file.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_proxy_execution_wuauclt.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_psexesvc_start.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_public_folder_parent.yml
docs: wording change
2022-02-25 17:29:16 +01:00
proc_creation_win_purplesharp_indicators.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_pypykatz.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_query_registry.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_ransom_blackbyte.yml
rules: BlackByte rule update, and some generic rules
2022-02-25 16:02:42 +01:00
proc_creation_win_rasautou_dll_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_rdp_hijack_shadowing.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_redirect_to_stream.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_redmimicry_winnti_proc.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_reg_add_run_key.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_reg_defender_exclusion.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_reg_defender_tampering.yml
rules: registry, tamper with Defender & LSA
2022-03-22 16:10:11 +01:00
proc_creation_win_reg_dump_sam.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_reg_enable_rdp.yml
new susp service installation rules
2022-03-18 16:08:40 +01:00
proc_creation_win_reg_lsass_ppl.yml
rules: registry, tamper with Defender & LSA
2022-03-22 16:10:11 +01:00
proc_creation_win_reg_service_imagepath_change.yml
refactor: more robust reg add ImagePath rule
2022-03-29 15:21:47 +02:00
proc_creation_win_regedit_export_critical_keys.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_regedit_export_keys.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_regedit_import_keys_ads.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_regedit_import_keys.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_regini_ads.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_regini.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_remote_powershell_session_process.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_remote_time_discovery.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_remove_windows_defender_definition_files.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_binary_highly_relevant.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_binary.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_jusched.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_renamed_megasync.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_paexec.yml
refactor: more exact imphash matching
2022-03-07 12:03:32 +01:00
proc_creation_win_renamed_powershell.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_renamed_procdump.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_renamed_psexec.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_whoami.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_root_certificate_installed.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_rpcss_anomalies.yml
rule: RPCSS service process anomalies
2022-04-13 15:44:10 +02:00
proc_creation_win_run_executable_invalid_extension.yml
updating to ensure match against all system32 execution path
2022-03-20 19:48:51 +00:00
proc_creation_win_run_from_zip.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_run_powershell_script_from_ads.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_run_powershell_script_from_input_stream.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_run_virtualbox.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_rundll32_installscreensaver.yml
Update proc_creation_win_rundll32_installscreensaver.yml
2022-04-28 17:31:38 +02:00
proc_creation_win_rundll32_not_from_c_drive.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_rundll32_registered_com_objects.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_rundll32_without_parameters.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_schtasks_appdata_local_system.yml
new susp service installation rules
2022-03-18 16:08:40 +01:00
proc_creation_win_schtasks_powershell_windowsapps_execution.yml
Update proc_creation_win_schtasks_powershell_windowsapps_execution.yml
2022-04-19 17:31:01 +02:00
proc_creation_win_schtasks_reg_loader.yml
new rule from thedfirreport.com
2022-03-15 16:39:12 +01:00
proc_creation_win_screenconnect_anomaly.yml
rule: ScreenConnect anomaly
2022-02-25 10:31:58 +01:00
proc_creation_win_screenconnect.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_script_event_consumer_spawn.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_sdbinst_shim_persistence.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sdclt_child_process.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_sdelete.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_service_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_service_stop.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_set_policies_to_unsecure_level.yml
fix: reduce level, many legitimate usages expected
2022-02-23 14:13:12 +01:00
proc_creation_win_shadow_copies_access_symlink.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_shadow_copies_creation.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_shadow_copies_deletion.yml
docs: known FP, but has to be checked if action was legitimately issued
2022-03-07 17:11:00 +01:00
proc_creation_win_shell_spawn_by_java.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_shell_spawn_mshta.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_shell_spawn_susp_program.yml
fix: indentation
2022-03-08 17:47:20 +01:00
proc_creation_win_silenttrinity_stage_use.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_software_discovery.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_soundrec_audio_capture.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_spn_enum.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sqlcmd_veeam_dump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sqlite_firefox_cookies.yml
Update proc_creation_win_sqlite_firefox_cookies.yml
2022-04-09 20:01:54 +02:00
proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml
Update proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml
2022-04-19 17:32:39 +02:00
proc_creation_win_stickykey_like_backdoor.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_stordiag_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sus_auditpol_usage.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_7z.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_acccheckconsole.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_add_user_remote_desktop.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_adfind_enumerate.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_adfind.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_adidnsdump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_advancedrun_priv_user.yml
Update proc_creation_win_susp_advancedrun_priv_user.yml
2022-05-05 21:06:53 +01:00
proc_creation_win_susp_advancedrun.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_atbroker.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_bcdedit.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_bginfo.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_bitstransfer.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_calc.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cdb.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_certreq_download.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_certutil_command.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_certutil_encode.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_char_in_cmd.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_child_process_as_system_.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cipher.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_cli_escape.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cmd_http_appdata.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cmd_shadowcopy_access.yml
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
proc_creation_win_susp_cmdl32_lolbas.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_codepage_lookup.yml
fix: event collectors that include spaces in cmd
2022-04-21 07:54:08 +02:00
proc_creation_win_susp_codepage_switch.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_susp_commandline_chars.yml
fix: missing author
2022-04-29 16:43:18 +02:00
proc_creation_win_susp_commands_recon_activity.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_compression_params.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_comsvcs_procdump.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_conhost_option.yml
Fix: Typo in title
2022-04-07 19:30:00 -07:00
proc_creation_win_susp_conhost.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_control_cve_2021_40444.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_susp_control_dll_load.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_copy_lateral_movement.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_copy_system32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_covenant.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_crackmapexec_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_crackmapexec_flags.yml
rule: CrackMapExec flags rule
2022-02-25 11:39:19 +01:00
proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_csc_folder.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_csc.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cscript_vbs.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_csi.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_curl_download.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_curl_fileupload.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_curl_start_combo.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_curl_useragent.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_dctask64_proc_inject.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_del.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_desktopimgdownldr.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_devinit_lolbin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_devtoolslauncher.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_dir.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_direct_asep_reg_keys_modification.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_disable_eventlog.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_disable_ie_features.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_disable_raccine.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_diskshadow.yml
docs: adjustments
2022-03-11 18:13:54 +01:00
proc_creation_win_susp_ditsnap.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_dnx.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_double_extension.yml
chore: increase rule status
2022-03-07 17:11:00 +01:00
proc_creation_win_susp_download_office_domain.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_dtrace_kernel_dump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_dxcap.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_emotet_rundll32_execution.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_susp_esentutl_params.yml
Update proc_creation_win_susp_esentutl_params.yml
2022-02-24 11:52:21 -05:00
proc_creation_win_susp_eventlog_clear.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_susp_execution_path_webserver.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_execution_path.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_explorer_break_proctree.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_explorer_nouaccheck.yml
fix: FPs found in win2022 domain controller baseline
2022-04-21 10:48:59 +02:00
proc_creation_win_susp_explorer.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_file_characteristics.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_findstr_385201.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_findstr_lnk.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_findstr.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_finger_usage.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_firewall_disable.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_format.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_fsutil_usage.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_susp_ftp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_gpresult.yml
Update proc_creation_win_susp_gpresult.yml
2022-05-02 19:25:42 +02:00
proc_creation_win_susp_gup.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_hostname.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_image_missing.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_instalutil.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_iss_module_install.yml
fix: date in rule
2022-04-04 11:37:55 +02:00
proc_creation_win_susp_lsass_clone.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_machineguid.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_mounted_share_deletion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_mpcmdrun_download.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_mpiexec_lolbin.yml
refactor: more exact imphash matching
2022-03-07 12:03:32 +01:00
proc_creation_win_susp_mshta_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_mshta_pattern.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_msiexec_cwd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_msiexec_web_install.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_msoffice.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_net_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_net_use_password_plaintext.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_netsh_command.yml
Update proc_creation_win_susp_netsh_command.yml
2022-04-12 07:55:58 +02:00
proc_creation_win_susp_netsh_dll_persistence.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_network_command.yml
Update proc_creation_win_susp_network_command.yml
2022-04-11 13:45:37 -04:00
proc_creation_win_susp_network_listing_connections.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_ngrok_pua.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_nmap.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_non_exe_image.yml
fix: FPs found at prod environment
2022-04-29 15:07:58 +02:00
proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_ntdll_type_redirect.yml
rule: ntdll type redirect
2022-03-05 10:39:33 +01:00
proc_creation_win_susp_ntds.yml
fix: more lists with only one parameter
2022-03-11 20:11:06 +01:00
proc_creation_win_susp_ntdsutil.yml
docs: adjustments
2022-03-11 18:13:54 +01:00
proc_creation_win_susp_odbcconf.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_openwith.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_outlook_temp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_outlook.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_parents.yml
fix: filter null image in process creation rule
2022-03-29 08:56:47 +02:00
proc_creation_win_susp_pcwutl.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_pester.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_ping_hex_ip.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_plink_remote_forward.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_download_cradles.yml
fix: indentation
2022-03-24 11:34:00 +01:00
proc_creation_win_susp_powershell_download_iex.yml
fix: add tags
2022-04-05 13:09:43 +02:00
proc_creation_win_susp_powershell_empire_launch.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_empire_uac_bypass.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_susp_powershell_enc_cmd.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_susp_powershell_encode.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_encoded_param.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_getprocess_lsass.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_hidden_b64_cmd.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_susp_powershell_iex_patterns.yml
fix: missing timestamp
2022-04-04 11:34:26 +02:00
proc_creation_win_susp_powershell_parent_combo.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_parent_process.yml
rule: suspicious parents, susp powershell parent rule
2022-03-21 12:57:59 +01:00
proc_creation_win_susp_powershell_sam_access.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_sub_processes.yml
fix: FP with whoami child
2022-04-26 17:28:17 +02:00
proc_creation_win_susp_pressynkey_lolbin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_print.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_procdump_lsass.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_susp_procdump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_progname.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_ps_appdata.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_ps_downloadfile.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_psexec_eula.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_psexex_paexec_escalate_system.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_psexex_paexec_flags.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_psloglist.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_psr_capture_screenshots.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_radmin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rar_flags.yml
refactor: rar usage w password & compression level
2022-03-16 09:57:45 +01:00
proc_creation_win_susp_rasdial_activity.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_razorinstaller_explorer.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rclone_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_recon_activity.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_susp_recon_net_activity.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_recon.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_redir_local_admin_share.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_reg_bitlocker.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_reg_disable_sec_services.yml
Added 2 references.\nAdded modified date and author credits.\nAdded WindowsDefender Registry Key options
2022-05-05 17:05:33 +02:00
proc_creation_win_susp_reg_open_command.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_regedit_trustedinstaller.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_register_cimprovider.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_registration_via_cscript.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_susp_regsvr32_anomalies.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_regsvr32_flags_anomaly.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_regsvr32_http_pattern.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_regsvr32_image.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_regsvr32_no_dll.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_renamed_dctask64.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_renamed_debugview.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_renamed_paexec.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rpcping.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_run_folder.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_run_locations.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_activity.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_by_ordinal.yml
Merge branch 'master' into pr/2785
2022-03-08 08:43:59 +01:00
proc_creation_win_susp_rundll32_inline_vbs.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_rundll32_keymgr.yml
docs: false positive condition added
2022-04-21 09:13:06 +02:00
proc_creation_win_susp_rundll32_no_params.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_script_run.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_spawn_explorer.yml
fix: typo
2022-04-28 17:26:49 +02:00
proc_creation_win_susp_rundll32_sys.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_runonce_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_runscripthelper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_sc_query.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_schtask_creation_temp_folder.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_schtask_creation.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_schtasks_disable.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_schtasks_env_folder.yml
fix: FP with Suspicius Schtasks rule
2022-03-11 17:04:33 +01:00
proc_creation_win_susp_schtasks_folder_combos.yml
rule: suspicious schtasks rule
2022-04-15 18:22:28 +02:00
proc_creation_win_susp_schtasks_parent.yml
fix: FPs with new task scheduler rule
2022-02-24 08:41:53 +01:00
proc_creation_win_susp_schtasks_pattern.yml
refactor: scheduled task patterns
2022-03-23 09:09:43 +01:00
proc_creation_win_susp_schtasks_user_temp.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_screenconnect_access.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_screensaver_reg.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_script_exec_from_env_folder.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_script_exec_from_temp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_script_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_service_dacl_modification.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_service_dir.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_service_modification.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_service_path_modification.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_servu_process_pattern.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_sharpview.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_susp_shell_spawn_by_java_keytool.yml
Revert "rule: suspicious PowerShell sub processes"
2022-04-26 17:05:41 +02:00
proc_creation_win_susp_shell_spawn_by_java.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_shell_spawn_from_mssql.yml
fix: unused filter
2022-03-08 08:41:53 +01:00
proc_creation_win_susp_shell_spawn_from_winrm.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_shimcache_flush.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_susp_shutdown.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_splwow64.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_spoolsv_child_processes.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
proc_creation_win_susp_sqldumper_activity.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_squirrel_lolbin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_svchost_no_cli.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_svchost.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_sysprep_appdata.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_system_user_anomaly.yml
fix: FP with SYSTEM user rule
2022-04-27 12:01:58 +02:00
proc_creation_win_susp_systeminfo.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_sysvol_access.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_susp_takeown.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_target_location_shell32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_taskkill.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_tasklist_command.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_susp_taskmgr_localsystem.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_taskmgr_parent.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_tracker_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_trolleyexpress_procdump.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_tscon_localsystem.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_tscon_rdp_redirect.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_uac_bypass_trustedpath.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_susp_use_of_csharp_console.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_use_of_sqlps_bin.yml
Fix detection
2022-02-25 15:39:26 +01:00
proc_creation_win_susp_use_of_sqltoolsps_bin.yml
Fix detection
2022-02-25 15:39:26 +01:00
proc_creation_win_susp_use_of_te_bin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_userinit_child.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_vaultcmd.yml
Update proc_creation_win_susp_vaultcmd.yml
2022-04-09 20:02:34 +02:00
proc_creation_win_susp_vboxdrvinst.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_vbscript_unc2452.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_volsnap_disable.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_web_request_cmd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_webdav_client_execution.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_where_execution.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_whoami_anomaly.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_whoami_as_param.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_whoami.yml
Update proc_creation_win_susp_whoami.yml
2022-04-25 21:11:06 +02:00
proc_creation_win_susp_winrar_dmp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_winrar_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_winrm_awl_bypass.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_winrm_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_winzip.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wmi_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wmic_eventconsumer_create.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wmic_proc_create_rundll32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wmic_security_product_uninstall.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_workfolders.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wsl_lolbin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wuauclt_cmdline.yml
rules: BlackByte rule update, and some generic rules
2022-02-25 16:02:42 +01:00
proc_creation_win_susp_wuauclt.yml
fix: wrong mapping of Windows Audit Log EventID 4688
2022-03-30 11:24:24 +02:00
proc_creation_win_susp_zip_compress.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_zipexec.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_suspicious_ad_reco.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_syncappvpublishingserver_execute_powershell.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sysinternals_eula_accepted.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sysmon_driver_unload.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sysmon_uac_bypass_eventvwr.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_system_exe_anomaly.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_tap_installer_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_task_folder_evasion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_termserv_proc_spawn.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_tool_nircmd_as_system.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_tool_nircmd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_tool_nsudo_as_system.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_tool_psexec.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_tool_runx_as_system.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_tools_relay_attacks.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_tor_browser.yml
Rename win_pc_tor_browser.yml to proc_creation_win_tor_browser.yml
2022-02-20 17:59:53 +01:00
proc_creation_win_trust_discovery.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_tttracer_mod_load.yml
Name Normalization
2022-02-27 10:58:14 +01:00
proc_creation_win_uac_bypass_changepk_slui.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_cleanmgr.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_computerdefaults.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_consent_comctl32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_dismhost.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_ieinstal.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_msconfig_gui.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_ntfs_reparse_point.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_pkgmgr_dism.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_winsat.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_wmp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_wsreset.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_cmstp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_fodhelper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_wsreset.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uninstall_crowdstrike_falcon.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uninstall_sysmon.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_using_sc_to_hide_sevices.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_using_settingsynchost_as_lolbin.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_verclsid_runs_com.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_visual_basic_compiler.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_vmtoolsd_susp_child_process.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_vul_java_remote_debugging.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_webshell_detection.yml
fix: single list element
2022-03-21 12:33:55 +01:00
proc_creation_win_webshell_hacking.yml
fix: single list element
2022-03-21 12:33:55 +01:00
proc_creation_win_webshell_recon_detection.yml
fix: single list element
2022-03-21 12:33:55 +01:00
proc_creation_win_webshell_spawn.yml
fix: single list element
2022-03-21 12:33:55 +01:00
proc_creation_win_whoami_as_priv_user.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_whoami_as_system.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_whoami_priv.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_win10_sched_task_0day.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_win_exchange_transportagent.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_win_lolbas_dump64.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_winword_dll_load.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
fix: FPs noticed with EdgeTransport sub processes
2022-03-18 10:18:40 +01:00
proc_creation_win_wmi_persistence_script_event_consumer.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_wmi_spwns_powershell.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_wmic_reconnaissance.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_wmic_remote_command.yml
Update proc_creation_win_wmic_remote_command.yml
2022-03-13 13:22:10 +01:00
proc_creation_win_wmic_remote_service.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_wmic_remove_application.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_wmiprvse_spawning_process.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_workflow_compiler.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_write_protect_for_storage_disabled.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
proc_creation_win_wsreset_uac_bypass.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_xordump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_xsl_script_processing.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
process_creation_apt_gamaredon_ultravnc.yml
docs: changed UltraVNC flags rule < Gamaredon
2022-03-09 08:17:14 +01:00
process_creation_win_arbitrary_shell_execution_via_settingcontent.yml
refactor: proposed changes from issue #2917
2022-04-14 16:57:30 +02:00
process_creation_win_asr_bypass_via_appvlp_re.yml
refactor: proposed changes from issue #2917
2022-04-14 16:57:30 +02:00