security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0bdd7ea35cfe447be818c9009d7460dd87206f42
blue-team-tools/rules/windows/process_creation
T
History
Nasreddine Bencherchali 884891746b Update proc_creation_win_powershell_amsi_bypass.yml
2022-09-02 12:02:18 +02:00
..
proc_creation_win_7zip_cve_2022_29072.yml
proc_creation_win_abusing_debug_privilege.yml
proc_creation_win_abusing_windows_telemetry_for_persistence.yml
proc_creation_win_accesschk_usage_after_priv_escalation.yml
proc_creation_win_advanced_ip_scanner.yml
proc_creation_win_advanced_port_scanner.yml
proc_creation_win_alternate_data_streams.yml
proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml
proc_creation_win_always_install_elevated_windows_installer.yml
proc_creation_win_anydesk_silent_install.yml
proc_creation_win_anydesk_susp_folder.yml
proc_creation_win_anydesk.yml
proc_creation_win_apt_actinium_persistence.yml
proc_creation_win_apt_apt29_thinktanks.yml
proc_creation_win_apt_babyshark.yml
proc_creation_win_apt_bear_activity_gtr19.yml
proc_creation_win_apt_bluemashroom.yml
proc_creation_win_apt_chafer_mar18.yml
proc_creation_win_apt_cloudhopper.yml
proc_creation_win_apt_dragonfly.yml
proc_creation_win_apt_elise.yml
proc_creation_win_apt_emissarypanda_sep19.yml
proc_creation_win_apt_empiremonkey.yml
proc_creation_win_apt_equationgroup_dll_u_load.yml
proc_creation_win_apt_evilnum_jul20.yml
proc_creation_win_apt_gallium_sha1.yml
proc_creation_win_apt_gallium.yml
proc_creation_win_apt_gamaredon_ultravnc.yml
proc_creation_win_apt_greenbug_may20.yml
proc_creation_win_apt_hafnium.yml
proc_creation_win_apt_hurricane_panda.yml
proc_creation_win_apt_judgement_panda_gtr19.yml
proc_creation_win_apt_ke3chang_regadd.yml
proc_creation_win_apt_lazarus_activity_apr21.yml
proc_creation_win_apt_lazarus_activity_dec20.yml
proc_creation_win_apt_lazarus_loader.yml
proc_creation_win_apt_lazarus_session_highjack.yml
proc_creation_win_apt_mercury.yml
proc_creation_win_apt_muddywater_dnstunnel.yml
proc_creation_win_apt_mustangpanda.yml
proc_creation_win_apt_revil_kaseya.yml
proc_creation_win_apt_slingshot.yml
proc_creation_win_apt_sofacy.yml
proc_creation_win_apt_sourgrum.yml
proc_creation_win_apt_ta17_293a_ps.yml
proc_creation_win_apt_ta505_dropper.yml
proc_creation_win_apt_taidoor.yml
proc_creation_win_apt_tropictrooper.yml
proc_creation_win_apt_turla_commands_critical.yml
proc_creation_win_apt_turla_commands_medium.yml
proc_creation_win_apt_turla_comrat_may20.yml
proc_creation_win_apt_unc2452_cmds.yml
proc_creation_win_apt_unc2452_ps.yml
proc_creation_win_apt_unidentified_nov_18.yml
proc_creation_win_apt_winnti_mal_hk_jan20.yml
proc_creation_win_apt_winnti_pipemon.yml
proc_creation_win_apt_wocao.yml
proc_creation_win_apt_zxshell.yml
proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml
proc_creation_win_archiver_iso_phishing.yml
proc_creation_win_asr_bypass_via_appvlp_re.yml
proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml
proc_creation_win_attrib_hiding_files.yml
proc_creation_win_attrib_system_susp_paths.yml
proc_creation_win_attrib_system.yml
proc_creation_win_automated_collection.yml
proc_creation_win_bad_opsec_sacrificial_processes.yml
proc_creation_win_base64_invoke_susp_cmdlets.yml
proc_creation_win_base64_listing_shadowcopy.yml
proc_creation_win_base64_reflective_assembly_load.yml
proc_creation_win_bitsadmin_download_susp_domain.yml
proc_creation_win_bitsadmin_download_susp_ext.yml
proc_creation_win_bitsadmin_download_susp_ip.yml
proc_creation_win_bitsadmin_download_susp_targetfolder.yml
proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
proc_creation_win_bitsadmin_download.yml
proc_creation_win_bootconf_mod.yml
proc_creation_win_bypass_squiblytwo.yml
proc_creation_win_c2_sliver.yml
proc_creation_win_c3_load_by_rundll32.yml
proc_creation_win_certoc_execution.yml
proc_creation_win_certutil_ntlm_coercion.yml
proc_creation_win_change_default_file_assoc_susp.yml
proc_creation_win_change_default_file_association.yml
proc_creation_win_chrome_load_extension.yml
proc_creation_win_chrome_remote_debugging.yml
proc_creation_win_cleanwipe.yml
proc_creation_win_clip.yml
proc_creation_win_cmd_delete.yml
proc_creation_win_cmd_dosfuscation.yml
proc_creation_win_cmd_read_contents.yml
proc_creation_win_cmd_redirect.yml
proc_creation_win_cmd_redirection_susp_folder.yml
proc_creation_win_cmdkey_recon.yml
proc_creation_win_cmstp_com_object_access.yml
proc_creation_win_cmstp_execution_by_creation.yml
proc_creation_win_cobaltstrike_bloopers_cmd.yml
proc_creation_win_cobaltstrike_bloopers_modules.yml
proc_creation_win_cobaltstrike_load_by_rundll32.yml
proc_creation_win_cobaltstrike_process_patterns.yml
proc_creation_win_commandline_path_traversal_evasion.yml
proc_creation_win_commandline_path_traversal.yml
proc_creation_win_conhost_path_traversal.yml
proc_creation_win_conti_cmd_ransomware.yml
proc_creation_win_conti_sqlcmd.yml
proc_creation_win_control_panel_item.yml
proc_creation_win_copying_sensitive_files_with_credential_data.yml
proc_creation_win_crackmapexec_patterns.yml
proc_creation_win_creation_mavinject_dll.yml
proc_creation_win_creative_cloud_node_abuse.yml
proc_creation_win_credential_access_via_password_filter.yml
proc_creation_win_crime_fireball.yml
proc_creation_win_crime_maze_ransomware.yml
proc_creation_win_crime_snatch_ransomware.yml
proc_creation_win_crypto_mining_monero.yml
proc_creation_win_curl_download.yml
proc_creation_win_cve_2021_26857_msexchange.yml
proc_creation_win_data_compressed_with_rar.yml
proc_creation_win_delete_systemstatebackup.yml
proc_creation_win_detecting_fake_instances_of_hxtsr.yml
proc_creation_win_deviceenroller_evasion.yml
proc_creation_win_dinjector.yml
proc_creation_win_dirlister.yml
proc_creation_win_disable_service.yml
proc_creation_win_discover_private_keys.yml
proc_creation_win_dll_sideload_defender.yml
proc_creation_win_dll_sideload_vmware_xfer.yml
proc_creation_win_dns_exfiltration_tools_execution.yml
proc_creation_win_dns_serverlevelplugindll.yml
proc_creation_win_dnscat2_powershell_implementation.yml
proc_creation_win_dnscmd_discovery.yml
proc_creation_win_dotnet.yml
proc_creation_win_dsacls_abuse_permissions.yml
proc_creation_win_dsacls_password_spray.yml
proc_creation_win_dsim_remove.yml
proc_creation_win_dumpstack_log_evasion.yml
proc_creation_win_embed_exe_lnk.yml
proc_creation_win_encoded_frombase64string.yml
proc_creation_win_encoded_iex.yml
proc_creation_win_enumeration_for_credentials_cli.yml
proc_creation_win_enumeration_for_credentials_in_registry.yml
proc_creation_win_esentutl_webcache.yml
proc_creation_win_etw_modification_cmdline.yml
proc_creation_win_etw_trace_evasion.yml
proc_creation_win_evil_winrm.yml
proc_creation_win_exfil_data_via_cli.yml
proc_creation_win_exfiltration_and_tunneling_tools_execution.yml
proc_creation_win_expand_cabinet_files.yml
proc_creation_win_exploit_cve_2015_1641.yml
proc_creation_win_exploit_cve_2017_0261.yml
proc_creation_win_exploit_cve_2017_8759.yml
proc_creation_win_exploit_cve_2017_11882.yml
proc_creation_win_exploit_cve_2019_1378.yml
proc_creation_win_exploit_cve_2019_1388.yml
proc_creation_win_exploit_cve_2020_1048.yml
proc_creation_win_exploit_cve_2020_1350.yml
proc_creation_win_exploit_cve_2020_10189.yml
proc_creation_win_exploit_lpe_cve_2021_41379.yml
proc_creation_win_exploit_systemnightmare.yml
proc_creation_win_false_sysinternalsuite.yml
proc_creation_win_file_permission_modifications.yml
proc_creation_win_findstr_gpp_passwords.yml
proc_creation_win_findstr_lsass.yml
proc_creation_win_fsutil_drive_enumeration.yml
proc_creation_win_fsutil_symlinkevaluation.yml
proc_creation_win_gotoopener.yml
proc_creation_win_grabbing_sensitive_hives_via_reg.yml
proc_creation_win_hack_adcspwn.yml
proc_creation_win_hack_bloodhound.yml
proc_creation_win_hack_cube0x0_tools.yml
proc_creation_win_hack_dumpert.yml
proc_creation_win_hack_hydra.yml
proc_creation_win_hack_koadic.yml
proc_creation_win_hack_krbrelay.yml
proc_creation_win_hack_krbrelayup.yml
proc_creation_win_hack_rubeus.yml
proc_creation_win_hack_secutyxploded.yml
proc_creation_win_hack_sharpldapwhoami.yml
proc_creation_win_hack_wce.yml
proc_creation_win_hacktool_imphashes.yml
proc_creation_win_handlekatz.yml
proc_creation_win_hashcat.yml
proc_creation_win_headless_browser_file_download.yml
proc_creation_win_hh_chm.yml
proc_creation_win_hiding_malware_in_fonts_folder.yml
proc_creation_win_high_integrity_sdclt.yml
proc_creation_win_hktl_createminidump.yml
proc_creation_win_hktl_uacme_uac_bypass.yml
proc_creation_win_html_help_spawn.yml
proc_creation_win_hwp_exploits.yml
proc_creation_win_icacls_deny.yml
proc_creation_win_iis_http_logging.yml
proc_creation_win_impacket_compiled_tools.yml
proc_creation_win_impacket_lateralization.yml
proc_creation_win_indirect_cmd.yml
proc_creation_win_infdefaultinstall.yml
proc_creation_win_inline_base64_mz_header.yml
proc_creation_win_install_reg_debugger_backdoor.yml
proc_creation_win_interactive_at.yml
proc_creation_win_invoke_obfuscation_clip.yml
proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml
proc_creation_win_invoke_obfuscation_stdin.yml
proc_creation_win_invoke_obfuscation_var.yml
proc_creation_win_invoke_obfuscation_via_compress.yml
proc_creation_win_invoke_obfuscation_via_rundll.yml
proc_creation_win_invoke_obfuscation_via_stdin.yml
proc_creation_win_invoke_obfuscation_via_use_clip.yml
proc_creation_win_invoke_obfuscation_via_use_mhsta.yml
proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
proc_creation_win_invoke_obfuscation_via_var.yml
proc_creation_win_jlaive_batch_execution.yml
proc_creation_win_lethalhta.yml
proc_creation_win_local_system_owner_account_discovery.yml
proc_creation_win_logmein.yml
proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
proc_creation_win_lolbin_adplus.yml
proc_creation_win_lolbin_aspnet_compiler.yml
proc_creation_win_lolbin_bash.yml
proc_creation_win_lolbin_certoc_download.yml
proc_creation_win_lolbin_cl_invocation.yml
proc_creation_win_lolbin_cl_loadassembly.yml
proc_creation_win_lolbin_cl_mutexverifiers.yml
proc_creation_win_lolbin_class_exec_xwizard.yml
proc_creation_win_lolbin_cmdl32.yml
proc_creation_win_lolbin_configsecuritypolicy.yml
proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
proc_creation_win_lolbin_customshellhost.yml
proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
proc_creation_win_lolbin_device_credential_deployment.yml
proc_creation_win_lolbin_diantz_ads.yml
proc_creation_win_lolbin_diantz_remote_cab.yml
proc_creation_win_lolbin_dll_sideload_xwizard.yml
proc_creation_win_lolbin_dump64.yml
proc_creation_win_lolbin_execution_via_winget.yml
proc_creation_win_lolbin_extexport.yml
proc_creation_win_lolbin_extrac32_ads.yml
proc_creation_win_lolbin_extrac32.yml
proc_creation_win_lolbin_findstr.yml
proc_creation_win_lolbin_forfiles.yml
proc_creation_win_lolbin_fsharp_interpreters.yml
proc_creation_win_lolbin_gpscript.yml
proc_creation_win_lolbin_ie4uinit.yml
proc_creation_win_lolbin_ieexec_download.yml
proc_creation_win_lolbin_ilasm.yml
proc_creation_win_lolbin_installutil_download.yml
proc_creation_win_lolbin_jsc.yml
proc_creation_win_lolbin_launch_vsdevshell.yml
proc_creation_win_lolbin_mftrace.yml
proc_creation_win_lolbin_msdt_answer_file.yml
proc_creation_win_lolbin_msohtmed_download.yml
proc_creation_win_lolbin_mspub_download.yml
proc_creation_win_lolbin_offlinescannershell.yml
proc_creation_win_lolbin_openconsole.yml
proc_creation_win_lolbin_pcalua.yml
proc_creation_win_lolbin_pcwrun_follina.yml
proc_creation_win_lolbin_pcwrun.yml
proc_creation_win_lolbin_pktmon.yml
proc_creation_win_lolbin_presentationhost_download.yml
proc_creation_win_lolbin_presentationhost.yml
proc_creation_win_lolbin_printbrm.yml
proc_creation_win_lolbin_pubprn.yml
proc_creation_win_lolbin_rasautou_dll_execution.yml
proc_creation_win_lolbin_regasm.yml
proc_creation_win_lolbin_register_app.yml
proc_creation_win_lolbin_remote.yml
proc_creation_win_lolbin_replace.yml
proc_creation_win_lolbin_rundll32_installscreensaver.yml
proc_creation_win_lolbin_scriptrunner.yml
proc_creation_win_lolbin_sideload_link_binary.yml
proc_creation_win_lolbin_sigverif.yml
proc_creation_win_lolbin_squirrel.yml
proc_creation_win_lolbin_susp_acccheckconsole.yml
proc_creation_win_lolbin_susp_atbroker.yml
proc_creation_win_lolbin_susp_certreq_download.yml
proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
proc_creation_win_lolbin_susp_dxcap.yml
proc_creation_win_lolbin_susp_grpconv.yml
proc_creation_win_lolbin_susp_mpcmdrun_download.yml
proc_creation_win_lolbin_susp_sqldumper_activity.yml
proc_creation_win_lolbin_susp_wsl.yml
proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
proc_creation_win_lolbin_ttdinject.yml
proc_creation_win_lolbin_tttracer_mod_load.yml
proc_creation_win_lolbin_utilityfunctions.yml
proc_creation_win_lolbin_visual_basic_compiler.yml
proc_creation_win_lolbin_visualuiaverifynative.yml
proc_creation_win_lolbin_vsiisexelauncher.yml
proc_creation_win_lolbin_wfc.yml
proc_creation_win_lolbin_winword.yml
proc_creation_win_lolbin_wlrmdr.yml
proc_creation_win_lolbins_by_office_applications.yml
proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
proc_creation_win_long_powershell_commandline.yml
proc_creation_win_lsass_dump.yml
proc_creation_win_mailboxexport_share.yml
proc_creation_win_mal_adwind.yml
proc_creation_win_mal_blue_mockingbird.yml
proc_creation_win_mal_darkside_ransomware.yml
proc_creation_win_mal_hermetic_wiper_activity.yml
proc_creation_win_mal_lockergoga_ransomware.yml
proc_creation_win_mal_ryuk.yml
proc_creation_win_malware_conti_7zip.yml
proc_creation_win_malware_conti_shadowcopy.yml
proc_creation_win_malware_conti.yml
proc_creation_win_malware_dridex.yml
proc_creation_win_malware_dtrack.yml
proc_creation_win_malware_emotet.yml
proc_creation_win_malware_formbook.yml
proc_creation_win_malware_notpetya.yml
proc_creation_win_malware_qbot.yml
proc_creation_win_malware_ryuk.yml
proc_creation_win_malware_script_dropper.yml
proc_creation_win_malware_trickbot_recon_activity.yml
proc_creation_win_malware_trickbot_wermgr.yml
proc_creation_win_malware_wannacry.yml
proc_creation_win_manage_bde_lolbas.yml
proc_creation_win_mavinject_proc_inj.yml
proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
proc_creation_win_mimikatz_command_line.yml
proc_creation_win_mmc20_lateral_movement.yml
proc_creation_win_mmc_spawn_shell.yml
proc_creation_win_modif_of_services_for_via_commandline.yml
proc_creation_win_modify_group_policy_settings.yml
proc_creation_win_monitoring_for_persistence_via_bits.yml
proc_creation_win_mouse_lock.yml
proc_creation_win_msdeploy.yml
proc_creation_win_msdt_diagcab.yml
proc_creation_win_msdt_susp_cab_options.yml
proc_creation_win_msdt_susp_parent.yml
proc_creation_win_msdt.yml
proc_creation_win_msedge_minimized_download.yml
proc_creation_win_mshta_http.yml
proc_creation_win_mshta_javascript.yml
proc_creation_win_mshta_spawn_shell.yml
proc_creation_win_msiexec_dll.yml
proc_creation_win_msiexec_embedding.yml
proc_creation_win_msiexec_execute_dll.yml
proc_creation_win_msiexec_install_quiet.yml
proc_creation_win_msra_process_injection.yml
proc_creation_win_mstsc.yml
proc_creation_win_multiple_susp_cli.yml
proc_creation_win_net_default_accounts_manipulation.yml
proc_creation_win_net_enum.yml
proc_creation_win_net_recon.yml
proc_creation_win_net_use_admin_share.yml
proc_creation_win_net_user_add_never_expire.yml
proc_creation_win_net_user_add.yml
proc_creation_win_netcat_execution.yml
proc_creation_win_netsh_allow_port_rdp.yml
proc_creation_win_netsh_fw_add_susp_image.yml
proc_creation_win_netsh_fw_add.yml
proc_creation_win_netsh_fw_delete.yml
proc_creation_win_netsh_fw_enable_group_rule.yml
proc_creation_win_netsh_packet_capture.yml
proc_creation_win_netsh_port_fwd_3389.yml
proc_creation_win_netsh_port_fwd.yml
proc_creation_win_netsh_wifi_credential_harvesting.yml
proc_creation_win_network_scan_loop.yml
proc_creation_win_network_sniffing.yml
proc_creation_win_new_network_provider.yml
proc_creation_win_new_service_creation.yml
proc_creation_win_nimgrab.yml
proc_creation_win_nltest_recon.yml
proc_creation_win_non_interactive_powershell.yml
proc_creation_win_non_priv_reg_or_ps.yml
proc_creation_win_ntfs_short_name_path_use_cli.yml
proc_creation_win_ntfs_short_name_path_use_image.yml
proc_creation_win_ntfs_short_name_use_cli.yml
proc_creation_win_ntfs_short_name_use_image.yml
proc_creation_win_obfuscated_ip_download.yml
proc_creation_win_obfuscated_ip_via_cli.yml
proc_creation_win_office_applications_spawning_wmi_commandline.yml
proc_creation_win_office_dir_traversal_cli.yml
proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
proc_creation_win_office_shell.yml
proc_creation_win_office_spawn_exe_from_users_directory.yml
proc_creation_win_office_spawning_wmi_commandline.yml
proc_creation_win_outlook_shell.yml
proc_creation_win_pdqdeploy_runner_susp_children.yml
proc_creation_win_persistence_typed_paths.yml
proc_creation_win_pingback_backdoor.yml
proc_creation_win_plugx_susp_exe_locations.yml
proc_creation_win_possible_applocker_bypass.yml
proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml
proc_creation_win_powershell_amsi_bypass.yml
proc_creation_win_powershell_audio_capture.yml
proc_creation_win_powershell_b64_shellcode.yml
proc_creation_win_powershell_bitsjob.yml
proc_creation_win_powershell_cmdline_convertto_securestring.yml
proc_creation_win_powershell_cmdline_reversed_strings.yml
proc_creation_win_powershell_cmdline_special_characters.yml
proc_creation_win_powershell_cmdline_specific_comb_methods.yml
proc_creation_win_powershell_cmdline_susp_comb_methods.yml
proc_creation_win_powershell_defender_base64.yml
proc_creation_win_powershell_defender_disable_feature.yml
proc_creation_win_powershell_defender_exclusion.yml
proc_creation_win_powershell_disable_windef_av.yml
proc_creation_win_powershell_dll_execution.yml
proc_creation_win_powershell_downgrade_attack.yml
proc_creation_win_powershell_download_patterns.yml
proc_creation_win_powershell_download.yml
proc_creation_win_powershell_frombase64string.yml
proc_creation_win_powershell_get_clipboard.yml
proc_creation_win_powershell_public_folder.yml
proc_creation_win_powershell_reverse_shell_connection.yml
proc_creation_win_powershell_snapins_hafnium.yml
proc_creation_win_powershell_susp_parameter_variation.yml
proc_creation_win_powershell_xor_commandline.yml
proc_creation_win_powersploit_empire_schtasks.yml
proc_creation_win_proc_dump_createdump.yml
proc_creation_win_proc_dump_dumpminitool.yml
proc_creation_win_proc_dump_rdrleakdiag.yml
proc_creation_win_proc_dump_susp_dumpminitool.yml
proc_creation_win_proc_wrong_parent.yml
proc_creation_win_procdump_evasion.yml
proc_creation_win_procdump.yml
proc_creation_win_process_dump_rdrleakdiag.yml
proc_creation_win_process_dump_rundll32_comsvcs.yml
proc_creation_win_protocolhandler_susp_file.yml
proc_creation_win_proxy_execution_wuauclt.yml
proc_creation_win_psexesvc_start.yml
proc_creation_win_pua_defendercheck.yml
proc_creation_win_public_folder_parent.yml
proc_creation_win_purplesharp_indicators.yml
proc_creation_win_pypykatz.yml
proc_creation_win_python_pty_spawn.yml
proc_creation_win_query_registry.yml
proc_creation_win_query_session_exfil.yml
proc_creation_win_ransom_blackbyte.yml
proc_creation_win_rdp_hijack_shadowing.yml
proc_creation_win_redirect_to_stream.yml
proc_creation_win_redmimicry_winnti_proc.yml
proc_creation_win_reg_add_run_key.yml
proc_creation_win_reg_add_safeboot.yml
proc_creation_win_reg_defender_exclusion.yml
proc_creation_win_reg_defender_tampering.yml
proc_creation_win_reg_delete_safeboot.yml
proc_creation_win_reg_delete_services.yml
proc_creation_win_reg_dump_sam.yml
proc_creation_win_reg_enable_rdp.yml
proc_creation_win_reg_import_from_suspicious_paths.yml
proc_creation_win_reg_lsass_ppl.yml
proc_creation_win_reg_service_imagepath_change.yml
proc_creation_win_regedit_export_critical_keys.yml
proc_creation_win_regedit_export_keys.yml
proc_creation_win_regedit_import_keys_ads.yml
proc_creation_win_regedit_import_keys.yml
proc_creation_win_regini_ads.yml
proc_creation_win_regini.yml
proc_creation_win_remote_powershell_session_process.yml
proc_creation_win_remote_time_discovery.yml
proc_creation_win_remove_windows_defender_definition_files.yml
proc_creation_win_renamed_binary_highly_relevant.yml
proc_creation_win_renamed_binary.yml
proc_creation_win_renamed_browsercore.yml
proc_creation_win_renamed_jusched.yml
proc_creation_win_renamed_megasync.yml
proc_creation_win_renamed_msdt.yml
proc_creation_win_renamed_paexec.yml
proc_creation_win_renamed_plink.yml
proc_creation_win_renamed_powershell.yml
proc_creation_win_renamed_procdump.yml
proc_creation_win_renamed_psexec.yml
proc_creation_win_renamed_rundll32_dllregisterserver.yml
proc_creation_win_renamed_rundll32.yml
proc_creation_win_renamed_whoami.yml
proc_creation_win_root_certificate_installed.yml
proc_creation_win_rpcss_anomalies.yml
proc_creation_win_run_executable_invalid_extension.yml
proc_creation_win_run_from_zip.yml
proc_creation_win_run_powershell_script_from_ads.yml
proc_creation_win_run_powershell_script_from_input_stream.yml
proc_creation_win_run_virtualbox.yml
proc_creation_win_rundll32_not_from_c_drive.yml
proc_creation_win_rundll32_parent_explorer.yml
proc_creation_win_rundll32_registered_com_objects.yml
proc_creation_win_rundll32_unc_path.yml
proc_creation_win_rundll32_without_parameters.yml
proc_creation_win_sc_delete_av_services.yml
proc_creation_win_schtasks_appdata_local_system.yml
proc_creation_win_schtasks_once_0000.yml
proc_creation_win_schtasks_powershell_windowsapps_execution.yml
proc_creation_win_schtasks_reg_loader.yml
proc_creation_win_schtasks_system.yml
proc_creation_win_screenconnect_anomaly.yml
proc_creation_win_screenconnect.yml
proc_creation_win_script_event_consumer_spawn.yml
proc_creation_win_sdbinst_shim_persistence.yml
proc_creation_win_sdclt_child_process.yml
proc_creation_win_sdelete.yml
proc_creation_win_sdiagnhost_susp_child.yml
proc_creation_win_selectmyparent.yml
proc_creation_win_service_execution.yml
proc_creation_win_service_stop.yml
proc_creation_win_set_policies_to_unsecure_level.yml
proc_creation_win_shadow_copies_access_symlink.yml
proc_creation_win_shadow_copies_creation.yml
proc_creation_win_shadow_copies_deletion.yml
proc_creation_win_sharpup.yml
proc_creation_win_shell_spawn_by_java.yml
proc_creation_win_shell_spawn_susp_program.yml
proc_creation_win_silenttrinity_stage_use.yml
proc_creation_win_software_discovery.yml
proc_creation_win_soundrec_audio_capture.yml
proc_creation_win_spn_enum.yml
proc_creation_win_sqlcmd_veeam_dump.yml
proc_creation_win_sqlite_firefox_cookies.yml
proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml
proc_creation_win_stickykey_like_backdoor.yml
proc_creation_win_stordiag_execution.yml
proc_creation_win_sus_auditpol_usage.yml
proc_creation_win_susp_7z.yml
proc_creation_win_susp_16bit_application.yml
proc_creation_win_susp_add_local_admin.yml
proc_creation_win_susp_add_user_remote_desktop.yml
proc_creation_win_susp_adfind_enumeration.yml
proc_creation_win_susp_adfind_usage.yml
proc_creation_win_susp_adidnsdump.yml
proc_creation_win_susp_advancedrun_priv_user.yml
proc_creation_win_susp_advancedrun.yml
proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
proc_creation_win_susp_base64_invoke.yml
proc_creation_win_susp_base64_load.yml
proc_creation_win_susp_bcdedit.yml
proc_creation_win_susp_bginfo.yml
proc_creation_win_susp_bitstransfer.yml
proc_creation_win_susp_builtin_commands_recon.yml
proc_creation_win_susp_calc.yml
proc_creation_win_susp_cdb.yml
proc_creation_win_susp_certutil_command.yml
proc_creation_win_susp_certutil_encode.yml
proc_creation_win_susp_char_in_cmd.yml
proc_creation_win_susp_child_process_as_system_.yml
proc_creation_win_susp_cipher.yml
proc_creation_win_susp_cli_escape.yml
proc_creation_win_susp_clsid_foldername.yml
proc_creation_win_susp_cmd_http_appdata.yml
proc_creation_win_susp_cmd_shadowcopy_access.yml
proc_creation_win_susp_codepage_lookup.yml
proc_creation_win_susp_codepage_switch.yml
proc_creation_win_susp_commandline_chars.yml
proc_creation_win_susp_compression_params.yml
proc_creation_win_susp_conhost_option.yml
proc_creation_win_susp_conhost.yml
proc_creation_win_susp_control_cve_2021_40444.yml
proc_creation_win_susp_control_dll_load.yml
proc_creation_win_susp_copy_lateral_movement.yml
proc_creation_win_susp_copy_system32.yml
proc_creation_win_susp_covenant.yml
proc_creation_win_susp_crackmapexec_execution.yml
proc_creation_win_susp_crackmapexec_flags.yml
proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml
proc_creation_win_susp_csc_folder.yml
proc_creation_win_susp_csc.yml
proc_creation_win_susp_cscript_vbs.yml
proc_creation_win_susp_csexec.yml
proc_creation_win_susp_csi.yml
proc_creation_win_susp_curl_download.yml
proc_creation_win_susp_curl_fileupload.yml
proc_creation_win_susp_curl_start_combo.yml
proc_creation_win_susp_curl_useragent.yml
proc_creation_win_susp_dctask64_proc_inject.yml
proc_creation_win_susp_del.yml
proc_creation_win_susp_desktopimgdownldr.yml
proc_creation_win_susp_devinit_lolbin.yml
proc_creation_win_susp_devtoolslauncher.yml
proc_creation_win_susp_dir.yml
proc_creation_win_susp_direct_asep_reg_keys_modification.yml
proc_creation_win_susp_disable_eventlog.yml
proc_creation_win_susp_disable_ie_features.yml
proc_creation_win_susp_disable_raccine.yml
proc_creation_win_susp_diskshadow.yml
proc_creation_win_susp_ditsnap.yml
proc_creation_win_susp_dllhost_no_cli.yml
proc_creation_win_susp_dnx.yml
proc_creation_win_susp_double_extension.yml
proc_creation_win_susp_download_office_domain.yml
proc_creation_win_susp_dtrace_kernel_dump.yml
proc_creation_win_susp_emotet_rundll32_execution.yml
proc_creation_win_susp_esentutl_params.yml
proc_creation_win_susp_eventlog_clear.yml
proc_creation_win_susp_execution_path_webserver.yml
proc_creation_win_susp_execution_path.yml
proc_creation_win_susp_explorer_break_proctree.yml
proc_creation_win_susp_explorer_nouaccheck.yml
proc_creation_win_susp_explorer.yml
proc_creation_win_susp_file_characteristics.yml
proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
proc_creation_win_susp_findstr_385201.yml
proc_creation_win_susp_findstr_lnk.yml
proc_creation_win_susp_finger_usage.yml
proc_creation_win_susp_firewall_disable.yml
proc_creation_win_susp_format.yml
proc_creation_win_susp_fsutil_usage.yml
proc_creation_win_susp_ftp.yml
proc_creation_win_susp_gpresult.yml
proc_creation_win_susp_gup_download.yml
proc_creation_win_susp_gup_execution.yml
proc_creation_win_susp_gup.yml
proc_creation_win_susp_hostname.yml
proc_creation_win_susp_iis_module_registration.yml
proc_creation_win_susp_image_missing.yml
proc_creation_win_susp_instalutil.yml
proc_creation_win_susp_invoke_webrequest_download.yml
proc_creation_win_susp_iss_module_install.yml
proc_creation_win_susp_lsass_clone.yml
proc_creation_win_susp_machineguid.yml
proc_creation_win_susp_missing_spaces.yml
proc_creation_win_susp_mofcomp_execution.yml
proc_creation_win_susp_mounted_share_deletion.yml
proc_creation_win_susp_mpiexec_lolbin.yml
proc_creation_win_susp_mshta_execution.yml
proc_creation_win_susp_mshta_pattern.yml
proc_creation_win_susp_mshtml_runhtmlapplication.yml
proc_creation_win_susp_msiexec_cwd.yml
proc_creation_win_susp_msiexec_web_install.yml
proc_creation_win_susp_msoffice.yml
proc_creation_win_susp_net_execution.yml
proc_creation_win_susp_net_use_password_plaintext.yml
proc_creation_win_susp_net_use.yml
proc_creation_win_susp_netsh_command.yml
proc_creation_win_susp_netsh_dll_persistence.yml
proc_creation_win_susp_network_command.yml
proc_creation_win_susp_network_listing_connections.yml
proc_creation_win_susp_new_kernel_driver_via_sc.yml
proc_creation_win_susp_new_service_creation.yml
proc_creation_win_susp_ngrok_pua.yml
proc_creation_win_susp_nmap.yml
proc_creation_win_susp_non_exe_image.yml
proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml
proc_creation_win_susp_ntdll_type_redirect.yml
proc_creation_win_susp_ntds.yml
proc_creation_win_susp_ntdsutil.yml
proc_creation_win_susp_ntlmrelay.yml
proc_creation_win_susp_odbcconf.yml
proc_creation_win_susp_openas_rundll_usage.yml
proc_creation_win_susp_openwith.yml
proc_creation_win_susp_outlook_temp.yml
proc_creation_win_susp_outlook.yml
proc_creation_win_susp_parents.yml
proc_creation_win_susp_pcwutl.yml
proc_creation_win_susp_pester_parent.yml
proc_creation_win_susp_pester.yml
proc_creation_win_susp_ping_hex_ip.yml
proc_creation_win_susp_plink_remote_forward.yml
proc_creation_win_susp_plink_usage.yml
proc_creation_win_susp_powershell_cmd_patterns.yml
proc_creation_win_susp_powershell_download_cradles.yml
proc_creation_win_susp_powershell_download_iex.yml
proc_creation_win_susp_powershell_empire_launch.yml
proc_creation_win_susp_powershell_empire_uac_bypass.yml
proc_creation_win_susp_powershell_enc_cmd.yml
proc_creation_win_susp_powershell_encode.yml
proc_creation_win_susp_powershell_encoded_param.yml
proc_creation_win_susp_powershell_getprocess_lsass.yml
proc_creation_win_susp_powershell_hidden_b64_cmd.yml
proc_creation_win_susp_powershell_iex_patterns.yml
proc_creation_win_susp_powershell_parent_combo.yml
proc_creation_win_susp_powershell_parent_process.yml
proc_creation_win_susp_powershell_sam_access.yml
proc_creation_win_susp_powershell_sub_processes.yml
proc_creation_win_susp_powershell_webclient_casing.yml
proc_creation_win_susp_pressynkey_lolbin.yml
proc_creation_win_susp_print.yml
proc_creation_win_susp_procdump_lsass.yml
proc_creation_win_susp_progname.yml
proc_creation_win_susp_ps_appdata.yml
proc_creation_win_susp_ps_downloadfile.yml
proc_creation_win_susp_ps_encoded_obfusc.yml
proc_creation_win_susp_psexec_eula.yml
proc_creation_win_susp_psexex_paexec_escalate_system.yml
proc_creation_win_susp_psexex_paexec_flags.yml
proc_creation_win_susp_psloglist.yml
proc_creation_win_susp_psr_capture_screenshots.yml
proc_creation_win_susp_radmin.yml
proc_creation_win_susp_rar_flags.yml
proc_creation_win_susp_rasdial_activity.yml
proc_creation_win_susp_razorinstaller_explorer.yml
proc_creation_win_susp_rclone_execution.yml
proc_creation_win_susp_recon_network_activity.yml
proc_creation_win_susp_recon.yml
proc_creation_win_susp_redir_local_admin_share.yml
proc_creation_win_susp_reg_add.yml
proc_creation_win_susp_reg_bitlocker.yml
proc_creation_win_susp_reg_disable_sec_services.yml
proc_creation_win_susp_reg_open_command.yml
proc_creation_win_susp_regedit_trustedinstaller.yml
proc_creation_win_susp_register_cimprovider.yml
proc_creation_win_susp_registration_via_cscript.yml
proc_creation_win_susp_regsvr32_anomalies.yml
proc_creation_win_susp_regsvr32_flags_anomaly.yml
proc_creation_win_susp_regsvr32_http_pattern.yml
proc_creation_win_susp_regsvr32_image.yml
proc_creation_win_susp_regsvr32_no_dll.yml
proc_creation_win_susp_regsvr32_spawn_explorer.yml
proc_creation_win_susp_renamed_adfind.yml
proc_creation_win_susp_renamed_dctask64.yml
proc_creation_win_susp_renamed_debugview.yml
proc_creation_win_susp_renamed_paexec.yml
proc_creation_win_susp_rpcping.yml
proc_creation_win_susp_run_folder.yml
proc_creation_win_susp_run_locations.yml
proc_creation_win_susp_rundll32_activity.yml
proc_creation_win_susp_rundll32_by_ordinal.yml
proc_creation_win_susp_rundll32_inline_vbs.yml
proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
proc_creation_win_susp_rundll32_keymgr.yml
proc_creation_win_susp_rundll32_no_params.yml
proc_creation_win_susp_rundll32_script_run.yml
proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml
proc_creation_win_susp_rundll32_spawn_explorer.yml
proc_creation_win_susp_rundll32_sys.yml
proc_creation_win_susp_rundll32_user32_dll.yml
proc_creation_win_susp_runonce_execution.yml
proc_creation_win_susp_runscripthelper.yml
proc_creation_win_susp_sc_query.yml
proc_creation_win_susp_schtask_creation_temp_folder.yml
proc_creation_win_susp_schtask_creation.yml
proc_creation_win_susp_schtasks_change.yml
proc_creation_win_susp_schtasks_disable.yml
proc_creation_win_susp_schtasks_env_folder.yml
proc_creation_win_susp_schtasks_folder_combos.yml
proc_creation_win_susp_schtasks_parent.yml
proc_creation_win_susp_schtasks_pattern.yml
proc_creation_win_susp_schtasks_schedule_type.yml
proc_creation_win_susp_schtasks_user_temp.yml
proc_creation_win_susp_screenconnect_access.yml
proc_creation_win_susp_screensaver_reg.yml
proc_creation_win_susp_script_exec_from_env_folder.yml
proc_creation_win_susp_script_exec_from_temp.yml
proc_creation_win_susp_script_execution.yml
proc_creation_win_susp_service_dacl_modification.yml
proc_creation_win_susp_service_dir.yml
proc_creation_win_susp_service_modification.yml
proc_creation_win_susp_service_path_modification.yml
proc_creation_win_susp_service_stop.yml
proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
proc_creation_win_susp_servu_process_pattern.yml
proc_creation_win_susp_sharpview.yml
proc_creation_win_susp_shell_spawn_by_java_keytool.yml
proc_creation_win_susp_shell_spawn_by_java.yml
proc_creation_win_susp_shell_spawn_from_mssql.yml
proc_creation_win_susp_shell_spawn_from_winrm.yml
proc_creation_win_susp_shimcache_flush.yml
proc_creation_win_susp_shutdown.yml
proc_creation_win_susp_splwow64.yml
proc_creation_win_susp_spoolsv_child_processes.yml
proc_creation_win_susp_squirrel_lolbin.yml
proc_creation_win_susp_svchost_no_cli.yml
proc_creation_win_susp_svchost.yml
proc_creation_win_susp_sysprep_appdata.yml
proc_creation_win_susp_system_user_anomaly.yml
proc_creation_win_susp_systeminfo.yml
proc_creation_win_susp_sysvol_access.yml
proc_creation_win_susp_takeown.yml
proc_creation_win_susp_target_location_shell32.yml
proc_creation_win_susp_taskkill.yml
proc_creation_win_susp_tasklist_command.yml
proc_creation_win_susp_taskmgr_localsystem.yml
proc_creation_win_susp_taskmgr_parent.yml
proc_creation_win_susp_tracker_execution.yml
proc_creation_win_susp_trolleyexpress_procdump.yml
proc_creation_win_susp_tscon_localsystem.yml
proc_creation_win_susp_tscon_rdp_redirect.yml
proc_creation_win_susp_uac_bypass_trustedpath.yml
proc_creation_win_susp_use_of_csharp_console.yml
proc_creation_win_susp_use_of_sqlps_bin.yml
proc_creation_win_susp_use_of_sqltoolsps_bin.yml
proc_creation_win_susp_use_of_te_bin.yml
proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
proc_creation_win_susp_userinit_child.yml
proc_creation_win_susp_vaultcmd.yml
proc_creation_win_susp_vboxdrvinst.yml
proc_creation_win_susp_vbscript_unc2452.yml
proc_creation_win_susp_volsnap_disable.yml
proc_creation_win_susp_web_request_cmd.yml
proc_creation_win_susp_web_sysaidserver.yml
proc_creation_win_susp_webdav_client_execution.yml
proc_creation_win_susp_where_execution.yml
proc_creation_win_susp_whoami_anomaly.yml
proc_creation_win_susp_whoami_as_param.yml
proc_creation_win_susp_whoami.yml
proc_creation_win_susp_winrar_dmp.yml
proc_creation_win_susp_winrar_execution.yml
proc_creation_win_susp_winrm_awl_bypass.yml
proc_creation_win_susp_winrm_execution.yml
proc_creation_win_susp_winzip.yml
proc_creation_win_susp_wmic_eventconsumer_create.yml
proc_creation_win_susp_wmic_execution.yml
proc_creation_win_susp_wmic_proc_create.yml
proc_creation_win_susp_wmic_security_product_uninstall.yml
proc_creation_win_susp_workfolders.yml
proc_creation_win_susp_wuauclt_cmdline.yml
proc_creation_win_susp_wuauclt.yml
proc_creation_win_susp_zip_compress.yml
proc_creation_win_susp_zipexec.yml
proc_creation_win_suspicious_psexesvc_as_system.yml
proc_creation_win_suspicious_psexesvc_renamed.yml
proc_creation_win_suspicious_psexesvc.yml
proc_creation_win_sysinternals_eula_accepted.yml
proc_creation_win_sysinternals_psservice.yml
proc_creation_win_sysmon_driver_unload.yml
proc_creation_win_sysmon_uac_bypass_eventvwr.yml
proc_creation_win_sysnative.yml
proc_creation_win_system_exe_anomaly.yml
proc_creation_win_tamper_defender_remove_mppreference.yml
proc_creation_win_tap_installer_execution.yml
proc_creation_win_task_folder_evasion.yml
proc_creation_win_termserv_proc_spawn.yml
proc_creation_win_tool_nircmd_as_system.yml
proc_creation_win_tool_nircmd.yml
proc_creation_win_tool_nsudo_execution.yml
proc_creation_win_tool_psexec.yml
proc_creation_win_tool_runx_as_system.yml
proc_creation_win_tools_relay_attacks.yml
proc_creation_win_tools_uac_bypass_computerdefaults.yml
proc_creation_win_tor_browser.yml
proc_creation_win_trufflesnout.yml
proc_creation_win_trust_discovery.yml
proc_creation_win_uac_bypass_changepk_slui.yml
proc_creation_win_uac_bypass_cleanmgr.yml
proc_creation_win_uac_bypass_cmstp.yml
proc_creation_win_uac_bypass_consent_comctl32.yml
proc_creation_win_uac_bypass_dismhost.yml
proc_creation_win_uac_bypass_fodhelper.yml
proc_creation_win_uac_bypass_idiagnostic_profile.yml
proc_creation_win_uac_bypass_ieinstal.yml
proc_creation_win_uac_bypass_msconfig_gui.yml
proc_creation_win_uac_bypass_ntfs_reparse_point.yml
proc_creation_win_uac_bypass_pkgmgr_dism.yml
proc_creation_win_uac_bypass_winsat.yml
proc_creation_win_uac_bypass_wmp.yml
proc_creation_win_uac_bypass_wsreset_integrity_level.yml
proc_creation_win_uac_bypass_wsreset.yml
proc_creation_win_uninstall_crowdstrike_falcon.yml
proc_creation_win_uninstall_sysmon.yml
proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml
proc_creation_win_using_sc_to_hide_sevices.yml
proc_creation_win_using_settingsynchost_as_lolbin.yml
proc_creation_win_verclsid_runs_com.yml
proc_creation_win_vmtoolsd_susp_child_process.yml
proc_creation_win_vul_java_remote_debugging.yml
proc_creation_win_wab_execution_from_non_default_location.yml
proc_creation_win_wab_unusual_parents.yml
proc_creation_win_webbrowserpassview.yml
proc_creation_win_webshell_detection.yml
proc_creation_win_webshell_hacking.yml
proc_creation_win_webshell_recon_detection.yml
proc_creation_win_webshell_spawn.yml
proc_creation_win_whoami_as_priv_user.yml
proc_creation_win_whoami_as_system.yml
proc_creation_win_whoami_priv.yml
proc_creation_win_win10_sched_task_0day.yml
proc_creation_win_win_exchange_transportagent.yml
proc_creation_win_windows_terminal_susp_children.yml
proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
proc_creation_win_wmi_persistence_script_event_consumer.yml
proc_creation_win_wmi_spwns_powershell.yml
proc_creation_win_wmic_group_recon.yml
proc_creation_win_wmic_hotfix_enum.yml
proc_creation_win_wmic_reconnaissance.yml
proc_creation_win_wmic_remote_command.yml
proc_creation_win_wmic_remote_service.yml
proc_creation_win_wmic_remove_application.yml
proc_creation_win_wmic_service.yml
proc_creation_win_wmic_unquoted_service_search.yml
proc_creation_win_wmiprvse_spawning_process.yml
proc_creation_win_workflow_compiler.yml
proc_creation_win_wpbbin_persistence.yml
proc_creation_win_write_protect_for_storage_disabled.yml
proc_creation_win_wscript_shell_cli.yml
proc_creation_win_wusa_susp_cab_extraction.yml
proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml
proc_creation_win_xordump.yml
proc_creation_win_xsl_script_processing.yml