security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
19396788dbedc57249a46efed2bb1927abc376d4
blue-team-tools/rules/windows/process_creation
T
History
Nasreddine Bencherchali 19396788db Merge pull request #3831 from redsand/fp_suspicious_process_privilege 
FP: filters out erl.exe running handle.exe with elevated privileges
2022-12-28 21:18:54 +01:00
..
proc_creation_win_7zip_cve_2022_29072.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_aadinternals_cmdlets_execution.yml
fix: fp section
2022-12-23 19:24:08 +01:00
proc_creation_win_abusing_debug_privilege.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_abusing_windows_telemetry_for_persistence.yml
feat: multiple update and enhancements
2022-12-19 17:41:40 +01:00
proc_creation_win_accesschk_usage_after_priv_escalation.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_advanced_ip_scanner.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_advanced_port_scanner.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_alternate_data_streams.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_always_install_elevated_windows_installer.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_anydesk_piped_password_via_cli.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_anydesk_silent_install.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_anydesk_susp_folder.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_anydesk.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_actinium_persistence.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_apt29_thinktanks.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_babyshark.yml
fix: fix remarks after review
2022-11-15 10:01:11 +01:00
proc_creation_win_apt_bear_activity_gtr19.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_apt_bluemashroom.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_chafer_mar18.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_cloudhopper.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_apt_dragonfly.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_elise.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_emissarypanda_sep19.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_empiremonkey.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_equationgroup_dll_u_load.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_evilnum_jul20.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_gallium_sha1.yml
Update Title (#3733)
2022-11-28 06:43:17 +01:00
proc_creation_win_apt_gallium.yml
Fix related
2022-10-09 17:28:05 +02:00
proc_creation_win_apt_gamaredon_ultravnc.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_greenbug_may20.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_apt_hafnium.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_apt_hurricane_panda.yml
fix: broken single item lists
2022-12-08 16:23:58 +01:00
proc_creation_win_apt_judgement_panda_gtr19.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_ke3chang_regadd.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_lazarus_activity_apr21.yml
Update title (#3746)
2022-12-02 18:10:43 +01:00
proc_creation_win_apt_lazarus_activity_dec20.yml
Update title (#3746)
2022-12-02 18:10:43 +01:00
proc_creation_win_apt_lazarus_loader.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_lazarus_session_highjack.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_mercury.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_muddywater_dnstunnel.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_mustangpanda.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_revil_kaseya.yml
fix: detection with Windows Defender
2022-05-20 19:27:48 +02:00
proc_creation_win_apt_silence_downloader_v3.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_slingshot.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_apt_sofacy.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_sourgrum.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_apt_ta17_293a_ps.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_ta505_dropper.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_taidoor.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_tropictrooper.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_turla_commands_critical.yml
Update title (#3746)
2022-12-02 18:10:43 +01:00
proc_creation_win_apt_turla_commands_medium.yml
Update title (#3746)
2022-12-02 18:10:43 +01:00
proc_creation_win_apt_turla_comrat_may20.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_unc2452_cmds.yml
Refractor (#3794)
2022-12-18 21:00:14 +01:00
proc_creation_win_apt_unc2452_ps.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_apt_unidentified_nov_18.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_winnti_mal_hk_jan20.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_winnti_pipemon.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_apt_wocao.yml
Add missing definition section for EID 4697
2022-10-10 10:22:46 +02:00
proc_creation_win_apt_zxshell.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_archiver_iso_phishing.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_asr_bypass_via_appvlp_re.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_attrib_hiding_files.yml
fix: fix remarks after review
2022-11-15 10:01:11 +01:00
proc_creation_win_attrib_system_susp_paths.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_attrib_system.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_automated_collection.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_bad_opsec_sacrificial_processes.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_base64_invoke_susp_cmdlets.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_base64_listing_shadowcopy.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_base64_reflective_assembly_load.yml
Update proc_creation_win_base64_reflective_assembly_load.yml
2022-11-17 13:03:32 -05:00
proc_creation_win_bitsadmin_download_susp_domain.yml
feat: general updates and fixes
2022-12-02 23:16:03 +01:00
proc_creation_win_bitsadmin_download_susp_ext.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_bitsadmin_download_susp_ip.yml
fix: update logic
2022-12-13 23:49:58 +01:00
proc_creation_win_bitsadmin_download_susp_targetfolder.yml
fix: update logic
2022-12-13 23:49:58 +01:00
proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
fix: update logic
2022-12-13 23:49:58 +01:00
proc_creation_win_bitsadmin_download.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_bootconf_mod.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_browser_remote_debugging.yml
feat: updates and enhancements
2022-12-23 18:37:59 +01:00
proc_creation_win_bypass_squiblytwo.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_c2_sliver.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_c3_load_by_rundll32.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_certoc_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_certutil_ntlm_coercion.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_change_default_file_assoc_susp.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_change_default_file_association.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_chisel_usage.yml
feat: update metadata and add more cases for rules
2022-12-07 02:26:21 +01:00
proc_creation_win_chrome_load_extension.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_chromium_headless_debugging.yml
feat: updates and enhancements
2022-12-23 18:37:59 +01:00
proc_creation_win_cleanwipe.yml
Fix after review
2022-09-02 17:44:53 +02:00
proc_creation_win_clip.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_cmd_delete.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_cmd_dosfuscation.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_cmd_read_contents.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_cmd_redirect.yml
fix: more fp found in testing and enhance fp metadata
2022-12-13 11:25:23 +01:00
proc_creation_win_cmd_redirection_susp_folder.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_cmdkey_recon.yml
Remove unneeded star
2022-06-11 12:58:14 +02:00
proc_creation_win_cmstp_com_object_access.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_cmstp_execution_by_creation.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_cobaltstrike_bloopers_cmd.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_cobaltstrike_bloopers_modules.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_cobaltstrike_load_by_rundll32.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_cobaltstrike_process_patterns.yml
Fix FP
2022-11-07 12:11:30 +01:00
proc_creation_win_commandline_path_traversal_evasion.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_commandline_path_traversal.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_computer_discovery_get_adcomputer.yml
Rule Dev
2022-11-18 11:15:28 +01:00
proc_creation_win_conhost_path_traversal.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_conti_cmd_ransomware.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_conti_sqlcmd.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_control_panel_item.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_copy_browser_data.yml
fix: wrong category
2022-12-23 19:27:34 +01:00
proc_creation_win_copy_dmp_from_share.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_copying_sensitive_files_with_credential_data.yml
fix: fixed broken condition
2022-11-15 00:02:19 +01:00
proc_creation_win_crackmapexec_patterns.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_create_link_osk_cmd.yml
docs: change modified date
2022-12-21 08:57:05 +01:00
proc_creation_win_creative_cloud_node_abuse.yml
feat: Add new rule for Creative Cloud node abuse
2022-04-07 10:50:50 +02:00
proc_creation_win_credential_access_via_password_filter.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_credential_acquisition_registry_hive_dumping.yml
feat: add missing OriginalFileName field
2022-11-14 23:08:19 +01:00
proc_creation_win_crime_fireball.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_crime_maze_ransomware.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_crime_snatch_ransomware.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_crypto_mining_monero.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_curl_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_cve_2021_26857_msexchange.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_data_compressed_with_rar.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_delete_systemstatebackup.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_detecting_fake_instances_of_hxtsr.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_deviceenroller_evasion.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dinjector.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dirlister.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_disable_defender_av_security_monitoring.yml
fix: rename rule to be conform to the title
2022-11-18 17:54:13 +01:00
proc_creation_win_disable_service.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_discover_private_keys.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dll_sideload_defender.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dll_sideload_vmware_xfer.yml
Update proc_creation_win_dll_sideload_vmware_xfer.yml
2022-08-29 07:27:21 +02:00
proc_creation_win_dns_exfiltration_tools_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dns_serverlevelplugindll.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dnscat2_powershell_implementation.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dnscmd_discovery.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dotnet.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dsacls_abuse_permissions.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dsacls_password_spray.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dsim_remove.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_dumpstack_log_evasion.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_email_exfil_via_powershell.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_embed_exe_lnk.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_encoded_frombase64string.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_encoded_iex.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_enumeration_for_credentials_cli.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_enumeration_for_credentials_in_registry.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_esentutl_webcache.yml
Update proc_creation_win_esentutl_webcache.yml
2022-10-31 20:56:29 +01:00
proc_creation_win_etw_modification_cmdline.yml
fix: update title to reflect logic
2022-12-09 19:37:53 +01:00
proc_creation_win_etw_trace_evasion.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_evil_winrm.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_exfil_data_via_cli.yml
Update proc_creation_win_exfil_data_via_cli.yml
2022-08-04 10:58:56 +01:00
proc_creation_win_exfiltration_and_tunneling_tools_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_expand_cabinet_files.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_exploit_cve_2015_1641.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_exploit_cve_2017_0261.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_exploit_cve_2017_8759.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_exploit_cve_2017_11882.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_exploit_cve_2019_1378.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_exploit_cve_2019_1388.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_exploit_cve_2020_1048.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_exploit_cve_2020_1350.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_exploit_cve_2020_10189.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_exploit_lpe_cve_2021_41379.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_exploit_systemnightmare.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_false_sysinternalsuite.yml
fix: update metadata
2022-12-09 10:34:06 +01:00
proc_creation_win_file_permission_modifications.yml
fix: fix typo in title and add FP comment
2022-11-21 12:27:54 +01:00
proc_creation_win_findstr_gpp_passwords.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_findstr_lsass.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_findstr_recon_everyone.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_firewall_disabled_via_powershell.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_frombase64string_archive.yml
Apply suggestions from code review
2022-12-23 12:34:56 +01:00
proc_creation_win_frp.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_fsutil_drive_enumeration.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_fsutil_symlinkevaluation.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_get_localgroup_member_recon.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_gmer_execution.yml
change: make uppercase in Sysmon version
2022-10-06 09:27:26 +02:00
proc_creation_win_gotoopener.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_gpg4win_susp_usage.yml
Update proc_creation_win_gpg4win_susp_usage.yml
2022-12-03 13:09:50 +01:00
proc_creation_win_grabbing_sensitive_hives_via_reg.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_adcspwn.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_bloodhound.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_cube0x0_tools.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_dumpert.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_hack_htran.yml
rule: HTran / NATBypass usage
2022-12-27 11:58:44 +01:00
proc_creation_win_hack_hydra.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_inveigh.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_koadic.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_krbrelay.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_krbrelayup.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_rubeus.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_safetykatz.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_secutyxploded.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_sharpersist.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_sharpldapwhoami.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hack_sysmoneop.yml
rule: SysmonEOP
2022-12-04 14:36:04 +01:00
proc_creation_win_hack_wce.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hacktool_imphashes.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_handlekatz.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hashcat.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_headless_browser_file_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hh_chm_http.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hh_chm.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hiding_malware_in_fonts_folder.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_high_integrity_sdclt.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hktl_createminidump.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hktl_uacme_uac_bypass.yml
chore: change modified date
2022-11-19 08:48:43 +01:00
proc_creation_win_html_help_spawn.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_hwp_exploits.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_icacls_deny.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_iis_connection_strings_decryption.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_iis_http_logging.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_iis_service_account_password_dumped.yml
fix: fp found in testing
2022-12-18 15:07:47 +01:00
proc_creation_win_imaging_devices_unusual_parents.yml
New rules
2022-09-28 09:51:13 +02:00
proc_creation_win_impacket_compiled_tools.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_impacket_lateralization.yml
fix: update metadata
2022-12-09 10:34:06 +01:00
proc_creation_win_impersonate_tool.yml
Create Possible Manipulation Of Tokens on a Windows computers remotely Detected via impersonate (#3803)
2022-12-21 13:27:22 +01:00
proc_creation_win_import_cert_susp_locations.yml
Big Update
2022-09-09 15:02:31 +02:00
proc_creation_win_indirect_cmd.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_indirect_command_execution_forfiles.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_infdefaultinstall.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_inline_base64_mz_header.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_inline_win_api_access.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_install_reg_debugger_backdoor.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_interactive_at.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_invoke_obfuscation_clip.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_invoke_obfuscation_stdin.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
proc_creation_win_invoke_obfuscation_var.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
proc_creation_win_invoke_obfuscation_via_compress.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
proc_creation_win_invoke_obfuscation_via_rundll.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
proc_creation_win_invoke_obfuscation_via_stdin.yml
fix: Windows Defender detection
2022-12-28 20:52:53 +01:00
proc_creation_win_invoke_obfuscation_via_use_clip.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
proc_creation_win_invoke_obfuscation_via_use_mhsta.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
proc_creation_win_invoke_obfuscation_via_var.yml
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
proc_creation_win_iox.yml
rules: refactored FRP, new IOX
2022-10-08 09:32:36 +02:00
proc_creation_win_jlaive_batch_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_ldifde_file_load.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lethalhta.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_local_system_owner_account_discovery.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_logmein.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_adplus.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_agentexecutor_susp_usage.yml
fix: broken selection
2022-12-24 14:11:32 +01:00
proc_creation_win_lolbin_agentexecutor.yml
fix: enhance logic of AgentExecutor rules
2022-12-24 14:10:21 +01:00
proc_creation_win_lolbin_aspnet_compiler.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_lolbin_bash.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_certoc_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_cl_invocation.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_lolbin_cl_loadassembly.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_cl_mutexverifiers.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_class_exec_xwizard.yml
fix: explicitly escape { to make it clear that it is a literal (#3737)
2022-11-30 11:43:49 +01:00
proc_creation_win_lolbin_cmdl32.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_configsecuritypolicy.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_customshellhost.yml
Update proc_creation_win_lolbin_customshellhost.yml
2022-08-20 10:27:40 +02:00
proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_device_credential_deployment.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_diantz_ads.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_lolbin_diantz_remote_cab.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_dll_sideload_xwizard.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_lolbin_dump64.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_lolbin_execution_via_winget.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_extexport.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_extrac32_ads.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_lolbin_extrac32.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_findstr.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_forfiles.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_fsharp_interpreters.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_ftp.yml
fix: rename ftp.exe rule to lolbin rule
2022-11-10 17:06:28 +01:00
proc_creation_win_lolbin_gpscript.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_ie4uinit.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_ieexec_download.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_ilasm.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_installutil_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_jsc.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_kavremover.yml
Update proc_creation_win_lolbin_kavremover.yml
2022-11-01 19:01:40 +01:00
proc_creation_win_lolbin_launch_vsdevshell.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_mavinject_process_injection.yml
feat: new rules and fixes (#3759)
2022-12-06 12:13:20 +01:00
proc_creation_win_lolbin_mftrace.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_msdt_answer_file.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_msohtmed_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_mspub_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_not_from_c_drive.yml
Update and rename proc_creation_win_rundll32_not_from_c_drive.yml to … (#3609)
2022-12-02 19:44:44 +01:00
proc_creation_win_lolbin_offlinescannershell.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_openconsole.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_pcalua.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_pcwrun_follina.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_pcwrun.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_pktmon.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_presentationhost_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_presentationhost.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_printbrm.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_pubprn.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_rasautou_dll_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_regasm.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_register_app.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_remote.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_replace.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_rundll32_installscreensaver.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_scriptrunner.yml
Update proc_creation_win_lolbin_scriptrunner.yml
2022-11-10 13:26:03 -05:00
proc_creation_win_lolbin_setres.yml
Update proc_creation_win_lolbin_setres.yml
2022-12-12 17:09:26 -05:00
proc_creation_win_lolbin_settingsynchost.yml
feat: rename rule to fit convention
2022-11-18 13:45:18 +01:00
proc_creation_win_lolbin_sftp.yml
fix: apply suggestions from code review
2022-11-11 10:03:24 +01:00
proc_creation_win_lolbin_sideload_link_binary.yml
Update proc_creation_win_lolbin_sideload_link_binary.yml
2022-08-22 20:17:22 +01:00
proc_creation_win_lolbin_sigverif.yml
LOLBIN Updates
2022-08-19 23:05:46 +01:00
proc_creation_win_lolbin_squirrel.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_susp_acccheckconsole.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_susp_atbroker.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_lolbin_susp_certreq_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_susp_dxcap.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_susp_grpconv.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_susp_mpcmdrun_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_susp_sqldumper_activity.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_susp_wsl.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_ttdinject.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_tttracer_mod_load.yml
Fix related
2022-10-09 17:28:05 +02:00
proc_creation_win_lolbin_type.yml
feat: new rule related to using type as lolbin
2022-12-14 15:37:46 +01:00
proc_creation_win_lolbin_utilityfunctions.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_visual_basic_compiler.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_visualuiaverifynative.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_vsiisexelauncher.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_wfc.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_winword.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbin_wlrmdr.yml
feat: new rules and fixes (#3759)
2022-12-06 12:13:20 +01:00
proc_creation_win_lolbins_by_office_applications.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_long_powershell_commandline.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_lsass_dump.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_lsass_shtinkering.yml
fix: rename rule to follow convention
2022-12-14 15:37:28 +01:00
proc_creation_win_mailboxexport_share.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mal_adwind.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_mal_blue_mockingbird.yml
Fix related
2022-10-09 17:28:05 +02:00
proc_creation_win_mal_darkside_ransomware.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mal_hermetic_wiper_activity.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mal_lockergoga_ransomware.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mal_ryuk.yml
Update title (#3746)
2022-12-02 18:10:43 +01:00
proc_creation_win_malware_conti_7zip.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_malware_conti_shadowcopy.yml
fix: update rules with more cases
2022-11-10 17:04:52 +01:00
proc_creation_win_malware_conti.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_malware_dridex.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_malware_dtrack.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_malware_emotet.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_malware_formbook.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_malware_notpetya.yml
refactor: NotPetya rule
2022-12-15 13:57:56 +01:00
proc_creation_win_malware_qbot.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_malware_ryuk.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_malware_script_dropper.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_malware_trickbot_recon_activity.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_malware_trickbot_wermgr.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_malware_wannacry.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_manage_bde_lolbas.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mimikatz_command_line.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mmc20_lateral_movement.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mmc_spawn_shell.yml
fix: broken single item lists
2022-12-08 16:23:58 +01:00
proc_creation_win_modif_of_services_for_via_commandline.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_modify_group_policy_settings.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_monitoring_for_persistence_via_bits.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mouse_lock.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_msdeploy.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_msdt_diagcab.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_msdt_susp_cab_options.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_msdt_susp_parent.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_msdt.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_msedge_minimized_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mshta_http.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mshta_javascript.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mshta_spawn_shell.yml
fix: broken single item lists
2022-12-08 16:23:58 +01:00
proc_creation_win_msiexec_dll.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_msiexec_embedding.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_msiexec_execute_dll.yml
fix: syntax error, additional comma
2022-12-08 17:34:56 +01:00
proc_creation_win_msiexec_install_quiet.yml
Update proc_creation_win_msiexec_install_quiet.yml
2022-10-28 18:03:47 +02:00
proc_creation_win_msiexec_install_remote.yml
Fix small typos
2022-10-28 23:51:43 +02:00
proc_creation_win_msra_process_injection.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_mstsc.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_multiple_susp_cli.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_net_default_accounts_manipulation.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_net_enum.yml
Update backslash
2022-08-13 09:59:31 +02:00
proc_creation_win_net_recon.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_net_use_admin_share.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_net_user_add_never_expire.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_net_user_add.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_netcat_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_netsh_allow_port_rdp.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_netsh_fw_add_susp_image.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_netsh_fw_add.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_netsh_fw_delete.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_netsh_fw_enable_group_rule.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_netsh_packet_capture.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_netsh_port_fwd_3389.yml
add another character
2022-11-14 17:06:20 +01:00
proc_creation_win_netsh_port_fwd.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_netsh_wifi_credential_harvesting.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_netsupport.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_network_scan_loop.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_network_sniffing.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_new_network_provider.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_new_service_creation.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_nimgrab.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_nltest_recon.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_node_abuse.yml
Big Update
2022-09-09 15:02:31 +02:00
proc_creation_win_non_interactive_powershell.yml
Fix typo in conditions
2022-11-08 12:10:20 +01:00
proc_creation_win_non_priv_reg_or_ps.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_nps.yml
rule: NPS tunneling tool
2022-10-08 09:49:51 +02:00
proc_creation_win_nslookup_poweshell_download.yml
fix: enhance logic and severity
2022-12-19 11:21:24 +01:00
proc_creation_win_ntdsutil_usage.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_ntfs_short_name_path_use_cli.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_ntfs_short_name_path_use_image.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_ntfs_short_name_use_cli.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_ntfs_short_name_use_image.yml
fix: fix FP found in testing
2022-12-12 13:40:55 +01:00
proc_creation_win_obfuscated_ip_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_obfuscated_ip_via_cli.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_office_applications_spawning_wmi_commandline.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_office_dir_traversal_cli.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_office_proxy_exec_wmic.yml
feat: general updates and fixes
2022-12-02 23:16:03 +01:00
proc_creation_win_office_shell.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_office_spawn_exe_from_users_directory.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_office_spawning_wmi_commandline.yml
Update title (#3746)
2022-12-02 18:10:43 +01:00
proc_creation_win_office_svchost_child.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_outlook_shell.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_pdq_deploy.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_pdqdeploy_runner_susp_children.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_persistence_typed_paths.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_pingback_backdoor.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_plugx_susp_exe_locations.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_powershell_amsi_bypass.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_audio_capture.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_b64_shellcode.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_cmdline_convertto_securestring.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_cmdline_reversed_strings.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_cmdline_special_characters.yml
Refractor (#3794)
2022-12-18 21:00:14 +01:00
proc_creation_win_powershell_cmdline_specific_comb_methods.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_cmdline_susp_comb_methods.yml
Update title (#3746)
2022-12-02 18:10:43 +01:00
proc_creation_win_powershell_defender_base64.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_defender_disable_feature.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_defender_exclusion.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_dll_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_downgrade_attack.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_download_patterns.yml
Update rules
2022-11-09 16:13:17 +01:00
proc_creation_win_powershell_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_frombase64string.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_get_clipboard.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_powershell_public_folder.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_reverse_shell_connection.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_snapins_hafnium.yml
feat: enhance pssnapin rule
2022-12-09 16:38:32 +01:00
proc_creation_win_powershell_susp_parameter_variation.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powershell_token_obfuscation.yml
PowerShell Token Obfuscation (#3825)
2022-12-27 20:03:05 +01:00
proc_creation_win_powershell_xor_commandline.yml
fix: add more filters and update image field
2022-12-16 17:59:24 +01:00
proc_creation_win_powersploit_empire_schtasks.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_powertool_execution.yml
feat: new powertool rule
2022-11-29 23:24:49 +01:00
proc_creation_win_priv_escalation_via_named_pipe.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_proc_dump_createdump.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_proc_dump_dumpminitool.yml
feat: add more clarification to the test (#3710)
2022-11-18 11:15:50 +01:00
proc_creation_win_proc_dump_rdrleakdiag.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_proc_dump_susp_dumpminitool.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_proc_wrong_parent.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_procdump_evasion.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_procdump.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_process_dump_rdrleakdiag.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_process_dump_rundll32_comsvcs.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_protocolhandler_susp_file.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_proxy_execution_wuauclt.yml
Fix related
2022-10-09 17:28:05 +02:00
proc_creation_win_ps_download_com_cradles.yml
Rules for Issue 575 (#3820)
2022-12-27 15:17:45 +01:00
proc_creation_win_ps_exec_data_file.yml
Rules for Issue 575 (#3820)
2022-12-27 15:17:45 +01:00
proc_creation_win_psexesvc_start.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_psh_amsi_bypass_pattern_nov22.yml
rule: amsi bypass
2022-11-09 09:44:31 +01:00
proc_creation_win_pua_defendercheck.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_pua_seatbelt.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_public_folder_parent.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_purplesharp_indicators.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_pypykatz.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_python_pty_spawn.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_quarks_pwdump.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_query_registry.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_query_session_exfil.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_ransom_blackbyte.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_rar_susp_greedy.yml
fix: indentation and selection names for clarity
2022-12-27 16:26:20 +01:00
proc_creation_win_raspberry_robin_single_dot_ending_file.yml
fix: fix fp in testing
2022-11-28 13:19:37 +01:00
proc_creation_win_rdp_hijack_shadowing.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_rdp_session_hijacking.yml
rewrite issue 1555 (#3818)
2022-12-27 19:28:34 +01:00
proc_creation_win_redirect_local_admin_share.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_redirect_to_stream.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_redmimicry_winnti_proc.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_reg_add_run_key.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_reg_add_safeboot.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_reg_defender_exclusion.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_reg_defender_tampering.yml
feat: update defender reg tamper rule
2022-11-18 18:11:59 +01:00
proc_creation_win_reg_delete_safeboot.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_reg_delete_services.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_reg_dump_sam.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_reg_enable_rdp.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_reg_import_from_suspicious_paths.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_reg_lsass_ppl.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_reg_service_imagepath_change.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_regedit_export_critical_keys.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_regedit_export_keys.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_regedit_import_keys_ads.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_regedit_import_keys.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_regini_ads.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_regini.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_remote_desktop_tunneling.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_remote_file_download_desktopimgdownldr.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_remote_powershell_session_process.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_remote_time_discovery.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_remove_windows_defender_definition_files.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_binary_highly_relevant.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_binary.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_browsercore.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_ftp.yml
fix: apply suggestions from code review
2022-11-11 10:03:24 +01:00
proc_creation_win_renamed_jusched.yml
Refractor (#3794)
2022-12-18 21:00:14 +01:00
proc_creation_win_renamed_mavinject.yml
feat: new rules and fixes (#3759)
2022-12-06 12:13:20 +01:00
proc_creation_win_renamed_megasync.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_renamed_msdt.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_netsupport_rat.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_office_processes.yml
Update proc_creation_win_renamed_office_processes.yml
2022-12-21 09:18:06 +01:00
proc_creation_win_renamed_paexec.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_plink.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_powershell.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_renamed_procdump.yml
fix: update metadata
2022-12-09 10:34:06 +01:00
proc_creation_win_renamed_psexec.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_rundll32_dllregisterserver.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_rundll32.yml
rule: renamed rundll32.exe
2022-06-08 17:23:29 +02:00
proc_creation_win_renamed_rurat.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_sdelete.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_vmnat.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_renamed_whoami.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_root_certificate_installed.yml
Fix related
2022-10-09 17:28:05 +02:00
proc_creation_win_rpcss_anomalies.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_run_executable_invalid_extension.yml
fix: FPs found in testing env (#3743)
2022-12-03 09:35:34 +01:00
proc_creation_win_run_from_zip.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_run_powershell_script_from_ads.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_run_powershell_script_from_input_stream.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_run_virtualbox.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_rundll32_parent_explorer.yml
Remove Windows 10 volume control false positive
2022-12-21 23:41:39 -08:00
proc_creation_win_rundll32_registered_com_objects.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_rundll32_unc_path.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_rundll32_without_parameters.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_sc_delete_av_services.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_sc_query.yml
fix: apply suggestions from code review
2022-11-11 10:03:24 +01:00
proc_creation_win_schtasks_appdata_local_system.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_schtasks_once_0000.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_schtasks_powershell_windowsapps_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_schtasks_reg_loader.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_schtasks_system.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_screenconnect_anomaly.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_screenconnect.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_script_event_consumer_spawn.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_sdbinst_shim_persistence.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_sdclt_child_process.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_sdelete.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_sdiagnhost_susp_child.yml
Add more lolbins
2022-10-31 20:57:57 +01:00
proc_creation_win_selectmyparent.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_service_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_service_stop.yml
fix: update modified field
2022-12-22 10:31:25 +01:00
proc_creation_win_set_policies_to_unsecure_level.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_shadow_copies_access_symlink.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_shadow_copies_creation.yml
fix: add missing quotes and OriginalFileName field
2022-11-10 17:03:31 +01:00
proc_creation_win_shadow_copies_deletion.yml
Rename+Metadata Update
2022-11-04 11:59:11 +01:00
proc_creation_win_shadowcopy_deletion_via_powershell.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_sharp_chisel_usage.yml
feat: update metadata and add more cases for rules
2022-12-07 02:26:21 +01:00
proc_creation_win_sharp_impersonation_tool.yml
Create proc_creation_win_SharpImpersonation_tool.yml (#3823)
2022-12-27 12:02:22 +01:00
proc_creation_win_sharpup.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_shell_spawn_by_java.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_shell_spawn_susp_program.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_silenttrinity_stage_use.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_software_discovery.yml
Fix related
2022-10-09 17:28:05 +02:00
proc_creation_win_soundrec_audio_capture.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_spn_enum.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_sqlcmd_veeam_dump.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_sqlite_chrome_cookies.yml
fix: selection name and add old path
2022-12-20 10:42:21 +01:00
proc_creation_win_sqlite_firefox_cookies.yml
T1539 Steal Web Session Cookie rules
2022-12-19 23:20:13 -05:00
proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_stickykey_like_backdoor.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_stordiag_execution.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_sus_auditpol_usage.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_3proxy_usage.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_7z.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_7zip_dmp.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_16bit_application.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_add_local_admin.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_add_user_remote_desktop.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_adfind_enumeration.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_adfind_usage.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_adidnsdump.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_advancedrun_priv_user.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_advancedrun.yml
Update proc_creation_win_susp_advancedrun.yml
2022-08-29 07:56:59 +02:00
proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_base64_invoke.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_base64_load.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_bcdedit.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_bginfo.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_bitstransfer.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_builtin_commands_recon.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_calc.yml
fix: calc rule logic
2022-11-07 15:31:38 +01:00
proc_creation_win_susp_cdb.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_certutil_command.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_certutil_encode.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_char_in_cmd.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_child_process_as_system_.yml
fix: fp found with baseline
2022-12-16 18:50:38 +01:00
proc_creation_win_susp_cipher.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_cli_escape.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_clsid_foldername.yml
fix: FP with NVIDIA driver installation
2022-12-15 18:00:07 +01:00
proc_creation_win_susp_cmd_exectution_via_wmi.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_cmd_http_appdata.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_cmd_shadowcopy_access.yml
fix: add missing quotes and additional metadata
2022-11-10 17:02:29 +01:00
proc_creation_win_susp_cmd.yml
fix: author ref
2022-12-28 18:42:47 +01:00
proc_creation_win_susp_codepage_lookup.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_susp_codepage_switch.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_command_flag_pattern.yml
fix: condition
2022-11-14 14:24:00 +01:00
proc_creation_win_susp_commandline_chars.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_compression_params.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_conhost_option.yml
Update proc_creation_win_susp_conhost_option.yml (#3763)
2022-12-09 21:13:58 +01:00
proc_creation_win_susp_conhost.yml
fix: fix FP found in testing
2022-12-07 11:52:38 +01:00
proc_creation_win_susp_control_cve_2021_40444.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_control_dll_load.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_copy_lateral_movement.yml
feat: updates and enhancements
2022-12-23 18:37:59 +01:00
proc_creation_win_susp_copy_system32.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_covenant.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_crackmapexec_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_crackmapexec_flags.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_csc_folder.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_csc.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_cscript_vbs.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_csexec.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_csi.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_curl_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_curl_fileupload.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_curl_start_combo.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_curl_useragent.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_dctask64_proc_inject.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_del.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_desktopimgdownldr.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_devinit_lolbin.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_devtoolslauncher.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_dir.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_direct_asep_reg_keys_modification.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_disable_eventlog.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_disable_ie_features.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_disable_raccine.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_diskshadow.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_ditsnap.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_dllhost_no_cli.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_dnx.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_double_extension.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_download_office_domain.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_dtrace_kernel_dump.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_electron_app_children.yml
fix: FPs noticed with Aurora
2022-11-13 20:26:03 +01:00
proc_creation_win_susp_emotet_rundll32_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_esentutl_params.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_eventlog_clear.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_execution_path_webserver.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_execution_path.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_explorer_break_proctree.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_explorer_nouaccheck.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_explorer.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_file_characteristics.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_findstr_385201.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_findstr_lnk.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_finger_usage.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_format.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_fsutil_usage.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_gpresult.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_guid_task_name.yml
Update proc_creation_win_susp_guid_task_name.yml
2022-11-01 10:22:26 +01:00
proc_creation_win_susp_gup_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_gup_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_gup.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_hostname.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_iis_module_registration.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_image_missing.yml
Removed System from CommandLine
2022-12-14 02:25:21 -08:00
proc_creation_win_susp_instalutil.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_invoke_webrequest_download.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_iss_module_install.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_logoff.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_lolbin_non_c_drive.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_lsass_clone.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_machineguid.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_microsoft_onenote_child_process.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_missing_spaces.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_susp_mofcomp_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_mounted_share_deletion.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_mpiexec_lolbin.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_msbuild.yml
Add proc_creation_win_susp_msbuild (#3708)
2022-11-18 08:29:50 +01:00
proc_creation_win_susp_mshta_execution.yml
fix: FPs with mshta execution
2022-11-07 15:22:21 +01:00
proc_creation_win_susp_mshta_pattern.yml
fix: FPs with mshta execution
2022-11-07 15:22:21 +01:00
proc_creation_win_susp_mshtml_runhtmlapplication.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_msiexec_cwd.yml
Update after merge
2022-10-28 17:42:57 +02:00
proc_creation_win_susp_msiexec_web_install.yml
Merge branch 'nasbench-rule-devel' of https://github.com/nasbench/sigma into nasbench-rule-devel
2022-10-28 17:37:54 +02:00
proc_creation_win_susp_msoffice.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_net_execution.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_net_use_password_plaintext.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_net_use.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_netsh_discovery_command.yml
Rename+Metadata Update
2022-11-04 11:59:11 +01:00
proc_creation_win_susp_netsh_dll_persistence.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_netsh_firewall_disable.yml
Rename+Metadata Update
2022-11-04 11:59:11 +01:00
proc_creation_win_susp_netsupport_rat_exec_location.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_network_command.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_network_listing_connections.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_new_kernel_driver_via_sc.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_new_service_creation.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_susp_ngrok_pua.yml
refactor: ngrok rule
2022-12-03 09:13:37 +01:00
proc_creation_win_susp_nmap.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_non_exe_image.yml
Add System to list of built-in Windows processes
2022-12-14 02:06:40 -08:00
proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_ntdll_type_redirect.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_ntds.yml
fix: update rules with more cases
2022-11-10 17:04:52 +01:00
proc_creation_win_susp_ntdsutil_usage.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_ntlmrelay.yml
Update title (#3746)
2022-12-02 18:10:43 +01:00
proc_creation_win_susp_odbcconf.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_office_token_search.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_openwith.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_outlook_temp.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_outlook.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_parent_of_conhost.yml
fix: FPs found in testing env (#3743)
2022-12-03 09:35:34 +01:00
proc_creation_win_susp_parents.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_pchunter.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_pcwutl.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_pester_parent.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_pester.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_ping_del.yml
Create proc_creation_win_susp_ping_del.yml (#3671)
2022-11-09 09:42:33 +01:00
proc_creation_win_susp_ping_hex_ip.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_plink_port_forward.yml
Rename Plink Port Forward Rule
2022-10-12 11:24:28 +02:00
proc_creation_win_susp_plink_usage.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powercfg.yml
Add proc_creation_win_susp_powercfg
2022-11-18 11:26:04 +01:00
proc_creation_win_susp_powershell_cmd_patterns.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powershell_download_cradles.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powershell_download_iex.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powershell_empire_launch.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powershell_empire_uac_bypass.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powershell_enc_cmd.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powershell_encode.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powershell_encoded_param.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powershell_getprocess_lsass.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_powershell_hidden_b64_cmd.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powershell_iex_patterns.yml
feat: enhance duplicate test (#3736)
2022-11-29 13:47:09 +01:00
proc_creation_win_susp_powershell_parent_combo.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powershell_parent_process.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_susp_powershell_sam_access.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_powershell_sub_processes.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_powershell_webclient_casing.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_pressynkey_lolbin.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_print.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_procdump_lsass.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_process_hacker.yml
Update rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
2022-11-19 08:45:58 +01:00
proc_creation_win_susp_progname.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_ps_appdata.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_ps_downloadfile.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_ps_encoded_obfusc.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_psexec_eula.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_psexesvc_as_system.yml
Update proc_creation_win_susp_psexesvc_as_system.yml
2022-09-27 13:45:53 -04:00
proc_creation_win_susp_psexesvc_renamed.yml
Renamed suspicious in rules file names to susp
2022-09-09 15:12:47 +02:00
proc_creation_win_susp_psexesvc.yml
Renamed suspicious in rules file names to susp
2022-09-09 15:12:47 +02:00
proc_creation_win_susp_psexex_paexec_escalate_system.yml
docs: add another FP condition
2022-12-15 13:58:33 +01:00
proc_creation_win_susp_psexex_paexec_flags.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_psloglist.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_psr_capture_screenshots.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_radmin.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_rar_flags.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_rasdial_activity.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_razorinstaller_explorer.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_rcedit_execution.yml
fix: rename files to follow convention
2022-12-20 22:25:49 +01:00
proc_creation_win_susp_rclone_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_recon_network_activity.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_recon.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_reg_add.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_reg_bitlocker.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_reg_disable_sec_services.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_reg_open_command.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_regedit_trustedinstaller.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_register_cimprovider.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_registration_via_cscript.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_regsvr32_anomalies.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_regsvr32_flags_anomaly.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_regsvr32_http_pattern.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_regsvr32_image.yml
Update rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
2022-11-01 10:31:50 +01:00
proc_creation_win_susp_regsvr32_no_dll.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_regsvr32_remote_share.yml
New Rules
2022-10-31 20:59:33 +01:00
proc_creation_win_susp_regsvr32_spawn_explorer.yml
Update 3
2022-07-28 01:05:04 +01:00
proc_creation_win_susp_renamed_adfind.yml
fix: dysfunctional renamed adfind rule
2022-11-01 14:58:02 +01:00
proc_creation_win_susp_renamed_createdump.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_renamed_dctask64.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_renamed_debugview.yml
feat: enhance duplicate test (#3736)
2022-11-29 13:47:09 +01:00
proc_creation_win_susp_renamed_paexec.yml
Add/Update PAExec Rules
2022-10-26 23:27:17 +02:00
proc_creation_win_susp_rpcping.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_run_locations.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_rundll32_activity.yml
chore: update submodule cti
2022-11-22 16:21:25 +01:00
proc_creation_win_susp_rundll32_by_ordinal.yml
fix: FPs
2022-12-04 14:36:22 +01:00
proc_creation_win_susp_rundll32_inline_vbs.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_rundll32_keymgr.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_rundll32_no_params.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_rundll32_script_run.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_rundll32_spawn_explorer.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_rundll32_sys.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_rundll32_user32_dll.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_runonce_execution.yml
fix: remove filter
2022-12-14 11:09:46 +01:00
proc_creation_win_susp_runscripthelper.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_rurat_exec_location.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_schtask_creation_temp_folder.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_schtask_creation.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_schtasks_change.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_susp_schtasks_delete_all.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_schtasks_delete.yml
feat: new rules and fixes (#3759)
2022-12-06 12:13:20 +01:00
proc_creation_win_susp_schtasks_disable.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_schtasks_env_folder.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_schtasks_folder_combos.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_susp_schtasks_parent.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_schtasks_pattern.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_susp_schtasks_schedule_type_system.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_schtasks_schedule_type.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_schtasks_user_temp.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_screenconnect_access.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_screensaver_reg.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_script_exec_from_env_folder.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_script_exec_from_temp.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_script_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_secedit.yml
Create proc_creation_win_susp_secedit.yml (#3725)
2022-12-02 13:21:36 +01:00
proc_creation_win_susp_service_dacl_modification_set_service.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_service_dacl_modification.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_service_dir.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_service_modification.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_service_path_modification.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_susp_service_stop.yml
feat: enhance duplicate test (#3736)
2022-11-29 13:47:09 +01:00
proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
Refractor (#3794)
2022-12-18 21:00:14 +01:00
proc_creation_win_susp_servu_process_pattern.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_sharpview.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_shell_spawn_by_java_keytool.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_shell_spawn_by_java.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_shell_spawn_from_mssql.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_shell_spawn_from_winrm.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_shellexec_rundll_usage.yml
fix: modified should change on title changes
2022-10-31 11:44:16 +01:00
proc_creation_win_susp_shimcache_flush.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_shutdown.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_splwow64.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_spoolsv_child_processes.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_squirrel_lolbin.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_ssh_port_forward.yml
New SSH.EXE rules
2022-10-12 11:24:54 +02:00
proc_creation_win_susp_ssh_usage.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_svchost_no_cli.yml
Update rules syntax
2022-06-28 22:21:46 +01:00
proc_creation_win_susp_svchost.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_sysprep_appdata.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_system_user_anomaly.yml
fix: FPs on Azure
2022-09-27 00:17:53 +02:00
proc_creation_win_susp_systeminfo.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_sysvol_access.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_takeown.yml
fix: fix typo in title and add FP comment
2022-11-21 12:27:54 +01:00
proc_creation_win_susp_target_location_shell32.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_taskkill.yml
fix: more fp found in testing and enhance fp metadata
2022-12-13 11:25:23 +01:00
proc_creation_win_susp_tasklist_command.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_taskmgr_localsystem.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_taskmgr_parent.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_tracker_execution.yml
fix: field value
2022-11-12 09:39:25 +01:00
proc_creation_win_susp_trolleyexpress_procdump.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_tscon_localsystem.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_susp_tscon_rdp_redirect.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_uac_bypass_trustedpath.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_susp_use_of_csharp_console.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_use_of_sqlps_bin.yml
feat: update detection section
2022-12-09 19:18:09 +01:00
proc_creation_win_susp_use_of_sqltoolsps_bin.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_use_of_te_bin.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_userinit_child.yml
Fix the filter
2022-12-09 11:27:28 +05:00
proc_creation_win_susp_vaultcmd.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_vboxdrvinst.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_vbscript_unc2452.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_volsnap_disable.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_vslsagent_agentextensionpath_load.yml
Update proc_creation_win_susp_vslsagent_agentextensionpath_load.yml
2022-10-31 08:49:16 +01:00
proc_creation_win_susp_web_sysaidserver.yml
rule: sysaidserver child
2022-08-26 18:03:14 +02:00
proc_creation_win_susp_webdav_client_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_wermgr.yml
feat: updates and enhancements
2022-12-16 16:52:12 +01:00
proc_creation_win_susp_where_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_whoami_anomaly.yml
fix: wrong condition in whoami rule
2022-10-04 16:11:03 +02:00
proc_creation_win_susp_whoami_as_param.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_whoami.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_winrar_dmp.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_winrar_execution.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_winrm_awl_bypass.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_susp_winrm_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_winzip.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_wmic_eventconsumer_create.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_wmic_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_wmic_proc_create.yml
feat: add missing /r to cmd
2022-11-18 13:45:01 +01:00
proc_creation_win_susp_wmic_security_product_uninstall.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_workfolders.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_susp_wuauclt_cmdline.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_susp_wuauclt.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_zip_compress.yml
Fix related
2022-10-09 17:28:05 +02:00
proc_creation_win_susp_zipexec.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_sysinternals_eula_accepted.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_sysinternals_psservice.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_sysmon_disable_sharpevtmute.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_sysmon_driver_unload.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_sysmon_exploitation.yml
feat: updates and enhancements
2022-12-16 16:52:12 +01:00
proc_creation_win_sysmon_uac_bypass_eventvwr.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_sysnative.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_system_exe_anomaly.yml
Update proc_creation_win_system_exe_anomaly.yml
2022-10-14 00:39:12 +02:00
proc_creation_win_tamper_defender_remove_mppreference.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_tap_installer_execution.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_task_folder_evasion.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_win_taskkill_sep.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_teams_suspicious_command_line_cred_access.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_termserv_proc_spawn.yml
Update proc_creation_win_termserv_proc_spawn.yml
2022-11-25 17:07:52 +01:00
proc_creation_win_tool_nircmd_as_system.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_tool_nircmd.yml
feat: general updates and fixes
2022-12-02 23:16:03 +01:00
proc_creation_win_tool_nsudo_execution.yml
feat: update nsudo rule
2022-11-18 17:53:16 +01:00
proc_creation_win_tool_psexec.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_tool_runx_as_system.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_tools_relay_attacks.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_tools_uac_bypass_computerdefaults.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_tor_browser.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_trufflesnout.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_trust_discovery.yml
Fix related
2022-10-09 17:28:05 +02:00
proc_creation_win_uac_bypass_changepk_slui.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_uac_bypass_cleanmgr.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_uac_bypass_cmstp.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_uac_bypass_consent_comctl32.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_uac_bypass_dismhost.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_uac_bypass_eventvwr.yml
feat: general fixes
2022-11-22 01:22:36 +01:00
proc_creation_win_uac_bypass_fodhelper.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_uac_bypass_icmluautil.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_uac_bypass_idiagnostic_profile.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_uac_bypass_ieinstal.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_uac_bypass_msconfig_gui.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_uac_bypass_ntfs_reparse_point.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_uac_bypass_pkgmgr_dism.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_uac_bypass_winsat.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_uac_bypass_wmp.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_uac_bypass_wsreset_integrity_level.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_win_uac_bypass_wsreset.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_ultraviewer.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_ultravnc.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_uninstall_crowdstrike_falcon.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_uninstall_sysmon.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_unusual_child_process_of_dns_exe.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_unusual_parent_for_cmd.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_user_discovery_get_aduser.yml
Rule Dev
2022-11-18 11:15:28 +01:00
proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_using_sc_to_hide_sevices.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_using_set_service_to_hide_services.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_verclsid_runs_com.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_vmtoolsd_susp_child_process.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_vul_java_remote_debugging.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_w32tm.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wab_execution_from_non_default_location.yml
Updates
2022-09-28 09:50:56 +02:00
proc_creation_win_wab_unusual_parents.yml
Updates
2022-09-28 09:50:56 +02:00
proc_creation_win_weak_or_abused_passwords.yml
no need to update the modified date here
2022-11-09 18:33:13 +01:00
proc_creation_win_web_request_cmd_and_cmdlets.yml
Rules for Issue 575 (#3820)
2022-12-27 15:17:45 +01:00
proc_creation_win_webbrowserpassview.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_webshell_chopper.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_webshell_detection.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_webshell_hacking.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_webshell_recon_detection.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_webshell_spawn.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wevtutil_recon.yml
Big Update
2022-09-09 15:02:31 +02:00
proc_creation_win_whoami_as_priv_user.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_whoami_as_system.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_whoami_priv.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_win10_sched_task_0day.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_win_exchange_transportagent.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_windows_terminal_susp_children.yml
feat: add missing /r
2022-11-18 13:46:51 +01:00
proc_creation_win_winpeas_tool.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmi_persistence_script_event_consumer.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmi_spwns_powershell.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmic_computersystem_recon.yml
Update Title (#3739)
2022-11-30 11:44:15 +01:00
proc_creation_win_wmic_group_recon.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmic_hotfix_enum.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmic_reconnaissance.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmic_remote_command.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmic_remote_service.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmic_remove_application.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmic_service.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmic_tamper_defender.yml
feat: filename test enhancements (#3812)
2022-12-23 09:25:16 +01:00
proc_creation_win_wmic_unquoted_service_search.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wmiprvse_spawning_process.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_workflow_compiler.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wpbbin_persistence.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_write_protect_for_storage_disabled.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wscript_shell_cli.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_wsudo_susp_execution.yml
feat: general updates and fixes
2022-12-02 23:16:03 +01:00
proc_creation_win_wusa_susp_cab_extraction.yml
New rules
2022-08-04 19:11:16 +01:00
proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml
Update
2022-08-05 10:18:07 +01:00
proc_creation_win_x509enrollment.yml
Add more ref
2022-12-23 13:22:50 +01:00
proc_creation_win_xordump.yml
order yaml
2022-10-28 15:06:36 +02:00
proc_creation_win_xsl_script_processing.yml
order yaml
2022-10-28 15:06:36 +02:00