security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
562d29c432d8cf2e6edb0b8216af7f14c50da75b
blue-team-tools/rules/windows/process_creation
T
History
memory-shards 562d29c432 Create proc_creation_win_lolbin_agentexecutor.yml 
Proposed rule for lolbin AgentExecutor that doesn't have much coverage. Rule created as final project for Detection Engineering with Sigma course final project.
2022-07-31 12:46:52 -04:00
..
proc_creation_win_7zip_cve_2022_29072.yml
Update rules syntax
2022-06-28 22:21:46 +01:00
proc_creation_win_abusing_debug_privilege.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_abusing_windows_telemetry_for_persistence.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
proc_creation_win_accesschk_usage_after_priv_escalation.yml
Update Ref+Selection
2022-07-11 14:11:53 +01:00
proc_creation_win_ad_find_discovery.yml
docs: minor changes to rules
2022-03-01 16:02:22 +01:00
proc_creation_win_advanced_ip_scanner.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_advanced_port_scanner.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_alternate_data_streams.yml
Update Ref+Selection
2022-07-11 14:11:53 +01:00
proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_always_install_elevated_windows_installer.yml
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
proc_creation_win_anydesk_silent_install.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_anydesk_susp_folder.yml
Update Ref+Selection
2022-07-11 14:11:53 +01:00
proc_creation_win_anydesk.yml
Update Ref+Selection
2022-07-11 14:11:53 +01:00
proc_creation_win_apt_actinium_persistence.yml
Update proc_creation_win_apt_actinium_persistence.yml
2022-04-14 09:59:45 +02:00
proc_creation_win_apt_apt29_thinktanks.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_babyshark.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_bear_activity_gtr19.yml
Update rules syntax
2022-06-28 22:21:46 +01:00
proc_creation_win_apt_bluemashroom.yml
fix: FPs found in testing
2022-07-06 15:38:31 +02:00
proc_creation_win_apt_chafer_mar18.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_cloudhopper.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_dragonfly.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_apt_elise.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_emissarypanda_sep19.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_empiremonkey.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_equationgroup_dll_u_load.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_apt_evilnum_jul20.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_gallium_sha1.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_apt_gallium.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_apt_gamaredon_ultravnc.yml
fix issue
2022-06-30 08:48:31 +02:00
proc_creation_win_apt_greenbug_may20.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_apt_hafnium.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_hurricane_panda.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_judgement_panda_gtr19.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_ke3chang_regadd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_lazarus_activity_apr21.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_lazarus_activity_dec20.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_apt_lazarus_loader.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_lazarus_session_highjack.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_apt_muddywater_dnstunnel.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_apt_mustangpanda.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_revil_kaseya.yml
fix: detection with Windows Defender
2022-05-20 19:27:48 +02:00
proc_creation_win_apt_slingshot.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_sofacy.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_apt_sourgrum.yml
Update Ref+Selection
2022-07-11 14:11:53 +01:00
proc_creation_win_apt_ta17_293a_ps.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_ta505_dropper.yml
update rule to also match on original sample
2022-03-31 12:04:36 +02:00
proc_creation_win_apt_taidoor.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_tropictrooper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_turla_commands_critical.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_apt_turla_commands_medium.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_turla_comrat_may20.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_unc2452_cmds.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_apt_unc2452_ps.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_apt_unidentified_nov_18.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_winnti_mal_hk_jan20.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_winnti_pipemon.yml
chore: test rules: check for all modifier with single item
2022-05-11 11:06:09 +02:00
proc_creation_win_apt_wocao.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_apt_zxshell.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml
fix issue
2022-06-30 08:48:31 +02:00
proc_creation_win_archiver_iso_phishing.yml
fix: condition
2022-06-10 13:46:19 +02:00
proc_creation_win_asr_bypass_via_appvlp_re.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_attrib_hiding_files.yml
chore: test rules: capitalization on FP list entries
2022-05-09 16:07:44 +02:00
proc_creation_win_attrib_system_susp_paths.yml
Changes From Meeting
2022-06-29 15:25:50 +01:00
proc_creation_win_attrib_system.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_automated_collection.yml
Update Ref+Selection
2022-07-11 14:11:53 +01:00
proc_creation_win_bad_opsec_sacrificial_processes.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_base64_invoke_susp_cmdlets.yml
new rules
2022-06-01 11:50:34 +02:00
proc_creation_win_base64_listing_shadowcopy.yml
Update proc_creation_win_base64_listing_shadowcopy.yml
2022-07-11 18:19:46 +01:00
proc_creation_win_base64_reflective_assembly_load.yml
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
proc_creation_win_bitsadmin_download_susp_domain.yml
rules: bitsadmin coverage
2022-06-28 15:16:52 +02:00
proc_creation_win_bitsadmin_download_susp_ext.yml
rules: bitsadmin coverage
2022-06-28 15:16:52 +02:00
proc_creation_win_bitsadmin_download_susp_ip.yml
rules: bitsadmin coverage
2022-06-28 15:16:52 +02:00
proc_creation_win_bitsadmin_download_susp_targetfolder.yml
rule: bitsadmin coverage
2022-06-28 15:34:19 +02:00
proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
rules: bitsadmin coverage
2022-06-28 15:16:52 +02:00
proc_creation_win_bitsadmin_download.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_bootconf_mod.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_bypass_squiblytwo.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_c3_load_by_rundll32.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_certoc_execution.yml
Rule Update (Batch 2)
2022-05-16 22:02:41 +01:00
proc_creation_win_change_default_file_assoc_susp.yml
Changes From Meeting
2022-06-29 15:25:50 +01:00
proc_creation_win_change_default_file_association.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_chrome_load_extension.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_chrome_remote_debugging.yml
new rules: browser remote debugging
2022-07-28 15:48:59 +02:00
proc_creation_win_cleanwipe.yml
Update rules syntax
2022-06-28 22:21:46 +01:00
proc_creation_win_clip.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_cmd_delete.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_cmd_dosfuscation.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_cmd_redirect.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_cmd_redirection_susp_folder.yml
DFIR Report - SELECT XMRig FROM SQLServer
2022-07-12 01:27:51 +01:00
proc_creation_win_cmdkey_recon.yml
Remove unneeded star
2022-06-11 12:58:14 +02:00
proc_creation_win_cmstp_com_object_access.yml
Update
2022-07-03 19:43:03 +01:00
proc_creation_win_cmstp_execution_by_creation.yml
Update rules syntax
2022-06-28 22:21:46 +01:00
proc_creation_win_cobaltstrike_bloopers_cmd.yml
rule cleanup and new rules
2022-06-27 16:35:22 +02:00
proc_creation_win_cobaltstrike_bloopers_modules.yml
rule cleanup and new rules
2022-06-27 16:35:22 +02:00
proc_creation_win_cobaltstrike_load_by_rundll32.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_cobaltstrike_process_patterns.yml
minor changes to description and hash values
2022-03-21 11:19:05 +01:00
proc_creation_win_commandline_path_traversal_evasion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_commandline_path_traversal.yml
fixing spelling error
2022-03-17 17:27:11 +00:00
proc_creation_win_conhost_path_traversal.yml
Create proc_creation_win_conhost_path_traversal.yml
2022-06-14 17:39:52 +01:00
proc_creation_win_conti_cmd_ransomware.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_conti_sqlcmd.yml
Rename proc_creation_win_coti_sqlcmd.yml to proc_creation_win_conti_sqlcmd.yml
2022-04-06 10:46:08 -05:00
proc_creation_win_control_panel_item.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_copying_sensitive_files_with_credential_data.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_crackmapexec_patterns.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_creation_mavinject_dll.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_creative_cloud_node_abuse.yml
feat: Add new rule for Creative Cloud node abuse
2022-04-07 10:50:50 +02:00
proc_creation_win_credential_access_via_password_filter.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_crime_fireball.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_crime_maze_ransomware.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_crime_snatch_ransomware.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_crypto_mining_monero.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_curl_download.yml
refactor: curl refactoring
2022-07-04 14:50:44 +02:00
proc_creation_win_cve_2021_26857_msexchange.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_data_compressed_with_rar.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_delete_systemstatebackup.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_detecting_fake_instances_of_hxtsr.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_dinjector.yml
fix: FPs
2022-03-07 17:11:00 +01:00
proc_creation_win_discover_private_keys.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_dns_exfiltration_tools_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_dns_serverlevelplugindll.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_dnscat2_powershell_implementation.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_dotnet.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_dsacls_abuse_permissions.yml
New Rules
2022-06-21 11:47:18 +01:00
proc_creation_win_dsacls_password_spray.yml
New Rules
2022-06-21 11:47:18 +01:00
proc_creation_win_dsim_remove.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_dumpstack_log_evasion.yml
Add missing "contains" modifier
2022-06-17 14:06:14 +01:00
proc_creation_win_embed_exe_lnk.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_encoded_frombase64string.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_encoded_iex.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_enumeration_for_credentials_cli.yml
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
proc_creation_win_enumeration_for_credentials_in_registry.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_esentutl_webcache.yml
Updated Rules to Use OriginalFileName
2022-05-12 23:27:48 +01:00
proc_creation_win_etw_modification_cmdline.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_etw_trace_evasion.yml
Fix Error
2022-06-28 22:40:42 +01:00
proc_creation_win_evil_winrm.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_exfiltration_and_tunneling_tools_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_expand_cabinet_files.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_exploit_cve_2015_1641.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_exploit_cve_2017_0261.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2017_8759.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2017_11882.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_exploit_cve_2019_1378.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_cve_2019_1388.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_exploit_cve_2020_1048.yml
Update proc_creation_win_exploit_cve_2020_1048.yml
2022-07-07 20:16:30 +01:00
proc_creation_win_exploit_cve_2020_1350.yml
fix: found on several systems in prod environment
2022-07-12 16:41:10 +02:00
proc_creation_win_exploit_cve_2020_10189.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_exploit_lpe_cve_2021_41379.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_exploit_systemnightmare.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_false_sysinternalsuite.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_file_permission_modifications.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_findstr_gpp_passwords.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_fsutil_drive_enumeration.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_fsutil_symlinkevaluation.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_gotoopener.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_grabbing_sensitive_hives_via_reg.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_hack_adcspwn.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_hack_bloodhound.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_hack_cube0x0_tools.yml
fix: selection identifier
2022-04-27 17:39:01 +02:00
proc_creation_win_hack_dumpert.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_hack_hydra.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_hack_koadic.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_hack_krbrelay.yml
fix: casing of OriginalFileName
2022-06-08 17:14:49 +02:00
proc_creation_win_hack_krbrelayup.yml
fix: casing of OriginalFileName
2022-06-08 17:14:49 +02:00
proc_creation_win_hack_rubeus.yml
some rule improvements
2022-07-21 18:16:22 +02:00
proc_creation_win_hack_secutyxploded.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_hack_wce.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_hacktool_imphashes.yml
refactor: uppercase values, DropLoader imphash
2022-03-16 17:56:55 +01:00
proc_creation_win_hashcat.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_headless_browser_file_download.yml
Add status
2022-05-15 16:17:02 +02:00
proc_creation_win_hh_chm.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_hiding_malware_in_fonts_folder.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_high_integrity_sdclt.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_hktl_createminidump.yml
refactor: more exact imphash matching
2022-03-07 12:03:32 +01:00
proc_creation_win_hktl_uacme_uac_bypass.yml
fix: another list with 1 element
2022-07-27 12:14:18 +02:00
proc_creation_win_html_help_spawn.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_hwp_exploits.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_icacls_deny.yml
Update proc_creation_win_icacls_deny.yml
2022-07-20 14:05:06 +02:00
proc_creation_win_iis_http_logging.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_impacket_compiled_tools.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_impacket_lateralization.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_indirect_cmd.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_infdefaultinstall.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_inline_base64_mz_header.yml
Update proc_creation_win_inline_base64_mz_header.yml
2022-07-12 17:33:04 +02:00
proc_creation_win_install_reg_debugger_backdoor.yml
chore: test rules: check for all modifier with single item
2022-05-11 11:06:09 +02:00
proc_creation_win_interactive_at.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_invoke_obfuscation_clip.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_invoke_obfuscation_stdin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_var.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_via_compress.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_invoke_obfuscation_via_rundll.yml
Refactor regex
2022-03-07 19:08:30 +01:00
proc_creation_win_invoke_obfuscation_via_stdin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_via_use_clip.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_invoke_obfuscation_via_use_mhsta.yml
fix yaml
2022-03-08 19:14:46 +01:00
proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
Refactor regex
2022-03-08 19:07:37 +01:00
proc_creation_win_invoke_obfuscation_via_var.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_jlaive_batch_execution.yml
Fix after review
2022-07-14 19:34:59 +01:00
proc_creation_win_lethalhta.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_local_system_owner_account_discovery.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_logmein.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
FP: citrix icast default userinit logon script.
2022-05-31 21:53:13 +00:00
proc_creation_win_lolbin_adplus.yml
Update proc_creation_win_lolbin_adplus.yml
2022-06-09 16:15:28 +01:00
proc_creation_win_lolbin_agentexecutor.yml
Create proc_creation_win_lolbin_agentexecutor.yml
2022-07-31 12:46:52 -04:00
proc_creation_win_lolbin_aspnet_compiler.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_bash.yml
fix: FPs found in testing
2022-07-06 15:38:31 +02:00
proc_creation_win_lolbin_certoc_download.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_cl_invocation.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_lolbin_cl_loadassembly.yml
Renamed LOLBIN Rules 2
2022-06-12 21:37:42 +01:00
proc_creation_win_lolbin_cl_mutexverifiers.yml
Update rules syntax
2022-06-28 22:21:46 +01:00
proc_creation_win_lolbin_class_exec_xwizard.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_cmdl32.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_configsecuritypolicy.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_diantz_ads.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_diantz_remote_cab.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_dll_sideload_xwizard.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_dump64.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_execution_via_winget.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_lolbin_extexport.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_extrac32_ads.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_extrac32.yml
Fix detection
2022-07-08 18:20:37 +02:00
proc_creation_win_lolbin_findstr.yml
Update proc_creation_win_lolbin_findstr.yml
2022-06-21 15:37:39 +01:00
proc_creation_win_lolbin_forfiles.yml
Update proc_creation_win_lolbin_forfiles.yml
2022-06-14 18:18:14 +01:00
proc_creation_win_lolbin_fsharp_interpreters.yml
Update proc_creation_win_lolbin_fsharp_interpreters.yml
2022-06-02 17:15:15 +02:00
proc_creation_win_lolbin_gpscript.yml
Rule Update (Batch 2)
2022-05-16 22:02:41 +01:00
proc_creation_win_lolbin_ie4uinit.yml
Rule Update (Batch 2)
2022-05-16 22:02:41 +01:00
proc_creation_win_lolbin_ieexec_download.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_ilasm.yml
Rule Update (Batch 2)
2022-05-16 22:02:41 +01:00
proc_creation_win_lolbin_jsc.yml
Update proc_creation_win_lolbin_jsc.yml
2022-05-05 07:58:25 +02:00
proc_creation_win_lolbin_mftrace.yml
Update proc_creation_win_lolbin_mftrace.yml
2022-06-09 18:52:32 +01:00
proc_creation_win_lolbin_msdt_answer_file.yml
Update MSDT Rules
2022-06-13 14:30:35 +01:00
proc_creation_win_lolbin_offlinescannershell.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_openconsole.yml
Update proc_creation_win_lolbin_openconsole.yml
2022-06-16 23:41:57 +01:00
proc_creation_win_lolbin_pcalua.yml
Update proc_creation_win_lolbin_pcalua.yml
2022-06-14 17:41:09 +01:00
proc_creation_win_lolbin_pcwrun_follina.yml
Update MSDT Rules
2022-06-13 14:30:35 +01:00
proc_creation_win_lolbin_pcwrun.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_pktmon.yml
Redcannary
2022-03-17 16:48:41 +01:00
proc_creation_win_lolbin_presentationhost.yml
Update proc_creation_win_lolbin_presentationhost.yml
2022-07-01 20:18:15 +01:00
proc_creation_win_lolbin_printbrm.yml
Update proc_creation_win_lolbin_printbrm.yml
2022-05-05 08:00:22 +02:00
proc_creation_win_lolbin_pubprn.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_rasautou_dll_execution.yml
Removed "modified" date
2022-06-13 11:31:47 +01:00
proc_creation_win_lolbin_remote.yml
Update proc_creation_win_lolbin_remote.yml
2022-06-02 09:00:22 -04:00
proc_creation_win_lolbin_replace.yml
Added alternative cmd format
2022-06-22 10:16:39 +05:45
proc_creation_win_lolbin_rundll32_installscreensaver.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_scriptrunner.yml
New Rules
2022-07-01 16:56:45 +01:00
proc_creation_win_lolbin_squirrel.yml
Update proc_creation_win_lolbin_squirrel.yml
2022-06-09 15:58:22 +01:00
proc_creation_win_lolbin_susp_acccheckconsole.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_susp_atbroker.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_susp_certreq_download.yml
Update proc_creation_win_lolbin_susp_certreq_download.yml
2022-06-13 18:27:56 +02:00
proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_susp_dxcap.yml
Fix field name
2022-07-03 20:24:10 +01:00
proc_creation_win_lolbin_susp_grpconv.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_susp_mpcmdrun_download.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_lolbin_susp_sqldumper_activity.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_lolbin_susp_wsl.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_lolbin_ttdinject.yml
Update proc_creation_win_lolbin_ttdinject.yml
2022-05-16 16:53:41 +02:00
proc_creation_win_lolbin_tttracer_mod_load.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_utilityfunctions.yml
Renamed LOLBIN Rules
2022-06-12 21:36:52 +01:00
proc_creation_win_lolbin_visual_basic_compiler.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_lolbin_visualuiaverifynative.yml
Update proc_creation_win_lolbin_visualuiaverifynative.yml
2022-06-02 13:43:01 +02:00
proc_creation_win_lolbin_vsiisexelauncher.yml
New/Update LOLBIN Rules
2022-06-09 15:56:33 +01:00
proc_creation_win_lolbin_wfc.yml
Update proc_creation_win_lolbin_wfc.yml
2022-06-02 13:47:11 +02:00
proc_creation_win_lolbin_winword.yml
Update proc_creation_win_lolbin_winword.yml
2022-07-25 17:53:23 +01:00
proc_creation_win_lolbin_wlrmdr.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_lolbins_by_office_applications.yml
Update proc_creation_win_lolbins_by_office_applications.yml
2022-07-20 19:53:53 +07:00
proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
proc_creation_win_long_powershell_commandline.yml
Reducing level due to it being a minor indicator and not strong enough to warrant an investigation on its own.
2022-07-01 01:43:42 +00:00
proc_creation_win_lsass_dump.yml
Update proc_creation_win_lsass_dump.yml
2022-07-11 18:22:50 +01:00
proc_creation_win_mailboxexport_share.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_mal_adwind.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mal_blue_mockingbird.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_mal_darkside_ransomware.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_mal_hermetic_wiper_activity.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_mal_lockergoga_ransomware.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_mal_ryuk.yml
chore: test rules: check for all modifier with single item
2022-05-11 11:06:09 +02:00
proc_creation_win_malware_conti_7zip.yml
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
proc_creation_win_malware_conti_shadowcopy.yml
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
proc_creation_win_malware_conti.yml
chore: promote status of rules
2022-03-30 11:24:24 +02:00
proc_creation_win_malware_dridex.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_malware_dtrack.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_malware_emotet.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_malware_formbook.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_malware_notpetya.yml
fix: values missed escaping
2022-03-05 10:39:15 +01:00
proc_creation_win_malware_qbot.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_malware_ryuk.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_malware_script_dropper.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_malware_trickbot_recon_activity.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_malware_trickbot_wermgr.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_malware_wannacry.yml
fix: triggering on legitimate diskpart.exe usage
2022-02-28 17:50:30 +01:00
proc_creation_win_manage_bde_lolbas.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_mavinject_proc_inj.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mimikatz_command_line.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_mmc20_lateral_movement.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_mmc_spawn_shell.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_modif_of_services_for_via_commandline.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_monitoring_for_persistence_via_bits.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
proc_creation_win_mouse_lock.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_msdeploy.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_msdt_diagcab.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_msdt_susp_cab_options.yml
New Rule (https://twitter.com/nas_bench/status/1537919885031772161)
2022-06-21 19:13:53 +01:00
proc_creation_win_msdt_susp_parent.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_msdt.yml
Update proc_creation_win_msdt.yml
2022-06-13 16:36:19 +01:00
proc_creation_win_msedge_minimized_download.yml
Add status
2022-05-15 16:17:02 +02:00
proc_creation_win_mshta_javascript.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_mshta_spawn_shell.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_msiexec_dll.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_msiexec_embedding.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_msiexec_execute_dll.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_msiexec_install_quiet.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_msra_process_injection.yml
Update proc_creation_win_msra_process_injection.yml
2022-06-25 08:47:36 +02:00
proc_creation_win_mstsc.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_multiple_susp_cli.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_net_enum.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_net_use_admin_share.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_net_user_add_never_expire.yml
DFIR Report - SELECT XMRig FROM SQLServer
2022-07-12 01:27:51 +01:00
proc_creation_win_net_user_add.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_netcat_execution.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_netsh_allow_port_rdp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_fw_add_susp_image.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_fw_add.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_netsh_fw_enable_group_rule.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_netsh_packet_capture.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_port_fwd_3389.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_port_fwd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_netsh_wifi_credential_harvesting.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_network_scan_loop.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_network_sniffing.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_new_service_creation.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_nltest_recon.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_non_interactive_powershell.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_non_priv_reg_or_ps.yml
Fix typos
2022-07-27 12:52:51 +01:00
proc_creation_win_office_applications_spawning_wmi_commandline.yml
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
proc_creation_win_office_dir_traversal_cli.yml
new rule for office directory traversal
2022-06-03 12:17:33 +02:00
proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
proc_creation_win_office_shell.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_office_spawn_exe_from_users_directory.yml
add more suspicious child processes / relevant parent processes
2022-06-03 12:17:33 +02:00
proc_creation_win_office_spawning_wmi_commandline.yml
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
proc_creation_win_outlook_shell.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_pdqdeploy_runner_susp_children.yml
Update proc_creation_win_pdqdeploy_runner_susp_children.yml
2022-07-23 13:04:27 +01:00
proc_creation_win_pingback_backdoor.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_plugx_susp_exe_locations.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_possible_applocker_bypass.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_amsi_bypass.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_powershell_audio_capture.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_powershell_b64_shellcode.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_powershell_bitsjob.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_powershell_cmdline_convertto_securestring.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_powershell_cmdline_reversed_strings.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_powershell_cmdline_special_characters.yml
Fix after review
2022-07-14 19:34:59 +01:00
proc_creation_win_powershell_cmdline_specific_comb_methods.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_powershell_cmdline_susp_comb_methods.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_powershell_defender_base64.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_powershell_defender_disable_feature.yml
fix: adjusted rules that use utf16le, extended others
2022-03-07 18:14:29 +01:00
proc_creation_win_powershell_defender_exclusion.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_powershell_disable_windef_av.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_powershell_dll_execution.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_powershell_downgrade_attack.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_powershell_download_patterns.yml
refactor: additional strings in powershell downloader rule
2022-03-02 11:01:28 +01:00
proc_creation_win_powershell_download.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_powershell_frombase64string.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_powershell_get_clipboard.yml
New Rules
2022-06-21 11:47:18 +01:00
proc_creation_win_powershell_public_folder.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_powershell_reverse_shell_connection.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_powershell_snapins_hafnium.yml
Fix after review
2022-07-14 19:34:59 +01:00
proc_creation_win_powershell_susp_parameter_variation.yml
Update proc_creation_win_powershell_susp_parameter_variation.yml
2022-07-14 17:43:04 +01:00
proc_creation_win_powershell_xor_commandline.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_powersploit_empire_schtasks.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_proc_dump_createdump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_proc_dump_dumpminitool.yml
refactor: extended rule
2022-04-06 17:07:51 +02:00
proc_creation_win_proc_dump_rdrleakdiag.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_proc_dump_susp_dumpminitool.yml
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
proc_creation_win_proc_wrong_parent.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_procdump_evasion.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_procdump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_process_dump_rdrleakdiag.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_process_dump_rundll32_comsvcs.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_protocolhandler_susp_file.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_proxy_execution_wuauclt.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_psexesvc_start.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_public_folder_parent.yml
docs: wording change
2022-02-25 17:29:16 +01:00
proc_creation_win_purplesharp_indicators.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_pypykatz.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_python_pty_spawn.yml
windows and linux python pty spawning
2022-06-03 12:17:33 +02:00
proc_creation_win_query_registry.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_ransom_blackbyte.yml
rules: BlackByte rule update, and some generic rules
2022-02-25 16:02:42 +01:00
proc_creation_win_rdp_hijack_shadowing.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_redirect_to_stream.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_redmimicry_winnti_proc.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_reg_add_run_key.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_reg_defender_exclusion.yml
Updates 2
2022-07-28 00:38:33 +01:00
proc_creation_win_reg_defender_tampering.yml
chore: test rules: check for unused selections
2022-05-10 11:07:40 +02:00
proc_creation_win_reg_dump_sam.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_reg_enable_rdp.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_reg_lsass_ppl.yml
chore: test rules: check for unused selections
2022-05-10 11:07:40 +02:00
proc_creation_win_reg_service_imagepath_change.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_regedit_export_critical_keys.yml
Update
2022-07-07 15:37:28 +01:00
proc_creation_win_regedit_export_keys.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_regedit_import_keys_ads.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_regedit_import_keys.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_regini_ads.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_regini.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_remote_powershell_session_process.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_remote_time_discovery.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_remove_windows_defender_definition_files.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_renamed_binary_highly_relevant.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_renamed_binary.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_renamed_browsercore.yml
feat: Add rule for renamed browser core execution
2022-06-02 14:17:02 +01:00
proc_creation_win_renamed_jusched.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_renamed_megasync.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_msdt.yml
Update proc_creation_win_renamed_msdt.yml
2022-06-03 17:03:33 +02:00
proc_creation_win_renamed_paexec.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_renamed_plink.yml
Update proc_creation_win_renamed_plink.yml
2022-06-07 10:43:23 +02:00
proc_creation_win_renamed_powershell.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_renamed_procdump.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_renamed_psexec.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_renamed_rundll32.yml
rule: renamed rundll32.exe
2022-06-08 17:23:29 +02:00
proc_creation_win_renamed_whoami.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_root_certificate_installed.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_rpcss_anomalies.yml
rule: RPCSS service process anomalies
2022-04-13 15:44:10 +02:00
proc_creation_win_run_executable_invalid_extension.yml
fix: wrong modifier
2022-07-27 14:58:27 +02:00
proc_creation_win_run_from_zip.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_run_powershell_script_from_ads.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_run_powershell_script_from_input_stream.yml
Fix after review
2022-07-14 19:34:59 +01:00
proc_creation_win_run_virtualbox.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_rundll32_not_from_c_drive.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_rundll32_parent_explorer.yml
Update proc_creation_win_rundll32_parent_explorer.yml
2022-05-23 16:49:40 -04:00
proc_creation_win_rundll32_registered_com_objects.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_rundll32_without_parameters.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_schtasks_appdata_local_system.yml
Update proc_creation_win_schtasks_appdata_local_system.yml
2022-07-28 10:28:57 +01:00
proc_creation_win_schtasks_powershell_windowsapps_execution.yml
Update proc_creation_win_schtasks_powershell_windowsapps_execution.yml
2022-04-19 17:31:01 +02:00
proc_creation_win_schtasks_reg_loader.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_schtasks_system.yml
Qbot rules
2022-07-28 19:33:09 +02:00
proc_creation_win_screenconnect_anomaly.yml
Updates
2022-07-27 23:41:11 +01:00
proc_creation_win_screenconnect.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_script_event_consumer_spawn.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_sdbinst_shim_persistence.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_sdclt_child_process.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_sdelete.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_sdiagnhost_susp_child.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_selectmyparent.yml
Renamed SelectMyParent Rule
2022-07-27 22:43:49 +01:00
proc_creation_win_service_execution.yml
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
proc_creation_win_service_stop.yml
Update proc_creation_win_service_stop.yml
2022-06-21 11:46:32 +01:00
proc_creation_win_set_policies_to_unsecure_level.yml
fix: reduce level, many legitimate usages expected
2022-02-23 14:13:12 +01:00
proc_creation_win_shadow_copies_access_symlink.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_shadow_copies_creation.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_shadow_copies_deletion.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_shell_spawn_by_java.yml
Updates
2022-07-27 23:41:11 +01:00
proc_creation_win_shell_spawn_susp_program.yml
Updates
2022-07-27 23:41:11 +01:00
proc_creation_win_silenttrinity_stage_use.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_software_discovery.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_soundrec_audio_capture.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_spn_enum.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sqlcmd_veeam_dump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sqlite_firefox_cookies.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml
Update proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml
2022-04-19 17:32:39 +02:00
proc_creation_win_stickykey_like_backdoor.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_stordiag_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sus_auditpol_usage.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_7z.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_16bit_application.yml
Fix modified
2022-07-16 20:56:13 +02:00
proc_creation_win_susp_ad_reco.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_add_user_remote_desktop.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_adfind_enumerate.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_adfind.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_adidnsdump.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_advancedrun_priv_user.yml
Update proc_creation_win_susp_advancedrun_priv_user.yml
2022-05-05 21:06:53 +01:00
proc_creation_win_susp_advancedrun.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_base64_invoke.yml
new rules
2022-06-01 11:50:34 +02:00
proc_creation_win_susp_base64_load.yml
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
proc_creation_win_susp_bcdedit.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_bginfo.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_bitstransfer.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_calc.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cdb.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_certutil_command.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_certutil_encode.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_char_in_cmd.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_child_process_as_system_.yml
fix: specify for local system user
2022-05-27 15:46:56 +02:00
proc_creation_win_susp_cipher.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_cli_escape.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cmd_http_appdata.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cmd_shadowcopy_access.yml
fix: copy / paste issues
2022-04-13 09:23:08 +02:00
proc_creation_win_susp_codepage_lookup.yml
fix: event collectors that include spaces in cmd
2022-04-21 07:54:08 +02:00
proc_creation_win_susp_codepage_switch.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_susp_commandline_chars.yml
docs: rules adjusted
2022-06-21 17:21:55 +02:00
proc_creation_win_susp_commands_recon_activity.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_compression_params.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_comsvcs_procdump.yml
New Rules
2022-07-29 14:07:14 +02:00
proc_creation_win_susp_conhost_option.yml
Update proc_creation_win_susp_conhost_option.yml
2022-06-01 09:39:03 +08:00
proc_creation_win_susp_conhost.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_control_cve_2021_40444.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_control_dll_load.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_copy_lateral_movement.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_copy_system32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_covenant.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_crackmapexec_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_crackmapexec_flags.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_csc_folder.yml
chore: test rules: capitalization on FP list entries
2022-05-09 16:07:44 +02:00
proc_creation_win_susp_csc.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_cscript_vbs.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_csi.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_curl_download.yml
New Rules
2022-07-29 14:07:14 +02:00
proc_creation_win_susp_curl_fileupload.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_curl_start_combo.yml
refactor: curl changes
2022-07-04 17:08:23 +02:00
proc_creation_win_susp_curl_useragent.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_dctask64_proc_inject.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_del.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_desktopimgdownldr.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_devinit_lolbin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_devtoolslauncher.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_dir.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_direct_asep_reg_keys_modification.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_disable_eventlog.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_disable_ie_features.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_disable_raccine.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_diskshadow.yml
docs: adjustments
2022-03-11 18:13:54 +01:00
proc_creation_win_susp_ditsnap.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_dllhost_no_cli.yml
Changes From Meeting
2022-06-29 15:25:50 +01:00
proc_creation_win_susp_dnx.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_double_extension.yml
chore: increase rule status
2022-03-07 17:11:00 +01:00
proc_creation_win_susp_download_office_domain.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_dtrace_kernel_dump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_emotet_rundll32_execution.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_esentutl_params.yml
Update proc_creation_win_susp_esentutl_params.yml
2022-02-24 11:52:21 -05:00
proc_creation_win_susp_eventlog_clear.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_execution_path_webserver.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_execution_path.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_explorer_break_proctree.yml
Update proc_creation_win_susp_explorer_break_proctree.yml
2022-06-14 19:31:25 +01:00
proc_creation_win_susp_explorer_nouaccheck.yml
fix: FPs found in win2022 domain controller baseline
2022-04-21 10:48:59 +02:00
proc_creation_win_susp_explorer.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_file_characteristics.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_findstr_385201.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_findstr_lnk.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_finger_usage.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_firewall_disable.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_format.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_fsutil_usage.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_ftp.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_gpresult.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_gup_download.yml
GUP LOLBIN Rules + Update AccCheckConsole Rule
2022-06-10 19:07:25 +01:00
proc_creation_win_susp_gup_execution.yml
Update proc_creation_win_susp_gup_execution.yml
2022-06-10 19:08:30 +01:00
proc_creation_win_susp_gup.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_hostname.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_image_missing.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_instalutil.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_iss_module_install.yml
Typo Fix. Added additional reference
2022-07-27 10:27:46 -04:00
proc_creation_win_susp_lsass_clone.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_machineguid.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_mofcomp_execution.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_mounted_share_deletion.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_mpiexec_lolbin.yml
refactor: more exact imphash matching
2022-03-07 12:03:32 +01:00
proc_creation_win_susp_mshta_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_mshta_pattern.yml
Fix after review
2022-07-14 19:34:59 +01:00
proc_creation_win_susp_msiexec_cwd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_msiexec_web_install.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_msoffice.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_net_execution.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_net_use_password_plaintext.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_netsh_command.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_netsh_dll_persistence.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_network_command.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_network_listing_connections.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_new_kernel_driver_via_sc.yml
Create proc_creation_win_susp_new_kernel_driver_via_sc.yml
2022-07-28 12:40:26 +01:00
proc_creation_win_susp_new_service_creation.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_ngrok_pua.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_nmap.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_non_exe_image.yml
fix: FPs found in testing environment
2022-06-20 16:17:54 +02:00
proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_ntdll_type_redirect.yml
rule: ntdll type redirect
2022-03-05 10:39:33 +01:00
proc_creation_win_susp_ntds.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_ntdsutil.yml
docs: adjustments
2022-03-11 18:13:54 +01:00
proc_creation_win_susp_ntlmrelay.yml
Update proc_creation_win_susp_ntlmrelay.yml
2022-05-06 19:46:24 +02:00
proc_creation_win_susp_odbcconf.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_openwith.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_outlook_temp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_outlook.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_parents.yml
fix: FPs with notepad.exe as parent
2022-07-08 19:28:43 +02:00
proc_creation_win_susp_pcwutl.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_pester.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_ping_hex_ip.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_plink_remote_forward.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_cmd_patterns.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_powershell_download_cradles.yml
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
proc_creation_win_susp_powershell_download_iex.yml
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
proc_creation_win_susp_powershell_empire_launch.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_powershell_empire_uac_bypass.yml
chore: promote status of rules
2022-03-31 12:04:37 +02:00
proc_creation_win_susp_powershell_enc_cmd.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_powershell_encode.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_powershell_encoded_param.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_getprocess_lsass.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_powershell_hidden_b64_cmd.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_powershell_iex_patterns.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_powershell_parent_combo.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_powershell_parent_process.yml
fix: FPs noticed with Aurora
2022-07-28 16:58:24 +02:00
proc_creation_win_susp_powershell_sam_access.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_powershell_sub_processes.yml
Merge pull request #3225 from nasbench/master
2022-07-14 21:58:01 +02:00
proc_creation_win_susp_powershell_webclient_casing.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_pressynkey_lolbin.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_print.yml
Update selections
2022-07-07 20:55:19 +01:00
proc_creation_win_susp_procdump_lsass.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_procdump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_progname.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_ps_appdata.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_ps_downloadfile.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_ps_encoded_obfusc.yml
rule: suspicious PS encoded & obfuscated
2022-07-11 18:23:34 +02:00
proc_creation_win_susp_psexec_eula.yml
rule cleanup and new rules
2022-06-27 16:35:22 +02:00
proc_creation_win_susp_psexex_paexec_escalate_system.yml
Update proc_creation_win_susp_psexex_paexec_escalate_system.yml
2022-07-21 21:24:16 +01:00
proc_creation_win_susp_psexex_paexec_flags.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_psloglist.yml
Small Update and New Rule
2022-06-16 23:37:50 +01:00
proc_creation_win_susp_psr_capture_screenshots.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_radmin.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_rar_flags.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_rasdial_activity.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_razorinstaller_explorer.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rclone_execution.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_recon_activity.yml
Update modified
2022-06-09 13:27:07 +02:00
proc_creation_win_susp_recon_net_activity.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_recon.yml
Update Ref+Selection
2022-07-11 14:11:53 +01:00
proc_creation_win_susp_redir_local_admin_share.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_reg_bitlocker.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_reg_disable_sec_services.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_reg_open_command.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_regedit_trustedinstaller.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_register_cimprovider.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_registration_via_cscript.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_susp_regsvr32_anomalies.yml
False positive when box app uses regsvr32
2022-07-20 18:47:26 +00:00
proc_creation_win_susp_regsvr32_flags_anomaly.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_regsvr32_http_pattern.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_regsvr32_image.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_susp_regsvr32_no_dll.yml
Update proc_creation_win_susp_regsvr32_no_dll.yml
2022-06-29 12:52:04 +01:00
proc_creation_win_susp_regsvr32_spawn_explorer.yml
Update 3
2022-07-28 01:05:04 +01:00
proc_creation_win_susp_renamed_dctask64.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_renamed_debugview.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_renamed_paexec.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rpcping.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_run_folder.yml
MS Update FP
2022-07-27 08:09:11 +02:00
proc_creation_win_susp_run_locations.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_activity.yml
fix: FPs with Rundll32 rule
2022-07-20 12:53:24 +02:00
proc_creation_win_susp_rundll32_by_ordinal.yml
Merge branch 'master' into pr/2785
2022-03-08 08:43:59 +01:00
proc_creation_win_susp_rundll32_inline_vbs.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_rundll32_keymgr.yml
docs: false positive condition added
2022-04-21 09:13:06 +02:00
proc_creation_win_susp_rundll32_no_params.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_rundll32_script_run.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_rundll32_spawn_explorer.yml
Update 3
2022-07-28 01:05:04 +01:00
proc_creation_win_susp_rundll32_sys.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_susp_rundll32_user32_dll.yml
Update proc_creation_win_susp_rundll32_user32_dll.yml
2022-06-04 13:29:37 +02:00
proc_creation_win_susp_runonce_execution.yml
Update proc_creation_win_susp_runonce_execution.yml
2022-07-11 18:21:46 +01:00
proc_creation_win_susp_runscripthelper.yml
Update proc_creation_win_susp_runscripthelper.yml
2022-07-11 18:24:17 +01:00
proc_creation_win_susp_sc_query.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_schtask_creation_temp_folder.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_schtask_creation.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_susp_schtasks_change.yml
Qbot rules
2022-07-28 19:33:09 +02:00
proc_creation_win_susp_schtasks_disable.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_schtasks_env_folder.yml
Updates 2
2022-07-28 00:38:33 +01:00
proc_creation_win_susp_schtasks_folder_combos.yml
Updates 2
2022-07-28 00:38:33 +01:00
proc_creation_win_susp_schtasks_parent.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_susp_schtasks_pattern.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_susp_schtasks_user_temp.yml
Add "\" to "Image|endswith" modifier
2022-06-02 13:39:07 +01:00
proc_creation_win_susp_screenconnect_access.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_screensaver_reg.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_script_exec_from_env_folder.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_script_exec_from_temp.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_script_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_service_dacl_modification.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_service_dir.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_service_modification.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_service_path_modification.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_servu_process_pattern.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_sharpview.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_shell_spawn_by_java_keytool.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_shell_spawn_by_java.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_shell_spawn_from_mssql.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_shell_spawn_from_winrm.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_shimcache_flush.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_susp_shutdown.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_splwow64.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_spoolsv_child_processes.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_squirrel_lolbin.yml
fix: FPs noticed with Aurora
2022-07-20 13:02:49 +02:00
proc_creation_win_susp_svchost_no_cli.yml
Update rules syntax
2022-06-28 22:21:46 +01:00
proc_creation_win_susp_svchost.yml
Update rules syntax
2022-06-28 22:21:46 +01:00
proc_creation_win_susp_sysprep_appdata.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_system_user_anomaly.yml
fix: FPs with Visual Studio
2022-07-07 18:20:10 +02:00
proc_creation_win_susp_systeminfo.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_sysvol_access.yml
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
proc_creation_win_susp_takeown.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_target_location_shell32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_taskkill.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_tasklist_command.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_taskmgr_localsystem.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_susp_taskmgr_parent.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_tracker_execution.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_trolleyexpress_procdump.yml
Fix Requested Changes
2022-05-13 15:28:22 +01:00
proc_creation_win_susp_tscon_localsystem.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_susp_tscon_rdp_redirect.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_uac_bypass_trustedpath.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_susp_use_of_csharp_console.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_susp_use_of_sqlps_bin.yml
Fix detection
2022-02-25 15:39:26 +01:00
proc_creation_win_susp_use_of_sqltoolsps_bin.yml
Update proc_creation_win_susp_use_of_sqltoolsps_bin.yml
2022-07-11 18:27:06 +01:00
proc_creation_win_susp_use_of_te_bin.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_userinit_child.yml
fix: FP with explorer.exe
2022-06-29 13:22:35 +02:00
proc_creation_win_susp_vaultcmd.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_vboxdrvinst.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_vbscript_unc2452.yml
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
proc_creation_win_susp_volsnap_disable.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_web_request_cmd.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_webdav_client_execution.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_where_execution.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_whoami_anomaly.yml
some rule improvements
2022-07-21 18:16:22 +02:00
proc_creation_win_susp_whoami_as_param.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_whoami.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_winrar_dmp.yml
Add missing "contains" modifier
2022-06-17 14:06:14 +01:00
proc_creation_win_susp_winrar_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_winrm_awl_bypass.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_winrm_execution.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_winzip.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_wmi_execution.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_wmic_eventconsumer_create.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wmic_proc_create_rundll32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wmic_security_product_uninstall.yml
Rules Update
2022-06-03 20:29:59 +01:00
proc_creation_win_susp_workfolders.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_susp_wuauclt_cmdline.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_wuauclt.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_susp_zip_compress.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_susp_zipexec.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_suspicious_psexesvc_as_system.yml
refactor: new PSEXEC related rule ideas
2022-07-23 11:27:29 +02:00
proc_creation_win_suspicious_psexesvc_renamed.yml
refactor: new PSEXEC related rule ideas
2022-07-23 11:27:29 +02:00
proc_creation_win_suspicious_psexesvc.yml
refactor: new PSEXEC related rule ideas
2022-07-23 11:27:29 +02:00
proc_creation_win_sysinternals_eula_accepted.yml
Update proc_creation_win_sysinternals_eula_accepted.yml
2022-06-16 14:49:17 +08:00
proc_creation_win_sysinternals_psservice.yml
Small Update and New Rule
2022-06-16 23:37:50 +01:00
proc_creation_win_sysmon_driver_unload.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_sysmon_uac_bypass_eventvwr.yml
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
proc_creation_win_system_exe_anomaly.yml
Update 3
2022-07-28 01:05:04 +01:00
proc_creation_win_tap_installer_execution.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_task_folder_evasion.yml
Update selections and indentation
2022-07-07 20:13:45 +01:00
proc_creation_win_termserv_proc_spawn.yml
fix: FPs in testing environment
2022-06-27 08:47:27 +02:00
proc_creation_win_tool_nircmd_as_system.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_tool_nircmd.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_tool_nsudo_execution.yml
Update proc_creation_win_tool_nsudo_execution.yml
2022-06-07 17:00:35 +01:00
proc_creation_win_tool_psexec.yml
refactor condition
2022-06-03 15:35:24 +02:00
proc_creation_win_tool_runx_as_system.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_tools_relay_attacks.yml
chore: increase rule status
2022-03-07 17:10:59 +01:00
proc_creation_win_tools_uac_bypass_computerdefaults.yml
add UACMe reference Id
2022-07-27 11:13:48 +02:00
proc_creation_win_tor_browser.yml
Rename win_pc_tor_browser.yml to proc_creation_win_tor_browser.yml
2022-02-20 17:59:53 +01:00
proc_creation_win_trust_discovery.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_uac_bypass_changepk_slui.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_cleanmgr.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_cmstp.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_uac_bypass_consent_comctl32.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_dismhost.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_fodhelper.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_uac_bypass_idiagnostic_profile.yml
Update proc_creation_win_uac_bypass_idiagnostic_profile.yml
2022-07-03 20:16:43 +01:00
proc_creation_win_uac_bypass_ieinstal.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_msconfig_gui.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_ntfs_reparse_point.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_pkgmgr_dism.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_winsat.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_wmp.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_uac_bypass_wsreset_integrity_level.yml
Renamed LOLBIN rules + Other
2022-06-12 23:59:25 +01:00
proc_creation_win_uac_bypass_wsreset.yml
Delete duplicate rule + merge
2022-07-27 22:53:58 +01:00
proc_creation_win_uninstall_crowdstrike_falcon.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_uninstall_sysmon.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_using_sc_to_hide_sevices.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_using_settingsynchost_as_lolbin.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_verclsid_runs_com.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_vmtoolsd_susp_child_process.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_vul_java_remote_debugging.yml
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
proc_creation_win_webshell_detection.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_webshell_hacking.yml
fix: single list element
2022-03-21 12:33:55 +01:00
proc_creation_win_webshell_recon_detection.yml
Updates
2022-07-27 23:41:11 +01:00
proc_creation_win_webshell_spawn.yml
Updates
2022-07-27 23:41:11 +01:00
proc_creation_win_whoami_as_priv_user.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_whoami_as_system.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_whoami_priv.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_win10_sched_task_0day.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_win_exchange_transportagent.yml
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
proc_creation_win_windows_terminal_susp_children.yml
Fix typos
2022-07-27 12:52:51 +01:00
proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
fix: FPs noticed with EdgeTransport sub processes
2022-03-18 10:18:40 +01:00
proc_creation_win_wmi_persistence_script_event_consumer.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_wmi_spwns_powershell.yml
New Rules + Update
2022-07-14 17:35:50 +01:00
proc_creation_win_wmic_hotfix_enum.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_wmic_reconnaissance.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_wmic_remote_command.yml
Quick Fix
2022-05-13 11:52:31 +01:00
proc_creation_win_wmic_remote_service.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_wmic_remove_application.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_wmic_service.yml
New Rules
2022-06-21 11:47:18 +01:00
proc_creation_win_wmic_unquoted_service_search.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_wmiprvse_spawning_process.yml
chore: harmonization of generic 'nt system' user checks
2022-05-27 15:16:31 +02:00
proc_creation_win_workflow_compiler.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00
proc_creation_win_wpbbin_persistence.yml
UEFI Persistence - wpbbin
2022-07-18 12:45:44 +01:00
proc_creation_win_write_protect_for_storage_disabled.yml
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
proc_creation_win_xordump.yml
Normalization of rule names
2022-02-22 11:16:31 +01:00
proc_creation_win_xsl_script_processing.yml
Update Ref+Selection 2
2022-07-11 17:48:40 +01:00