security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6df2ba31bab3bb8104c4dad729b56c4cbef0afb4
blue-team-tools/rules/windows/process_creation
T
History
Matt Anderson 6df2ba31ba Merge PR #4919 from @MATTANDERS0N - Added new detections related BOINC 
new: Headless Process Launched Via Conhost.EXE
new: Potential BOINC Software Execution (UC-Berkeley Signature)
new: Powershell Executed From Headless ConHost Process
new: Process Launched Without Image Name
new: Renamed BOINC Client Execution 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-23 15:06:26 +02:00
..
proc_creation_win_7zip_exfil_dmp_files.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_7zip_password_compression.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_addinutil_suspicious_cmdline.yml
Merge PR #4452 from @SILJAEUROPA - Add New Rules To AddInUtil Potential Abuse
2023-10-05 13:07:50 +02:00
proc_creation_win_addinutil_uncommon_child_process.yml
Merge PR #4452 from @SILJAEUROPA - Add New Rules To AddInUtil Potential Abuse
2023-10-05 13:07:50 +02:00
proc_creation_win_addinutil_uncommon_cmdline.yml
Merge PR #4452 from @SILJAEUROPA - Add New Rules To AddInUtil Potential Abuse
2023-10-05 13:07:50 +02:00
proc_creation_win_addinutil_uncommon_dir_exec.yml
Merge PR #4452 from @SILJAEUROPA - Add New Rules To AddInUtil Potential Abuse
2023-10-05 13:07:50 +02:00
proc_creation_win_adplus_memory_dump.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_agentexecutor_potential_abuse.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_agentexecutor_susp_usage.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_appvlp_uncommon_child_process.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_aspnet_compiler_exectuion.yml
feat: aspnet compile + agentexecutor rename
2023-08-14 14:38:25 +02:00
proc_creation_win_aspnet_compiler_susp_child_process.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_aspnet_compiler_susp_paths.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_at_interactive_execution.yml
feat: more updates
2023-03-10 23:32:32 +01:00
proc_creation_win_atbroker_uncommon_ats_execution.yml
Merge PR #4755 from @snajafov - Fix false positives with AT usage rule
2024-03-06 17:47:17 +01:00
proc_creation_win_attrib_hiding_files.yml
Merge PR #4853 from @nasbench - Add some cosmetic changes and small updates
2024-05-13 16:59:44 +02:00
proc_creation_win_attrib_system_susp_paths.yml
Merge PR #4853 from @nasbench - Add some cosmetic changes and small updates
2024-05-13 16:59:44 +02:00
proc_creation_win_auditpol_nt_resource_kit_usage.yml
fix: apply suggestions from code review
2023-03-13 10:48:08 +01:00
proc_creation_win_auditpol_susp_execution.yml
fix: apply suggestions from code review
2023-03-13 10:48:08 +01:00
proc_creation_win_bash_command_execution.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_bash_file_execution.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_bcdedit_boot_conf_tamper.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_bcdedit_susp_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_bginfo_suspicious_child_process.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_bginfo_uncommon_child_process.yml
Update rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
2023-08-18 15:15:52 +02:00
proc_creation_win_bitlockertogo_execution.yml
Merge PR #4902 from @joshnck - Add BitlockerTogo.EXE Execution
2024-07-11 20:22:59 +02:00
proc_creation_win_bitsadmin_download_direct_ip.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_bitsadmin_download_file_sharing_domains.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_bitsadmin_download_susp_extensions.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_bitsadmin_download_susp_targetfolder.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_bitsadmin_download.yml
fix: remove unrelated bitsadmin selection
2023-02-15 21:18:38 +01:00
proc_creation_win_bitsadmin_potential_persistence.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_browsers_chromium_headless_debugging.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_browsers_chromium_headless_exec.yml
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04 19:06:57 +02:00
proc_creation_win_browsers_chromium_headless_file_download.yml
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04 19:06:57 +02:00
proc_creation_win_browsers_chromium_load_extension.yml
Merge PR #4598 from @joshnck - Add New Generic Chromium Load-Extension Rule
2023-11-28 10:53:25 +01:00
proc_creation_win_browsers_chromium_mockbin_abuse.yml
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04 19:06:57 +02:00
proc_creation_win_browsers_chromium_susp_load_extension.yml
Merge PR #4598 from @joshnck - Add New Generic Chromium Load-Extension Rule
2023-11-28 10:53:25 +01:00
proc_creation_win_browsers_inline_file_download.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_browsers_remote_debugging.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_browsers_tor_execution.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_calc_uncommon_exec.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_cdb_arbitrary_command_execution.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_certmgr_certificate_installation.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_certoc_download_direct_ip.yml
Merge PR #4491 from @nasbench - Rule Updates & Fixes
2023-10-23 10:35:57 +02:00
proc_creation_win_certoc_download.yml
Merge PR #4491 from @nasbench - Rule Updates & Fixes
2023-10-23 10:35:57 +02:00
proc_creation_win_certoc_load_dll_susp_locations.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_certoc_load_dll.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_certutil_certificate_installation.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_certutil_decode.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_certutil_download_direct_ip.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_certutil_download_file_sharing_domains.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_certutil_download.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_certutil_encode_susp_extensions.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_certutil_encode_susp_location.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_certutil_encode.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_certutil_export_pfx.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_certutil_ntlm_coercion.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_chcp_codepage_lookup.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_chcp_codepage_switch.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_cipher_overwrite_deleted_data.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_citrix_trolleyexpress_procdump.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_clip_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_cloudflared_portable_execution.yml
Merge PR #4628 from @ssnkhan - New: Detect Creation of Cloudflared Quick Tunnels
2023-12-21 12:32:08 +01:00
proc_creation_win_cloudflared_quicktunnel_execution.yml
Merge PR #4628 from @ssnkhan - New: Detect Creation of Cloudflared Quick Tunnels
2023-12-21 12:32:08 +01:00
proc_creation_win_cloudflared_tunnel_cleanup.yml
Merge PR #4628 from @ssnkhan - New: Detect Creation of Cloudflared Quick Tunnels
2023-12-21 12:32:08 +01:00
proc_creation_win_cloudflared_tunnel_run.yml
Merge PR #4628 from @ssnkhan - New: Detect Creation of Cloudflared Quick Tunnels
2023-12-21 12:32:08 +01:00
proc_creation_win_cmd_assoc_execution.yml
feat: update cmd based rules
2023-03-07 14:13:57 +01:00
proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_cmd_copy_dmp_from_share.yml
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04 19:06:57 +02:00
proc_creation_win_cmd_curl_download_exec_combo.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_cmd_del_execution.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_cmd_del_greedy_deletion.yml
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04 19:06:57 +02:00
proc_creation_win_cmd_dir_execution.yml
Merge PR #4813 from @frack113 - Add Image to avoid FP
2024-04-15 13:42:32 +02:00
proc_creation_win_cmd_dosfuscation.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_cmd_http_appdata.yml
feat: update cmd based rules
2023-03-07 14:13:57 +01:00
proc_creation_win_cmd_mklink_osk_cmd.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
feat: update cmd based rules
2023-03-07 14:13:57 +01:00
proc_creation_win_cmd_net_use_and_exec_combo.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_cmd_no_space_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_cmd_ntdllpipe_redirect.yml
fix: apply suggestions from code review
2023-03-07 17:07:12 +01:00
proc_creation_win_cmd_path_traversal.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_cmd_ping_copy_combined_execution.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_cmd_ping_del_combined_execution.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_cmd_redirection_susp_folder.yml
Merge PR #4774 from @nasbench - Fix and update multiple rules
2024-03-26 19:09:21 +01:00
proc_creation_win_cmd_rmdir_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_cmd_shadowcopy_access.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_cmd_stdin_redirect.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
fix: add missing modified date
2023-03-07 17:50:14 +01:00
proc_creation_win_cmd_sticky_keys_replace.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_cmd_type_arbitrary_file_download.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_cmd_unusual_parent.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_cmdkey_adding_generic_creds.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_cmdkey_recon.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_cmdl32_arbitrary_file_download.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_cmstp_execution_by_creation.yml
proc_creation_win_configsecuritypolicy_download_file.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_conhost_headless_powershell.yml
Merge PR #4919 from @MATTANDERS0N - Added new detections related BOINC
2024-07-23 15:06:26 +02:00
proc_creation_win_conhost_legacy_option.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_conhost_path_traversal.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_conhost_susp_child_process.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_conhost_uncommon_parent.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_control_panel_item.yml
Merge PR #4476 From @phantinuss - Fix False Positives Found In Testing
2023-10-12 12:47:45 +02:00
proc_creation_win_createdump_lolbin_execution.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_csc_susp_dynamic_compilation.yml
Merge PR #4860 from @CR-OfirTal - Fix a typo in the regex of some rules
2024-05-27 14:27:34 +02:00
proc_creation_win_csc_susp_parent.yml
Merge PR #4860 from @CR-OfirTal - Fix a typo in the regex of some rules
2024-05-27 14:27:34 +02:00
proc_creation_win_csi_execution.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_csi_use_of_csharp_console.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_csvde_export.yml
Merge PR #4807 from @frack113 - Update ATT&CK tags
2024-04-15 10:46:47 +02:00
proc_creation_win_curl_cookie_hijacking.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_curl_custom_user_agent.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_curl_download_direct_ip_exec.yml
Merge PR #4491 from @nasbench - Rule Updates & Fixes
2023-10-23 10:35:57 +02:00
proc_creation_win_curl_download_direct_ip_susp_extensions.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_curl_download_susp_file_sharing_domains.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_curl_insecure_connection.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_curl_insecure_porxy_or_doh.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_curl_local_file_read.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_curl_susp_download.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_defaultpack_uncommon_child_process.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_desktopimgdownldr_remote_file_download.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_desktopimgdownldr_susp_execution.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_deviceenroller_dll_sideloading.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_devinit_lolbin_usage.yml
fix: typos
2023-04-14 11:54:04 +02:00
proc_creation_win_dfsvc_suspicious_child_processes.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_dirlister_execution.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_diskshadow_child_process_susp.yml
Merge PR #4718 from @qasimqlf - Update ATT&CK Mapping For Some Rules
2024-02-26 17:09:30 +01:00
proc_creation_win_diskshadow_script_mode_susp_ext.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_diskshadow_script_mode_susp_location.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_dll_sideload_vmware_xfer.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_dllhost_no_cli_execution.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_dns_exfiltration_tools_execution.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_dns_susp_child_process.yml
Merge PR #4776 from @security-companion - Fix broken reference links
2024-03-21 02:38:12 +01:00
proc_creation_win_dnscmd_discovery.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
fix: multiple typos
2023-02-06 12:28:45 +01:00
proc_creation_win_dnx_execute_csharp_code.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_dotnet_trace_lolbin_execution.yml
Merge PR #4643 from @bohops - Adding dotnet-trace LOLBIN
2024-01-10 13:58:15 +01:00
proc_creation_win_dotnetdump_memory_dump.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_driverquery_recon.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_driverquery_usage.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_dsacls_abuse_permissions.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_dsacls_password_spray.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_dsim_remove.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_dsquery_domain_trust_discovery.yml
feat: multiple updates and fixes
2023-02-03 02:22:28 +01:00
proc_creation_win_dtrace_kernel_dump.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_dump64_defender_av_bypass_rename.yml
Update Rules (#4872)
2024-06-25 11:26:45 +02:00
proc_creation_win_dumpminitool_execution.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_dumpminitool_susp_execution.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_esentutl_params.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_esentutl_sensitive_file_copy.yml
Update Rules (#4872)
2024-06-25 11:26:45 +02:00
proc_creation_win_esentutl_webcache.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_eventvwr_susp_child_process.yml
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04 19:06:57 +02:00
proc_creation_win_expand_cabinet_files.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_explorer_break_process_tree.yml
Update Rules (#4872)
2024-06-25 11:26:45 +02:00
proc_creation_win_explorer_nouaccheck.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_findstr_download.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_findstr_gpp_passwords.yml
Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing
2023-11-15 15:35:43 +01:00
proc_creation_win_findstr_lnk.yml
Merge PR #4674 from @Neo23x0 - Increase hack tool coverage
2024-01-15 15:24:03 +01:00
proc_creation_win_findstr_lsass.yml
Update Rules (#4872)
2024-06-25 11:26:45 +02:00
proc_creation_win_findstr_recon_everyone.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_findstr_recon_pipe_output.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_findstr_security_keyword_lookup.yml
Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing
2023-11-15 15:35:43 +01:00
proc_creation_win_findstr_subfolder_search.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing
2023-11-15 15:35:43 +01:00
proc_creation_win_finger_execution.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_fltmc_unload_driver_sysmon.yml
fix: apply suggestions from code review
2023-02-16 10:46:29 +01:00
proc_creation_win_fltmc_unload_driver.yml
Update Rules (#4872)
2024-06-25 11:26:45 +02:00
proc_creation_win_forfiles_child_process_masquerading.yml
Merge PR #4661 from @Tuutaans - Suspicious forfiles Child processes
2024-01-10 14:44:05 +01:00
proc_creation_win_forfiles_proxy_execution_.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_format_uncommon_filesystem_load.yml
Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard
2024-05-13 12:10:33 +02:00
proc_creation_win_fsi_fsharp_code_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_fsutil_drive_enumeration.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_fsutil_symlinkevaluation.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_fsutil_usage.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_ftp_arbitrary_command_execution.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
Merge PR #4491 from @nasbench - Rule Updates & Fixes
2023-10-23 10:35:57 +02:00
proc_creation_win_git_susp_clone.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_googleupdate_susp_child_process.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_gpg4win_decryption.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_gpg4win_encryption.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_gpg4win_portable_execution.yml
Merge PR #4560 from @nasbench - Fix FP Found In Testing & Other Rule Updates
2023-11-10 17:32:28 +01:00
proc_creation_win_gpg4win_susp_location.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_gpresult_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_gup_arbitrary_binary_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_gup_download.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_gup_suspicious_execution.yml
chore: renames with new sigma convention
2023-03-03 00:21:25 +01:00
proc_creation_win_hh_chm_execution.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_hh_chm_remote_download_or_execution.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_hh_html_help_susp_child_process.yml
feat: update hh.exe related rules
2023-04-12 16:12:33 +02:00
proc_creation_win_hh_susp_execution.yml
feat: update hh.exe related rules
2023-04-12 16:12:33 +02:00
proc_creation_win_hktl_adcspwn.yml
feat: additional updates and fixes
2023-02-04 21:06:47 +01:00
proc_creation_win_hktl_bloodhound_sharphound.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_hktl_c3_rundll32_pattern.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_hktl_certify.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_hktl_certipy.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_hktl_cobaltstrike_process_patterns.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_hktl_coercedpotato.yml
Merge PR #4798 from @PiRomant - Update Hashes field to use contains modifier
2024-04-15 16:43:49 +02:00
proc_creation_win_hktl_covenant.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_hktl_crackmapexec_execution_patterns.yml
Merge PR #4543 from @X-Junior - Add & Update Multiple Rules
2023-11-06 14:13:31 +01:00
proc_creation_win_hktl_crackmapexec_execution.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
proc_creation_win_hktl_crackmapexec_patterns.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_hktl_createminidump.yml
feat: additional updates and fixes
2023-02-04 21:06:47 +01:00
proc_creation_win_hktl_dinjector.yml
feat: more fixes and updates
2023-02-05 21:46:22 +01:00
proc_creation_win_hktl_dumpert.yml
feat: additional updates and fixes
2023-02-04 21:06:47 +01:00
proc_creation_win_hktl_edrsilencer.yml
Merge PR #4648 from @danielgottt - EDRSilencer Execution
2024-01-10 14:21:40 +01:00
proc_creation_win_hktl_empire_powershell_launch.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_hktl_empire_powershell_uac_bypass.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_hktl_evil_winrm.yml
Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard
2024-05-13 12:10:33 +02:00
proc_creation_win_hktl_execution_via_imphashes.yml
Merge PR #4703 from @Neo23x0 - Add EventLogCrasher imphash
2024-02-07 14:05:12 +01:00
proc_creation_win_hktl_execution_via_pe_metadata.yml
Merge PR #4674 from @Neo23x0 - Increase hack tool coverage
2024-01-15 15:24:03 +01:00
proc_creation_win_hktl_gmer.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_handlekatz.yml
Merge PR #4798 from @PiRomant - Update Hashes field to use contains modifier
2024-04-15 16:43:49 +02:00
proc_creation_win_hktl_hashcat.yml
feat: additional updates and fixes
2023-02-04 21:06:47 +01:00
proc_creation_win_hktl_htran_or_natbypass.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_hktl_hydra.yml
feat: additional updates and fixes
2023-02-04 21:06:47 +01:00
proc_creation_win_hktl_impacket_lateral_movement.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_hktl_impacket_tools.yml
Merge PR #4597 from @nasbench - Update Process Access Rules
2023-12-04 01:14:15 +01:00
proc_creation_win_hktl_impersonate.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_inveigh.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_hktl_invoke_obfuscation_clip.yml
Merge PR #4803 from @frack113 - Update regex based rules
2024-04-15 16:37:15 +02:00
proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_hktl_invoke_obfuscation_stdin.yml
Merge PR #4803 from @frack113 - Update regex based rules
2024-04-15 16:37:15 +02:00
proc_creation_win_hktl_invoke_obfuscation_var.yml
Merge PR #4803 from @frack113 - Update regex based rules
2024-04-15 16:37:15 +02:00
proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
Merge PR #4819 from @fukusuket - Fix regex escape
2024-04-16 12:57:45 +02:00
proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
Merge PR #4803 from @frack113 - Update regex based rules
2024-04-15 16:37:15 +02:00
proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_hktl_invoke_obfuscation_via_var.yml
Merge PR #4803 from @frack113 - Update regex based rules
2024-04-15 16:37:15 +02:00
proc_creation_win_hktl_jlaive_batch_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_koadic.yml
feat: add missing OriginalFileName field
2023-02-11 23:04:18 +05:00
proc_creation_win_hktl_krbrelay_remote.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_hktl_krbrelay.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_hktl_krbrelayup.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_hktl_lazagne.yml
Update Rules (#4872)
2024-06-25 11:26:45 +02:00
proc_creation_win_hktl_localpotato.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_meterpreter_getsystem.yml
fix: shorten filenames
2023-03-06 00:55:03 +01:00
proc_creation_win_hktl_mimikatz_command_line.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_hktl_pchunter.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_powersploit_empire_default_schtasks.yml
fix: update rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml
2023-03-07 17:49:21 +01:00
proc_creation_win_hktl_powertool.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_hktl_purplesharp_indicators.yml
feat: more fixes and updates
2023-02-05 21:46:22 +01:00
proc_creation_win_hktl_pypykatz.yml
fix: multiple typos
2023-02-06 12:28:45 +01:00
proc_creation_win_hktl_quarks_pwdump.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_redmimicry_winnti_playbook.yml
chore: renames with new sigma convention
2023-03-03 00:21:25 +01:00
proc_creation_win_hktl_relay_attacks_tools.yml
feat: updates and enhancements
2023-02-14 00:51:20 +01:00
proc_creation_win_hktl_rubeus.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_hktl_safetykatz.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_hktl_secutyxploded.yml
feat: additional updates and fixes
2023-02-04 21:06:47 +01:00
proc_creation_win_hktl_selectmyparent.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_hktl_sharp_chisel.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_sharp_dpapi_execution.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_hktl_sharp_impersonation.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_sharp_ldap_monitor.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_sharpersist.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_hktl_sharpevtmute.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_sharpldapwhoami.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_hktl_sharpmove.yml
Merge PR #4686 from @CrimpSec - Add new rule for SharpMove based on PE metadata and CLI options
2024-01-29 12:03:08 +01:00
proc_creation_win_hktl_sharpup.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_sharpview.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_silenttrinity_stager.yml
feat: updates and fixes
2023-02-17 17:51:44 +01:00
proc_creation_win_hktl_sliver_c2_execution_pattern.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_stracciatella_execution.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_hktl_sysmoneop.yml
Merge PR #4798 from @PiRomant - Update Hashes field to use contains modifier
2024-04-15 16:43:49 +02:00
proc_creation_win_hktl_trufflesnout.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_hktl_uacme.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_hktl_wce.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_hktl_winpeas.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_hktl_winpwn.yml
Merge PR #4529 from @swachchhanda000 - Add New Rules Related To WinPwn Execution
2023-12-04 14:24:19 +01:00
proc_creation_win_hktl_wmiexec_default_powershell.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_hktl_xordump.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_hktl_zipexec.yml
chore: renames with new sigma convention
2023-03-03 00:21:25 +01:00
proc_creation_win_hostname_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_hwp_exploits.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_hxtsr_masquerading.yml
Merge PR #4715 from @Neo23x0 - Use Image field in filter
2024-02-08 16:19:01 +01:00
proc_creation_win_icacls_deny.yml
Merge PR #4853 from @nasbench - Add some cosmetic changes and small updates
2024-05-13 16:59:44 +02:00
proc_creation_win_ieexec_download.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_iexpress_susp_execution.yml
Update Rules (#4872)
2024-06-25 11:26:45 +02:00
proc_creation_win_iis_appcmd_http_logging.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_iis_appcmd_service_account_password_dumped.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_iis_appcmd_susp_module_install.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_iis_connection_strings_decryption.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_iis_susp_module_registration.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
proc_creation_win_ilasm_il_code_compilation.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_imagingdevices_unusual_parents.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_imewbdld_download.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_installutil_download.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_instalutil_no_log_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_java_keytool_susp_child_process.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_java_manageengine_susp_child_process.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_java_remote_debugging.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_java_susp_child_process_2.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_java_susp_child_process.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_java_sysaidserver_susp_child_process.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_jsc_execution.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_kavremover_uncommon_execution.yml
Update Rules (#4872)
2024-06-25 11:26:45 +02:00
proc_creation_win_kd_execution.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_keyscrambler_susp_child_process.yml
Merge PR #4818 from @swachchhanda000 - Add Potentially Suspicious Child Process Of KeyScrambler.exe
2024-05-13 13:48:35 +02:00
proc_creation_win_ksetup_password_change_computer.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_ksetup_password_change_user.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_ldifde_export.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_ldifde_file_load.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_link_uncommon_parent_process.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_lodctr_performance_counter_tampering.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_logman_disable_eventlog.yml
fix: apply suggestions from 2nd code review
2023-02-22 12:15:49 +01:00
proc_creation_win_lolbin_customshellhost.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_lolbin_device_credential_deployment.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_devtoolslauncher.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_lolbin_diantz_ads.yml
fix: remove unneeded backslash escape in character class.
2022-12-31 00:33:00 +09:00
proc_creation_win_lolbin_diantz_remote_cab.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_extexport.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_extrac32_ads.yml
fix: add missing modified date
2022-12-30 20:56:21 +01:00
proc_creation_win_lolbin_extrac32.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_gather_network_info.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_lolbin_gpscript.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_lolbin_ie4uinit.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_launch_vsdevshell.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_manage_bde.yml
fix: add missing modified and small fixes to selections
2023-02-04 11:44:33 +01:00
proc_creation_win_lolbin_mavinject_process_injection.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_mpiexec.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_lolbin_msdeploy.yml
Merge PR #4718 from @qasimqlf - Update ATT&CK Mapping For Some Rules
2024-02-26 17:09:30 +01:00
proc_creation_win_lolbin_msdt_answer_file.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_openconsole.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_openwith.yml
chore: renames with new sigma convention
2023-03-03 00:21:25 +01:00
proc_creation_win_lolbin_pcalua.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_lolbin_pcwrun_follina.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_pcwrun.yml
proc_creation_win_lolbin_pcwutl.yml
feat: add missing OriginalFileName field (#4026)
2023-02-09 15:09:23 +01:00
proc_creation_win_lolbin_pester_1.yml
Merge PR #4559 from @fukusuket - Fix unescaped wildcard character
2023-11-09 13:37:48 +01:00
proc_creation_win_lolbin_pester.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_printbrm.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_pubprn.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_rasautou_dll_execution.yml
proc_creation_win_lolbin_register_app.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_remote.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_replace.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_lolbin_runexehelper.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_lolbin_runscripthelper.yml
chore: renames with new sigma convention
2023-03-03 00:21:25 +01:00
proc_creation_win_lolbin_scriptrunner.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_settingsynchost.yml
proc_creation_win_lolbin_sftp.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_sigverif.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_ssh.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_lolbin_susp_acccheckconsole.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_lolbin_susp_certreq_download.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_lolbin_susp_dxcap.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_lolbin_susp_grpconv.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_susp_sqldumper_activity.yml
proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_tracker.yml
feat: updates and enhancements
2023-01-10 00:13:37 +01:00
proc_creation_win_lolbin_ttdinject.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_tttracer_mod_load.yml
proc_creation_win_lolbin_unregmp2.yml
Update Rules (#4872)
2024-06-25 11:26:45 +02:00
proc_creation_win_lolbin_utilityfunctions.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_visual_basic_compiler.yml
proc_creation_win_lolbin_visualuiaverifynative.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_lolbin_vsiisexelauncher.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_lolbin_wfc.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_lolbin_workflow_compiler.yml
feat: even more updates
2023-02-03 20:17:09 +01:00
proc_creation_win_lolscript_register_app.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_lsass_process_clone.yml
Merge PR #4406 from @nasbench - Multiple Updates & Additions
2023-09-07 11:42:15 +02:00
proc_creation_win_mftrace_child_process.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_mmc_mmc20_lateral_movement.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_mmc_susp_child_process.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_mode_codepage_russian.yml
Merge PR #4682 from @jstnk9 - Add new rules related to MODE.COM usage in changing code pages
2024-01-22 11:37:16 +01:00
proc_creation_win_mofcomp_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_mpcmdrun_dll_sideload_defender.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_mpcmdrun_download_arbitrary_file.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
refactor: increased level
2023-07-18 14:09:12 +02:00
proc_creation_win_msbuild_susp_parent_process.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_msdt_arbitrary_command_execution.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_msdt_susp_cab_options.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_msdt_susp_parent.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_msedge_proxy_download.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_mshta_http.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_mshta_inline_vbscript.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_mshta_javascript.yml
fix: apply suggestions from code review
2023-02-07 18:44:26 +01:00
proc_creation_win_mshta_lethalhta_technique.yml
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
2023-10-28 13:15:09 +02:00
proc_creation_win_mshta_susp_child_processes.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_mshta_susp_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_mshta_susp_pattern.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_msiexec_dll.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_msiexec_embedding.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_msiexec_execute_dll.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_msiexec_install_quiet.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_msiexec_install_remote.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_msiexec_masquerading.yml
fix: apply suggestions from 2nd code review
2023-02-22 12:15:49 +01:00
proc_creation_win_msiexec_web_install.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_msohtmed_download.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_mspub_download.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_msra_process_injection.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_mssql_sqlps_susp_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_mssql_sqltoolsps_susp_execution.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_mssql_susp_child_process.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_mssql_veaam_susp_child_processes.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_mstsc_rdp_hijack_shadowing.yml
feat: more fixes and updates
2023-02-05 21:46:22 +01:00
proc_creation_win_mstsc_remote_connection.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_mstsc_run_local_rdp_file.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_msxsl_execution.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_msxsl_remote_execution.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_net_groups_and_accounts_recon.yml
Merge PR #4735 from @nasbench - Slash&Grab Exploitation Related Rule Updates
2024-02-23 23:57:44 +01:00
proc_creation_win_net_share_unmount.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_net_start_service.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_net_stop_service.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_net_use_mount_admin_share.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_net_use_mount_internet_share.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_net_use_mount_share.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_net_use_network_connections_discovery.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_net_use_password_plaintext.yml
Merge PR #4727 from @frack113 - Refactor the condition field to align with the standard
2024-02-26 21:51:24 +01:00
proc_creation_win_net_user_add_never_expire.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_net_user_add.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_net_user_default_accounts_manipulation.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_net_view_share_and_sessions_enum.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_netsh_fw_add_rule.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_netsh_fw_allow_rdp.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_netsh_fw_delete_rule.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_netsh_fw_disable.yml
feat: updates and enhancements
2023-02-14 00:51:20 +01:00
proc_creation_win_netsh_fw_enable_group_rule.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_netsh_fw_rules_discovery.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_netsh_fw_set_rule.yml
fix: typos
2023-07-20 14:13:13 +02:00
proc_creation_win_netsh_helper_dll_persistence.yml
Merge PR #4602 from @nasbench - Update Netsh DLL Helper Abuse Rules
2023-11-28 16:24:00 +01:00
proc_creation_win_netsh_packet_capture.yml
feat: updates and enhancements
2023-02-14 00:51:20 +01:00
proc_creation_win_netsh_port_forwarding_3389.yml
fix: apply suggestions from code review
2023-02-16 10:46:29 +01:00
proc_creation_win_netsh_port_forwarding.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_netsh_wifi_credential_harvesting.yml
feat: updates and enhancements
2023-02-14 00:51:20 +01:00
proc_creation_win_nltest_execution.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_nltest_recon.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_node_abuse.yml
Merge PR #4912 from @nasbench - update pySigma-validators-sigmahq to version 0.7.0 and sigma_cli_conf.yml
2024-07-11 11:24:01 +02:00
proc_creation_win_node_adobe_creative_cloud_abuse.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_nslookup_domain_discovery.yml
Merge PR #4727 from @frack113 - Refactor the condition field to align with the standard
2024-02-26 21:51:24 +01:00
proc_creation_win_nslookup_poweshell_download.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_ntdsutil_susp_usage.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_ntdsutil_usage.yml
proc_creation_win_odbcconf_driver_install_susp.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_odbcconf_driver_install.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_odbcconf_exec_susp_locations.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_odbcconf_register_dll_regsvr.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_odbcconf_response_file_susp.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_odbcconf_response_file.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_odbcconf_uncommon_child_process.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_office_arbitrary_cli_download.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_office_excel_dcom_lateral_movement.yml
Merge PR #4534 from @AaronS97 - Possible Excel DCOM Lateral Movement
2023-11-14 09:32:29 +01:00
proc_creation_win_office_exec_from_trusted_locations.yml
Merge PR #4491 from @nasbench - Rule Updates & Fixes
2023-10-23 10:35:57 +02:00
proc_creation_win_office_onenote_susp_child_processes.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml
fix: duplicate titles
2023-02-09 16:06:09 +01:00
proc_creation_win_office_outlook_execution_from_temp.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_office_outlook_susp_child_processes_remote.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_office_outlook_susp_child_processes.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_office_spawn_exe_from_users_directory.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_office_susp_child_processes.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_office_winword_dll_load.yml
feat: new rules, updates and fp fixes (#4136)
2023-04-03 12:06:14 +02:00
proc_creation_win_offlinescannershell_mpclient_sideloading.yml
feat: more updates
2023-08-03 18:50:16 +02:00
proc_creation_win_pdqdeploy_execution.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_pdqdeploy_runner_susp_children.yml
Merge PR #4853 from @nasbench - Add some cosmetic changes and small updates
2024-05-13 16:59:44 +02:00
proc_creation_win_perl_inline_command_execution.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_php_inline_command_execution.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_ping_hex_ip.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_pktmon_execution.yml
feat: new rules & updates (#4328)
2023-07-13 10:01:05 +02:00
proc_creation_win_plink_port_forwarding.yml
feat: more fixes and updates
2023-02-05 21:46:22 +01:00
proc_creation_win_plink_susp_tunneling.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_powercfg_execution.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_powershell_active_directory_module_dll_import.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_powershell_add_windows_capability.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_powershell_amsi_init_failed_bypass.yml
fix: add missing modified and small fixes to selections
2023-02-04 11:44:33 +01:00
proc_creation_win_powershell_amsi_null_bits_bypass.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_powershell_audio_capture.yml
feat: new rules, updates and fp fixes (#4162)
2023-04-11 13:04:22 +02:00
proc_creation_win_powershell_base64_encoded_cmd_patterns.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_powershell_base64_encoded_cmd.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_base64_encoded_obfusc.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_powershell_base64_frombase64string.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_base64_hidden_flag.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_powershell_base64_iex.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_base64_invoke.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_base64_mppreference.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml
feat: new rules, updates and fp fixes (#4162)
2023-04-11 13:04:22 +02:00
proc_creation_win_powershell_base64_reflection_assembly_load.yml
feat: new rules, updates and fp fixes (#4162)
2023-04-11 13:04:22 +02:00
proc_creation_win_powershell_base64_wmi_classes.yml
Merge PR #4859 from @vburov - Update casing of Win32_ShadowCopy for multiple rules
2024-05-27 14:33:46 +02:00
proc_creation_win_powershell_cl_invocation.yml
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
2023-10-28 13:15:09 +02:00
proc_creation_win_powershell_cl_loadassembly.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_powershell_cl_mutexverifiers.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_powershell_cmdline_convertto_securestring.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_cmdline_reversed_strings.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_cmdline_special_characters.yml
Merge PR #4803 from @frack113 - Update regex based rules
2024-04-15 16:37:15 +02:00
proc_creation_win_powershell_computer_discovery_get_adcomputer.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_create_service.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_powershell_decode_gzip.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_powershell_decrypt_pattern.yml
Merge PR #4614 from @X-Junior - updates for multiple rules 4-12-2023
2023-12-11 10:42:44 +01:00
proc_creation_win_powershell_defender_disable_feature.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_powershell_defender_exclusion.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_disable_firewall.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_powershell_disable_ie_features.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_powershell_downgrade_attack.yml
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
proc_creation_win_powershell_download_com_cradles.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_powershell_download_cradles.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_powershell_download_dll.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_powershell_download_iex.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_powershell_download_patterns.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_powershell_download_susp_file_sharing_domains.yml
Merge PR #4783 from @nasbench - Update registry rules logic and fix some false positives
2024-03-26 13:28:49 +01:00
proc_creation_win_powershell_dsinternals_cmdlets.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_powershell_email_exfil.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_powershell_encode.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_powershell_encoding_patterns.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_exec_data_file.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_powershell_export_certificate.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_powershell_frombase64string_archive.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_powershell_frombase64string.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_powershell_get_clipboard.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
proc_creation_win_powershell_get_localgroup_member_recon.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_powershell_getprocess_lsass.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_powershell_hide_services_via_set_service.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_powershell_iex_patterns.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_powershell_import_cert_susp_locations.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_powershell_import_module_susp_dirs.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_powershell_install_unsigned_appx_packages.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_powershell_invocation_specific.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_powershell_invoke_webrequest_download.yml
Merge PR #4735 from @nasbench - Slash&Grab Exploitation Related Rule Updates
2024-02-23 23:57:44 +01:00
proc_creation_win_powershell_mailboxexport_share.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_powershell_malicious_cmdlets.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_powershell_msexchange_transport_agent.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_powershell_non_interactive_execution.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_obfuscation_via_utf8.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_powershell_public_folder.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
feat: new rules, updates and goofy guineapig stuff (#4229)
2023-05-15 15:53:39 +02:00
proc_creation_win_powershell_remove_mppreference.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_powershell_reverse_shell_connection.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_run_script_from_ads.yml
feat: more updates
2023-02-03 19:03:51 +01:00
proc_creation_win_powershell_run_script_from_input_stream.yml
feat: more updates
2023-02-03 19:03:51 +01:00
proc_creation_win_powershell_sam_access.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_powershell_script_engine_parent.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_powershell_service_dacl_modification_set_service.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_powershell_set_acl_susp_location.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_set_acl.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_set_policies_to_unsecure_level.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_powershell_set_service_disabled.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_powershell_shadowcopy_deletion.yml
Merge PR #4859 from @vburov - Update casing of Win32_ShadowCopy for multiple rules
2024-05-27 14:33:46 +02:00
proc_creation_win_powershell_snapins_hafnium.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_powershell_stop_service.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_powershell_susp_download_patterns.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_powershell_susp_parameter_variation.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_powershell_susp_parent_process.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_susp_ps_appdata.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_powershell_susp_ps_downloadfile.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_powershell_token_obfuscation.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_powershell_user_discovery_get_aduser.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_webclient_casing.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_powershell_x509enrollment.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_powershell_xor_commandline.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_powershell_zip_compress.yml
Merge PR #4631 from @nasbench - add rules related to CISA aa23-347a advisory and other updates
2023-12-18 16:46:46 +01:00
proc_creation_win_presentationhost_download.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_presentationhost_uncommon_location_exec.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_pressanykey_lolbin_execution.yml
fix: typos
2023-04-14 11:54:04 +02:00
proc_creation_win_print_remote_file_copy.yml
chore: renames with new sigma convention
2023-03-03 00:21:25 +01:00
proc_creation_win_protocolhandler_download.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_provlaunch_potential_abuse.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_provlaunch_susp_child_process.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_psr_capture_screenshots.yml
Merge PR #4641 from @Tuutaans - Update some rules with additional cases
2024-01-10 13:34:35 +01:00
proc_creation_win_pua_3proxy_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_adfind_enumeration.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_adfind_susp_usage.yml
Merge PR #4591 from @frack113 - Update tests to pySigma 0.10.9
2023-11-27 09:08:01 +01:00
proc_creation_win_pua_advanced_ip_scanner.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_advanced_port_scanner.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_advancedrun_priv_user.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_advancedrun.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_chisel.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_cleanwipe.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_crassus.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_pua_csexec.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_defendercheck.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_pua_ditsnap.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_pua_frp.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_pua_iox.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_mouselock_execution.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_pua_netcat.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_netscan.yml
Merge PR #4824 from @dan21san - New PUA SoftPerfect
2024-04-25 15:18:58 +02:00
proc_creation_win_pua_ngrok.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_pua_nimgrab.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_nircmd_as_system.yml
feat: updates and enhancements
2023-02-14 00:51:20 +01:00
proc_creation_win_pua_nircmd.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_nmap_zenmap.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_pua_nps.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_pua_nsudo.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_pingcastle_script_parent.yml
Merge PR #4530 from @frack113 - Pingcastle PUA
2024-01-12 12:06:49 +01:00
proc_creation_win_pua_pingcastle.yml
Merge PR #4530 from @frack113 - Pingcastle PUA
2024-01-12 12:06:49 +01:00
proc_creation_win_pua_process_hacker.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_pua_radmin.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_pua_rcedit_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_rclone_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_runxcmd.yml
fix: apply suggestions from code review
2023-02-14 13:24:09 +01:00
proc_creation_win_pua_seatbelt.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_pua_system_informer.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_pua_webbrowserpassview.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_pua_wsudo_susp_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_python_adidnsdump.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_python_inline_command_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_python_pty_spawn.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_qemu_suspicious_execution.yml
Merge PR #4778 from @faisalusuf - Add new rule covering suspicious usage of Qemu
2024-06-03 14:23:51 +02:00
proc_creation_win_query_session_exfil.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_rar_compress_data.yml
fix: multiple typos
2023-02-06 12:28:45 +01:00
proc_creation_win_rar_compression_with_password.yml
chore: renames with new sigma convention
2023-03-03 00:21:25 +01:00
proc_creation_win_rar_susp_greedy_compression.yml
Merge PR #4654 from @qasimqlf - replace hardcoded C: with wildcard
2024-01-10 14:51:26 +01:00
proc_creation_win_rasdial_execution.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_rdrleakdiag_process_dumping.yml
fix: merge rules and update detection
2023-04-24 19:24:19 +02:00
proc_creation_win_reg_add_run_key.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_reg_add_safeboot.yml
Merge PR #4774 from @nasbench - Fix and update multiple rules
2024-03-26 19:09:21 +01:00
proc_creation_win_reg_bitlocker.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_reg_credential_access_via_password_filter.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_reg_defender_exclusion.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_reg_delete_safeboot.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_reg_delete_services.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_reg_desktop_background_change.yml
Merge PR #4633 from @slincoln-aiq - New Rules Related To Desktop Background Change
2023-12-21 11:44:52 +01:00
proc_creation_win_reg_direct_asep_registry_keys_modification.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_reg_disable_sec_services.yml
Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard
2024-05-13 12:10:33 +02:00
proc_creation_win_reg_dumping_sensitive_hives.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_reg_enable_windows_recall.yml
Merge PR #4869 from @ssnkhan - Add new rules detecting Windows Recall feature enabling
2024-06-03 12:13:50 +02:00
proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_reg_import_from_suspicious_paths.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_reg_lsa_disable_restricted_admin.yml
Merge PR #4631 from @nasbench - add rules related to CISA aa23-347a advisory and other updates
2023-12-18 16:46:46 +01:00
proc_creation_win_reg_lsa_ppl_protection_disabled.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_reg_machineguid.yml
chore: renames with new sigma convention
2023-03-03 00:21:25 +01:00
proc_creation_win_reg_modify_group_policy_settings.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_reg_nolmhash.yml
Merge PR #4636 from @slincoln-aiq - Fix Typo In Enable LM Hash Storage - ProcCreation
2023-12-22 03:03:32 +01:00
proc_creation_win_reg_open_command.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_reg_query_registry.yml
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04 19:06:57 +02:00
proc_creation_win_reg_rdp_keys_tamper.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_reg_screensaver.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_reg_service_imagepath_change.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_reg_software_discovery.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_reg_susp_paths.yml
Merge PR #4631 from @nasbench - add rules related to CISA aa23-347a advisory and other updates
2023-12-18 16:46:46 +01:00
proc_creation_win_reg_volsnap_disable.yml
Merge PR #4631 from @nasbench - add rules related to CISA aa23-347a advisory and other updates
2023-12-18 16:46:46 +01:00
proc_creation_win_reg_windows_defender_tamper.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_reg_write_protect_for_storage_disabled.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_regedit_export_critical_keys.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_regedit_export_keys.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_regedit_import_keys_ads.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_regedit_import_keys.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_regedit_trustedinstaller.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_regini_ads.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_regini_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_registry_cimprovider_dll_load.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_registry_enumeration_for_credentials_cli.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_registry_install_reg_debugger_backdoor.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_registry_logon_script.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_registry_new_network_provider.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_registry_privilege_escalation_via_service_key.yml
fix: shorten filenames
2023-03-06 00:55:03 +01:00
proc_creation_win_registry_provlaunch_provisioning_command.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_registry_set_unsecure_powershell_policy.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_registry_typed_paths_persistence.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_regsvr32_flags_anomaly.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_regsvr32_http_ip_pattern.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_regsvr32_network_pattern.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_regsvr32_remote_share.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_regsvr32_susp_child_process.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_regsvr32_susp_exec_path_1.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_regsvr32_susp_exec_path_2.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_regsvr32_susp_extensions.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_regsvr32_susp_parent.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_regsvr32_uncommon_extension.yml
feat: apply suggestions from code review
2023-05-30 11:17:52 +02:00
proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml
Merge PR #4712 from @prashanthpulisetti - Add a rule for Anydesk execution with known compromised certificate
2024-02-08 16:58:59 +01:00
proc_creation_win_remote_access_tools_anydesk_silent_install.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_remote_access_tools_anydesk.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_remote_access_tools_gotoopener.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_remote_access_tools_logmein.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_remote_access_tools_netsupport.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_remote_access_tools_rurat_non_default_location.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
Merge PR from #4736 @RG9n - Add/Update ScreenConnect RMM Related Rules
2024-02-26 16:55:58 +01:00
proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
Merge PR #4743 from @nasbench - Increase Coverage For SC Related Rule
2024-02-28 17:22:33 +01:00
proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml
Merge PR from #4736 @RG9n - Add/Update ScreenConnect RMM Related Rules
2024-02-26 16:55:58 +01:00
proc_creation_win_remote_access_tools_screenconnect_webshell.yml
Merge PR from #4736 @RG9n - Add/Update ScreenConnect RMM Related Rules
2024-02-26 16:55:58 +01:00
proc_creation_win_remote_access_tools_screenconnect.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_remote_access_tools_simple_help.yml
Merge PR #4735 from @nasbench - Slash&Grab Exploitation Related Rule Updates
2024-02-23 23:57:44 +01:00
proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
Merge PR #4759 from @joshnck - Add new rules covering incoming TeamViewer connection activity
2024-03-15 21:41:29 +01:00
proc_creation_win_remote_access_tools_ultraviewer.yml
Merge PR #4759 from @joshnck - Add new rules covering incoming TeamViewer connection activity
2024-03-15 21:41:29 +01:00
proc_creation_win_remote_time_discovery.yml
proc_creation_win_renamed_adfind.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_renamed_autohotkey.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_renamed_autoit.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_renamed_binary_highly_relevant.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_renamed_binary.yml
Update proc_creation_win_renamed_binary.yml
2023-06-20 14:30:05 -04:00
proc_creation_win_renamed_boinc.yml
Merge PR #4919 from @MATTANDERS0N - Added new detections related BOINC
2024-07-23 15:06:26 +02:00
proc_creation_win_renamed_browsercore.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_renamed_cloudflared.yml
Merge PR #4628 from @ssnkhan - New: Detect Creation of Cloudflared Quick Tunnels
2023-12-21 12:32:08 +01:00
proc_creation_win_renamed_createdump.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_renamed_curl.yml
Merge PR #4477 from @Neo23x0 - CoercedPotato activity
2023-10-12 12:52:45 +02:00
proc_creation_win_renamed_dctask64.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_renamed_ftp.yml
feat: more updates
2023-02-07 17:12:26 +01:00
proc_creation_win_renamed_gpg4win.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_renamed_jusched.yml
fix: multiple typos
2023-02-06 12:28:45 +01:00
proc_creation_win_renamed_mavinject.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_renamed_megasync.yml
fix: multiple typos
2023-02-06 12:28:45 +01:00
proc_creation_win_renamed_msdt.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_renamed_msteams.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_renamed_netsupport_rat.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_renamed_nircmd.yml
Merge PR #4760 from @X-Junior - Add new rule Renamed NirCmd.EXE Execution
2024-03-11 13:46:55 +01:00
proc_creation_win_renamed_office_processes.yml
Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing
2023-11-15 15:35:43 +01:00
proc_creation_win_renamed_paexec.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_renamed_pingcastle.yml
Merge PR #4530 from @frack113 - Pingcastle PUA
2024-01-12 12:06:49 +01:00
proc_creation_win_renamed_plink.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_renamed_pressanykey.yml
fix: update filter
2023-04-14 12:00:22 +02:00
proc_creation_win_renamed_rundll32_dllregisterserver.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_renamed_rurat.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_renamed_sysinternals_debugview.yml
feat: rename rules for conventions
2023-02-24 19:33:24 +01:00
proc_creation_win_renamed_sysinternals_procdump.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_renamed_sysinternals_psexec_service.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_renamed_sysinternals_sdelete.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_renamed_vmnat.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_renamed_whoami.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_rpcping_credential_capture.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_ruby_inline_command_execution.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_rundll32_ads_stored_dll_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_rundll32_inline_vbs.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_rundll32_installscreensaver.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_rundll32_keymgr.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
Merge PR #4719 from @joshnck - Update Rules Related To RunHTMLApplication Abuse
2024-02-26 11:37:37 +01:00
proc_creation_win_rundll32_no_params.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_rundll32_ntlmrelay.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_rundll32_obfuscated_ordinal_call.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_rundll32_parent_explorer.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_rundll32_process_dump_via_comsvcs.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_rundll32_registered_com_objects.yml
feat: add missing OriginalFileName field (#4026)
2023-02-09 15:09:23 +01:00
proc_creation_win_rundll32_run_locations.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_rundll32_setupapi_installhinfsection.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_rundll32_shell32_susp_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_rundll32_spawn_explorer.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_rundll32_susp_activity.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_rundll32_susp_control_dll_load.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_rundll32_susp_execution_with_image_extension.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_rundll32_susp_shellexec_execution.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_rundll32_susp_shimcache_flush.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_rundll32_sys.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_rundll32_unc_path.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_rundll32_uncommon_dll_extension.yml
Merge PR #4802 from @phantinuss - FP Fixes
2024-04-05 08:47:18 +02:00
proc_creation_win_rundll32_user32_dll.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_rundll32_webdav_client_execution.yml
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04 19:06:57 +02:00
proc_creation_win_rundll32_webdav_client_susp_execution.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_rundll32_without_parameters.yml
feat: add new rules related to CVE-2023-23397
2023-03-16 19:17:48 +01:00
proc_creation_win_runonce_execution.yml
chore: renames with new sigma convention
2023-03-03 00:21:25 +01:00
proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
feat: more rules updates
2023-02-14 19:30:18 +01:00
proc_creation_win_sc_create_service.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_sc_disable_service.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_sc_new_kernel_driver.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_sc_query_interesting_services.yml
Merge PR #4698 from @swachchhanda000 - Added rules that detect possible activities associated with services and modules enumeration
2024-02-12 14:45:36 +01:00
proc_creation_win_sc_sdset_allow_service_changes.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_sc_sdset_deny_service_access.yml
fix: apply typo fix suggestions from code review
2023-02-28 16:55:40 +01:00
proc_creation_win_sc_sdset_hide_sevices.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_sc_sdset_modification.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_sc_service_path_modification.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_sc_service_tamper_for_persistence.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_sc_stop_service.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_schtasks_appdata_local_system.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_schtasks_change.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_schtasks_creation_temp_folder.yml
Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard
2024-05-13 12:10:33 +02:00
proc_creation_win_schtasks_creation.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_schtasks_delete_all.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_schtasks_delete.yml
Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard
2024-05-13 12:10:33 +02:00
proc_creation_win_schtasks_disable.yml
Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard
2024-05-13 12:10:33 +02:00
proc_creation_win_schtasks_env_folder.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_schtasks_folder_combos.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_schtasks_guid_task_name.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_schtasks_one_time_only_midnight_task.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_schtasks_persistence_windows_telemetry.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_schtasks_powershell_persistence.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_schtasks_reg_loader_encoded.yml
feat: add more rules
2023-07-20 13:47:30 +02:00
proc_creation_win_schtasks_reg_loader.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_schtasks_schedule_type_system.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_schtasks_schedule_type.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_schtasks_susp_pattern.yml
Merge PR #4774 from @nasbench - Fix and update multiple rules
2024-03-26 19:09:21 +01:00
proc_creation_win_schtasks_system.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_scrcons_susp_child_process.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_sdbinst_shim_persistence.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_sdbinst_susp_extension.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_sdclt_child_process.yml
fix: resolves #4015
2023-02-07 14:33:56 +01:00
proc_creation_win_sdiagnhost_susp_child.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_secedit_execution.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_servu_susp_child_process.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_setres_uncommon_child_process.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_setspn_spn_enumeration.yml
Merge PR #4501 from @EzLucky - Update Coverage For Potential SPN Enumeration Via Setspn.EXE
2023-10-23 19:37:39 +02:00
proc_creation_win_shutdown_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_shutdown_logoff.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_sndvol_susp_child_processes.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_soundrecorder_audio_capture.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_splwow64_cli_anomaly.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_spoolsv_susp_child_processes.yml
chore: renames with new sigma convention
2023-03-03 00:21:25 +01:00
proc_creation_win_sqlcmd_veeam_db_recon.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_sqlcmd_veeam_dump.yml
feat: updates and enhancements
2023-02-14 00:51:20 +01:00
proc_creation_win_sqlite_chromium_profile_data.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_sqlite_firefox_gecko_profile_data.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_squirrel_download.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_squirrel_proxy_execution.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_ssh_port_forward.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_ssh_rdp_tunneling.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_ssm_agent_abuse.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_stordiag_susp_child_process.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_susp_16bit_application.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_susp_abusing_debug_privilege.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_add_user_local_admin_group.yml
Merge PR #4735 from @nasbench - Slash&Grab Exploitation Related Rule Updates
2024-02-23 23:57:44 +01:00
proc_creation_win_susp_add_user_privileged_group.yml
Merge PR #4735 from @nasbench - Slash&Grab Exploitation Related Rule Updates
2024-02-23 23:57:44 +01:00
proc_creation_win_susp_add_user_remote_desktop_group.yml
Merge PR #4735 from @nasbench - Slash&Grab Exploitation Related Rule Updates
2024-02-23 23:57:44 +01:00
proc_creation_win_susp_alternate_data_streams.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_susp_always_install_elevated_windows_installer.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_susp_appx_execution.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_susp_archiver_iso_phishing.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_susp_automated_collection.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_susp_browser_launch_from_document_reader_process.yml
Merge PR #4840 from @skaynum - Add new rules related to MySQL daemon and potential phishing attempts
2024-05-27 16:48:54 +02:00
proc_creation_win_susp_child_process_as_system_.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_susp_cli_obfuscation_escape_char.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_susp_cli_obfuscation_unicode.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_susp_commandline_path_traversal_evasion.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_susp_copy_browser_data.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_susp_copy_lateral_movement.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_susp_copy_system_dir_lolbin.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_susp_copy_system_dir.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_crypto_mining_monero.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_susp_data_exfiltration_via_cli.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_susp_disable_raccine.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_susp_double_extension_parent.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_susp_double_extension.yml
fix: update modifiers
2023-02-28 18:27:41 +01:00
proc_creation_win_susp_download_office_domain.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_dumpstack_log_evasion.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_susp_elavated_msi_spawned_shell.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_electron_app_children.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_susp_electron_execution_proxy.yml
Merge PR #4783 from @nasbench - Update registry rules logic and fix some false positives
2024-03-26 13:28:49 +01:00
proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_susp_embed_exe_lnk.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_susp_etw_modification_cmdline.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_susp_etw_trace_evasion.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_susp_eventlog_clear.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_susp_eventlog_content_recon.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_susp_execution_from_public_folder_as_parent.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_susp_execution_path.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_susp_file_characteristics.yml
proc_creation_win_susp_gather_network_info_execution.yml
fix: remove duplicate title
2023-02-08 20:04:46 +01:00
proc_creation_win_susp_hidden_dir_index_allocation.yml
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
2023-10-28 13:15:09 +02:00
proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
Merge PR #4597 from @nasbench - Update Process Access Rules
2023-12-04 01:14:15 +01:00
proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_susp_image_missing.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_inline_base64_mz_header.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_susp_inline_win_api_access.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_susp_local_system_owner_account_discovery.yml
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_lsass_dmp_cli_keywords.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_ms_appinstaller_download.yml
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules
2023-11-14 09:46:39 +01:00
proc_creation_win_susp_network_command.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_susp_network_scan_loop.yml
fix:F multiple 404 links in references (#4332)
2023-06-26 10:10:04 +01:00
proc_creation_win_susp_network_sniffing.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_susp_no_image_name.yml
Merge PR #4919 from @MATTANDERS0N - Added new detections related BOINC
2024-07-23 15:06:26 +02:00
proc_creation_win_susp_non_exe_image.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_susp_non_priv_reg_or_ps.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_susp_ntds.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_nteventlogfile_usage.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_susp_ntfs_short_name_path_use_image.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_susp_ntfs_short_name_use_cli.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_susp_ntfs_short_name_use_image.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_susp_obfuscated_ip_download.yml
Merge PR #4522 from @X-Junior - updating multiple rules
2023-11-06 17:07:33 +01:00
proc_creation_win_susp_obfuscated_ip_via_cli.yml
Merge PR #4522 from @X-Junior - updating multiple rules
2023-11-06 17:07:33 +01:00
proc_creation_win_susp_office_token_search.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_susp_parents.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_susp_powershell_execution_via_dll.yml
Merge PR #4744 from @CrimpSec - Update DLL loading related rules
2024-03-07 13:42:05 +01:00
proc_creation_win_susp_priv_escalation_via_named_pipe.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_susp_private_keys_recon.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_privilege_escalation_cli_patterns.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_susp_proc_wrong_parent.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_progname.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_recon.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_recycle_bin_fake_execution.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_susp_redirect_local_admin_share.yml
Merge PR #4644 from @qasimqlf - Add Missing CommandLine Field Selection
2023-12-28 19:52:05 +01:00
proc_creation_win_susp_remote_desktop_tunneling.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_susp_right_to_left_override.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_susp_script_exec_from_env_folder.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_script_exec_from_temp.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_susp_service_creation.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_susp_service_dir.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_susp_service_tamper.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_susp_shadow_copies_creation.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_shadow_copies_deletion.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_shell_spawn_susp_program.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_sysnative.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_susp_system_exe_anomaly.yml
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
2024-07-17 11:04:05 +02:00
proc_creation_win_susp_system_user_anomaly.yml
Merge PR #4627 from @phantinuss - Add additional filters to cover both program file folders
2023-12-14 19:50:25 +01:00
proc_creation_win_susp_sysvol_access.yml
proc_creation_win_susp_task_folder_evasion.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_susp_use_of_te_bin.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_susp_userinit_child.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_susp_weak_or_abused_passwords.yml
Merge PR #4735 from @nasbench - Slash&Grab Exploitation Related Rule Updates
2024-02-23 23:57:44 +01:00
proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_susp_whoami_as_param.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_susp_workfolders.yml
feat: updates and enhancements
2023-02-14 00:51:20 +01:00
proc_creation_win_svchost_execution_with_no_cli_flags.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_svchost_termserv_proc_spawn.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_svchost_uncommon_parent_process.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_sysinternals_accesschk_check_permissions.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_sysinternals_adexplorer_execution.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_sysinternals_adexplorer_susp_execution.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_sysinternals_eula_accepted.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_sysinternals_livekd_execution.yml
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
2024-04-01 15:14:10 +02:00
proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_sysinternals_procdump_evasion.yml
feat: new rules, updates and goofy guineapig stuff (#4229)
2023-05-15 15:53:39 +02:00
proc_creation_win_sysinternals_procdump_lsass.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_sysinternals_procdump.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_sysinternals_psexec_execution.yml
feat: more updates and fixes
2023-02-28 15:22:25 +01:00
proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_sysinternals_psexec_remote_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_sysinternals_psexesvc_as_system.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_sysinternals_psexesvc.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_sysinternals_psloglist.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_sysinternals_psservice.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_sysinternals_pssuspend_execution.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_win_sysinternals_pssuspend_susp_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_sysinternals_sdelete.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_sysinternals_sysmon_config_update.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_sysinternals_sysmon_uninstall.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_sysinternals_tools_masquerading.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_sysprep_appdata.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_systeminfo_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_win_takeown_recursive_own.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_tapinstall_execution.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_tar_compression.yml
Merge PR #4626 from @AdmU3 - Add New Rules Related To tar.exe Usage
2023-12-20 12:28:51 +01:00
proc_creation_win_tar_extraction.yml
Merge PR #4626 from @AdmU3 - Add New Rules Related To tar.exe Usage
2023-12-20 12:28:51 +01:00
proc_creation_win_taskkill_sep.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_tasklist_module_enumeration.yml
Merge PR #4767 from @frack113 - Update additional rules to use the windash modifier
2024-03-15 21:40:15 +01:00
proc_creation_win_taskmgr_localsystem.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_taskmgr_susp_child_process.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_teams_suspicious_command_line_cred_access.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_tscon_localsystem.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_tscon_rdp_redirect.yml
feat: multiple updates and new rules (#4242)
2023-05-17 17:21:59 +02:00
proc_creation_win_tscon_rdp_session_hijacking.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_win_uac_bypass_changepk_slui.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_uac_bypass_cleanmgr.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_uac_bypass_cmstp_com_object_access.yml
feat: new rules, updates and fp fixes (#4162)
2023-04-11 13:04:22 +02:00
proc_creation_win_uac_bypass_cmstp.yml
proc_creation_win_uac_bypass_computerdefaults.yml
feat: updates and enhancements
2023-02-14 00:51:20 +01:00
proc_creation_win_uac_bypass_consent_comctl32.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_uac_bypass_dismhost.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_uac_bypass_eventvwr_recentviews.yml
feat: updates and enhancements
2023-02-14 00:51:20 +01:00
proc_creation_win_uac_bypass_fodhelper.yml
proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_uac_bypass_icmluautil.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_uac_bypass_idiagnostic_profile.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_uac_bypass_ieinstal.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_uac_bypass_msconfig_gui.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_uac_bypass_ntfs_reparse_point.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_uac_bypass_pkgmgr_dism.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_uac_bypass_sdclt.yml
feat: more updates
2023-02-14 01:08:25 +01:00
proc_creation_win_uac_bypass_trustedpath.yml
feat: more rules updates
2023-02-14 19:30:18 +01:00
proc_creation_win_uac_bypass_winsat.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_uac_bypass_wmp.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_uac_bypass_wsreset_integrity_level.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_win_uac_bypass_wsreset.yml
proc_creation_win_ultravnc_susp_execution.yml
feat: update and fixes
2023-03-09 22:10:42 +01:00
proc_creation_win_ultravnc.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_uninstall_crowdstrike_falcon.yml
feat: update and fixes
2023-03-09 22:10:42 +01:00
proc_creation_win_userinit_uncommon_child_processes.yml
Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing
2023-11-15 15:35:43 +01:00
proc_creation_win_vaultcmd_list_creds.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_verclsid_runs_com.yml
proc_creation_win_virtualbox_execution.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_virtualbox_vboxdrvinst_execution.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_vmware_toolbox_cmd_persistence.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_vscode_child_processes_anomalies.yml
Merge PR #4463 from @citronninja - Add New Rules Related to VsCode Tunnel Usage & Abuse
2023-10-28 12:42:55 +02:00
proc_creation_win_vscode_tunnel_execution.yml
Merge PR #4463 from @citronninja - Add New Rules Related to VsCode Tunnel Usage & Abuse
2023-10-28 12:42:55 +02:00
proc_creation_win_vscode_tunnel_remote_shell_.yml
Merge PR #4463 from @citronninja - Add New Rules Related to VsCode Tunnel Usage & Abuse
2023-10-28 12:42:55 +02:00
proc_creation_win_vscode_tunnel_renamed_execution.yml
Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard
2024-05-13 12:10:33 +02:00
proc_creation_win_vscode_tunnel_service_install.yml
Merge PR #4463 from @citronninja - Add New Rules Related to VsCode Tunnel Usage & Abuse
2023-10-28 12:42:55 +02:00
proc_creation_win_vsdiagnostics_execution_proxy.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_vslsagent_agentextensionpath_load.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_w32tm.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_wab_execution_from_non_default_location.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_wab_unusual_parents.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_wbadmin_delete_all_backups.yml
Merge PR #4830 from @frack113 - Enhance Wbadmin based rules
2024-05-13 11:15:30 +02:00
proc_creation_win_wbadmin_delete_backups.yml
Merge PR #4830 from @frack113 - Enhance Wbadmin based rules
2024-05-13 11:15:30 +02:00
proc_creation_win_wbadmin_dump_sensitive_files.yml
Merge PR #4830 from @frack113 - Enhance Wbadmin based rules
2024-05-13 11:15:30 +02:00
proc_creation_win_wbadmin_restore_file.yml
Merge PR #4830 from @frack113 - Enhance Wbadmin based rules
2024-05-13 11:15:30 +02:00
proc_creation_win_wbadmin_restore_sensitive_files.yml
Merge PR #4830 from @frack113 - Enhance Wbadmin based rules
2024-05-13 11:15:30 +02:00
proc_creation_win_webdav_lnk_execution.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_webshell_chopper.yml
Merge PR #4555 from @nasbench - New ET Rules Related To Lace Tempest / SysAid CVE-2023-47246 Exploitation
2023-11-10 12:00:08 +01:00
proc_creation_win_webshell_hacking.yml
Merge PR #4555 from @nasbench - New ET Rules Related To Lace Tempest / SysAid CVE-2023-47246 Exploitation
2023-11-10 12:00:08 +01:00
proc_creation_win_webshell_recon_commands_and_processes.yml
Merge PR #4555 from @nasbench - New ET Rules Related To Lace Tempest / SysAid CVE-2023-47246 Exploitation
2023-11-10 12:00:08 +01:00
proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
Merge PR #4563 from @YamatoSecurity - Remove erroneous extra asterisk
2023-11-11 19:16:51 +01:00
proc_creation_win_webshell_tool_recon.yml
Merge PR #4555 from @nasbench - New ET Rules Related To Lace Tempest / SysAid CVE-2023-47246 Exploitation
2023-11-10 12:00:08 +01:00
proc_creation_win_werfault_lsass_shtinkering.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_werfault_reflect_debugger_exec.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_wermgr_susp_child_process.yml
Update Rules (#4872)
2024-06-25 11:26:45 +02:00
proc_creation_win_wermgr_susp_exec_location.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_wget_download_direct_ip.yml
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
2024-06-03 10:29:22 +02:00
proc_creation_win_wget_download_susp_file_sharing_domains.yml
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12 12:29:36 +01:00
proc_creation_win_wget_download_susp_locations.yml
Merge PR #4735 from @nasbench - Slash&Grab Exploitation Related Rule Updates
2024-02-23 23:57:44 +01:00
proc_creation_win_where_browser_data_recon.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_whoami_all_execution.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_whoami_execution_from_high_priv_process.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_whoami_execution.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_whoami_groups_discovery.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_whoami_output.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_whoami_parent_anomaly.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_whoami_priv_discovery.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_windows_terminal_susp_children.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_winget_add_custom_source.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_winget_add_insecure_custom_source.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_win_winget_add_susp_custom_source.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_winget_local_install_via_manifest.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_winrar_exfil_dmp_files.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_winrar_susp_child_process.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_winrar_uncommon_folder_execution.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_winrm_awl_bypass.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_winrm_remote_powershell_session_process.yml
feat: more updates
2023-03-06 00:39:26 +01:00
proc_creation_win_winrm_susp_child_process.yml
Merge PR #4681 from @nasbench - Add Missing Ref & Tags
2024-01-29 13:37:20 +01:00
proc_creation_win_winzip_password_compression.yml
chore: renames with new sigma convention
2023-03-03 00:21:25 +01:00
proc_creation_win_wlrmdr_uncommon_child_process.yml
Merge PR #4753 from @defensivedepth - Update Wlrmdr.EXE Uncommon Argument Or Child Process
2024-03-06 18:09:21 +01:00
proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
fix: FP found in prod environment
2023-02-08 17:58:35 +01:00
proc_creation_win_wmi_persistence_script_event_consumer.yml
proc_creation_win_wmic_eventconsumer_creation.yml
fix: apply suggestions from code review
2023-02-16 11:05:38 +01:00
proc_creation_win_wmic_namespace_defender.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_wmic_process_creation.yml
feat: update reference proc_creation_win_wmic_process_creation.yml (#4315)
2023-06-16 10:24:50 +02:00
proc_creation_win_wmic_recon_computersystem.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_wmic_recon_csproduct.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_wmic_recon_group.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_wmic_recon_hotfix.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_wmic_recon_process.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_wmic_recon_product_class.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_wmic_recon_product.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_wmic_recon_service.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_wmic_recon_system_info_uncommon.yml
Merge PR #4615 from @jstnk9 - Update WMIC Discovery Rule + New System Discovery Rules For MacOS
2023-12-21 11:09:47 +01:00
proc_creation_win_wmic_recon_unquoted_service_search.yml
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04 19:06:57 +02:00
proc_creation_win_wmic_recon_volume.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_wmic_remote_execution.yml
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02 12:00:11 +02:00
proc_creation_win_wmic_service_manipulation.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_wmic_squiblytwo_bypass.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_wmic_susp_execution_via_office_process.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_wmic_susp_process_creation.yml
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04 19:06:57 +02:00
proc_creation_win_wmic_terminate_application.yml
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04 19:06:57 +02:00
proc_creation_win_wmic_uninstall_application.yml
Merge PR #4894 from @rahulchandran19 - Fix broken logic with Application Removed Via Wmic.EXE
2024-07-02 12:06:46 +02:00
proc_creation_win_wmic_uninstall_security_products.yml
feat: update wmic rules
2023-02-14 19:30:18 +01:00
proc_creation_win_wmic_xsl_script_processing.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_win_wmiprvse_spawning_process.yml
feat: new rules, updates and fp fixes (#4136)
2023-04-03 12:06:14 +02:00
proc_creation_win_wmiprvse_spawns_powershell.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_win_wmiprvse_susp_child_processes.yml
Merge PR #4560 from @nasbench - Fix FP Found In Testing & Other Rule Updates
2023-11-10 17:32:28 +01:00
proc_creation_win_wpbbin_potential_persistence.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_wscript_cscript_dropper.yml
Merge PR #4697 from @frack113 - Fix errors in rule status and logsource
2024-01-31 00:56:01 +01:00
proc_creation_win_wscript_cscript_susp_child_processes.yml
Merge PR #4650 from @ahouspan - Process Creation Cmdline Matches Patterns Observed in Pikabot Infections
2024-01-10 14:37:20 +01:00
proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
2024-05-02 10:34:25 +02:00
proc_creation_win_wsl_child_processes_anomalies.yml
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
2024-07-01 10:42:32 +02:00
proc_creation_win_wsl_lolbin_execution.yml
chore: fix typo of lowercase Windows in description
2023-06-21 09:52:43 +02:00
proc_creation_win_wsl_windows_binaries_execution.yml
chore: promote older rules status from experimental to test (#4651)
2024-01-01 09:00:51 +01:00
proc_creation_win_wuauclt_dll_loading.yml
Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing
2023-11-15 15:35:43 +01:00
proc_creation_win_wuauclt_no_cli_flags_execution.yml
Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing
2023-11-15 15:35:43 +01:00
proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21 21:04:18 +01:00
proc_creation_win_wusa_cab_files_extraction.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_win_wusa_susp_parent_execution.yml
Merge PR #4586 from @X-Junior - suspicious WUSA and IME registry keys
2023-11-28 14:33:15 +01:00
proc_creation_win_xwizard_execution_non_default_location.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00
proc_creation_win_xwizard_runwizard_com_object_exec.yml
Merge PR #4832 from @nasbench - Update LOLBIN rules
2024-04-26 13:40:11 +02:00