security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6f7aecbe069fa8dbe7eb65a27d6cc570a2cbf1d1
blue-team-tools/rules/windows/process_creation
T
History
Cian Heasley 023bf76363 Add files via upload 
Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
2020-07-22 09:05:50 +01:00
..
win_advanced_ip_scanner.yml
fix: typo in contains
2020-05-13 12:38:54 +02:00
win_apt_apt29_thinktanks.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_babyshark.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_bear_activity_gtr19.yml
Eliminate title collision
2020-03-26 09:13:52 -05:00
win_apt_bluemashroom.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_apt_chafer_mar18.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_cloudhopper.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_dragonfly.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_elise.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_emissarypanda_sep19.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_empiremonkey.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_equationgroup_dll_u_load.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_gallium.yml
logsource change
2020-02-07 15:47:27 +01:00
win_apt_greenbug_may20.yml
refactor: slightly improved Greenbug rule
2020-05-21 13:38:11 +02:00
win_apt_hurricane_panda.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_judgement_panda_gtr19.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_mustangpanda.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_apt_slingshot.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_sofacy.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_ta17_293a_ps.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_tropictrooper.yml
MDATP schema changes
2020-03-09 17:12:41 +01:00
win_apt_turla_commands.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_turla_comrat_may20.yml
rule: Turla ComRAT report
2020-05-26 14:19:22 +02:00
win_apt_unidentified_nov_18.yml
MDATP schema changes
2020-03-09 17:12:41 +01:00
win_apt_winnti_mal_hk_jan20.yml
additional execution observed
2020-02-02 08:07:00 +01:00
win_apt_wocao.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_zxshell.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_attrib_hiding_files.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_bootconf_mod.yml
Fix a bad CommandLine search
2020-05-13 11:32:05 +02:00
win_bypass_squiblytwo.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_change_default_file_association.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_cmdkey_recon.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_cmstp_com_object_access.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_control_panel_item.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_copying_sensitive_files_with_credential_data.yml
fixing false positives
2020-02-26 09:33:55 +01:00
win_crime_fireball.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_crime_maze_ransomware.yml
rule: Maze ransomware
2020-05-11 10:46:26 +02:00
win_data_compressed_with_rar.yml
Merge branch 'master' into oscd
2019-12-19 23:15:15 +01:00
win_dns_exfiltration_tools_execution.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_dsquery_domain_trust_discovery.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_encoded_frombase64string.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_encoded_iex.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_etw_modification_cmdline.yml
merged Cyb3rWarD0g's rules
2020-06-06 15:42:22 +02:00
win_etw_trace_evasion.yml
Add missing status and falsepositives
2020-03-24 19:53:41 +01:00
win_exfiltration_and_tunneling_tools_execution.yml
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine
2020-05-15 12:35:32 -04:00
win_exploit_cve_2015_1641.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_exploit_cve_2017_0261.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_exploit_cve_2017_8759.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_exploit_cve_2017_11882.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_exploit_cve_2019_1378.yml
rule: Exploiting SetupComplete.cmd CVE-2019-1378
2019-11-15 00:26:18 +01:00
win_exploit_cve_2019_1388.yml
rule: another reference for CVE-2019-1388 rule
2019-11-20 15:09:30 +01:00
win_exploit_cve_2020_1048.yml
refactor: simplified and extended expression in CVE-2020-1048 rule
2020-05-23 09:16:19 +02:00
win_exploit_cve_2020_10189.yml
fix: MITRE tags in rule
2020-03-25 18:11:04 +01:00
win_file_permission_modifications.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_grabbing_sensitive_hives_via_reg.yml
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine
2020-05-15 12:35:32 -04:00
win_hack_bloodhound.yml
rule: modified Bloodhound rule
2019-12-21 21:22:13 +01:00
win_hack_koadic.yml
level increased
2020-02-26 09:42:31 +01:00
win_hack_rubeus.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_hack_secutyxploded.yml
rule: SecurityXploded tool
2019-12-30 14:25:29 +01:00
win_hh_chm.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_hktl_createminidump.yml
rule: CreateMiniDump
2019-12-22 08:29:12 +01:00
win_html_help_spawn.yml
Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml
2020-04-03 16:50:48 +02:00
win_hwp_exploits.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_impacket_lateralization.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_indirect_cmd.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_install_reg_debugger_backdoor.yml
Added new sticky key attack binary
2020-01-24 15:31:06 +01:00
win_interactive_at.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_invoke_obfuscation_obfuscated_iex_commandline.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
Revert "Moved rules with enrichments into unsupported"
2020-02-15 22:52:06 +01:00
win_lethalhta.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_local_system_owner_account_discovery.yml
Fixed rules that likely will cause false negatives by fix
2020-03-01 23:14:53 +01:00
win_lsass_dump.yml
OSCD QA wave 1
2020-01-11 00:11:27 +01:00
win_mal_adwind.yml
fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon
2020-03-04 12:47:42 -05:00
win_malware_dridex.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_dtrack.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_emotet.yml
Merge pull request #492 from booberry46/master
2020-01-30 14:27:30 +01:00
win_malware_formbook.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_notpetya.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_malware_qbot.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_ryuk.yml
rule: ryuk ransomware
2019-12-16 20:33:12 +01:00
win_malware_script_dropper.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_malware_trickbot_recon_activity.yml
Date typo.
2020-04-02 09:53:09 +02:00
win_malware_wannacry.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_mavinject_proc_inj.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
remove false positives with cmd as child of services.exe (not specifically related to meterpreter/cobaltstrike)
2020-05-15 04:45:25 -04:00
win_mimikatz_command_line.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_mmc_spawn_shell.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_mshta_javascript.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_mshta_spawn_shell.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_multiple_suspicious_cli.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_net_enum.yml
OSCD QA wave 1
2020-01-11 00:11:27 +01:00
win_net_user_add.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_netsh_allow_port_rdp.yml
rule: Netsh RDP port opening
2020-05-23 14:19:52 +02:00
win_netsh_fw_add_susp_image.yml
Create win_netsh_fw_add_susp_image.yml
2020-05-25 09:50:47 +02:00
win_netsh_fw_add.yml
Update win_netsh_fw_add.yml
2020-05-25 10:13:26 +02:00
win_netsh_packet_capture.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_netsh_port_fwd_3389.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_netsh_port_fwd.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_netsh_wifi_credential_harvesting.yml
Improve netsh wifi rule another time due to arg shortcut
2020-04-20 16:40:03 +02:00
win_network_sniffing.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_new_service_creation.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_non_interactive_powershell.yml
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
win_office_shell.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_office_spawn_exe_from_users_directory.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_plugx_susp_exe_locations.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_possible_applocker_bypass.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_possible_privilege_escalation_using_rotten_potato.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_powershell_amsi_bypass.yml
Wrong indentation falsepositives
2020-03-24 19:55:41 +01:00
win_powershell_audio_capture.yml
UUIDs + moved unsupported logic
2019-12-19 23:56:36 +01:00
win_powershell_b64_shellcode.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_powershell_bitsjob.yml
OSCD QA wave 1
2020-01-11 00:11:27 +01:00
win_powershell_dll_execution.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_powershell_downgrade_attack.yml
fix incorrect use of global
2020-05-06 23:00:45 +02:00
win_powershell_download.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_powershell_frombase64string.yml
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
win_powershell_suspicious_parameter_variation.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_powershell_xor_commandline.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_powersploit_empire_schtasks.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_proc_wrong_parent.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_process_creation_bitsadmin_download.yml
rule: fixed and extended bitsadmin rule
2019-12-06 13:39:04 +01:00
win_process_dump_rundll32_comsvcs.yml
fix: fixing too restrictive rule
2020-02-18 10:43:22 +01:00
win_psexesvc_start.yml
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine
2020-05-15 12:35:32 -04:00
win_query_registry.yml
Converted to Unix line end
2019-12-15 23:30:42 +01:00
win_rdp_hijack_shadowing.yml
fix missing status & description in status field
2020-02-25 16:30:41 -05:00
win_remote_powershell_session_process.yml
fix: reduced level due to false positives
2020-03-17 20:40:28 +01:00
win_remote_time_discovery.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_renamed_binary_highly_relevant.yml
rule: split up renamed binary rule
2020-01-24 15:31:07 +01:00
win_renamed_binary.yml
Add netsh to renamed binary rule
2020-04-20 17:12:25 +02:00
win_renamed_jusched.yml
move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
2020-05-23 07:17:56 -04:00
win_renamed_paexec.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_renamed_powershell.yml
move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
2020-05-23 07:17:56 -04:00
win_renamed_procdump.yml
move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
2020-05-23 07:17:56 -04:00
win_renamed_psexec.yml
move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
2020-05-23 07:17:56 -04:00
win_run_powershell_script_from_ads.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_sdbinst_shim_persistence.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_service_execution.yml
fix: simplified rule with RE
2019-12-03 11:24:06 +01:00
win_service_stop.yml
fix false positive on taskkill.exe not related to service stop at all
2020-02-24 03:03:46 -05:00
win_shadow_copies_access_symlink.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_shadow_copies_creation.yml
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine
2020-05-15 12:35:32 -04:00
win_shadow_copies_deletion.yml
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine
2020-05-15 12:35:32 -04:00
win_shell_spawn_susp_program.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_silenttrinity_stage_use.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_soundrec_audio_capture.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_spn_enum.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_bcdedit.yml
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine
2020-05-15 12:35:32 -04:00
win_susp_bginfo.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_calc.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_cdb.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_certutil_command.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_certutil_encode.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_cli_escape.yml
rule should be wildcard AND had a prepended ^ in one of the CommandLine conditions that would have caused to not trigger
2020-03-14 15:00:42 -04:00
win_susp_cmd_http_appdata.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_codepage_switch.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_commands_recon_activity.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_compression_params.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_comsvcs_procdump.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_control_dll_load.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_copy_lateral_movement.yml
rule: copy from admin share - lateral movement
2019-12-30 14:25:43 +01:00
win_susp_covenant.yml
rule: Covenant launchers
2020-06-05 11:03:28 +02:00
win_susp_crackmapexec_execution.yml
Added CrachMapExec rules
2020-05-22 00:50:37 +02:00
win_susp_crackmapexec_powershell_obfuscation.yml
Added CrachMapExec rules
2020-05-22 00:50:37 +02:00
win_susp_csc_folder.yml
rule: updating csc.exe rule
2019-12-17 13:45:40 +01:00
win_susp_csc.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_curl_start_combo.yml
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
win_susp_dctask64_proc_inject.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_devtoolslauncher.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_direct_asep_reg_keys_modification.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_susp_dnx.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_double_extension.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_dxcap.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_eventlog_clear.yml
Fixed rules that likely will cause false negatives by fix
2020-03-01 23:14:53 +01:00
win_susp_exec_folder.yml
Added some suspicious locations
2019-12-10 20:17:40 +03:00
win_susp_execution_path_webserver.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_execution_path.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_file_characteristics.yml
move rule where needed
2020-05-23 10:07:55 -04:00
win_susp_firewall_disable.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_fsutil_usage.yml
Fixed rules that likely will cause false negatives by fix
2020-03-01 23:14:53 +01:00
win_susp_gup.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_iss_module_install.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_msiexec_cwd.yml
fix: fixed broken condition
2019-11-14 10:15:18 +01:00
win_susp_msiexec_web_install.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_msoffice.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_net_execution.yml
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
win_susp_netsh_dll_persistence.yml
Update rules to follow the Sigma state specification
2020-04-24 20:50:31 +02:00
win_susp_ntdsutil.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_odbcconf.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_openwith.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_outlook_temp.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_outlook.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_ping_hex_ip.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_powershell_empire_launch.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_powershell_empire_uac_bypass.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_powershell_enc_cmd.yml
style: minor changes
2019-12-20 14:59:26 +01:00
win_susp_powershell_hidden_b64_cmd.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_powershell_parent_combo.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_procdump.yml
rule: changed lsass process dump to level high
2020-02-18 10:03:25 +01:00
win_susp_process_creations.yml
Further fixes and deduplications
2020-02-16 14:03:07 +01:00
win_susp_prog_location_process_starts.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_ps_appdata.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_ps_downloadfile.yml
rule: powershell downloadfile
2020-03-25 14:58:14 +01:00
win_susp_psr_capture_screenshots.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_rasdial_activity.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_recon_activity.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_regsvr32_anomalies.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_renamed_dctask64.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_renamed_debugview.yml
rule: moved DebugView rule to process creation category
2020-05-28 10:13:38 +02:00
win_susp_run_locations.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_rundll32_activity.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_rundll32_by_ordinal.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_schtask_creation.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_script_execution.yml
Widen the search as it gives too many false negatives
2020-05-13 16:20:23 +02:00
win_susp_service_path_modification.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_susp_squirrel_lolbin.yml
fix non ascii character in rule
2020-02-24 02:58:34 -05:00
win_susp_svchost_no_cli.yml
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
win_susp_svchost.yml
Added svchost.exe as a parent image
2019-12-10 19:31:12 +03:00
win_susp_sysprep_appdata.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_sysvol_access.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_taskmgr_localsystem.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_taskmgr_parent.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_tscon_localsystem.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_tscon_rdp_redirect.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_use_of_csharp_console.yml
fix: fixed several issues
2020-03-09 17:43:16 +01:00
win_susp_userinit_child.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_whoami.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_wmi_execution.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_sysmon_driver_unload.yml
Change falsepositives to array
2020-03-24 19:59:54 +01:00
win_system_exe_anomaly.yml
Add path with lowercase system32
2020-03-24 19:48:24 +01:00
win_tap_installer_execution.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_task_folder_evasion.yml
Remove duplicate 'CommandLine' in fields
2020-05-20 11:54:47 +02:00
win_termserv_proc_spawn.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_trust_discovery.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_uac_cmstp.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_uac_fodhelper.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_uac_wsreset.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_using_sc_to_change_sevice_image_path_by_non_admin.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_vul_java_remote_debugging.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_webshell_detection.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_webshell_recon_detection.yml
Add files via upload
2020-07-22 09:05:50 +01:00
win_webshell_spawn.yml
rule: extended web shell spawn rule
2020-03-25 14:02:39 +01:00
win_whoami_as_system.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_win10_sched_task_0day.yml
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine
2020-05-15 12:35:32 -04:00
win_wmi_backdoor_exchange_transport_agent.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_wmi_persistence_script_event_consumer.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_wmi_spwns_powershell.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_wmiprvse_spawning_process.yml
wmiprvse subprocess: add fallback check on username instead of only logonid
2020-02-24 09:25:20 -05:00
win_workflow_compiler.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_wsreset_uac_bypass.yml
rule: wsreset.exe UAC bypass
2020-01-30 18:05:47 +01:00
win_xsl_script_processing.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00