security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
87df79302d58f605104841c477254f534a4de28b
blue-team-tools/rules/windows/process_creation
T
History
webboy2015 87df79302d Update win_lolbas_execution_of_nltest.exe 
Changed condition as follows:
   detection:
       selection:
          EventID: 4689
          ProcessName|endswith: nltest.exe
          Status: "0x0"
     condition: selection

Included  field - SubjectDomainName
2021-10-01 12:55:37 -07:00
..
file_event_executable_and_script_creation_by_office_using_file_ext.yml
fix filename
2021-09-22 18:45:08 +02:00
process_creation_abusing_windows_telemetry_for_persistence.yml
Split global sysmon rules
2021-09-09 16:11:41 +02:00
process_creation_advanced_ip_scanner.yml
Update process_creation_advanced_ip_scanner.yml
2021-09-12 08:53:10 +02:00
process_creation_alternate_data_streams.yml
Findstr covert by win_susp_findstr.yml
2021-09-02 14:22:59 +02:00
process_creation_apt_gallium_sha1.yml
split win_apt_gallium.yml
2021-09-19 11:24:17 +02:00
process_creation_apt_gallium.yml
split win_apt_gallium.yml
2021-09-19 11:24:17 +02:00
process_creation_apt_pandemic.yml
split sysmon_apt_pandemic
2021-09-12 09:42:11 +02:00
process_creation_apt_slingshot.yml
fix: typo in filename
2021-09-27 22:37:20 +02:00
process_creation_apt_turla_commands_critical.yml
split win_apt_turla_commands.yml
2021-09-19 11:17:50 +02:00
process_creation_apt_turla_commands_medium.yml
split win_apt_turla_commands.yml
2021-09-19 11:17:50 +02:00
process_creation_apt_wocao.yml
split win_apt_wocao.yml
2021-09-19 11:07:24 +02:00
process_creation_automated_collection.yml
add process_creation_automated_collection.yml
2021-07-28 13:17:40 +02:00
process_creation_c3_load_by_rundll32.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
process_creation_clip.yml
add process_creation_clip.yml
2021-07-27 08:50:03 +02:00
process_creation_cobaltstrike_load_by_rundll32.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
process_creation_command_execution_by_office_applications.yml
fix condition operator case
2021-09-10 13:51:52 +02:00
process_creation_coti_sqlcmd.yml
fix very bad cut and paste
2021-08-16 11:22:50 +02:00
process_creation_discover_private_keys.yml
fix files_with_incorrect_mitre_tags
2021-07-20 12:22:31 +02:00
process_creation_dns_serverlevelplugindll.yml
split sysmon_dns_serverlevelplugindll.yml
2021-09-12 09:53:20 +02:00
process_creation_dotnet.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
process_creation_hack_dumpert.yml
split global sysmon_hack_dumpert.yml
2021-09-21 10:43:42 +02:00
process_creation_infdefaultinstall.yml
fix Error: [colons] too many spaces before colon
2021-07-13 10:09:52 +02:00
process_creation_lolbins_by_office_applications.yml
fix filename
2021-09-22 18:45:08 +02:00
process_creation_lolbins_with_wmiprvse_parent_process.yml
fix filename
2021-09-22 18:45:08 +02:00
process_creation_msdeploy.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
process_creation_office_applications_spawning_wmi_commandline.yml
fix filename
2021-09-22 16:27:05 +02:00
process_creation_office_from_proxy_executing_regsvr32_payload2.yml
fix filename
2021-09-22 18:45:08 +02:00
process_creation_office_from_proxy_executing_regsvr32_payload.yml
fix filename
2021-09-22 18:45:08 +02:00
process_creation_office_spawning_wmi_commandline.yml
fix filename
2021-09-22 18:45:08 +02:00
process_creation_pingback_backdoor.yml
Split global sysmon rules
2021-09-09 16:11:41 +02:00
process_creation_powershell_web_request.yml
split global win_powershell_web_request
2021-09-21 13:44:19 +02:00
process_creation_protocolhandler_suspicious_file.yml
Add process_creation_protocolhandler_suspicious_file.yml
2021-07-13 12:19:07 +02:00
process_creation_root_certificate_installed.yml
split global win_root_certificate_installed.yml
2021-09-21 13:34:32 +02:00
process_creation_sdelete.yml
renamed files: lowercase
2021-09-27 22:33:30 +02:00
process_creation_software_discovery.yml
split global win_software_discovery.yml
2021-09-21 13:28:47 +02:00
process_creation_stickykey_like_backdoor.yml
split sysmon_stickykey_like_backdoor.yml
2021-09-12 09:58:43 +02:00
process_creation_susp_7z.yml
Update process_creation_susp_7z.yml
2021-07-27 16:02:09 +02:00
process_creation_susp_athremotefxvgpudisablementcommand.yml
Split global rules
2021-09-07 13:30:32 +02:00
process_creation_susp_recon.yml
add process_creation_susp_recon.yml
2021-07-30 08:15:13 +02:00
process_creation_susp_winzip.yml
forget date field
2021-07-27 11:09:35 +02:00
process_creation_susp_zip_compress.yml
Split global rules
2021-09-07 13:30:32 +02:00
process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
Clean SyncAppvPublishingServer rules
2021-09-12 07:46:35 +02:00
process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
Clean SyncAppvPublishingServer rules
2021-09-12 07:46:35 +02:00
process_creation_sysinternals_eula_accepted.yml
split sysinternals eula and uac bypass
2021-09-12 09:38:05 +02:00
process_creation_sysmon_uac_bypass_eventvwr.yml
split sysinternals eula and uac bypass
2021-09-12 09:38:05 +02:00
process_creation_tool_psexec.yml
split global win_tool_psexec.yml
2021-09-21 10:10:48 +02:00
process_creation_win_exchange_transportagent.yml
split win_apt_turla_commands.yml
2021-09-19 11:17:50 +02:00
process_creationn_apt_chafer_mar18.yml
split win_apt_chafer_mar18.yml
2021-09-19 11:48:20 +02:00
process_mailboxexport_share.yml
Update process_mailboxexport_share.yml
2021-09-08 20:21:02 +02:00
process_susp_esentutl_params.yml
fix file name
2021-08-07 15:54:43 +02:00
sysmon_abusing_debug_privilege.yml
Update sysmon_abusing_debug_privilege.yml
2021-08-26 12:46:15 +00:00
sysmon_accesschk_usage_after_priv_escalation.yml
Spelling Errors on Rules
2021-08-18 18:58:20 +00:00
sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
sysmon_always_install_elevated_windows_installer.yml
Update sysmon_always_install_elevated_windows_installer.yml
2021-08-26 12:48:59 +00:00
sysmon_apt_muddywater_dnstunnel.yml
Merge pull request #989 from oscd-initiative/master
2020-09-08 13:27:58 +02:00
sysmon_apt_sourgrum.yml
fix product sysmon_apt_sourgrum.yml
2021-07-30 16:02:38 +02:00
sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
Update sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
2021-09-22 22:24:24 -05:00
sysmon_cmstp_execution_by_creation.yml
fix 3 times the same name file
2021-07-02 11:01:07 +02:00
sysmon_creation_mavinject_dll.yml
update ref in sysmon_creation_mavinject_dll.yml
2021-07-30 08:31:37 +02:00
sysmon_cve_2021_26857_msexchange.yml
Update cve tags
2021-08-24 10:50:01 +02:00
sysmon_expand_cabinet_files.yml
Added -F option support
2021-08-31 13:02:53 +05:45
sysmon_hack_wce.yml
fix: FP with WCE and Windows Cluster Service
2021-07-15 12:09:28 +02:00
sysmon_high_integrity_sdclt.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
sysmon_logon_scripts_userinitmprlogonscript_proc.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
sysmon_long_powershell_commandline.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
sysmon_netcat_execution.yml
increased level to high
2021-07-23 09:51:00 +02:00
sysmon_proxy_execution_wuauclt.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
sysmon_rclone_execution.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
sysmon_remove_windows_defender_definition_files.yml
Add 2 defense-evasion T1562.001 rules
2021-07-07 15:43:55 +02:00
sysmon_sdclt_child_process.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
sysmon_susp_plink_remote_forward.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
sysmon_susp_service_modification.yml
Add 2 defense-evasion T1562.001 rules
2021-07-07 15:43:55 +02:00
sysmon_susp_webdav_client_execution.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
sysmon_uninstall_crowdstrike_falcon.yml
test 21 to 24 from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
2021-07-12 10:54:44 +02:00
win_ad_find_discovery.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_anydesk_silent_install.yml
fix: condition
2021-08-06 18:45:38 +02:00
win_apt_apt29_thinktanks.yml
Update win_apt_apt29_thinktanks.yml - Links
2021-07-07 20:21:41 +08:00
win_apt_babyshark.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_bear_activity_gtr19.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_bluemashroom.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_cloudhopper.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_dragonfly.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_elise.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_emissarypanda_sep19.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_empiremonkey.yml
Update global id
2021-09-03 06:50:00 +02:00
win_apt_equationgroup_dll_u_load.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_evilnum_jul20.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_greenbug_may20.yml
win-apt-greenbug-fix amend b64 value of /server= as seen in IOC
2021-09-22 10:33:04 -04:00
win_apt_hafnium.yml
add missing tags
2021-09-08 20:14:49 +02:00
win_apt_hurricane_panda.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_judgement_panda_gtr19.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_ke3chang_regadd.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_lazarus_activity_apr21.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_lazarus_activity_dec20.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_lazarus_loader.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_lazarus_session_highjack.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_mustangpanda.yml
add missing tags
2021-09-07 17:45:41 +02:00
win_apt_revil_kaseya.yml
rule: more Kaseya patterns
2021-07-05 12:03:35 +02:00
win_apt_sofacy.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_ta17_293a_ps.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_ta505_dropper.yml
TA505 Loader Rule
2020-12-08 10:15:30 +01:00
win_apt_taidoor.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_tropictrooper.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_turla_comrat_may20.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_unc2452_cmds.yml
Fix invalid tags
2021-08-25 09:15:57 +02:00
win_apt_unc2452_ps.yml
Fix invalid tags
2021-08-25 09:15:57 +02:00
win_apt_unidentified_nov_18.yml
split win_apt_unidentified_nov_18.yml
2021-09-19 11:11:04 +02:00
win_apt_winnti_mal_hk_jan20.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_apt_winnti_pipemon.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_apt_zxshell.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_attrib_hiding_files.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_bad_opsec_sacrificial_processes.yml
fix: remove single value lists
2021-09-02 14:09:03 +02:00
win_bootconf_mod.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:30:57 +08:00
win_bypass_squiblytwo.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_change_default_file_association.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:30:57 +08:00
win_cl_invocation_lolscript.yml
fix file name case
2021-08-26 11:15:33 +02:00
win_cl_mutexverifiers_lolscript.yml
fix file name case
2021-08-26 11:15:33 +02:00
win_class_exec_xwizard.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_cmdkey_recon.yml
refactor: changed cmdkey rule
2021-07-07 14:45:03 +02:00
win_cmstp_com_object_access.yml
add System IntegrityLevel to uac bypass rules, the level is not used most of the time, but might
2021-08-31 16:18:05 +02:00
win_cobaltstrike_process_patterns.yml
rules: cobalt strike rules refactored
2021-08-30 15:10:30 +02:00
win_commandline_path_traversal.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_control_panel_item.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_copying_sensitive_files_with_credential_data.yml
fixing test runner issues
2020-09-15 15:45:33 -06:00
win_credential_access_via_password_filter.yml
Replace old mitre techniques by new one
2021-08-22 13:57:56 +02:00
win_crime_fireball.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_crime_maze_ransomware.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_crime_snatch_ransomware.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_data_compressed_with_rar.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_detecting_fake_instances_of_hxtsr.yml
Various fixes
2021-09-07 23:38:07 +02:00
win_dll_sideload_xwizard.yml
Update win_dll_sideload_xwizard.yml
2021-09-20 10:56:37 +02:00
win_dns_exfiltration_tools_execution.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_dnscat2_powershell_implementation.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_encoded_frombase64string.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_encoded_iex.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_etw_modification_cmdline.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_etw_trace_evasion.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_exchange_proxylogon_oabvirtualdir.yml
add missing tags
2021-09-07 17:45:41 +02:00
win_exfiltration_and_tunneling_tools_execution.yml
fix tags
2020-08-29 21:34:20 +02:00
win_exploit_cve_2015_1641.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_exploit_cve_2017_0261.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_exploit_cve_2017_8759.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_exploit_cve_2017_11882.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_exploit_cve_2019_1378.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_exploit_cve_2019_1388.yml
Update win_exploit_cve_2019_1388.yml
2021-08-26 12:41:36 +00:00
win_exploit_cve_2020_1048.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_exploit_cve_2020_1350.yml
fix: more FPs based on feedback
2020-07-15 12:05:50 +02:00
win_exploit_cve_2020_10189.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_exploit_systemnightmare.yml
rule: SystemNightmare
2021-08-11 10:10:30 +02:00
win_file_permission_modifications.yml
Convert ART reference links from .yaml to .md
2021-07-06 17:56:38 +08:00
win_grabbing_sensitive_hives_via_reg.yml
Update win_grabbing_sensitive_hives_via_reg.yml
2021-07-24 18:17:27 -05:00
win_hack_adcspwn.yml
rule: ADCSPwn
2021-07-31 10:18:21 +02:00
win_hack_bloodhound.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_hack_koadic.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_hack_rubeus.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_hack_secutyxploded.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_hh_chm.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_hiding_malware_in_fonts_folder.yml
Various fixes
2021-09-07 23:38:07 +02:00
win_hktl_createminidump.yml
split win_hktl_createminidump.yml
2021-09-19 10:19:34 +02:00
win_hktl_uacme_uac_bypass.yml
chore: move level/falsepositives to bottom
2021-09-02 14:55:17 +02:00
win_html_help_spawn.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_hwp_exploits.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_impacket_compiled_tools.yml
fix: adding experimental status
2021-07-24 12:34:33 +02:00
win_impacket_lateralization.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_indirect_cmd_compatibility_assistant.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_indirect_cmd.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_install_reg_debugger_backdoor.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_interactive_at.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:30:57 +08:00
win_invoke_obfuscation_clip.yml
fix filename
2021-09-22 18:45:08 +02:00
win_invoke_obfuscation_obfuscated_iex_commandline.yml
Various fixes
2021-09-07 23:38:07 +02:00
win_invoke_obfuscation_stdin.yml
fix filename
2021-09-22 18:45:08 +02:00
win_invoke_obfuscation_var.yml
fix filename
2021-09-22 16:21:07 +02:00
win_invoke_obfuscation_via_compress.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_invoke_obfuscation_via_rundll.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_invoke_obfuscation_via_stdin.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_invoke_obfuscation_via_use_clip.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_invoke_obfuscation_via_use_mhsta.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_invoke_obfuscation_via_use_rundll32.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_invoke_obfuscation_via_var.yml
fix filename
2021-09-22 16:21:07 +02:00
win_lethalhta.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_local_system_owner_account_discovery.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_lolbas_execution_of_nltest.exe
Update win_lolbas_execution_of_nltest.exe
2021-10-01 12:55:37 -07:00
win_lolbas_execution_of_wuauclt.yml
Replace old mitre techniques by new one
2021-08-22 13:57:56 +02:00
win_lolbin_execution_via_winget.yml
Spelling Errors on Rules
2021-08-18 18:58:20 +00:00
win_lsass_dump.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_mal_adwind.yml
split win_hktl_createminidump.yml
2021-09-19 10:19:34 +02:00
win_malware_conti_7zip.yml
add missing tags
2021-09-08 20:14:49 +02:00
win_malware_conti_shadowcopy.yml
Add missing tags
2021-09-02 09:59:19 +02:00
win_malware_conti.yml
add missing tags
2021-09-07 17:45:41 +02:00
win_malware_dridex.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_malware_dtrack.yml
Add missing tags
2021-09-02 09:59:19 +02:00
win_malware_emotet.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_malware_formbook.yml
add missing tags
2021-09-08 20:14:49 +02:00
win_malware_notpetya.yml
Fix NotPetya Ransomware rule
2021-08-27 11:53:50 -04:00
win_malware_qbot.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_malware_ryuk.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_malware_script_dropper.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_malware_trickbot_recon_activity.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_malware_trickbot_wermgr.yml
New Trickbot wermgr rule
2020-11-26 09:54:27 +01:00
win_malware_wannacry.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_manage_bde_lolbas.yml
fix filename
2021-09-22 16:27:05 +02:00
win_mavinject_proc_inj.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_mimikatz_command_line.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_mmc_spawn_shell.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_modif_of_services_for_via_commandline.yml
Replace old mitre techniques by new one
2021-08-22 13:57:56 +02:00
win_monitoring_for_persistence_via_bits.yml
escape / in regex
2021-07-15 08:13:49 +02:00
win_mouse_lock.yml
Add missing product in logsource
2020-12-23 15:45:00 -05:00
win_mshta_javascript.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_mshta_spawn_shell.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_multiple_suspicious_cli.yml
Update win_multiple_suspicious_cli.yml
2021-06-14 08:54:07 +02:00
win_net_enum.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_net_user_add.yml
Updated ART reference links from .yaml
2021-07-06 17:39:25 +08:00
win_netsh_allow_port_rdp.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_netsh_fw_add_susp_image.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_netsh_fw_add.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_netsh_packet_capture.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_netsh_port_fwd_3389.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_netsh_port_fwd.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_netsh_wifi_credential_harvesting.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_network_sniffing.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_new_service_creation.yml
Updated ART reference links from .yaml
2021-07-06 17:39:25 +08:00
win_nltest_recon.yml
Added alternative command parameter
2021-09-28 17:39:21 +02:00
win_non_interactive_powershell.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_non_priv_reg_or_ps.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_office_shell.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_office_spawn_exe_from_users_directory.yml
fix tags
2021-08-24 12:36:31 +02:00
win_plugx_susp_exe_locations.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_possible_applocker_bypass.yml
update references
2021-08-23 13:30:46 +02:00
win_possible_privilege_escalation_via_service_registry_permissions.yml
fix filename
2021-09-22 18:45:08 +02:00
win_powershell_amsi_bypass.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_powershell_audio_capture.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_powershell_b64_shellcode.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_powershell_bitsjob.yml
win_powershell_cmdline_reversed_strings.yml
Cleanup PS rules
2021-08-21 09:58:58 +02:00
win_powershell_cmdline_special_characters.yml
Cleanup PS rules
2021-08-21 09:58:58 +02:00
win_powershell_cmdline_specific_comb_methods.yml
Cleanup PS rules
2021-08-21 09:58:58 +02:00
win_powershell_defender_exclusion.yml
test 21 to 24 from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
2021-07-12 10:54:44 +02:00
win_powershell_disable_windef_av.yml
Replace old mitre techniques by new one
2021-08-22 13:57:56 +02:00
win_powershell_dll_execution.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_powershell_downgrade_attack.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_powershell_download.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_powershell_frombase64string.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_powershell_reverse_shell_connection.yml
Replace old mitre techniques by new one
2021-08-22 13:57:56 +02:00
win_powershell_suspicious_parameter_variation.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_powershell_xor_commandline.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_powersploit_empire_schtasks.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_proc_wrong_parent.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_procdump.yml
fix duplicate uuid
2021-08-16 15:50:14 +02:00
win_process_creation_bitsadmin_download.yml
fix: bug in author field (cannot be a list)
2021-07-27 10:14:53 +02:00
win_process_dump_rdrleakdiag.yml
The issues have been fixed
2021-09-24 22:18:00 +02:00
win_process_dump_rundll32_comsvcs.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_psexesvc_start.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_purplesharp_indicators.yml
add missing tags
2021-09-07 17:45:41 +02:00
win_query_registry.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_rasautou_dll_execution.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_rdp_hijack_shadowing.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_redmimicry_winnti_proc.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_reg_add_run_key.yml
add missing tags
2021-09-08 20:14:49 +02:00
win_regedit_export_critical_keys.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_regedit_export_keys.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_regedit_import_keys_ads.yml
Various fixes
2021-09-07 23:38:07 +02:00
win_regedit_import_keys.yml
Various fixes
2021-09-07 23:38:07 +02:00
win_regini_ads.yml
Various fixes
2021-09-07 23:38:07 +02:00
win_regini.yml
Various fixes
2021-09-07 23:38:07 +02:00
win_remote_powershell_session_process.yml
Update win_remote_powershell_session_process.yml
2021-07-15 11:20:25 +08:00
win_remote_time_discovery.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_renamed_binary_highly_relevant.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_renamed_binary.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_renamed_jusched.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_renamed_megasync.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_renamed_paexec.yml
fix tags
2021-08-24 12:36:31 +02:00
win_renamed_powershell.yml
Tune detection in win_renamed_powershell.yml
2021-07-03 15:18:01 +02:00
win_renamed_procdump.yml
refactoring: procdump rules
2021-08-16 13:55:00 +02:00
win_renamed_psexec.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_renamed_whoami.yml
rule: renamed whoami
2021-08-12 13:27:51 +02:00
win_run_powershell_script_from_ads.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_run_powershell_script_from_input_stream.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_run_virtualbox.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_rundll32_without_parameters.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_script_event_consumer_spawn.yml
Spelling Errors on Rules
2021-08-18 18:58:20 +00:00
win_sdbinst_shim_persistence.yml
Fix selection with only 1 element
2021-08-14 09:54:27 +02:00
win_service_execution.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_service_stop.yml
Fix selection with only 1 element
2021-08-14 09:54:27 +02:00
win_shadow_copies_access_symlink.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_shadow_copies_creation.yml
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
win_shadow_copies_deletion.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_shell_spawn_mshta.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_shell_spawn_susp_program.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_silenttrinity_stage_use.yml
split win_silenttrinity_stage_use.yml
2021-09-19 10:02:05 +02:00
win_soundrec_audio_capture.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_spn_enum.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_sticky_keys_unauthenticated_privileged_console_access.yml
fixed date: switched day/month
2021-09-03 12:03:38 +02:00
win_sus_auditpol_usage.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_adfind.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_atbroker.yml
Fix selection with only 1 element
2021-08-14 09:54:27 +02:00
win_susp_bcdedit.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_bginfo.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_bitstransfer.yml
Update win_susp_bitstransfer.yml
2021-08-19 22:24:23 -05:00
win_susp_calc.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_cdb.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_certutil_command.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_certutil_encode.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_cli_escape.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_cmd_http_appdata.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_cmd_shadowcopy_access.yml
add missing tags
2021-09-01 20:01:03 +02:00
win_susp_codepage_switch.yml
add missing tags
2021-09-07 17:45:41 +02:00
win_susp_commands_recon_activity.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_compression_params.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_comsvcs_procdump.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_conhost.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_control_cve_2021_40444.yml
Revert "refactor: exclude case in which upper ticks are used"
2021-09-10 18:13:36 +02:00
win_susp_control_dll_load.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_copy_lateral_movement.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_copy_system32.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_covenant.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_crackmapexec_execution.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_crackmapexec_powershell_obfuscation.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_csc_folder.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_csc.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_csi.yml
Spelling Errors on Rules
2021-08-18 18:58:20 +00:00
win_susp_curl_download.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_curl_fileupload.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_curl_start_combo.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_dctask64_proc_inject.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_desktopimgdownldr.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_devtoolslauncher.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_direct_asep_reg_keys_modification.yml
Updated ART reference links from .yaml
2021-07-06 17:39:25 +08:00
win_susp_disable_eventlog.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_disable_ie_features.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_disable_raccine.yml
refactor: improved Raccine uninstall rule
2021-07-14 09:56:35 +02:00
win_susp_diskshadow.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_ditsnap.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_dnx.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_double_extension.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_dxcap.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_emotet_rudll32_execution.yml
Update win_susp_emotet_rudll32_execution.yml
2020-12-25 09:05:55 +01:00
win_susp_eventlog_clear.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:30:57 +08:00
win_susp_execution_path_webserver.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_execution_path.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_explorer_break_proctree.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_explorer.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_file_characteristics.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_file_download_via_gfxdownloadwrapper.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_findstr_lnk.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_findstr.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_finger_usage.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_firewall_disable.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_fsutil_usage.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_susp_ftp.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_gup.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_iss_module_install.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_mounted_share_deletion.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_mpcmdrun_download.yml
fix tags
2021-09-29 08:26:05 +02:00
win_susp_mshta_pattern.yml
mispelled 'mshta.exe' in selection_base
2021-09-29 07:47:12 -05:00
win_susp_msiexec_cwd.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_msiexec_web_install.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_msoffice.yml
win_susp_net_execution.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_netsh_dll_persistence.yml
Add win_susp_screensaver_reg.yml
2021-08-19 13:55:09 +02:00
win_susp_ngrok_pua.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_ntdsutil.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_odbcconf.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_openwith.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_outlook_temp.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_outlook.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_pcwutl.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_pester.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_ping_hex_ip.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_powershell_empire_launch.yml
refactor: widened PS1 Empire cmdlines rule
2021-07-20 11:26:22 +02:00
win_susp_powershell_empire_uac_bypass.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_powershell_enc_cmd.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_powershell_encoded_param.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_powershell_getprocess_lsass.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_powershell_hidden_b64_cmd.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_powershell_parent_combo.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_powershell_parent_process.yml
refactor: level of suspicious parent for powershell rule
2021-08-24 12:30:40 +02:00
win_susp_powershell_sam_access.yml
SeriousSAM PowerShell rule
2021-07-29 18:12:10 +02:00
win_susp_print.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_procdump_lsass.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_procdump.yml
fix: missing "|all" modifier
2021-08-16 16:14:48 +02:00
win_susp_ps_appdata.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_ps_downloadfile.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_psexec_eula.yml
Update win_susp_psexec_eula.yml
2020-11-29 17:45:29 +05:30
win_susp_psexex_paexec_flags.yml
add missing tags
2021-09-08 20:14:49 +02:00
win_susp_psr_capture_screenshots.yml
update ref win_susp_psr_capture_screenshots.yml
2021-07-30 08:40:21 +02:00
win_susp_rar_flags.yml
update detection
2021-07-27 10:34:46 +02:00
win_susp_rasdial_activity.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_razorinstaller_explorer.yml
fix: error in modifier
2021-08-24 15:03:23 +02:00
win_susp_rclone_exec.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_recon_activity.yml
fix: Correct incorrect message / keyword usage
2021-08-12 16:28:07 +02:00
win_susp_reg_disable_sec_services.yml
rule: reg disable security services
2021-07-14 15:52:35 +02:00
win_susp_regedit_trustedinstaller.yml
add missing tags
2021-09-07 17:45:41 +02:00
win_susp_register_cimprovider.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_regsvr32_anomalies.yml
fix: bug in regsvr anomaly rule
2021-07-18 12:59:31 +02:00
win_susp_regsvr32_flags_anomaly.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_regsvr32_no_dll.yml
regsvr32 anomaly rule update
2021-07-20 21:14:48 +02:00
win_susp_renamed_dctask64.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_renamed_debugview.yml
add missing tags
2021-09-08 20:14:49 +02:00
win_susp_renamed_paexec.yml
add missing tags
2021-09-08 20:14:49 +02:00
win_susp_rpcping.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_run_locations.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_rundll32_activity.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_rundll32_by_ordinal.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_rundll32_inline_vbs.yml
add missing tags
2021-09-01 20:01:03 +02:00
win_susp_rundll32_no_params.yml
add missing tags
2021-09-08 20:14:49 +02:00
win_susp_rundll32_setupapi_installhinfsection.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_rundll32_sys.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_runonce_execution.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_runscripthelper.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_schtask_creation_temp_folder.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_schtask_creation.yml
Update win_susp_schtask_creation.yml
2021-08-26 12:45:24 +00:00
win_susp_screenconnect_access.yml
add missing tags
2021-09-01 20:01:03 +02:00
win_susp_screensaver_reg.yml
Add win_susp_screensaver_reg.yml
2021-08-19 13:55:09 +02:00
win_susp_script_exec_from_temp.yml
fix modified value
2021-08-10 19:09:34 +02:00
win_susp_script_execution.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_service_dacl_modification.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_service_dir.yml
add missing tags
2021-09-08 20:14:49 +02:00
win_susp_service_path_modification.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
win_susp_servu_exploitation_cve_2021_35211.yml
Fix invalid tags
2021-08-25 09:15:57 +02:00
win_susp_servu_process_pattern.yml
Update cve tags
2021-08-24 10:27:27 +02:00
win_susp_shell_spawn_from_mssql.yml
Replace old mitre techniques by new one
2021-08-22 13:57:56 +02:00
win_susp_shimcache_flush.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_splwow64.yml
add missing tags
2021-09-08 20:14:49 +02:00
win_susp_spoolsv_child_processes.yml
New rule: suspicious spoolsv child process
2021-07-12 08:48:59 +02:00
win_susp_sqldumper_activity.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_squirrel_lolbin.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_svchost_no_cli.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_svchost.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_sysprep_appdata.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_sysvol_access.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_taskmgr_localsystem.yml
Update win_susp_taskmgr_localsystem.yml
2021-08-26 12:44:35 +00:00
win_susp_taskmgr_parent.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_tracker_execution.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_tscon_localsystem.yml
Update win_susp_tscon_localsystem.yml
2021-08-26 12:50:24 +00:00
win_susp_tscon_rdp_redirect.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_uac_bypass_trustedpath.yml
rule: UAC bypass by mocking dirs
2021-08-27 18:12:21 +02:00
win_susp_use_of_csharp_console.yml
win_susp_use_of_sqlps_bin.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_use_of_sqltoolsps_bin.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_use_of_te_bin.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_use_of_vsjitdebugger_bin.yml
childimage do not exist in sysmon schema
2021-07-06 09:26:43 +02:00
win_susp_userinit_child.yml
add missing tags
2021-09-01 20:01:03 +02:00
win_susp_vboxdrvinst.yml
renamed files: lowercase
2021-09-27 22:33:30 +02:00
win_susp_vbscript_unc2452.yml
fix duplicate tags
2021-09-08 20:16:53 +02:00
win_susp_volsnap_disable.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_whoami_anomaly.yml
fix: null cannot be used in a list with other values
2021-08-26 13:54:18 +02:00
win_susp_whoami.yml
refactor: removed OriginalFileName from rule to improve compatibilty
2021-08-12 13:28:24 +02:00
win_susp_winrm_awl_bypass.yml
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-09-27 22:34:30 +02:00
win_susp_winrm_execution.yml
Spelling Errors on Rules
2021-08-18 18:58:20 +00:00
win_susp_wmi_execution.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_wmic_eventconsumer_create.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_wmic_proc_create_rundll32.yml
fix: rule title casing
2020-10-12 09:51:35 +02:00
win_susp_wmic_security_product_uninstall.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_wsl_lolbin.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_susp_wuauclt.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_sysmon_driver_unload.yml
Update win_sysmon_driver_unload.yml
2021-09-27 23:30:30 -05:00
win_system_exe_anomaly.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_tap_installer_execution.yml
win_task_folder_evasion.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_termserv_proc_spawn.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_tools_relay_attacks.yml
HiveNightmare and Relay attack tools adjustments
2021-07-26 10:59:35 +02:00
win_trust_discovery.yml
combines 2 rules
2021-07-09 16:41:03 +02:00
win_uac_bypass_changepk_slui.yml
add System IntegrityLevel to uac bypass rules, the level is not used most of the time, but might
2021-08-31 16:18:05 +02:00
win_uac_bypass_cleanmgr.yml
chore: move level/falsepositives to bottom
2021-09-02 14:55:17 +02:00
win_uac_bypass_computerdefaults.yml
additional UAC bypass rule
2021-08-31 16:23:32 +02:00
win_uac_bypass_consent_comctl32.yml
chore: move level/falsepositives to bottom
2021-09-02 14:55:17 +02:00
win_uac_bypass_dismhost.yml
chore: move level/falsepositives to bottom
2021-09-02 14:55:17 +02:00
win_uac_bypass_ieinstal.yml
chore: move level/falsepositives to bottom
2021-09-02 14:55:17 +02:00
win_uac_bypass_msconfig_gui.yml
chore: move level/falsepositives to bottom
2021-09-02 14:55:17 +02:00
win_uac_bypass_ntfs_reparse_point.yml
chore: move level/falsepositives to bottom
2021-09-02 14:55:17 +02:00
win_uac_bypass_pkgmgr_dism.yml
add System IntegrityLevel to uac bypass rules, the level is not used most of the time, but might
2021-08-31 16:18:05 +02:00
win_uac_bypass_winsat.yml
chore: move level/falsepositives to bottom
2021-09-02 14:55:17 +02:00
win_uac_bypass_wmp.yml
chore: move level/falsepositives to bottom
2021-09-02 14:55:17 +02:00
win_uac_bypass_wsreset.yml
add System IntegrityLevel to uac bypass rules, the level is not used most of the time, but might
2021-08-31 16:18:05 +02:00
win_uac_cmstp.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_uac_fodhelper.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_uac_wsreset.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_using_sc_to_change_sevice_image_path_by_non_admin.yml
fixed typo in tag
2020-08-29 20:19:46 +03:00
win_using_settingsynchost_as_lolbin.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_verclsid_runs_com.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_visual_basic_compiler.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_vul_java_remote_debugging.yml
add missing tags
2021-09-07 17:45:41 +02:00
win_webshell_detection.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_webshell_recon_detection.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_webshell_spawn.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_whoami_as_system.yml
Update win_whoami_as_system.yml
2021-08-26 12:43:33 +00:00
win_whoami_priv.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_win10_sched_task_0day.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_winword_dll_load.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_wmi_backdoor_exchange_transport_agent.yml
Merging upstream updates
2021-07-01 12:18:30 +05:45
win_wmi_persistence_script_event_consumer.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_wmi_spwns_powershell.yml
Spelling Errors on Rules
2021-08-18 18:58:20 +00:00
win_wmiprvse_spawning_process.yml
Update win_wmiprvse_spawning_process.yml
2021-08-26 12:42:47 +00:00
win_workflow_compiler.yml
update win_workflow_compiler.yml
2021-07-13 13:55:27 +02:00
win_write_protect_for_storage_disabled.yml
Various fixes
2021-09-07 23:38:07 +02:00
win_wsreset_uac_bypass.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_xsl_script_processing.yml
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00