security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ca09ae5039f5a75a7d35a2c736abdd83e9b4c0e9
blue-team-tools/rules/windows/process_creation
T
History
OpalSec ca09ae5039 Modification of search logic per advice from @zinint 
Edited suggested searches to improve performance:

VAR+
16ms:	.*cmd.*(?:\/c|\/r).*set.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"

6ms:  .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"

STDIN+
7ms:    .*cmd.*(?:\/c|\/r).*powershell.+(?:\$\{?input}?|noexit).*\"

3ms:    .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"

CLIP+
28ms:    .*cmd.*(?:\/c|\/r).*\|.*clip(?:\.exe)?.*&&.*clipboard]::\(\s\\\"\{\d\}.*\-f.*\"

11ms:    .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
2020-10-18 21:15:43 +11:00
..
sysmon_apt_muddywater_dnstunnel.yml
Merge pull request #989 from oscd-initiative/master
2020-09-08 13:27:58 +02:00
sysmon_hack_wce.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
sysmon_logon_scripts_userinitmprlogonscript_proc.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_advanced_ip_scanner.yml
fix: typo in contains
2020-05-13 12:38:54 +02:00
win_apt_apt29_thinktanks.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_babyshark.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_bear_activity_gtr19.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_bluemashroom.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_chafer_mar18.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_cloudhopper.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_dragonfly.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_elise.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_emissarypanda_sep19.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_empiremonkey.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_equationgroup_dll_u_load.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_evilnum_jul20.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_gallium.yml
logsource change
2020-02-07 15:47:27 +01:00
win_apt_greenbug_may20.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_hurricane_panda.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
win_apt_judgement_panda_gtr19.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_ke3chang_regadd.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_lazarus_session_highjack.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_mustangpanda.yml
Fix rules with incorrect escaping of wildcars
2020-06-15 13:38:18 -04:00
win_apt_slingshot.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_sofacy.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_ta17_293a_ps.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_taidoor.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_tropictrooper.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_turla_commands.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_turla_comrat_may20.yml
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
win_apt_unidentified_nov_18.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_apt_winnti_mal_hk_jan20.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_apt_winnti_pipemon.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_apt_wocao.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_apt_zxshell.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_attrib_hiding_files.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_bootconf_mod.yml
Fix a bad CommandLine search
2020-05-13 11:32:05 +02:00
win_bypass_squiblytwo.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_change_default_file_association.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_cmdkey_recon.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_cmstp_com_object_access.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_commandline_path_traversal.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_control_panel_item.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_copying_sensitive_files_with_credential_data.yml
fixing test runner issues
2020-09-15 15:45:33 -06:00
win_crime_fireball.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_crime_maze_ransomware.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_crime_snatch_ransomware.yml
fix: 1 of them / one selection
2020-09-02 12:34:35 +02:00
win_data_compressed_with_rar.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_dns_exfiltration_tools_execution.yml
fix tags
2020-08-29 21:34:20 +02:00
win_dnscat2_powershell_implementation.yml
style: removed lists where unnecessary
2020-08-17 15:01:52 +02:00
win_dsquery_domain_trust_discovery.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_encoded_frombase64string.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_encoded_iex.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_etw_modification_cmdline.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_etw_trace_evasion.yml
fix typos, update tags
2020-09-13 15:46:45 +02:00
win_exfiltration_and_tunneling_tools_execution.yml
fix tags
2020-08-29 21:34:20 +02:00
win_exploit_cve_2015_1641.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_exploit_cve_2017_0261.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_exploit_cve_2017_8759.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_exploit_cve_2017_11882.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_exploit_cve_2019_1378.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_exploit_cve_2019_1388.yml
rule: another reference for CVE-2019-1388 rule
2019-11-20 15:09:30 +01:00
win_exploit_cve_2020_1048.yml
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
win_exploit_cve_2020_1350.yml
fix: more FPs based on feedback
2020-07-15 12:05:50 +02:00
win_exploit_cve_2020_10189.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_file_permission_modifications.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_grabbing_sensitive_hives_via_reg.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_hack_bloodhound.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_hack_koadic.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_hack_rubeus.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_hack_secutyxploded.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_hh_chm.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_hktl_createminidump.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_html_help_spawn.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_hwp_exploits.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_impacket_lateralization.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_indirect_cmd_compatibility_assistant.yml
Pcwrun.exe detection added
2020-10-12 13:52:49 +03:00
win_indirect_cmd.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_install_reg_debugger_backdoor.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_interactive_at.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_invoke_obfuscation_clip+.yml
Modification of search logic per advice from @zinint
2020-10-18 21:15:43 +11:00
win_invoke_obfuscation_obfuscated_iex_commandline.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_invoke_obfuscation_stdin+.yml
Modification of search logic per advice from @zinint
2020-10-18 21:15:43 +11:00
win_invoke_obfuscation_var+.yml
Modification of search logic per advice from @zinint
2020-10-18 21:15:43 +11:00
win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
Revert "Moved rules with enrichments into unsupported"
2020-02-15 22:52:06 +01:00
win_lethalhta.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_local_system_owner_account_discovery.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_lsass_dump.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_mal_adwind.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_malware_dridex.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_malware_dtrack.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_emotet.yml
fix duplication of key modified in win_malware_emotet.yml
2020-09-01 17:09:54 +00:00
win_malware_formbook.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_notpetya.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_malware_qbot.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_malware_ryuk.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_malware_script_dropper.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_malware_trickbot_recon_activity.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_malware_wannacry.yml
att&ck tags review: windows/process_creation part 3
2020-09-01 17:02:59 +00:00
win_mavinject_proc_inj.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_mimikatz_command_line.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_mmc_spawn_shell.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_mouse_lock.yml
fix: syntax bug in rule
2020-09-03 09:18:28 +02:00
win_mshta_javascript.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_mshta_spawn_shell.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_multiple_suspicious_cli.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_net_enum.yml
Fix match for double-backslash
2020-06-15 13:39:50 -04:00
win_net_user_add.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_netsh_allow_port_rdp.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_netsh_fw_add_susp_image.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_netsh_fw_add.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_netsh_packet_capture.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_netsh_port_fwd_3389.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_netsh_port_fwd.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_netsh_wifi_credential_harvesting.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_network_sniffing.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_new_service_creation.yml
Merge pull request #989 from oscd-initiative/master
2020-09-08 13:27:58 +02:00
win_non_interactive_powershell.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_office_shell.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_office_spawn_exe_from_users_directory.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_plugx_susp_exe_locations.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_possible_applocker_bypass.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_possible_privilege_escalation_using_rotten_potato.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_powershell_amsi_bypass.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_powershell_audio_capture.yml
UUIDs + moved unsupported logic
2019-12-19 23:56:36 +01:00
win_powershell_b64_shellcode.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_powershell_bitsjob.yml
OSCD QA wave 1
2020-01-11 00:11:27 +01:00
win_powershell_dll_execution.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_powershell_downgrade_attack.yml
review windows/process_creation part 4
2020-09-02 02:34:34 +02:00
win_powershell_download.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_powershell_frombase64string.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_powershell_suspicious_parameter_variation.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_powershell_xor_commandline.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_powersploit_empire_schtasks.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_proc_wrong_parent.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_process_creation_bitsadmin_download.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_process_dump_rundll32_comsvcs.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_psexesvc_start.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_query_registry.yml
Converted to Unix line end
2019-12-15 23:30:42 +01:00
win_rdp_hijack_shadowing.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_redmimicry_winnti_proc.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_remote_powershell_session_process.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_remote_time_discovery.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_renamed_binary_highly_relevant.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_renamed_binary.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_renamed_jusched.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_renamed_paexec.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_renamed_powershell.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_renamed_procdump.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_renamed_psexec.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_run_powershell_script_from_ads.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_sdbinst_shim_persistence.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_service_execution.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_service_stop.yml
fix false positive on taskkill.exe not related to service stop at all
2020-02-24 03:03:46 -05:00
win_shadow_copies_access_symlink.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_shadow_copies_creation.yml
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
win_shadow_copies_deletion.yml
fix: rules with duplicate tags
2020-07-27 11:44:47 +02:00
win_shell_spawn_susp_program.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_silenttrinity_stage_use.yml
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
win_soundrec_audio_capture.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_spn_enum.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_adfind.yml
added tags and corrected image condition format
2020-10-12 17:00:57 +05:30
win_susp_bcdedit.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_bginfo.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_calc.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_cdb.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_certutil_command.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_certutil_encode.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_cli_escape.yml
rule should be wildcard AND had a prepended ^ in one of the CommandLine conditions that would have caused to not trigger
2020-03-14 15:00:42 -04:00
win_susp_cmd_http_appdata.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_codepage_switch.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_commands_recon_activity.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_compression_params.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_comsvcs_procdump.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_control_dll_load.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_copy_lateral_movement.yml
Update win_susp_copy_lateral_movement.yml
2020-10-07 08:18:09 +11:00
win_susp_copy_system32.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_covenant.yml
fix typos, update tags
2020-09-13 15:46:45 +02:00
win_susp_crackmapexec_execution.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_crackmapexec_powershell_obfuscation.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_csc_folder.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_csc.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_curl_download.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_curl_fileupload.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_curl_start_combo.yml
att&ck tags review: windows/process_creation part 6
2020-09-05 20:35:21 +03:00
win_susp_dctask64_proc_inject.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_desktopimgdownldr.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_devtoolslauncher.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_direct_asep_reg_keys_modification.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_disable_ie_features.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_ditsnap.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_dnx.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_double_extension.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_dxcap.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_eventlog_clear.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_exec_folder.yml
Added some suspicious locations
2019-12-10 20:17:40 +03:00
win_susp_execution_path_webserver.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_execution_path.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_explorer_break_proctree.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_explorer.yml
Deleted a part of an already-defined rule
2020-10-11 21:08:17 +03:00
win_susp_file_characteristics.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_findstr_lnk.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_findstr.yml
Fixed OSCD wording
2020-10-09 09:26:01 +03:00
win_susp_finger.yml
finger executable suspicious execution
2020-10-12 13:28:52 +05:30
win_susp_firewall_disable.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_fsutil_usage.yml
fix: rules with duplicate tags
2020-07-27 11:44:47 +02:00
win_susp_gup.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_iss_module_install.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_mpcmdrun_download.yml
Update win_susp_mpcmdrun_download.yml
2020-09-04 16:50:57 +02:00
win_susp_msiexec_cwd.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_msiexec_web_install.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_msoffice.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_net_execution.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_netsh_dll_persistence.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_ntdsutil.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_odbcconf.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_openwith.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_outlook_temp.yml
att&ck tags review: windows/process_creation part 7
2020-08-30 19:17:38 +03:00
win_susp_outlook.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_ping_hex_ip.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_powershell_empire_launch.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_powershell_empire_uac_bypass.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_powershell_enc_cmd.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_powershell_encoded_param.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_powershell_hidden_b64_cmd.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_powershell_parent_combo.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_powershell_parent_process.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_presentationhost_execution.yml
Created rule win_susp_presentationhost_execution.yml
2020-10-08 13:24:59 +03:00
win_susp_print.yml
Fixed OSCD wording
2020-10-09 11:59:08 +03:00
win_susp_procdump.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_prog_location_process_starts.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_ps_appdata.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_ps_downloadfile.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_psr_capture_screenshots.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_rar_flags.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_rasdial_activity.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_recon_activity.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_regsvr32_anomalies.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_regsvr32_flags_anomaly.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_renamed_dctask64.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_renamed_debugview.yml
rule: moved DebugView rule to process creation category
2020-05-28 10:13:38 +02:00
win_susp_run_locations.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_susp_rundll32_activity.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_rundll32_by_ordinal.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_schtask_creation.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_script_execution.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_service_path_modification.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_squirrel_lolbin.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_svchost_no_cli.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_svchost.yml
att&ck tags review: windows/process_creation part 8
2020-08-28 17:14:26 +03:00
win_susp_sysprep_appdata.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_sysvol_access.yml
Removed extra space that broke tests
2020-08-29 04:46:12 +00:00
win_susp_taskmgr_localsystem.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_taskmgr_parent.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_tscon_localsystem.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_tscon_rdp_redirect.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_susp_use_of_csharp_console.yml
fix: fixed several issues
2020-03-09 17:43:16 +01:00
win_susp_userinit_child.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_whoami.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_wmi_execution.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
win_susp_wsl_lolbin.yml
Update win_susp_wsl_lolbin.yml
2020-10-07 08:12:51 +11:00
win_syncappvpublishingserver_exe.yml
[OSCD] win_syncappvpublishingserver_exe.yml added
2020-10-06 19:22:16 +03:00
win_sysmon_driver_unload.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_system_exe_anomaly.yml
Extended Windows processes
2020-05-26 13:56:51 +02:00
win_tap_installer_execution.yml
Rule fixes
2020-02-20 23:00:16 +01:00
win_task_folder_evasion.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_termserv_proc_spawn.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_trust_discovery.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
win_uac_cmstp.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_uac_fodhelper.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_uac_wsreset.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_using_sc_to_change_sevice_image_path_by_non_admin.yml
fixed typo in tag
2020-08-29 20:19:46 +03:00
win_vul_java_remote_debugging.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_webshell_detection.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_webshell_recon_detection.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_webshell_spawn.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_whoami_as_system.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_win10_sched_task_0day.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_wmi_backdoor_exchange_transport_agent.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_wmi_persistence_script_event_consumer.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_wmi_spwns_powershell.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_wmiprvse_spawning_process.yml
Fixing typo in rule: Username to User
2020-07-16 10:09:29 -04:00
win_workflow_compiler.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
win_wsreset_uac_bypass.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00
win_xsl_script_processing.yml
att&ck tags review: windows/process_creation part 9
2020-08-29 19:22:09 +03:00