security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ca8e778476b3e643ddc72baf7641f299d0b42567
blue-team-tools/regression_data/rules/windows/process_creation
T
History
Swachchhanda Shrawan Poudel 180991bc81 Merge PR #5827 from @swachchhanda000 - Update Wmic Service Tampering Rules 
new: Service Startup Type Change Via Wmic.EXE
update: Service Reconnaissance Via Wmic.EXE - Add filters to exclude out legitimate service manipulation cases.

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-27 22:43:22 +02:00
..
proc_creation_win_amsi_registry_tampering
Merge PR #5813 from @swachchhanda000 - Add New AMSI Tampering Rules
2026-01-29 12:38:48 +01:00
proc_creation_win_bitsadmin_download
Merge PR #5802 from @swachchhanda000 - Update Bitsadmin Rules With Regresstion Data
2026-01-29 12:37:55 +01:00
proc_creation_win_bitsadmin_download_direct_ip
Merge PR #5802 from @swachchhanda000 - Update Bitsadmin Rules With Regresstion Data
2026-01-29 12:37:55 +01:00
proc_creation_win_bitsadmin_download_file_sharing_domains
Merge PR #5802 from @swachchhanda000 - Update Bitsadmin Rules With Regresstion Data
2026-01-29 12:37:55 +01:00
proc_creation_win_bitsadmin_download_susp_extensions
Merge PR #5802 from @swachchhanda000 - Update Bitsadmin Rules With Regresstion Data
2026-01-29 12:37:55 +01:00
proc_creation_win_bitsadmin_download_susp_targetfolder
Merge PR #5802 from @swachchhanda000 - Update Bitsadmin Rules With Regresstion Data
2026-01-29 12:37:55 +01:00
proc_creation_win_browsers_chromium_headless_file_download
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_browsers_chromium_load_extension
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_browsers_chromium_mockbin_abuse
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_browsers_chromium_susp_load_extension
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_browsers_inline_file_download
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_browsers_tor_execution
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_certutil_certificate_installation
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_certutil_decode
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_certutil_download
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_certutil_download_direct_ip
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_certutil_download_file_sharing_domains
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_certutil_encode
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_certutil_encode_susp_extensions
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_certutil_encode_susp_location
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_certutil_export_pfx
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_certutil_ntlm_coercion
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_chcp_codepage_lookup
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_chcp_codepage_switch
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_cipher_overwrite_deleted_data
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_clip_execution
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_cmd_assoc_execution
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_cmd_dir_execution
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_cmd_launched_with_hidden_start_flag
Merge PR #5767 from @vl43den - Add Cmd Launched with Hidden Start Flags to Suspicious Targets
2026-01-26 20:02:52 +01:00
proc_creation_win_cmd_mklink_osk_cmd
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_cmd_rmdir_execution
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_cmdkey_adding_generic_creds
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_cmdkey_recon
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_conhost_headless_powershell
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_credential_guard_registry_tampering
Merge PR #5814 from @swachchhanda000 - Add New Credential Guard Tampering Rules
2026-01-29 12:52:08 +01:00
proc_creation_win_curl_cookie_hijacking
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
proc_creation_win_curl_custom_user_agent
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
proc_creation_win_curl_download_direct_ip_exec
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
proc_creation_win_curl_download_direct_ip_susp_extensions
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
proc_creation_win_curl_download_susp_file_sharing_domains
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
proc_creation_win_curl_insecure_connection
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
proc_creation_win_curl_insecure_proxy_or_doh
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
proc_creation_win_curl_local_file_read
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
proc_creation_win_curl_susp_download
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_devcon_disable_vmci_driver
Merge PR #5834 from @MATTANDERS0N - Add Devcon and KDU Execution Rules
2026-01-24 12:36:29 +01:00
proc_creation_win_dirlister_execution
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_discovery_via_reg_queries
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_dism_remove
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_driverquery_recon
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_driverquery_usage
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_dsquery_domain_trust_discovery
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_dtrace_kernel_dump
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_explorer_folder_shortcut_via_shell_binary
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_findstr_gpp_passwords
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_findstr_lsass
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_findstr_recon_everyone
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_findstr_recon_pipe_output
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_findstr_security_keyword_lookup
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_finger_execution
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_github_self_hosted_runner
Merge PR #5782 from @Koifman - Add Github Self-Hosted Runner Execution
2025-12-04 00:55:53 +01:00
proc_creation_win_gpresult_execution
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_hh_chm_execution
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_hktl_edr_freeze
Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules
2025-12-10 15:29:38 +01:00
proc_creation_win_hktl_netexec
Merge PR #5922 from @CHIRAG-DAMANI-08 - Hacktool - NetExec Execution
2026-04-23 15:02:24 +02:00
proc_creation_win_hktl_wsass
Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules
2025-12-10 15:29:38 +01:00
proc_creation_win_hvci_registry_tampering
Merge PR #5811 from @swachchhanda000 - Add New Vulnerable Driver Blocklist and HVCI Tampering Based Rules
2026-01-26 23:53:42 +01:00
proc_creation_win_lolbin_sftp_indirect_cmd_execution
Merge PR #5414 from @swachchhanda000 - Add Indirect Command Execution via SFTP ProxyCommand
2026-04-27 22:26:12 +02:00
proc_creation_win_pua_adfind_enumeration
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_pua_adfind_execution
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_pua_adfind_susp_usage
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_pua_advanced_ip_scanner
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_pua_advanced_port_scanner
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_pua_advancedrun
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_pua_advancedrun_priv_user
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_pua_kdu_driver_tool
Merge PR #5834 from @MATTANDERS0N - Add Devcon and KDU Execution Rules
2026-01-24 12:36:29 +01:00
proc_creation_win_pua_memprocfs
Merge PR #5829 from @swachchhanda000 - Add PUA - Memory Dump Mount Via MemProcFS
2026-04-27 22:30:50 +02:00
proc_creation_win_pua_trufflehog
Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
2026-03-29 14:58:59 +02:00
proc_creation_win_python_base64_encoded_execution
Merge PR #5899 from @HueCodes - new: Python Base64 Encoded Inline Command Execution
2026-04-23 14:37:28 +02:00
proc_creation_win_reg_add_run_key
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_reg_add_safeboot
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_reg_system_language_discovery
Merge PR #5845 from @marcopedrinazzi - Add System Language Discovery via Reg.Exe
2026-03-01 03:55:40 +01:00
proc_creation_win_registry_special_accounts_hide_user
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_renamed_adfind
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_renamed_binary
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_renamed_binary_highly_relevant
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_renamed_curl
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_renamed_ftp
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_renamed_msdt
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_sc_stop_service
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
2025-11-26 11:08:11 +01:00
proc_creation_win_susp_eventlog_content_recon
Merge PR #5788 from @swachchhanda000 - Recon via RDP Logging Event
2025-12-09 08:48:59 +05:45
proc_creation_win_susp_right_to_left_override
Merge PR #5910 from @EzLucky - Update RTLO Related Rules With Additional Coverage
2026-04-01 13:57:31 +02:00
proc_creation_win_susp_script_interpretor_spawn_credential_scanner
Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
2026-03-29 14:58:59 +02:00
proc_creation_win_susp_system_exe_anomaly
Merge PR #5856 from @swachchhanda000 - Add CPL sideloading and Fsquirt entries
2026-02-28 14:21:29 +01:00
proc_creation_win_svchost_masqueraded_execution
Merge PR #5856 from @swachchhanda000 - Add CPL sideloading and Fsquirt entries
2026-02-28 14:21:29 +01:00
proc_creation_win_user_shell_folders_registry_modification
Merge PR #5857 from @swachchhanda000 - chore: add missing json logs
2026-03-03 12:01:07 +01:00
proc_creation_win_vulnerable_driver_blocklist_registry_tampering
Merge PR #5811 from @swachchhanda000 - Add New Vulnerable Driver Blocklist and HVCI Tampering Based Rules
2026-01-26 23:53:42 +01:00
proc_creation_win_werfaultsecure_abuse
Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules
2025-12-10 15:29:38 +01:00
proc_creation_win_wmic_service_startup_change
Merge PR #5827 from @swachchhanda000 - Update Wmic Service Tampering Rules
2026-04-27 22:43:22 +02:00