security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d27d120401dba7168da4cd49a153e8146437b540
blue-team-tools/rules/windows/process_creation
T
History
Swachchhanda Shrawan Poudel d27d120401
Create Release / Create Release (push) Has been cancelled
Details
Merge PR #5183 from @swachchhanda000 - add rules for malware abusing grimresource and RTLO techniques 
new: MMC Loading Script Engines DLLs
new: Potentially Suspicious Child Processes Spawned by ConHost
new: Scheduled Task Creation Masquerading as System Processes
new: Schtasks Curl Download and Powershell Execution Combination
new: MMC Executing Files with Reversed Extensions Using RTLO Abuse
update: Potential Defense Evasion Via Right-to-Left Override - add `[U+202E]`
update: Potential File Extension Spoofing Using Right-to-Left Override - add `[U+202E]` and more extensions

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-01 14:16:23 +02:00
..
proc_creation_win_7zip_exfil_dmp_files.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_7zip_password_compression.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_acccheckconsole_execution.yml
Merge PR #4937 from @nasbench - Multiple updates and fixes
2024-08-29 14:43:32 +02:00
proc_creation_win_addinutil_suspicious_cmdline.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_addinutil_uncommon_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_addinutil_uncommon_cmdline.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_addinutil_uncommon_dir_exec.yml
Merge PR #5208 from @swachchhanda000 - Fix FPs and added coverage for ARM based windows dotnet paths
2025-06-04 17:44:31 +02:00
proc_creation_win_adplus_memory_dump.yml
Merge PR #5258 from @david-syk - Update Potential Adplus.EXE Abuse tags
2025-04-17 00:40:41 +02:00
proc_creation_win_agentexecutor_potential_abuse.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_agentexecutor_susp_usage.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_appvlp_uncommon_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_aspnet_compiler_exectuion.yml
Merge PR #5208 from @swachchhanda000 - Fix FPs and added coverage for ARM based windows dotnet paths
2025-06-04 17:44:31 +02:00
proc_creation_win_aspnet_compiler_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_aspnet_compiler_susp_paths.yml
Merge PR #5208 from @swachchhanda000 - Fix FPs and added coverage for ARM based windows dotnet paths
2025-06-04 17:44:31 +02:00
proc_creation_win_at_interactive_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_atbroker_uncommon_ats_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_attrib_hiding_files.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_attrib_system_susp_paths.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_auditpol_nt_resource_kit_usage.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_auditpol_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_autorun_registry_modified_via_wmic.yml
Merge PR #5196 from @swachchhanda000 - Updated and Added rules related to Autorun Registry
2025-05-12 13:28:51 +02:00
proc_creation_win_bash_command_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_bash_file_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_bcdedit_boot_conf_tamper.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_bcdedit_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_bcp_export_data.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_bginfo_suspicious_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_bginfo_uncommon_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_bitlockertogo_execution.yml
Merge PR #5448 from @nasbench - Promote older rules status from experimental to test
2025-06-02 13:29:48 +02:00
proc_creation_win_bitsadmin_download_direct_ip.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_bitsadmin_download_file_sharing_domains.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_bitsadmin_download_susp_extensions.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_bitsadmin_download_susp_targetfolder.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_bitsadmin_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_bitsadmin_potential_persistence.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_browsers_chromium_headless_debugging.yml
Merge PR #5579 from @Liran017 - Update MITRE ATT&CK tags for multiple rules
2025-08-14 14:08:21 +02:00
proc_creation_win_browsers_chromium_headless_exec.yml
Merge PR #5579 from @Liran017 - Update MITRE ATT&CK tags for multiple rules
2025-08-14 14:08:21 +02:00
proc_creation_win_browsers_chromium_headless_file_download.yml
Merge PR #5579 from @Liran017 - Update MITRE ATT&CK tags for multiple rules
2025-08-14 14:08:21 +02:00
proc_creation_win_browsers_chromium_load_extension.yml
Merge PR #5579 from @Liran017 - Update MITRE ATT&CK tags for multiple rules
2025-08-14 14:08:21 +02:00
proc_creation_win_browsers_chromium_mockbin_abuse.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_browsers_chromium_susp_load_extension.yml
Merge PR #5579 from @Liran017 - Update MITRE ATT&CK tags for multiple rules
2025-08-14 14:08:21 +02:00
proc_creation_win_browsers_inline_file_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_browsers_remote_debugging.yml
Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags
2025-05-20 23:09:23 +02:00
proc_creation_win_browsers_tor_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_calc_uncommon_exec.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cdb_arbitrary_command_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_certmgr_certificate_installation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_certoc_download_direct_ip.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_win_certoc_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_certoc_load_dll_susp_locations.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_certoc_load_dll.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_certutil_certificate_installation.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_certutil_decode.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_certutil_download_direct_ip.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_certutil_download_file_sharing_domains.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_certutil_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_certutil_encode_susp_extensions.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_certutil_encode_susp_location.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_certutil_encode.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_certutil_export_pfx.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_certutil_ntlm_coercion.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_chcp_codepage_lookup.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_chcp_codepage_switch.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cipher_overwrite_deleted_data.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_citrix_trolleyexpress_procdump.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_clip_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cloudflared_portable_execution.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_cloudflared_quicktunnel_execution.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_cloudflared_tunnel_cleanup.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_cloudflared_tunnel_run.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_cmd_assoc_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_copy_dmp_from_share.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_curl_download_exec_combo.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_cmd_del_execution.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_cmd_del_greedy_deletion.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_dir_execution.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_cmd_dosfuscation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_http_appdata.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_mklink_osk_cmd.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_net_use_and_exec_combo.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_no_space_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_ntdllpipe_redirect.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_path_traversal.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_ping_copy_combined_execution.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_cmd_ping_del_combined_execution.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_cmd_redirection_susp_folder.yml
Merge PR #5177 from @nasbench - promote older rules status from experimental to test
2025-02-03 18:23:12 +01:00
proc_creation_win_cmd_rmdir_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_shadowcopy_access.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_stdin_redirect.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_sticky_keys_replace.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_type_arbitrary_file_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmd_unusual_parent.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_cmdkey_adding_generic_creds.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_cmdkey_recon.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_cmdl32_arbitrary_file_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_cmstp_execution_by_creation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_configsecuritypolicy_download_file.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_conhost_headless_powershell.yml
Merge PR #5579 from @Liran017 - Update MITRE ATT&CK tags for multiple rules
2025-08-14 14:08:21 +02:00
proc_creation_win_conhost_legacy_option.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_conhost_path_traversal.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_conhost_susp_child_process.yml
Merge PR #5183 from @swachchhanda000 - add rules for malware abusing grimresource and RTLO techniques
2025-10-01 14:16:23 +02:00
proc_creation_win_conhost_susp_winshell_child_process.yml
Merge PR #5183 from @swachchhanda000 - add rules for malware abusing grimresource and RTLO techniques
2025-10-01 14:16:23 +02:00
proc_creation_win_conhost_uncommon_parent.yml
Merge PR #5224 from @swachchhanda000 - Fix Multiple FPs
2025-04-07 11:05:53 +02:00
proc_creation_win_control_panel_item.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_createdump_lolbin_execution.yml
Merge PR #5380 from @david-syk - Update MITRE ATT&CK tags 2nd batch
2025-04-25 21:01:12 +02:00
proc_creation_win_csc_susp_dynamic_compilation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_csc_susp_parent.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_csi_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_csi_use_of_csharp_console.yml
Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags
2025-05-20 23:09:50 +02:00
proc_creation_win_csvde_export.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_curl_cookie_hijacking.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_curl_custom_user_agent.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_curl_download_direct_ip_exec.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_win_curl_download_direct_ip_susp_extensions.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_curl_download_susp_file_sharing_domains.yml
Merge PR #5637 from @nasbench - Promote older rules status from experimental to test
2025-09-22 11:41:37 +02:00
proc_creation_win_curl_insecure_connection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_curl_insecure_porxy_or_doh.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_curl_local_file_read.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_curl_susp_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
Merge PR #5168 from @defensivedepth - Prepend algo to hash values
2025-01-22 22:29:33 +01:00
proc_creation_win_defaultpack_uncommon_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_defender_default_action_modified.yml
Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion
2025-07-28 13:25:23 +02:00
proc_creation_win_defender_remove_context_menu.yml
Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion
2025-07-28 13:25:23 +02:00
proc_creation_win_desktopimgdownldr_remote_file_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_desktopimgdownldr_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_deviceenroller_dll_sideloading.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
proc_creation_win_devinit_lolbin_usage.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dfsvc_suspicious_child_processes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dirlister_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_discovery_via_reg_queries.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_diskshadow_child_process_susp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_diskshadow_script_mode_susp_ext.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_diskshadow_script_mode_susp_location.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_dism_enable_powershell_web_access_feature.yml
Merge PR #4997 from @MHaggis - Add rules related to PowerShell Web Access
2024-09-03 22:17:47 +02:00
proc_creation_win_dism_remove.yml
Merge PR #4997 from @MHaggis - Add rules related to PowerShell Web Access
2024-09-03 22:17:47 +02:00
proc_creation_win_dll_sideload_vmware_xfer.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
proc_creation_win_dllhost_no_cli_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dns_exfiltration_tools_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dns_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dnscmd_discovery.yml
Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags
2025-05-20 23:05:21 +02:00
proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
proc_creation_win_dnx_execute_csharp_code.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dotnet_trace_lolbin_execution.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_dotnetdump_memory_dump.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_driverquery_recon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_driverquery_usage.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dsacls_abuse_permissions.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dsacls_password_spray.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dsquery_domain_trust_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dtrace_kernel_dump.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dump64_defender_av_bypass_rename.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_dumpminitool_execution.yml
Merge PR #5380 from @david-syk - Update MITRE ATT&CK tags 2nd batch
2025-04-25 21:01:12 +02:00
proc_creation_win_dumpminitool_susp_execution.yml
Merge PR #5380 from @david-syk - Update MITRE ATT&CK tags 2nd batch
2025-04-25 21:01:12 +02:00
proc_creation_win_dxcap_arbitrary_binary_execution.yml
Merge PR #4937 from @nasbench - Multiple updates and fixes
2024-08-29 14:43:32 +02:00
proc_creation_win_esentutl_params.yml
Merge PR #5451 from @frack113 - chore: cleanup metadata
2025-06-04 13:33:36 +02:00
proc_creation_win_esentutl_sensitive_file_copy.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_esentutl_webcache.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_event_logging_disable_via_key_minint.yml
Merge PR #5257 from @swachchhanda000 - Security Event Logging Disabled Via MiniNt Registry Key
2025-10-01 14:04:22 +02:00
proc_creation_win_eventvwr_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_expand_cabinet_files.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_explorer_break_process_tree.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_explorer_nouaccheck.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_filefix_browsers.yml
Merge PR #5503 from @ajpc500 - include cmd.exe child process
2025-07-01 10:21:27 +02:00
proc_creation_win_findstr_download.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_findstr_gpp_passwords.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_findstr_lnk.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_findstr_lsass.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_findstr_recon_everyone.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_findstr_recon_pipe_output.yml
Merge PR #5397 from @nasbench - Promote older rules status from experimental to test
2025-05-20 22:58:46 +02:00
proc_creation_win_findstr_security_keyword_lookup.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_findstr_subfolder_search.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_finger_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_fltmc_unload_driver_sysmon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_fltmc_unload_driver.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_forfiles_child_process_masquerading.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_forfiles_proxy_execution_.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_format_uncommon_filesystem_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_fsi_fsharp_code_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_fsutil_drive_enumeration.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_fsutil_symlinkevaluation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_fsutil_usage.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ftp_arbitrary_command_execution.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_git_susp_clone.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_googleupdate_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_gpg4win_decryption.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_gpg4win_encryption.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_gpg4win_portable_execution.yml
Merge PR #5451 from @frack113 - chore: cleanup metadata
2025-06-04 13:33:36 +02:00
proc_creation_win_gpg4win_susp_location.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_gpresult_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_gup_arbitrary_binary_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_gup_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_gup_suspicious_execution.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
proc_creation_win_hh_chm_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hh_chm_remote_download_or_execution.yml
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
2024-12-01 13:40:32 +01:00
proc_creation_win_hh_html_help_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hh_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_adcspwn.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_bloodhound_sharphound.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_c3_rundll32_pattern.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_certify.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_certipy.yml
Merge PR #5008 from @BlackB0lt - Update HackTool - Certipy Execution
2024-10-08 22:37:23 +02:00
proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_cobaltstrike_process_patterns.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_coercedpotato.yml
Merge PR #5666 from @nasbench - chore: promote older rules status from experimental to test
2025-10-01 10:03:28 +02:00
proc_creation_win_hktl_covenant.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_crackmapexec_execution_patterns.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_crackmapexec_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_crackmapexec_patterns.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_createminidump.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_hktl_dinjector.yml
Merge PR #5007 from @fukusuket - Fix unreachable GitHub URL references
2024-09-13 11:14:11 +02:00
proc_creation_win_hktl_doppelganger.yml
Merge PR #5509 from @swachchhanda000 - Doppelganger Cloning and Dumping LSASS
2025-07-03 11:55:58 +02:00
proc_creation_win_hktl_dumpert.yml
Merge PR #5168 from @defensivedepth - Prepend algo to hash values
2025-01-22 22:29:33 +01:00
proc_creation_win_hktl_edrsilencer.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_hktl_empire_powershell_launch.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_empire_powershell_uac_bypass.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_evil_winrm.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_execution_via_imphashes.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_hktl_execution_via_pe_metadata.yml
Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags
2025-05-20 23:05:21 +02:00
proc_creation_win_hktl_gmer.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_hktl_handlekatz.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_hktl_hashcat.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_hollowreaper.yml
Merge PR #5509 from @swachchhanda000 - Doppelganger Cloning and Dumping LSASS
2025-07-03 11:55:58 +02:00
proc_creation_win_hktl_htran_or_natbypass.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_hydra.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_impacket_lateral_movement.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_impacket_tools.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_hktl_impersonate.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_hktl_inveigh.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_invoke_obfuscation_clip.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_invoke_obfuscation_stdin.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_invoke_obfuscation_var.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_invoke_obfuscation_via_var.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_jlaive_batch_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_koadic.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_krbrelay_remote.yml
Merge PR #5397 from @nasbench - Promote older rules status from experimental to test
2025-05-20 22:58:46 +02:00
proc_creation_win_hktl_krbrelay.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_krbrelayup.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_lazagne.yml
Merge PR #5599 from @swachchhanda000 - fix FPs around pyinstaller
2025-10-01 11:46:41 +02:00
proc_creation_win_hktl_localpotato.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_hktl_meterpreter_getsystem.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_mimikatz_command_line.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_pchunter.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_hktl_powersploit_empire_default_schtasks.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_powertool.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_purplesharp_indicators.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_pypykatz.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_quarks_pwdump.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_redmimicry_winnti_playbook.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_relay_attacks_tools.yml
Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags
2025-05-20 23:09:23 +02:00
proc_creation_win_hktl_rubeus.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_safetykatz.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_secutyxploded.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_selectmyparent.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_hktl_sharp_chisel.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_sharp_dpapi_execution.yml
Merge PR #5397 from @nasbench - Promote older rules status from experimental to test
2025-05-20 22:58:46 +02:00
proc_creation_win_hktl_sharp_impersonation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_sharp_ldap_monitor.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_sharpersist.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_sharpevtmute.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_sharpldapwhoami.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_sharpmove.yml
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
2024-12-01 13:40:32 +01:00
proc_creation_win_hktl_sharpsuccessor_execution.yml
Merge PR #5471 from @swachchhanda000 - feat: BadSuccessor Exploits Detection
2025-06-12 12:51:36 +02:00
proc_creation_win_hktl_sharpup.yml
Merge PR #5381 from @david-syk - Update MITRE ATT&CK tags
2025-04-25 20:55:51 +02:00
proc_creation_win_hktl_sharpview.yml
Merge PR #5451 from @frack113 - chore: cleanup metadata
2025-06-04 13:33:36 +02:00
proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_hktl_silenttrinity_stager.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_sliver_c2_execution_pattern.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_soaphound_execution.yml
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
2024-12-01 13:40:32 +01:00
proc_creation_win_hktl_stracciatella_execution.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_hktl_sysmoneop.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_hktl_trufflesnout.yml
Merge PR #5451 from @frack113 - chore: cleanup metadata
2025-06-04 13:33:36 +02:00
proc_creation_win_hktl_uacme.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_hktl_wce.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_hktl_winpeas.yml
Merge PR #5381 from @david-syk - Update MITRE ATT&CK tags
2025-04-25 20:55:51 +02:00
proc_creation_win_hktl_winpwn.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_hktl_wmiexec_default_powershell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hktl_xordump.yml
Merge PR #5380 from @david-syk - Update MITRE ATT&CK tags 2nd batch
2025-04-25 21:01:12 +02:00
proc_creation_win_hktl_zipexec.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hostname_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hwp_exploits.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_hxtsr_masquerading.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_icacls_deny.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ieexec_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_iexpress_susp_execution.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_iis_appcmd_http_logging.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_iis_appcmd_service_account_password_dumped.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_iis_appcmd_susp_module_install.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_iis_connection_strings_decryption.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_iis_susp_module_registration.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ilasm_il_code_compilation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_imagingdevices_unusual_parents.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_imewbdld_download.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_installutil_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_instalutil_no_log_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_java_keytool_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_java_manageengine_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_java_remote_debugging.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_java_susp_child_process_2.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_java_susp_child_process.yml
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
2024-12-01 13:40:32 +01:00
proc_creation_win_java_sysaidserver_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_jsc_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_kavremover_uncommon_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_kd_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
Merge PR #5492 from @swachchhanda000 - Kerberos Coercion Via DNS SPN Spoofing
2025-07-08 11:35:45 +02:00
proc_creation_win_keyscrambler_susp_child_process.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
proc_creation_win_ksetup_password_change_computer.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ksetup_password_change_user.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ldifde_export.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ldifde_file_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_link_uncommon_parent_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lodctr_performance_counter_tampering.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_logman_disable_eventlog.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_customshellhost.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_device_credential_deployment.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_devtoolslauncher.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_diantz_ads.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_diantz_remote_cab.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_extrac32_ads.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_extrac32.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_gather_network_info.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_gpscript.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_ie4uinit.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_launch_vsdevshell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_manage_bde.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_mavinject_process_injection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_mpiexec.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_lolbin_msdeploy.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_msdt_answer_file.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_openconsole.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_openwith.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_pcalua.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_pcwrun_follina.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_pcwrun.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_pcwutl.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_pester_1.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_pester.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_printbrm.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_pubprn.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_rasautou_dll_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_register_app.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_remote.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_replace.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_lolbin_runexehelper.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_runscripthelper.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_scriptrunner.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_settingsynchost.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_sftp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_susp_certreq_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_susp_grpconv.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_susp_sqldumper_activity.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_tracker.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_ttdinject.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_tttracer_mod_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_unregmp2.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_lolbin_utilityfunctions.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_visual_basic_compiler.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_visualuiaverifynative.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_vsiisexelauncher.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolbin_wfc.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lolscript_register_app.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_lsass_process_clone.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mftrace_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mmc_mmc20_lateral_movement.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_mmc_rlo_abuse_pattern.yml
Merge PR #5183 from @swachchhanda000 - add rules for malware abusing grimresource and RTLO techniques
2025-10-01 14:16:23 +02:00
proc_creation_win_mmc_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mode_codepage_russian.yml
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
2024-12-01 13:40:32 +01:00
proc_creation_win_mofcomp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mpcmdrun_dll_sideload_defender.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
proc_creation_win_mpcmdrun_download_arbitrary_file.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_msbuild_susp_parent_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_msdt_arbitrary_command_execution.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_msdt_susp_cab_options.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_msdt_susp_parent.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_msedge_proxy_download.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_mshta_http.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mshta_inline_vbscript.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mshta_javascript.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mshta_lethalhta_technique.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mshta_susp_child_processes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mshta_susp_execution.yml
Merge PR #5413 from @swachchhanda000 - feat: Mshta more susp extension added
2025-06-11 11:30:31 +02:00
proc_creation_win_mshta_susp_pattern.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_msiexec_dll.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_msiexec_embedding.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_msiexec_execute_dll.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_msiexec_install_quiet.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_msiexec_install_remote.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_msiexec_masquerading.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_msiexec_web_install.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_msohtmed_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mspub_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_msra_process_injection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mssql_sqlps_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mssql_sqltoolsps_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mssql_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mssql_veaam_susp_child_processes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mstsc_rdp_hijack_shadowing.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_mstsc_remote_connection.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_mstsc_run_local_rdp_file.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
Merge PR #5451 from @frack113 - chore: cleanup metadata
2025-06-04 13:33:36 +02:00
proc_creation_win_msxsl_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_msxsl_remote_execution.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_net_groups_and_accounts_recon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_share_unmount.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_start_service.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_stop_service.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_use_mount_admin_share.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_use_mount_internet_share.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_use_mount_share.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_use_network_connections_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_use_password_plaintext.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_user_add_never_expire.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_user_add.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_user_default_accounts_manipulation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_net_view_share_and_sessions_enum.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_fw_add_rule.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_fw_allow_rdp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_fw_delete_rule.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_fw_disable.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_fw_enable_group_rule.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_fw_rules_discovery.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_netsh_fw_set_rule.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_helper_dll_persistence.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_packet_capture.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_port_forwarding_3389.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_port_forwarding.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_netsh_wifi_credential_harvesting.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_nltest_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_nltest_recon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_node_abuse.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_node_adobe_creative_cloud_abuse.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_notepad_local_passwd_discovery.yml
Merge PR #5198 from @DFIR-Detection - Add Notepad Password Files Discovery
2025-03-05 00:24:11 +01:00
proc_creation_win_nslookup_domain_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_nslookup_poweshell_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ntdsutil_susp_usage.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ntdsutil_usage.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_odbcconf_driver_install_susp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_odbcconf_driver_install.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_odbcconf_exec_susp_locations.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_odbcconf_register_dll_regsvr.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_odbcconf_response_file_susp.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_odbcconf_response_file.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_odbcconf_uncommon_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_office_arbitrary_cli_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_office_excel_dcom_lateral_movement.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_office_exec_from_trusted_locations.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_win_office_onenote_embedded_script_execution.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_win_office_onenote_susp_child_processes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml
Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags
2025-05-20 23:09:50 +02:00
proc_creation_win_office_outlook_execution_from_temp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_office_outlook_susp_child_processes_remote.yml
Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags
2025-05-20 23:09:50 +02:00
proc_creation_win_office_outlook_susp_child_processes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_office_spawn_exe_from_users_directory.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_office_susp_child_processes.yml
Merge PR #5451 from @frack113 - chore: cleanup metadata
2025-06-04 13:33:36 +02:00
proc_creation_win_office_winword_dll_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_offlinescannershell_mpclient_sideloading.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pdqdeploy_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pdqdeploy_runner_susp_children.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_perl_inline_command_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_php_inline_command_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ping_hex_ip.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pktmon_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_plink_port_forwarding.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_plink_susp_tunneling.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powercfg_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
Merge PR #5186 from @swachchhanda000 - Increase coverage of AADinternals rules
2025-02-17 12:11:55 +01:00
proc_creation_win_powershell_active_directory_module_dll_import.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_add_windows_capability.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_amsi_init_failed_bypass.yml
Merge PR #4961 from @tsale - Add multiples rules and updates
2024-08-29 19:21:47 +02:00
proc_creation_win_powershell_amsi_null_bits_bypass.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_audio_capture.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_base64_encoded_cmd_patterns.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_base64_encoded_cmd.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_base64_encoded_obfusc.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_base64_frombase64string.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_base64_hidden_flag.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_base64_iex.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_base64_invoke.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_base64_mppreference.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_base64_reflection_assembly_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_base64_wmi_classes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_cl_invocation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_cl_loadassembly.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_cl_mutexverifiers.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_cmdline_convertto_securestring.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_cmdline_reversed_strings.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_cmdline_special_characters.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_comobject_msi_remote.yml
Merge PR #5466 from @vx3r - PowerShell MSI Install via WindowsInstaller COM From Remote Location
2025-06-25 11:44:02 +02:00
proc_creation_win_powershell_comobject_msi.yml
Merge PR #5436 from @vx3r - Obfuscated PowerShell MSI Install via WindowsInstaller COM
2025-06-04 13:50:39 +02:00
proc_creation_win_powershell_computer_discovery_get_adcomputer.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_console_history_file_access.yml
Merge PR #5253 from @EzLucky - Potential PowerShell Console History File Access Attempt
2025-09-22 12:53:59 +02:00
proc_creation_win_powershell_create_service.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_decode_gzip.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_decrypt_pattern.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_powershell_defender_disable_feature.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_defender_exclusion.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_disable_firewall.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_disable_ie_features.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_downgrade_attack.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_download_com_cradles.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_download_cradle_obfuscated.yml
Merge PR #5265 form @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules
2025-04-17 21:42:17 +02:00
proc_creation_win_powershell_download_dll.yml
Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules
2025-07-28 13:32:57 +02:00
proc_creation_win_powershell_download_iex.yml
Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules
2025-07-28 13:32:57 +02:00
proc_creation_win_powershell_download_patterns.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_download_susp_file_sharing_domains.yml
Merge PR #5637 from @nasbench - Promote older rules status from experimental to test
2025-09-22 11:41:37 +02:00
proc_creation_win_powershell_dsinternals_cmdlets.yml
Merge PR #5397 from @nasbench - Promote older rules status from experimental to test
2025-05-20 22:58:46 +02:00
proc_creation_win_powershell_email_exfil.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_encode.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_encoding_patterns.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_exec_data_file.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_export_certificate.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_frombase64string_archive.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_frombase64string.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_powershell_get_clipboard.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_get_localgroup_member_recon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_getprocess_lsass.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_hide_services_via_set_service.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_iex_patterns.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_import_cert_susp_locations.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_import_module_susp_dirs.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_install_unsigned_appx_packages.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_invocation_specific.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules
2025-07-28 13:32:57 +02:00
proc_creation_win_powershell_invoke_webrequest_download.yml
Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules
2025-07-28 13:32:57 +02:00
proc_creation_win_powershell_mailboxexport_share.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_malicious_cmdlets.yml
Merge PR #5515 from @X-Junior - coverage for Invoke-PowerDPAPI
2025-07-07 12:19:55 +02:00
proc_creation_win_powershell_msexchange_transport_agent.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_non_interactive_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_obfuscation_via_utf8.yml
Merge PR #5219 from @nikstuckenbrock - Update Potential PowerShell Obfuscation Via WCHAR/CHAR
2025-06-04 17:39:06 +02:00
proc_creation_win_powershell_public_folder.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_remove_mppreference.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_reverse_shell_connection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_run_script_from_ads.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_run_script_from_input_stream.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_sam_access.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_script_engine_parent.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_service_dacl_modification_set_service.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_set_acl_susp_location.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_set_acl.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_set_policies_to_unsecure_level.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_set_service_disabled.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_shadowcopy_deletion.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_snapins_hafnium.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_stop_service.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_susp_download_patterns.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_susp_parameter_variation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_susp_parent_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_susp_ps_appdata.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_susp_ps_downloadfile.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_token_obfuscation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_uninstall_defender_feature.yml
Merge PR #5619 from @YxinMiracle - Suspicious Uninstall of Windows Defender Feature via PowerShell
2025-10-01 10:54:12 +02:00
proc_creation_win_powershell_user_discovery_get_aduser.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_webclient_casing.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_x509enrollment.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_xor_commandline.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_powershell_zip_compress.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_presentationhost_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_presentationhost_uncommon_location_exec.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pressanykey_lolbin_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_print_remote_file_copy.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_protocolhandler_download.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_provlaunch_potential_abuse.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_provlaunch_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_psr_capture_screenshots.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_3proxy_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_adfind_enumeration.yml
Merge PR #5203 from @swachchhanda000 - Update AdFind rules
2025-05-20 23:03:13 +02:00
proc_creation_win_pua_adfind_execution.yml
Merge PR #5203 from @swachchhanda000 - Update AdFind rules
2025-05-20 23:03:13 +02:00
proc_creation_win_pua_adfind_susp_usage.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_advanced_ip_scanner.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_advanced_port_scanner.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_advancedrun_priv_user.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_advancedrun.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_chisel.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_cleanwipe.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_crassus.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_pua_csexec.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_defendercheck.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_ditsnap.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_frp.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_pua_iox.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_pua_mouselock_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_netcat.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_netscan.yml
Merge PR #5216 from @nasbench - Promote older rules status from experimental to test
2025-03-05 00:23:27 +01:00
proc_creation_win_pua_ngrok.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_nimgrab.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_pua_nimscan.yml
Merge PR #5184 from @swachchhanda000 - Add PUA - NimScan Execution
2025-02-17 12:07:45 +01:00
proc_creation_win_pua_nircmd_as_system.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_nircmd.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_nmap_zenmap.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_nps.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_pua_nsudo.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_pingcastle_script_parent.yml
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
2024-12-01 13:40:32 +01:00
proc_creation_win_pua_pingcastle.yml
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
2024-12-01 13:40:32 +01:00
proc_creation_win_pua_process_hacker.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_pua_radmin.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_rcedit_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_rclone_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_runxcmd.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_seatbelt.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_system_informer.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_pua_webbrowserpassview.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_pua_wsudo_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_python_adidnsdump.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_python_inline_command_execution.yml
Merge PR #5173 from @X-Junior - New rule additions and some fixes
2025-02-22 23:57:41 +01:00
proc_creation_win_python_pty_spawn.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_qemu_suspicious_execution.yml
Merge PR #5249 from @nasbench - Promote older rules status from experimental to test
2025-04-17 00:41:35 +02:00
proc_creation_win_query_session_exfil.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_quickassist_execution.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_rar_compress_data.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rar_compression_with_password.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rar_susp_greedy_compression.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_rasdial_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rdrleakdiag_process_dumping.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_reagentc_disable_windows_recovery_environment.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_reg_add_run_key.yml
Merge PR #5196 from @swachchhanda000 - Updated and Added rules related to Autorun Registry
2025-05-12 13:28:51 +02:00
proc_creation_win_reg_add_safeboot.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_bitlocker.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_credential_access_via_password_filter.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_defender_exclusion.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_delete_safeboot.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_delete_services.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_desktop_background_change.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_reg_direct_asep_registry_keys_modification.yml
Merge PR #5196 from @swachchhanda000 - Updated and Added rules related to Autorun Registry
2025-05-12 13:28:51 +02:00
proc_creation_win_reg_disable_defender_wmi_autologger.yml
Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion
2025-07-28 13:25:23 +02:00
proc_creation_win_reg_disable_sec_services.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_dumping_sensitive_hives.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_enable_windows_recall.yml
Merge PR #5249 from @nasbench - Promote older rules status from experimental to test
2025-04-17 00:41:35 +02:00
proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_import_from_suspicious_paths.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_lsa_disable_restricted_admin.yml
Merge PR #5631 from @ david-syk - remove trailing slash
2025-09-22 12:15:35 +02:00
proc_creation_win_reg_lsa_ppl_protection_disabled.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_machineguid.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_modify_group_policy_settings.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_nolmhash.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_open_command.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_query_registry.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_rdp_keys_tamper.yml
Merge PR #5265 form @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules
2025-04-17 21:42:17 +02:00
proc_creation_win_reg_screensaver.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_service_imagepath_change.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_reg_software_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_susp_paths.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_volsnap_disable.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_reg_windows_defender_tamper.yml
Merge PR #5557 from @phantinuss - Bump pySigma-validators-sigmahq to 0.10
2025-08-14 14:29:11 +02:00
proc_creation_win_reg_write_protect_for_storage_disabled.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regasm_no_flag_or_dll_execution.yml
Merge PR #4901 from @frack113 - Regasm Without CommandLine
2025-06-11 11:25:56 +02:00
proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regedit_export_critical_keys.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_regedit_export_keys.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_regedit_import_keys_ads.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_regedit_import_keys.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_regedit_trustedinstaller.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regini_ads.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regini_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_registry_cimprovider_dll_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_registry_enumeration_for_credentials_cli.yml
Merge PR #5429 from @swachchhanda000 - Katz stealer malware
2025-05-26 10:33:24 +02:00
proc_creation_win_registry_export_of_thirdparty_creds.yml
Merge PR #5429 from @swachchhanda000 - Katz stealer malware
2025-05-26 10:33:24 +02:00
proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_registry_install_reg_debugger_backdoor.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_registry_logon_script.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_registry_new_network_provider.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_registry_office_disable_python_security_warnings.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_win_registry_privilege_escalation_via_service_key.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_registry_provlaunch_provisioning_command.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_registry_set_unsecure_powershell_policy.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_registry_special_accounts_hide_user.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_registry_typed_paths_persistence.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regsvr32_flags_anomaly.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_regsvr32_http_ip_pattern.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regsvr32_network_pattern.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regsvr32_remote_share.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regsvr32_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regsvr32_susp_exec_path_1.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regsvr32_susp_exec_path_2.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regsvr32_susp_extensions.yml
Merge PR #5629 from @swachchhanda000 - increase rule coverage
2025-09-22 12:18:11 +02:00
proc_creation_win_regsvr32_susp_parent.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_regsvr32_uncommon_extension.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml
Merge PR #5149 from @nasbench - Promote older rules status from experimental to test
2025-01-06 15:36:19 +01:00
proc_creation_win_remote_access_tools_anydesk_silent_install.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_remote_access_tools_anydesk.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_remote_access_tools_gotoopener.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_remote_access_tools_logmein.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_remote_access_tools_meshagent_arguments.yml
Merge PR #5426 from @norbert791 - New rules: Remote Access Tool MeshAgent
2025-06-24 11:19:53 +02:00
proc_creation_win_remote_access_tools_meshagent_exec.yml
Merge PR #5572 from @nasbench - Promote older rules status from experimental to test
2025-08-14 14:05:46 +02:00
proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_remote_access_tools_netsupport.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml
Merge PR #5426 from @norbert791 - New rules: Remote Access Tool MeshAgent
2025-06-24 11:19:53 +02:00
proc_creation_win_remote_access_tools_rurat_non_default_location.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml
Merge PR #5149 from @nasbench - Promote older rules status from experimental to test
2025-01-06 15:36:19 +01:00
proc_creation_win_remote_access_tools_screenconnect_webshell.yml
Merge PR #5149 from @nasbench - Promote older rules status from experimental to test
2025-01-06 15:36:19 +01:00
proc_creation_win_remote_access_tools_screenconnect.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_remote_access_tools_simple_help.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_remote_access_tools_tacticalrmm_agent_registration_via_cli.yml
Merge PR #5442 from @egycondor - TacticalRMM Agent Registration to Potential Attacker-Controlled Server
2025-09-22 12:47:36 +02:00
proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
Merge PR #5177 from @nasbench - promote older rules status from experimental to test
2025-02-03 18:23:12 +01:00
proc_creation_win_remote_access_tools_ultraviewer.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_remote_time_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_adfind.yml
Merge PR #5203 from @swachchhanda000 - Update AdFind rules
2025-05-20 23:03:13 +02:00
proc_creation_win_renamed_autohotkey.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_autoit.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_renamed_binary_highly_relevant.yml
Merge PR #5107 from @mgreen27 - Update Potential Defense Evasion Via Rename Of Highly Relevant Binaries
2024-12-03 22:14:54 +01:00
proc_creation_win_renamed_binary.yml
Merge PR #5524 from @swachchhanda000 - add 7za to Renamed 7-Zip Execution
2025-07-16 13:34:33 +02:00
proc_creation_win_renamed_boinc.yml
Merge PR #5448 from @nasbench - Promote older rules status from experimental to test
2025-06-02 13:29:48 +02:00
proc_creation_win_renamed_browsercore.yml
Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags
2025-05-20 23:09:50 +02:00
proc_creation_win_renamed_cloudflared.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_renamed_createdump.yml
Merge PR #5380 from @david-syk - Update MITRE ATT&CK tags 2nd batch
2025-04-25 21:01:12 +02:00
proc_creation_win_renamed_curl.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_win_renamed_dctask64.yml
Merge PR #5168 from @defensivedepth - Prepend algo to hash values
2025-01-22 22:29:33 +01:00
proc_creation_win_renamed_ftp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_gpg4win.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_jusched.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_mavinject.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_megasync.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_msdt.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_msteams.yml
Merge PR #5448 from @nasbench - Promote older rules status from experimental to test
2025-06-02 13:29:48 +02:00
proc_creation_win_renamed_netsupport_rat.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_renamed_nircmd.yml
Merge PR #5177 from @nasbench - promote older rules status from experimental to test
2025-02-03 18:23:12 +01:00
proc_creation_win_renamed_office_processes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_paexec.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_renamed_pingcastle.yml
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
2024-12-01 13:40:32 +01:00
proc_creation_win_renamed_plink.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_pressanykey.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_rundll32_dllregisterserver.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_rurat.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_sysinternals_debugview.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_sysinternals_procdump.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_renamed_sysinternals_psexec_service.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_sysinternals_sdelete.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_renamed_vmnat.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
proc_creation_win_renamed_whoami.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rpcping_credential_capture.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_ruby_inline_command_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_ads_stored_dll_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_inline_vbs.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_installscreensaver.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_keymgr.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_no_params.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_ntlmrelay.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_obfuscated_ordinal_call.yml
Merge PR #5202 from @swachchhanda000 - Added coverage rundll32 ordinal obfuscation attempts.
2025-02-25 22:32:55 +01:00
proc_creation_win_rundll32_parent_explorer.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_process_dump_via_comsvcs.yml
Merge PR #5202 from @swachchhanda000 - Added coverage rundll32 ordinal obfuscation attempts.
2025-02-25 22:32:55 +01:00
proc_creation_win_rundll32_registered_com_objects.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_run_locations.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_setupapi_installhinfsection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_shell32_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_spawn_explorer.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_susp_activity.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_susp_control_dll_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_susp_execution_with_image_extension.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_susp_shellexec_execution.yml
Merge PR #5082 from @swachchhanda000 - Add Suspicious ShellExec_RunDLL Call Via Ordinal
2024-12-01 17:32:36 +01:00
proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml
Merge PR #5666 from @nasbench - chore: promote older rules status from experimental to test
2025-10-01 10:03:28 +02:00
proc_creation_win_rundll32_susp_shimcache_flush.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_sys.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_udl_exec.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_rundll32_unc_path.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_rundll32_uncommon_dll_extension.yml
Merge PR #5177 from @nasbench - promote older rules status from experimental to test
2025-02-03 18:23:12 +01:00
proc_creation_win_rundll32_user32_dll.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_webdav_client_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_webdav_client_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_rundll32_without_parameters.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_runonce_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_sc_create_service.yml
Merge PR #5639 from @swachchhanda000 - Fix some more fps found in prod
2025-09-22 11:46:48 +02:00
proc_creation_win_sc_disable_service.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sc_new_kernel_driver.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sc_query_interesting_services.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_sc_sdset_allow_service_changes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sc_sdset_deny_service_access.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sc_sdset_hide_sevices.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sc_sdset_modification.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sc_service_path_modification.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sc_service_tamper_for_persistence.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sc_stop_service.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_appdata_local_system.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_change.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_creation_temp_folder.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_creation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_curl_and_powershell_combo.yml
Merge PR #5183 from @swachchhanda000 - add rules for malware abusing grimresource and RTLO techniques
2025-10-01 14:16:23 +02:00
proc_creation_win_schtasks_delete_all.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_delete.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_disable.yml
Merge PR #4982 from @X-Junior - Update scheduled task related rules
2024-08-26 10:20:57 +02:00
proc_creation_win_schtasks_env_folder.yml
Merge PR #5060 from @MalGamy12 - Update Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
2024-10-28 12:25:02 +01:00
proc_creation_win_schtasks_folder_combos.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_guid_task_name.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_one_time_only_midnight_task.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_openssh_tunnelling.yml
Merge PR #5146 from @resp404nse - Potential SSH Tunnel Persistence Install Using A Scheduled Task
2025-07-14 11:14:40 +02:00
proc_creation_win_schtasks_persistence_windows_telemetry.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_powershell_persistence.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_reg_loader_encoded.yml
Merge PR #5265 form @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules
2025-04-17 21:42:17 +02:00
proc_creation_win_schtasks_reg_loader.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_schedule_type_system.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_schedule_type.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_schtasks_susp_pattern.yml
Merge PR #5177 from @nasbench - promote older rules status from experimental to test
2025-02-03 18:23:12 +01:00
proc_creation_win_schtasks_system_process.yml
Merge PR #5183 from @swachchhanda000 - add rules for malware abusing grimresource and RTLO techniques
2025-10-01 14:16:23 +02:00
proc_creation_win_schtasks_system.yml
Merge PR #5195 from @X-Junior - Fix Schtasks Creation Or Modification With SYSTEM Privileges
2025-02-17 12:04:28 +01:00
proc_creation_win_scrcons_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sdbinst_shim_persistence.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sdbinst_susp_extension.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sdclt_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sdiagnhost_susp_child.yml
Merge PR #4961 from @tsale - Add multiples rules and updates
2024-08-29 19:21:47 +02:00
proc_creation_win_secedit_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_security_susp_node_js_execution.yml
Merge PR #5379 from @swachchhanda000 - NodeJS Execution of JavaScript
2025-10-01 12:18:11 +02:00
proc_creation_win_servu_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_setres_uncommon_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_setspn_spn_enumeration.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_setup16_custom_lst_execution.yml
Merge PR #5666 from @nasbench - chore: promote older rules status from experimental to test
2025-10-01 10:03:28 +02:00
proc_creation_win_shutdown_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_shutdown_logoff.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sigverif_uncommon_child_process.yml
Merge PR #4937 from @nasbench - Multiple updates and fixes
2024-08-29 14:43:32 +02:00
proc_creation_win_sndvol_susp_child_processes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_soundrecorder_audio_capture.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_splwow64_cli_anomaly.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_spoolsv_susp_child_processes.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_sqlcmd_veeam_db_recon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sqlcmd_veeam_dump.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sqlite_chromium_profile_data.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sqlite_firefox_gecko_profile_data.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_squirrel_download.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_squirrel_proxy_execution.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_ssh_port_forward.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_ssh_proxy_execution.yml
Merge PR #5181 from @swachchhanda000 - update SSH proxy execution rule
2025-07-03 09:40:29 +02:00
proc_creation_win_ssh_rdp_tunneling.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ssm_agent_abuse.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_stordiag_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_16bit_application.yml
Merge PR #5451 from @frack113 - chore: cleanup metadata
2025-06-04 13:33:36 +02:00
proc_creation_win_susp_abusing_debug_privilege.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_add_user_local_admin_group.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_add_user_privileged_group.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_add_user_remote_desktop_group.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_alternate_data_streams.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_always_install_elevated_windows_installer.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_susp_appx_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_archiver_iso_phishing.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_automated_collection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_susp_browser_launch_from_document_reader_process.yml
Merge PR #5249 from @nasbench - Promote older rules status from experimental to test
2025-04-17 00:41:35 +02:00
proc_creation_win_susp_child_process_as_system_.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_susp_cli_obfuscation_escape_char.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_cli_obfuscation_unicode_img.yml
Merge PR #5445 from @swachchhanda000 - feat: add coverage for Unicode Space Character Obfuscation
2025-06-05 13:29:46 +02:00
proc_creation_win_susp_commandline_path_traversal_evasion.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_copy_browser_data.yml
Merge PR #5239 from @swachchhanda000 - Update Potential Browser Data Stealing
2025-04-17 00:43:26 +02:00
proc_creation_win_susp_copy_lateral_movement.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_copy_system_dir_lolbin.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_copy_system_dir.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_crypto_mining_monero.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_data_exfiltration_via_cli.yml
Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules
2025-07-28 13:32:57 +02:00
proc_creation_win_susp_disable_raccine.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_double_extension_parent.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_double_extension.yml
Merge PR #5445 from @swachchhanda000 - feat: add coverage for Unicode Space Character Obfuscation
2025-06-05 13:29:46 +02:00
proc_creation_win_susp_download_office_domain.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_susp_dumpstack_log_evasion.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_elavated_msi_spawned_shell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_electron_app_children.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_electron_execution_proxy.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
Merge PR #5224 from @swachchhanda000 - Fix Multiple FPs
2025-04-07 11:05:53 +02:00
proc_creation_win_susp_embed_exe_lnk.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_emoji_usage_in_cli_1.yml
Merge PR #5265 form @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules
2025-04-17 21:42:17 +02:00
proc_creation_win_susp_emoji_usage_in_cli_2.yml
Merge PR #5265 form @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules
2025-04-17 21:42:17 +02:00
proc_creation_win_susp_emoji_usage_in_cli_3.yml
Merge PR #5265 form @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules
2025-04-17 21:42:17 +02:00
proc_creation_win_susp_emoji_usage_in_cli_4.yml
Merge PR #5265 form @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules
2025-04-17 21:42:17 +02:00
proc_creation_win_susp_etw_modification_cmdline.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_etw_trace_evasion.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_eventlog_clear.yml
Merge PR #5228 from @swachchhanda000 - Update Eventlog clearing related rules
2025-04-17 00:45:10 +02:00
proc_creation_win_susp_eventlog_content_recon.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_susp_execution_from_public_folder_as_parent.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_execution_path.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_file_characteristics.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_gather_network_info_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_hidden_dir_index_allocation.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_image_missing.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_inline_base64_mz_header.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_inline_node_js_execution.yml
Merge PR #5379 from @swachchhanda000 - NodeJS Execution of JavaScript
2025-10-01 12:18:11 +02:00
proc_creation_win_susp_inline_win_api_access.yml
Merge PR #5224 from @swachchhanda000 - Fix Multiple FPs
2025-04-07 11:05:53 +02:00
proc_creation_win_susp_jwt_token_search.yml
Merge PR #5012 from @ionsor - Update Potentially Suspicious JWT Token Search Via CLI
2024-10-06 23:03:54 +02:00
proc_creation_win_susp_lnk_exec_hidden_cmd.yml
Merge PR #5240 from @swachchhanda000 - Add Suspicious LNK Command-Line Padding with Whitespace Characters
2025-04-17 00:42:11 +02:00
proc_creation_win_susp_local_system_owner_account_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_lsass_dmp_cli_keywords.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_ms_appinstaller_download.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_susp_network_command.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_network_scan_loop.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_network_sniffing.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_no_image_name.yml
Merge PR #5448 from @nasbench - Promote older rules status from experimental to test
2025-06-02 13:29:48 +02:00
proc_creation_win_susp_non_exe_image.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_susp_non_priv_reg_or_ps.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_susp_ntds.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_nteventlogfile_usage.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
Merge PR #5513 from @swachchhanda000 - fix FPs observed via Aurora
2025-07-08 10:29:01 +02:00
proc_creation_win_susp_ntfs_short_name_path_use_image.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_ntfs_short_name_use_cli.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_ntfs_short_name_use_image.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_obfuscated_ip_download.yml
Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules
2025-07-28 13:32:57 +02:00
proc_creation_win_susp_obfuscated_ip_via_cli.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_win_susp_parents.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_powershell_execution_via_dll.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_priv_escalation_via_named_pipe.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_private_keys_recon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_privilege_escalation_cli_patterns.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_proc_wrong_parent.yml
Merge PR #5224 from @swachchhanda000 - Fix Multiple FPs
2025-04-07 11:05:53 +02:00
proc_creation_win_susp_progname.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_recon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_recycle_bin_fake_execution.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_susp_redirect_local_admin_share.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_remote_desktop_tunneling.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_right_to_left_override.yml
Merge PR #5183 from @swachchhanda000 - add rules for malware abusing grimresource and RTLO techniques
2025-10-01 14:16:23 +02:00
proc_creation_win_susp_script_exec_from_env_folder.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_script_exec_from_temp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_service_creation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_service_dir.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_service_tamper.yml
Merge PR #5629 from @swachchhanda000 - increase rule coverage
2025-09-22 12:18:11 +02:00
proc_creation_win_susp_shadow_copies_creation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_shadow_copies_deletion.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_shell_spawn_susp_program.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_sysnative.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_system_exe_anomaly.yml
Merge PR #5520 from @swachchhanda000 - Fix Logic in some rules that were causing FPs and FNs
2025-07-14 12:04:39 +02:00
proc_creation_win_susp_system_user_anomaly.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_susp_sysvol_access.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_task_folder_evasion.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
proc_creation_win_susp_use_of_te_bin.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_userinit_child.yml
Merge PR #5513 from @swachchhanda000 - fix FPs observed via Aurora
2025-07-08 10:29:01 +02:00
proc_creation_win_susp_velociraptor_child_process.yml
Merge PR #5635 from @swachchhanda000 - velociraptor abusing vscode tunneling
2025-09-22 12:13:07 +02:00
proc_creation_win_susp_weak_or_abused_passwords.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules
2025-07-28 13:32:57 +02:00
proc_creation_win_susp_whoami_as_param.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_susp_workfolders.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_svchost_execution_with_no_cli_flags.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_svchost_masqueraded_execution.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_svchost_termserv_proc_spawn.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_svchost_uncommon_parent_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sysinternals_accesschk_check_permissions.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_sysinternals_adexplorer_execution.yml
Merge PR #5557 from @phantinuss - Bump pySigma-validators-sigmahq to 0.10
2025-08-14 14:29:11 +02:00
proc_creation_win_sysinternals_adexplorer_susp_execution.yml
Merge PR #5557 from @phantinuss - Bump pySigma-validators-sigmahq to 0.10
2025-08-14 14:29:11 +02:00
proc_creation_win_sysinternals_eula_accepted.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_sysinternals_livekd_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_sysinternals_procdump_evasion.yml
Merge PR #5380 from @david-syk - Update MITRE ATT&CK tags 2nd batch
2025-04-25 21:01:12 +02:00
proc_creation_win_sysinternals_procdump_lsass.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_sysinternals_procdump.yml
Merge PR #5380 from @david-syk - Update MITRE ATT&CK tags 2nd batch
2025-04-25 21:01:12 +02:00
proc_creation_win_sysinternals_psexec_execution.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_sysinternals_psexec_remote_execution.yml
Merge PR #5639 from @swachchhanda000 - Fix some more fps found in prod
2025-09-22 11:46:48 +02:00
proc_creation_win_sysinternals_psexesvc_as_system.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sysinternals_psexesvc.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sysinternals_psloglist.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_sysinternals_psservice.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sysinternals_pssuspend_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sysinternals_pssuspend_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sysinternals_sdelete.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_sysinternals_sysmon_config_update.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_sysinternals_sysmon_uninstall.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_sysinternals_tools_masquerading.yml
Merge PR #5264 from @swachchhanda000 - Update Potential Binary Impersonating Sysinternals Tools
2025-04-17 00:39:23 +02:00
proc_creation_win_sysprep_appdata.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_systeminfo_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_takeown_recursive_own.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_tapinstall_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_tar_compression.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_tar_extraction.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_taskkill_sep.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_tasklist_module_enumeration.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_taskmgr_localsystem.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_taskmgr_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_teams_suspicious_command_line_cred_access.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_tscon_localsystem.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_tscon_rdp_redirect.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_tscon_rdp_session_hijacking.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_changepk_slui.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_cleanmgr.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_cmstp_com_object_access.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_cmstp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_uac_bypass_computerdefaults.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_consent_comctl32.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_dismhost.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_eventvwr_recentviews.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_uac_bypass_fodhelper.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_uac_bypass_icmluautil.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_uac_bypass_idiagnostic_profile.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_ieinstal.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_msconfig_gui.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_ntfs_reparse_point.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_pkgmgr_dism.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_sdclt.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_trustedpath.yml
Merge PR #5488 from @swachchhanda000 - Trusted path bypass
2025-06-24 12:35:51 +02:00
proc_creation_win_uac_bypass_winsat.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_wmp.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_wsreset_integrity_level.yml
Merge PR #5106 from @nasbench - Add SID version of integrity levels
2024-12-01 23:29:17 +01:00
proc_creation_win_uac_bypass_wsreset.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ultravnc_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_ultravnc.yml
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
proc_creation_win_uninstall_crowdstrike_falcon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_userinit_uncommon_child_processes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_vaultcmd_list_creds.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_verclsid_runs_com.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_virtualbox_execution.yml
Merge PR #5557 from @phantinuss - Bump pySigma-validators-sigmahq to 0.10
2025-08-14 14:29:11 +02:00
proc_creation_win_virtualbox_vboxdrvinst_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_vmware_toolbox_cmd_persistence.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_vscode_child_processes_anomalies.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_win_vscode_tunnel_execution.yml
Merge PR #5635 from @swachchhanda000 - velociraptor abusing vscode tunneling
2025-09-22 12:13:07 +02:00
proc_creation_win_vscode_tunnel_remote_shell_.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_win_vscode_tunnel_renamed_execution.yml
Merge PR #5635 from @swachchhanda000 - velociraptor abusing vscode tunneling
2025-09-22 12:13:07 +02:00
proc_creation_win_vscode_tunnel_service_install.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_win_vsdiagnostics_execution_proxy.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_vshadow_exec.yml
Merge PR #5478 from @kivi280 - add rule to detect vshadow.exe with -exec parameter
2025-07-03 11:57:48 +02:00
proc_creation_win_vslsagent_agentextensionpath_load.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_w32tm.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wab_execution_from_non_default_location.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wab_unusual_parents.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wbadmin_delete_all_backups.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wbadmin_delete_backups.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wbadmin_dump_sensitive_files.yml
Merge PR #5249 from @nasbench - Promote older rules status from experimental to test
2025-04-17 00:41:35 +02:00
proc_creation_win_wbadmin_restore_file.yml
Merge PR #5249 from @nasbench - Promote older rules status from experimental to test
2025-04-17 00:41:35 +02:00
proc_creation_win_wbadmin_restore_sensitive_files.yml
Merge PR #5249 from @nasbench - Promote older rules status from experimental to test
2025-04-17 00:41:35 +02:00
proc_creation_win_webdav_lnk_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_webshell_chopper.yml
Merge PR #5381 from @david-syk - Update MITRE ATT&CK tags
2025-04-25 20:55:51 +02:00
proc_creation_win_webshell_hacking.yml
Merge PR #5381 from @david-syk - Update MITRE ATT&CK tags
2025-04-25 20:55:51 +02:00
proc_creation_win_webshell_recon_commands_and_processes.yml
Merge PR #5381 from @david-syk - Update MITRE ATT&CK tags
2025-04-25 20:55:51 +02:00
proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_webshell_tool_recon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_werfault_lsass_shtinkering.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_werfault_reflect_debugger_exec.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_werfaultsecure_process_freeze.yml
Merge PR #5656 from @0xbcf - Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
2025-09-25 09:56:37 +02:00
proc_creation_win_wermgr_susp_child_process.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_wermgr_susp_exec_location.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wget_download_direct_ip.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wget_download_susp_file_sharing_domains.yml
Merge PR #5637 from @nasbench - Promote older rules status from experimental to test
2025-09-22 11:41:37 +02:00
proc_creation_win_wget_download_susp_locations.yml
Merge PR #5149 from @nasbench - Promote older rules status from experimental to test
2025-01-06 15:36:19 +01:00
proc_creation_win_where_browser_data_recon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_whoami_all_execution.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_whoami_execution_from_high_priv_process.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_whoami_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_whoami_groups_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_whoami_output.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_whoami_parent_anomaly.yml
Merge PR #5224 from @swachchhanda000 - Fix Multiple FPs
2025-04-07 11:05:53 +02:00
proc_creation_win_whoami_priv_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_windows_terminal_susp_children.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_winget_add_custom_source.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_winget_add_insecure_custom_source.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_winget_add_susp_custom_source.yml
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
2024-10-01 14:56:09 +02:00
proc_creation_win_winget_local_install_via_manifest.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_winrar_exfil_dmp_files.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_winrar_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_winrar_uncommon_folder_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_winrm_awl_bypass.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_winrm_remote_powershell_session_process.yml
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
proc_creation_win_winrm_susp_child_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_winzip_password_compression.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wlrmdr_uncommon_child_process.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmi_password_never_expire.yml
Merge PR #5568 from @Koifman - Password Never Expires Set via WMI
2025-07-31 12:28:06 +02:00
proc_creation_win_wmi_persistence_script_event_consumer.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_eventconsumer_creation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_namespace_defender.yml
Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags
2025-05-20 23:05:21 +02:00
proc_creation_win_wmic_process_creation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_recon_computersystem.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_recon_csproduct.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_recon_group.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_recon_hotfix.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_recon_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_recon_product_class.yml
Merge PR #5234 from @swachchhanda000 - Update Potential Product Class Reconnaissance Via Wmic.EXE
2025-04-17 00:44:13 +02:00
proc_creation_win_wmic_recon_product.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_recon_service.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_recon_system_info_uncommon.yml
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
2024-11-01 10:21:04 +01:00
proc_creation_win_wmic_recon_unquoted_service_search.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_recon_volume.yml
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
2024-12-01 13:40:32 +01:00
proc_creation_win_wmic_remote_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_service_manipulation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_squiblytwo_bypass.yml
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
2024-11-25 09:30:14 +01:00
proc_creation_win_wmic_stdregprov_reg_modification.yml
Merge PR #5567 from @ Koifman - Registry Manipulation via WMI Stdregprov
2025-09-22 12:35:38 +02:00
proc_creation_win_wmic_susp_execution_via_office_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_susp_process_creation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_terminate_application.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_uninstall_application.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_uninstall_security_products.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmic_xsl_script_processing.yml
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28 20:11:57 +02:00
proc_creation_win_wmiprvse_spawning_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmiprvse_spawns_powershell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wmiprvse_susp_child_processes.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wpbbin_potential_persistence.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wscript_cscript_dropper.yml
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
2024-12-01 13:40:32 +01:00
proc_creation_win_wscript_cscript_susp_child_processes.yml
Merge PR #5451 from @frack113 - chore: cleanup metadata
2025-06-04 13:33:36 +02:00
proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wsl_child_processes_anomalies.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wsl_windows_binaries_execution.yml
Merge PR #4937 from @nasbench - Multiple updates and fixes
2024-08-29 14:43:32 +02:00
proc_creation_win_wuauclt_dll_loading.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wuauclt_no_cli_flags_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml
Merge PR #4937 from @nasbench - Multiple updates and fixes
2024-08-29 14:43:32 +02:00
proc_creation_win_wusa_susp_parent_execution.yml
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
2025-07-01 10:34:38 +02:00
proc_creation_win_xwizard_execution_non_default_location.yml
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
2025-05-15 12:17:10 +02:00
proc_creation_win_xwizard_runwizard_com_object_exec.yml
Merge PR #4937 from @nasbench - Multiple updates and fixes
2024-08-29 14:43:32 +02:00