security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f8e022a709c9be0b4a674428f7a62d22962e5f1a
blue-team-tools/rules/windows/process_creation
T
History
Florian Roth d2122b6b83 Merge pull request #594 from sreemanshanker/master 
Sigma rule to Monitor for writing of malicious files to system32 and syswow64 folders
2020-01-30 09:14:58 +01:00
..
win_apt_bluemashroom.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_apt_mustangpanda.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_attrib_hiding_files.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_bypass_squiblytwo.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_change_default_file_association.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_cmdkey_recon.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_cmstp_com_object_access.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_control_panel_item.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_data_compressed_with_rar.yml
Data Compressed duplciate titles
2019-12-09 16:24:10 +00:00
win_encoded_frombase64string.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_encoded_iex.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_etw_trace_evasion.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_exploit_cve_2015_1641.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_exploit_cve_2017_0261.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_exploit_cve_2017_8759.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_exploit_cve_2017_11882.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_exploit_cve_2019_1378.yml
rule: Exploiting SetupComplete.cmd CVE-2019-1378
2019-11-15 00:26:18 +01:00
win_exploit_cve_2019_1388.yml
rule: another reference for CVE-2019-1388 rule
2019-11-20 15:09:30 +01:00
win_hack_bloodhound.yml
rule: modified Bloodhound rule
2019-12-21 21:22:13 +01:00
win_hack_rubeus.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_hack_secutyxploded.yml
rule: SecurityXploded tool
2019-12-30 14:25:29 +01:00
win_hktl_createminidump.yml
rule: CreateMiniDump
2019-12-22 08:29:12 +01:00
win_hwp_exploits.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_impacket_lateralization.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_install_reg_debugger_backdoor.yml
Added new sticky key attack binary
2020-01-24 15:31:06 +01:00
win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_lethalhta.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_local_system_owner_account_discovery.yml
style: fixed title
2019-12-03 11:24:06 +01:00
win_mal_adwind.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_dridex.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_dtrack.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_emotet.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_formbook.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_notpetya.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_qbot.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_ryuk.yml
rule: ryuk ransomware
2019-12-16 20:33:12 +01:00
win_malware_script_dropper.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_malware_trickbot_recon_activity.yml
svchost spawned without cli
2020-01-24 15:31:06 +01:00
win_malware_wannacry.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_mavinject_proc_inj.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_mmc_spawn_shell.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_mshta_spawn_shell.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_multiple_suspicious_cli.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_netsh_fw_add.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_netsh_packet_capture.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_netsh_port_fwd_3389.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_netsh_port_fwd.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_network_sniffing.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_office_shell.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_office_spawn_exe_from_users_directory.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_plugx_susp_exe_locations.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_possible_applocker_bypass.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_powershell_amsi_bypass.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_powershell_b64_shellcode.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_powershell_dll_execution.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_powershell_download.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_powershell_frombase64string.yml
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
win_powershell_suspicious_parameter_variation.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_powershell_xor_commandline.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_powersploit_empire_schtasks.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_proc_wrong_parent.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_process_creation_bitsadmin_download.yml
rule: fixed and extended bitsadmin rule
2019-12-06 13:39:04 +01:00
win_psexesvc_start.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_query_registry.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_ransomware_shadowcopy.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_rdp_hijack_shadowing.yml
rule: mstsc shadowing
2020-01-24 16:18:19 +01:00
win_renamed_binary_highly_relevant.yml
rule: split up renamed binary rule
2020-01-24 15:31:07 +01:00
win_renamed_binary.yml
rule: split up renamed binary rule
2020-01-24 15:31:07 +01:00
win_renamed_paexec.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_sdbinst_shim_persistence.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_service_execution.yml
fix: simplified rule with RE
2019-12-03 11:24:06 +01:00
win_shell_spawn_susp_program.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_silenttrinity_stage_use.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_spn_enum.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_bcdedit.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_bginfo.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_calc.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_cdb.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_certutil_command.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_certutil_encode.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_cli_escape.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_cmd_http_appdata.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_codepage_switch.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_commands_recon_activity.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_compression_params.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_comsvcs_procdump.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_control_dll_load.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_copy_lateral_movement.yml
rule: copy from admin share - lateral movement
2019-12-30 14:25:43 +01:00
win_susp_csc_folder.yml
rule: updating csc.exe rule
2019-12-17 13:45:40 +01:00
win_susp_csc.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_curl_start_combo.yml
fix: filename
2020-01-30 08:18:29 +01:00
win_susp_dctask64_proc_inject.yml
rule: dctask64.exe evasion techniques
2020-01-28 11:29:24 +01:00
win_susp_devtoolslauncher.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_dnx.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_double_extension.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_dxcap.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_eventlog_clear.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_exec_folder.yml
Added some suspicious locations
2019-12-10 20:17:40 +03:00
win_susp_execution_path_webserver.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_execution_path.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_firewall_disable.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_fsutil_usage.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_gup.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_iss_module_install.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_msiexec_cwd.yml
fix: fixed broken condition
2019-11-14 10:15:18 +01:00
win_susp_msiexec_web_install.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_msoffice.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_net_execution.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_ntdsutil.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_odbcconf.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_openwith.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_outlook_temp.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_outlook.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_ping_hex_ip.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_powershell_empire_launch.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_powershell_empire_uac_bypass.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_powershell_enc_cmd.yml
style: minor changes
2019-12-20 14:59:26 +01:00
win_susp_powershell_hidden_b64_cmd.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_powershell_parent_combo.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_procdump.yml
fix: line break in description
2019-11-18 15:26:55 +01:00
win_susp_process_creations.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_prog_location_process_starts.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_ps_appdata.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_psr_capture_screenshots.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_rasdial_activity.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_recon_activity.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_regsvr32_anomalies.yml
Merge pull request #537 from webhead404/webhead404-contrib-sigma
2019-12-13 21:50:01 +01:00
win_susp_renamed_dctask64.yml
rule: dctask64.exe evasion techniques
2020-01-28 11:29:24 +01:00
win_susp_run_locations.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_rundll32_activity.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_rundll32_by_ordinal.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_schtask_creation.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_script_execution.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_squirrel_lolbin.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_svchost_no_cli.yml
svchost spawned without cli
2020-01-24 15:31:06 +01:00
win_susp_svchost.yml
Added svchost.exe as a parent image
2019-12-10 19:31:12 +03:00
win_susp_sysprep_appdata.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_sysvol_access.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_taskmgr_localsystem.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_taskmgr_parent.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_tscon_localsystem.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_tscon_rdp_redirect.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_userinit_child.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_vssadmin_ntds_activity.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_whoami_localsystem.yml
fix: SCCM false positives with whoami.exe rule
2020-01-07 12:13:47 +01:00
win_susp_whoami.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_wmi_execution.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_sysmon_driver_unload.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_system_exe_anomaly.yml
Update win_system_exe_anomaly.yml
2020-01-24 15:31:06 +01:00
win_task_folder_evasion.yml
changed file name
2020-01-30 08:07:56 +01:00
win_termserv_proc_spawn.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_vul_java_remote_debugging.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_webshell_detection.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_webshell_spawn.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_win10_sched_task_0day.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_wmi_backdoor_exchange_transport_agent.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_wmi_persistence_script_event_consumer.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_wmi_spwns_powershell.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_workflow_compiler.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_xsl_script_processing.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00