012e88601e
[New Rule] Email Reported by User as Malware or Phish ( #1699 )
...
* Email Reported by User as Malware or Phish Initial Rule
* Update initial_access_o365_user_reported_phish_malware.toml
* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 189c2b152c
2022-01-27 19:33:20 +00:00
239f7f9324
[New Rule] MS Office Macro Security Registry Modifications ( #1696 )
...
* "MS Office Macro Security Registry Modifications" Initial Rule
* Update rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit b6cbdbd416
2022-01-27 19:27:12 +00:00
c300fce9f7
[New Rule] OneDrive Malware File Upload ( #1693 )
...
* "OneDrive Malware File Upload" Initial Rule
* bump severity
(cherry picked from commit f7bc13b437
2022-01-27 19:22:11 +00:00
b0b52abbd5
[New Rule] SharePoint Malware File Upload ( #1691 )
...
* "SharePoint Malware File Upload" Initial Rule
* s/onedrive/sharepoint
* bump severity
(cherry picked from commit 1676844640
2022-01-27 19:15:20 +00:00
c8671b4a1e
[New Rule] Potential Privileged Escalation via SamAccountName Spoofing ( #1660 )
...
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing
Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.
https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac
EQL
```
iam where event.action == "renamed-user-account" and
/* machine account name renamed to user like account name */
winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```
* Create privilege_escalation_samaccountname_spoofing_attack.toml
* Update non-ecs-schema.json
* extra ref
* toml linted
* ref for MS kb5008102
* more ref
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 26fb8e83a5
2022-01-27 14:49:15 +00:00
71c382b1f5
[New Rule] Global Administrator Role Assigned ( #1686 )
...
* Initial Global Administrator Role Assigned Rules
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 14252d45ee
2022-01-27 12:55:30 +00:00
15d6244331
Create credential_access_mfa_push_brute_force.toml ( #1682 )
...
(cherry picked from commit 7e4325dd7a
2022-01-27 12:40:11 +00:00
b753a05c72
[Rule Tuning] GCP Kubernetes Rolebindings Created or Patched ( #1718 )
...
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 38ae64f729
2022-01-27 12:34:30 +00:00
a5b1ac9e0e
Update credential_access_suspicious_lsass_access_memdump.toml ( #1714 )
...
(cherry picked from commit 1699f50beb
2022-01-27 12:30:41 +00:00
45946dbf3e
Update source.ip condition ( #1712 )
...
(cherry picked from commit 4ac824192f
2022-01-27 12:27:38 +00:00
042f9cfaa1
[Rule Tuning] Fix event.outcome condition on O365 failed logon related rules ( #1687 )
...
* Tune rule query
* Update credential_access_microsoft_365_potential_password_spraying_attack.toml
* Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
* Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml"
This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.
(cherry picked from commit 0a23d820c9
2022-01-27 12:25:02 +00:00
51dbef8321
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created ( #1683 )
...
* Inbox Rule Tuning
* Add RedirectTo
* Update non-ecs-schema.json
(cherry picked from commit 50c7d5f262
2022-01-27 12:23:36 +00:00
9fd1c14450
[Rule Tuning] Azure Virtual Network Device Modified or Deleted ( #1679 )
...
* Update impact_virtual_network_device_modified.toml
* Change case
(cherry picked from commit fdeb8cb1de
2022-01-27 12:19:33 +00:00
9e5c68a04c
[New Rule] Potential Privilege Escalation via PKEXEC ( #1727 )
...
* [New Rule] Potential Privilege Escalation via PKEXEC
Identifies attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user :
* Update privilege_escalation_pkexec_envar_hijack.toml
* removed = sign
(cherry picked from commit b9edc5464e
2022-01-27 09:44:06 +00:00
646e920ac1
Revert "[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix ( #1649 )" ( #1731 )
...
This reverts commit 625d1df2bf84d55c829d
2022-01-26 20:43:37 +00:00
b6d1c1476b
[Rule Tuning] Update Google Workspace rules to remove compatibility with deprecated gsuite integration ( #1706 )
...
* Adjust queries and min_stack_version
* Update reference to the filebeat module
* adjust min_stack_version
2022-01-25 16:51:20 -09:00
9c43151da4
[Deprecate Rule] Threat Intel Filebeat Module (v7.x) Indicator Match ( #1703 )
2022-01-25 16:46:49 -09:00
b564fa13fb
MacOS FolderActionScripts Process List Update ( #1723 )
...
* update and expand process list
* fix query
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-01-25 14:27:27 -06:00
cfd4d431dd
MacOS Launch Daemon Creation Rule - Query Fix ( #1722 )
...
* launch daemon creation syntax fix
* change updated date
2022-01-25 12:47:51 -06:00
95e3b87faf
[New Rule] Startup/Logon Script added to Group Policy Object ( #1607 )
...
* "Startup/Logon Script added to Group Policy Object" Initial Rule
* Change severity
* nest non-ecs schema and move logs-system to winlogbeat
* format query and remove quotes
* Update rules/windows/privilege_escalation_group_policy_iniscript.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Add rule_ids and false_positives instance
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-01-20 09:11:23 -03:00
49854aaae2
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules ( #1610 )
...
* Add Investigation Guide and config to Suspicious Portable Executable Encoded in Powershell Script
* Add Investigation Guide and config to "PowerShell Suspicious Discovery Related Windows API Functions" rule
* Add Investigation Guide and Config to "PowerShell MiniDump Script" rule
* Add logging policy reference
* Add Investigation Guide/Config to "PowerShell Suspicious Script with Audio Capture Capabilities"
* Add Related Rules GUIDs
* Add Investigation Guide/config for "Potential Process Injection via PowerShell"
* Adjust Response and remediation
* Add Investigation Guide/config for "PowerShell Keylogging Script"
* bump updated_date
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions
* Revise line from investigation guides
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-01-20 08:56:53 -03:00
7fa0c0f719
[New Rule] Potential Priivilege Escalation via InstallerFileTakeOver ( #1629 )
...
* Create privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update rules/windows/privilege_escalation_installertakeover.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/privilege_escalation_installertakeover.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update description and change OFN from : to ==
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-20 08:53:58 -03:00
625d1df2bf
[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix ( #1649 )
...
* Update execution_python_tty_shell.toml
* Update EQL query to sequence
* Remove auditbeat index
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-20 08:50:30 -03:00
96ada9e223
[New Rule] Azure Suppression Rule Created ( #1666 )
...
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Moved to correct directory.
* Suppression Rule Created
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-01-20 08:46:24 -03:00
d7116485f3
[New Rule] Group Policy Abuse for Privilege Addition ( #1603 )
...
* "Group Policy Abuse for Privilege Addition" Initial Rule
* Update privilege_escalation_group_policy_privileged_groups.toml
* Add related rules
* fix missing comma
* Update non-ecs-schema.json
* Remove duplicated entries
* update note with code format
* Update rules/windows/privilege_escalation_group_policy_privileged_groups.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-20 08:40:52 -03:00
101b781bef
[Rule Tuning] O365 Excessive Single Sign-On Logon Errors ( #1680 )
...
* Change event.category to authentication
The original had the event.category as "web" the correct value is "authentication"
* Changed updated_date to todays date
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-01-20 08:32:30 -03:00
865771886e
[New Rule] Scheduled Task Execution at Scale via GPO ( #1605 )
...
* "Scheduled Task Execution at Scale via GPO" Initial Rule
* Update non-ecs-schema.json
2022-01-19 16:06:48 -09:00
7bbeaf3053
[New Rule] PowerShell PSReflect Script ( #1558 )
2022-01-19 15:31:08 -09:00
6a0164cbd3
[Rule Tuning] Connection to Commonly Abused Web Services ( #1708 )
...
Added Discord domains often abused to stage malicious files.
2022-01-17 14:52:26 -03:00
fd824d1fd5
[New Rule] Microsoft Defender Tampering ( #1575 )
...
* Create defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-01-13 19:50:01 -03:00
af354dc7e8
[New Rule] Mailbox Audit Logging Bypass ( #1702 )
...
* "Mailbox Audit Logging Bypass" Initial Rule
* Add reference
* Update rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-13 17:33:08 -03:00
cbf0798646
[Rule Tuning] Change Rules to use Source.ip instead of source.address ( #1704 )
...
* Replace source.address to source.ip for compatibility
* Change query
* Missing and condition
2022-01-13 16:40:10 -03:00
25327134a6
[New Rule] Shadowcopy via Symlink ( #1675 )
...
* Create credential_access_shadowcopy_via_symlink.toml
* Update credential_access_shadowcopy_via_symlink.toml
* Update and rename credential_access_shadowcopy_via_symlink.toml to credential_access_shadowcopy_via_mklink.toml
* Update credential_access_shadowcopy_via_mklink.toml
* Update rules/windows/credential_access_shadowcopy_via_mklink.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_shadowcopy_via_mklink.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_shadowcopy_via_mklink.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update credential_access_shadowcopy_via_mklink.toml
* Rename credential_access_shadowcopy_via_mklink.toml to credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml
* Update credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-01-12 07:52:37 -03:00
899642dd78
[New Rule] PowerShell Suspicious Script with Screenshot Capabilities ( #1581 )
...
* Create collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update rules/windows/collection_posh_screen_grabber.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update query condition
* lint
* Update execution_python_tty_shell.toml
* Revert "Update execution_python_tty_shell.toml"
This reverts commit d2d72ea5726415caca8786d59446b6dd60dcee54.
* Update collection_posh_screen_grabber.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-14 19:30:45 -03:00
f2a28e49fb
[New Rules] PowerShell Suspicious Payload Encoded and Compressed ( #1580 )
...
* Create defense_evasion_posh_compressed.toml
* Update defense_evasion_posh_compressed.toml
* Add GzipStream, cover common variations withou using wildcard
* Update defense_evasion_posh_compressed.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Add false_positives
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-14 19:25:11 -03:00
9cc342dab7
[Rule Tuning] Bump max_signals on Endgame Promotion Rules ( #1662 )
...
* bump endgame max_signals to 10000
* bump updated_date
2021-12-14 11:52:12 -03:00
9a60d7a26a
[Rule tuning] fix name for GCP Kubernetes Rolebindings Created or Patched ( #1661 )
2021-12-13 08:59:56 -09:00
410d4e5929
[Rule Tuning] Suspicious JAR Child Process ( #1657 )
...
* [Rule Tuning] Suspicious JAR Child Process
Expand rule coverage by removing the process.args containing a jar file requirement which may help detect also exploitation attempt via command injection vulnerabilities on server apps running JAVA.
* Update rules/cross-platform/execution_suspicious_jar_child_process.toml
2021-12-10 16:04:35 -09:00
d4e06beee6
[New Rule] PowerShell Reflection Assembly Load ( #1559 )
...
* Create defense_evasion_posh_assembly_load.toml
* Update defense_evasion_posh_assembly_load.toml
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Change event.code to event.category
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-08 17:59:17 -03:00
ee548328d5
[Rule Tuning] Powershell Defender Exclusion ( #1644 )
...
* Split process.args condition
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-08 11:51:32 -03:00
b85818f49c
[New Rule] Enumeration of Privileged Local Groups Membership ( #1557 )
...
* [New Rule] Enumeration of Privileged Local Groups Membership
* Update non-ecs-schema.json
* Update discovery_privileged_localgroup_membership.toml
* removed endpoint index (not needed)
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-08 11:23:42 +01:00
434e2d0426
[New Rule] Privilege Escalation via Rogue Named Pipe Impersonation ( #1544 )
...
* [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_via_rogue_named_pipe.toml
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-08 11:21:04 +01:00
e3b76b7cf7
[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot ( #1632 )
...
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot
Detects the creation of LSASS clone via event 4688 (Sysmon process creation as well as Elastic endpoint don't capture clone creation due to the way 4688 logs process creation event even before an initial threat starts).
* adding extra ref url
2021-12-08 11:16:14 +01:00
851c566730
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules ( #1620 )
...
* Replaces event.code with event.category
* bump updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-07 21:32:39 -09:00
b7b5449033
Add issue to min_stack_comment ( #1652 )
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-12-07 15:52:38 -09:00
14c46f50b9
[Rule Tuning] updates from documentation review for 7.16 ( #1645 )
2021-12-07 15:42:58 -09:00
c21337fe4f
Add min_stack and indexes back ( #1648 )
2021-12-07 10:00:58 -03:00
7b0383ffe2
[Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL ( #1651 )
...
* Update command_and_control_download_rar_powershell_from_internet.toml
* bump updated_date
2021-12-07 09:09:03 -03:00
f6a2437cf8
Limit index to logs-endpoint.events ( #1647 )
2021-12-06 13:45:12 -03:00
d43e3d8e4e
[New Rule] Suspicious Process Creation CallTrace ( #1588 )
...
* [New Rule] Suspicious Process Creation CallTrace
* Update non-ecs-schema.json
* added min stack vers
* min_stack_vers not needed
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-11-30 21:35:43 +01:00
Jonhnathan