From b71a02a05ac19bf63fd7416fdba047452c3fbe6c Mon Sep 17 00:00:00 2001 
From: Olaf Hartong <8149899+olafhartong@users.noreply.github.com> Date: Sat, 14 Apr 2018 20:48:50 +0200 Subject: [PATCH] revocation check added --- .gitignore | 1 + 10_process_access/exclude_lsass_noise.xml | 3 +- .../include_general_commment.xml | 1 + 10_process_access/include_mimikatz_inmem.xml | 1 + 11_file_create/exclude_dell_process.xml | 1 + 11_file_create/exclude_intel_gfx_service.xml | 1 + .../exclude_microsoft_click2run.xml | 1 + 11_file_create/exclude_microsoft_services.xml | 1 + .../exclude_microsoft_windows_update.xml | 1 + 11_file_create/include_appc_shim.xml | 3 +- 11_file_create/include_batch_files.xml | 1 + .../include_default_profile_changes.xml | 1 + 11_file_create/include_downloaded_files.xml | 1 + 11_file_create/include_drivers_added.xml | 1 + 11_file_create/include_executables.xml | 1 + .../include_group_policy_changes.xml | 1 + 11_file_create/include_hta_scripts.xml | 1 + .../include_microsoft_clickonce.xml | 1 + .../include_microsoft_msbuild_scripts.xml | 1 + ...nclude_ms_office_documents_with_macros.xml | 1 + .../include_outlook_attachments.xml | 1 + 11_file_create/include_powershell_changes.xml | 1 + 11_file_create/include_powershell_scripts.xml | 1 + .../include_scheduled_task_changes.xml | 1 + 11_file_create/include_start_menu_items.xml | 1 + 11_file_create/include_startup_items.xml | 1 + .../include_system_driver_files.xml | 1 + .../include_visual_basic_scripts.xml | 1 + 11_file_create/include_wmi_changes.xml | 1 + .../exclude_internet_explorer_settings.xml | 1 + 12_13_14_registry_event/exclude_webroot.xml | 1 + .../exclude_widcomm_bt_driver.xml | 1 + .../exclude_windows_bootup_control.xml | 1 + .../exclude_windows_file_exts.xml | 1 + .../exclude_windows_generic_binaries.xml | 1 + .../exclude_windows_misc.xml | 1 + .../exclude_windows_service_autostart.xml | 1 + .../include_accessibility_features.xml | 3 +- 12_13_14_registry_event/include_appc_shim.xml | 3 +- .../include_authentication_package.xml | 3 +- 
.../include_autoruns_and_startup_keys.xml | 1 + .../include_bypass_uac.xml | 3 +- .../include_com_hijack.xml | 1 + .../include_disable_password_change.xml | 3 +- ...nclude_dll_injection_at_process_launch.xml | 1 + .../include_dns_serverdll_injection.xml | 3 +- .../include_group_policy_integrity.xml | 1 + ...xplorer_extentions_helpers_or_toolbars.xml | 1 + .../include_local_port_monitor.xml | 3 +- 12_13_14_registry_event/include_netsh.xml | 1 + .../include_office_clickonce.xml | 1 + .../include_office_oulook_addins.xml | 1 + .../include_rdp_logon_execution.xml | 3 +- .../include_remote_execution_services.xml | 3 +- .../include_security_support_provider.xml | 1 + .../include_terminal_service_execution.xml | 1 + .../include_windows_app_path_hijack.xml | 1 + .../include_windows_com_objects.xml | 1 + .../include_windows_credential_providers.xml | 1 + .../include_windows_defender_tampering.xml | 1 + .../include_windows_firewall_tampering.xml | 1 + .../include_windows_integrity_monitoring.xml | 1 + .../include_windows_networking.xml | 1 + ...lude_windows_security_center_tampering.xml | 1 + .../include_windows_shell_hijack.xml | 1 + .../include_windows_thumbnail_autostart.xml | 1 + .../include_windows_uac_tampering.xml | 1 + .../include_windowsupdate_autostart.xml | 3 +- 12_13_14_registry_event/include_winsock.xml | 1 + .../include_wmi_implant.xml | 3 +- .../include_7zip_extractions.xml | 1 + .../include_batch_scripts.xml | 1 + .../include_downloads.xml | 1 + .../include_general_commment.xml | 1 + .../include_hta_scripts.xml | 1 + .../include_lnk_shortcuts.xml | 1 + .../include_outlook_attachments.xml | 1 + .../include_powershell_scripts.xml | 1 + .../include_registry_file.xml | 1 + .../include_visual_basic_scripts.xml | 1 + 17_18_pipe_event/include_general_commment.xml | 1 + 19_20_21_wmi_event/include_wmi_create.xml | 3 +- 1_process_creation/exclude_adobe_acrobat.xml | 1 + .../exclude_adobe_creative_cloud.xml | 1 + 1_process_creation/exclude_adobe_flash.xml | 1 + 
.../exclude_adobe_supporting_processes.xml | 1 + .../exclude_cisco_anyconnect.xml | 37 ++++++++ 1_process_creation/exclude_dotnet-3-or-4.xml | 1 + 1_process_creation/exclude_drivers.xml | 1 + 1_process_creation/exclude_dropbox.xml | 1 + 1_process_creation/exclude_google_chrome.xml | 1 + .../exclude_microsoft_office_click2run.xml | 1 + .../exclude_microsoft_office_services.xml | 1 + .../exclude_mozilla_firefox.xml | 1 + 1_process_creation/exclude_splunk.xml | 1 + .../exclude_splunk_universal_forwarder.xml | 1 + 1_process_creation/exclude_svchost.xml | 89 ++++++++++++++----- .../exclude_windows_defender.xml | 24 ++--- .../exclude_windows_generic_processes.xml | 1 + .../include_accessibility_features.xml | 3 +- 1_process_creation/include_appc_shim.xml | 3 +- 1_process_creation/include_bitsadmin.xml | 1 + 1_process_creation/include_bypass_uac.xml | 3 +- 1_process_creation/include_installutil.xml | 3 +- .../include_living_of_the_land.xml | 1 + 1_process_creation/include_msbuild.xml | 3 +- 1_process_creation/include_regsvcs_regasm.xml | 3 +- .../include_windows_remote_management.xml | 3 +- 2_file_create_time/exclude_onedrive.xml | 1 + 2_file_create_time/exclude_setups.xml | 1 + 2_file_create_time/include_temp_folder.xml | 1 + 2_file_create_time/include_users_folder.xml | 1 + .../exclude_dropbox.xml | 1 + .../exclude_microsoft_onedrive.xml | 1 + .../exclude_spotify.xml | 1 + .../exclude_windows_update.xml | 1 + .../include_3rd_party_remote_management.xml | 1 + .../include_hp_critical_services.xml | 1 + .../include_native_windows_tools.xml | 1 + .../include_ports_proxies.xml | 1 + .../include_ports_suspicous.xml | 1 + .../include_suspicious_sources.xml | 1 + .../include_tor.xml | 1 + .../include_users_and_temp_folders.xml | 1 + .../exclude_intel_drivers.xml | 1 + .../exclude_microsoft_drivers.xml | 1 + 7_image_load/include_general_warning.xml | 1 + 7_image_load/include_mimikatz_inmem.xml | 3 +- .../exclude_generic_windows_processes.xml | 1 + .../exclude_google_chrome.xml | 
1 + 8_create_remote_thread/exclude_wmi.xml | 1 + .../include_dll_injection.xml | 3 +- .../include_general_commment.xml | 1 + .../include_general_commment.xml | 1 + baseconfig.xml | 1 + 135 files changed, 266 insertions(+), 62 deletions(-) create mode 100644 .gitignore create mode 100644 1_process_creation/exclude_cisco_anyconnect.xml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..e43b0f98
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/10_process_access/exclude_lsass_noise.xml b/10_process_access/exclude_lsass_noise.xml
index 1207f8fb..e82ff100 100644
--- a/10_process_access/exclude_lsass_noise.xml
+++ b/10_process_access/exclude_lsass_noise.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/10_process_access/include_general_commment.xml b/10_process_access/include_general_commment.xml
index 47a6c6ec..db3639c8 100644
--- a/10_process_access/include_general_commment.xml
+++ b/10_process_access/include_general_commment.xml
@@ -1,6 +1,7 @@ * +
diff --git a/10_process_access/include_mimikatz_inmem.xml b/10_process_access/include_mimikatz_inmem.xml
index 2686fdcd..e887e2be 100644
--- a/10_process_access/include_mimikatz_inmem.xml
+++ b/10_process_access/include_mimikatz_inmem.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/exclude_dell_process.xml b/11_file_create/exclude_dell_process.xml
index 82eab820..73473f7c 100644
--- a/11_file_create/exclude_dell_process.xml
+++ b/11_file_create/exclude_dell_process.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/exclude_intel_gfx_service.xml b/11_file_create/exclude_intel_gfx_service.xml
index d4a952ff..d23ca90a 100644
--- a/11_file_create/exclude_intel_gfx_service.xml
+++ b/11_file_create/exclude_intel_gfx_service.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/exclude_microsoft_click2run.xml b/11_file_create/exclude_microsoft_click2run.xml
index ee4d4a49..183c1b98 100644
--- a/11_file_create/exclude_microsoft_click2run.xml
+++ b/11_file_create/exclude_microsoft_click2run.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/exclude_microsoft_services.xml b/11_file_create/exclude_microsoft_services.xml
index 24a64b82..8180fe67 100644
--- a/11_file_create/exclude_microsoft_services.xml
+++ b/11_file_create/exclude_microsoft_services.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/exclude_microsoft_windows_update.xml b/11_file_create/exclude_microsoft_windows_update.xml
index 100b86a3..0ee83d07 100644
--- a/11_file_create/exclude_microsoft_windows_update.xml
+++ b/11_file_create/exclude_microsoft_windows_update.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_appc_shim.xml b/11_file_create/include_appc_shim.xml
index 237fc0b5..9574162f 100644
--- a/11_file_create/include_appc_shim.xml
+++ b/11_file_create/include_appc_shim.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/11_file_create/include_batch_files.xml b/11_file_create/include_batch_files.xml
index dc9dcac9..7c66c36c 100644
--- a/11_file_create/include_batch_files.xml
+++ b/11_file_create/include_batch_files.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_default_profile_changes.xml b/11_file_create/include_default_profile_changes.xml
index 90f20f87..a8512b5b 100644
--- a/11_file_create/include_default_profile_changes.xml
+++ b/11_file_create/include_default_profile_changes.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_downloaded_files.xml b/11_file_create/include_downloaded_files.xml
index 9cb27177..416e2baf 100644
--- a/11_file_create/include_downloaded_files.xml
+++ b/11_file_create/include_downloaded_files.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_drivers_added.xml b/11_file_create/include_drivers_added.xml
index b9691f0d..16a7aa0e 100644
--- a/11_file_create/include_drivers_added.xml
+++ b/11_file_create/include_drivers_added.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_executables.xml b/11_file_create/include_executables.xml
index 025d8e23..2e30da17 100644
--- a/11_file_create/include_executables.xml
+++ b/11_file_create/include_executables.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_group_policy_changes.xml b/11_file_create/include_group_policy_changes.xml
index 2d29afee..585e1bc0 100644
--- a/11_file_create/include_group_policy_changes.xml
+++ b/11_file_create/include_group_policy_changes.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_hta_scripts.xml b/11_file_create/include_hta_scripts.xml
index 7d728e75..7d2f6a7d 100644
--- a/11_file_create/include_hta_scripts.xml
+++ b/11_file_create/include_hta_scripts.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_microsoft_clickonce.xml b/11_file_create/include_microsoft_clickonce.xml
index 627f316b..cce2ec9f 100644
--- a/11_file_create/include_microsoft_clickonce.xml
+++ b/11_file_create/include_microsoft_clickonce.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_microsoft_msbuild_scripts.xml b/11_file_create/include_microsoft_msbuild_scripts.xml
index 350271dc..8563ee29 100644
--- a/11_file_create/include_microsoft_msbuild_scripts.xml
+++ b/11_file_create/include_microsoft_msbuild_scripts.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_ms_office_documents_with_macros.xml b/11_file_create/include_ms_office_documents_with_macros.xml
index 93b0fe3c..d1ee3d88 100644
--- a/11_file_create/include_ms_office_documents_with_macros.xml
+++ b/11_file_create/include_ms_office_documents_with_macros.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_outlook_attachments.xml b/11_file_create/include_outlook_attachments.xml
index 71d88272..e25f665f 100644
--- a/11_file_create/include_outlook_attachments.xml
+++ b/11_file_create/include_outlook_attachments.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_powershell_changes.xml b/11_file_create/include_powershell_changes.xml
index 6f6f61bb..065b59d5 100644
--- a/11_file_create/include_powershell_changes.xml
+++ b/11_file_create/include_powershell_changes.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_powershell_scripts.xml b/11_file_create/include_powershell_scripts.xml
index 1c62c634..06f3508e 100644
--- a/11_file_create/include_powershell_scripts.xml
+++ b/11_file_create/include_powershell_scripts.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_scheduled_task_changes.xml b/11_file_create/include_scheduled_task_changes.xml
index a8fd39f2..ad365b06 100644
--- a/11_file_create/include_scheduled_task_changes.xml
+++ b/11_file_create/include_scheduled_task_changes.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_start_menu_items.xml b/11_file_create/include_start_menu_items.xml
index c93f5428..8a0056a0 100644
--- a/11_file_create/include_start_menu_items.xml
+++ b/11_file_create/include_start_menu_items.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_startup_items.xml b/11_file_create/include_startup_items.xml
index 92ec0763..38ab26b7 100644
--- a/11_file_create/include_startup_items.xml
+++ b/11_file_create/include_startup_items.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_system_driver_files.xml b/11_file_create/include_system_driver_files.xml
index 1fbd0224..005dd863 100644
--- a/11_file_create/include_system_driver_files.xml
+++ b/11_file_create/include_system_driver_files.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_visual_basic_scripts.xml b/11_file_create/include_visual_basic_scripts.xml
index 83f8ab08..ddd855e2 100644
--- a/11_file_create/include_visual_basic_scripts.xml
+++ b/11_file_create/include_visual_basic_scripts.xml
@@ -1,6 +1,7 @@ * +
diff --git a/11_file_create/include_wmi_changes.xml b/11_file_create/include_wmi_changes.xml
index b7d2c437..6d8db4e3 100644
--- a/11_file_create/include_wmi_changes.xml
+++ b/11_file_create/include_wmi_changes.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/exclude_internet_explorer_settings.xml b/12_13_14_registry_event/exclude_internet_explorer_settings.xml
index ca77c4dc..46ac3faf 100644
--- a/12_13_14_registry_event/exclude_internet_explorer_settings.xml
+++ b/12_13_14_registry_event/exclude_internet_explorer_settings.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/exclude_webroot.xml b/12_13_14_registry_event/exclude_webroot.xml
index 22d49df3..2459199d 100644
--- a/12_13_14_registry_event/exclude_webroot.xml
+++ b/12_13_14_registry_event/exclude_webroot.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/exclude_widcomm_bt_driver.xml b/12_13_14_registry_event/exclude_widcomm_bt_driver.xml
index 01cc4887..dadcb1c6 100644
--- a/12_13_14_registry_event/exclude_widcomm_bt_driver.xml
+++ b/12_13_14_registry_event/exclude_widcomm_bt_driver.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/exclude_windows_bootup_control.xml b/12_13_14_registry_event/exclude_windows_bootup_control.xml
index 6e358fe6..7d0a4005 100644
--- a/12_13_14_registry_event/exclude_windows_bootup_control.xml
+++ b/12_13_14_registry_event/exclude_windows_bootup_control.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/exclude_windows_file_exts.xml b/12_13_14_registry_event/exclude_windows_file_exts.xml
index 18753e83..efbdf9ab 100644
--- a/12_13_14_registry_event/exclude_windows_file_exts.xml
+++ b/12_13_14_registry_event/exclude_windows_file_exts.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/exclude_windows_generic_binaries.xml b/12_13_14_registry_event/exclude_windows_generic_binaries.xml
index 912d8adb..32ca97b9 100644
--- a/12_13_14_registry_event/exclude_windows_generic_binaries.xml
+++ b/12_13_14_registry_event/exclude_windows_generic_binaries.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/exclude_windows_misc.xml b/12_13_14_registry_event/exclude_windows_misc.xml
index 033569e7..0f16925c 100644
--- a/12_13_14_registry_event/exclude_windows_misc.xml
+++ b/12_13_14_registry_event/exclude_windows_misc.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/exclude_windows_service_autostart.xml b/12_13_14_registry_event/exclude_windows_service_autostart.xml
index b13f8e08..afef5309 100644
--- a/12_13_14_registry_event/exclude_windows_service_autostart.xml
+++ b/12_13_14_registry_event/exclude_windows_service_autostart.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_accessibility_features.xml b/12_13_14_registry_event/include_accessibility_features.xml
index 3fa59c8b..706e1ea0 100644
--- a/12_13_14_registry_event/include_accessibility_features.xml
+++ b/12_13_14_registry_event/include_accessibility_features.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/12_13_14_registry_event/include_appc_shim.xml b/12_13_14_registry_event/include_appc_shim.xml
index 7fd07047..46f14b07 100644
--- a/12_13_14_registry_event/include_appc_shim.xml
+++ b/12_13_14_registry_event/include_appc_shim.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/12_13_14_registry_event/include_authentication_package.xml b/12_13_14_registry_event/include_authentication_package.xml
index 2a217b2d..ab03a2bf 100644
--- a/12_13_14_registry_event/include_authentication_package.xml
+++ b/12_13_14_registry_event/include_authentication_package.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/12_13_14_registry_event/include_autoruns_and_startup_keys.xml b/12_13_14_registry_event/include_autoruns_and_startup_keys.xml
index d595cbe1..dc09a8b4 100644
--- a/12_13_14_registry_event/include_autoruns_and_startup_keys.xml
+++ b/12_13_14_registry_event/include_autoruns_and_startup_keys.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_bypass_uac.xml b/12_13_14_registry_event/include_bypass_uac.xml
index 35418b62..d10c0b19 100644
--- a/12_13_14_registry_event/include_bypass_uac.xml
+++ b/12_13_14_registry_event/include_bypass_uac.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/12_13_14_registry_event/include_com_hijack.xml b/12_13_14_registry_event/include_com_hijack.xml
index 4bc11ab9..7062d3b6 100644
--- a/12_13_14_registry_event/include_com_hijack.xml
+++ b/12_13_14_registry_event/include_com_hijack.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_disable_password_change.xml b/12_13_14_registry_event/include_disable_password_change.xml
index 67caf7a9..66e806dc 100644
--- a/12_13_14_registry_event/include_disable_password_change.xml
+++ b/12_13_14_registry_event/include_disable_password_change.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/12_13_14_registry_event/include_dll_injection_at_process_launch.xml b/12_13_14_registry_event/include_dll_injection_at_process_launch.xml
index 417d2aca..9609c5b3 100644
--- a/12_13_14_registry_event/include_dll_injection_at_process_launch.xml
+++ b/12_13_14_registry_event/include_dll_injection_at_process_launch.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_dns_serverdll_injection.xml b/12_13_14_registry_event/include_dns_serverdll_injection.xml
index 191388c1..a50521b5 100644
--- a/12_13_14_registry_event/include_dns_serverdll_injection.xml
+++ b/12_13_14_registry_event/include_dns_serverdll_injection.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/12_13_14_registry_event/include_group_policy_integrity.xml b/12_13_14_registry_event/include_group_policy_integrity.xml
index d78366a4..bfc109b6 100644
--- a/12_13_14_registry_event/include_group_policy_integrity.xml
+++ b/12_13_14_registry_event/include_group_policy_integrity.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_internet_explorer_extentions_helpers_or_toolbars.xml b/12_13_14_registry_event/include_internet_explorer_extentions_helpers_or_toolbars.xml
index af5eabe2..2438d872 100644
--- a/12_13_14_registry_event/include_internet_explorer_extentions_helpers_or_toolbars.xml
+++ b/12_13_14_registry_event/include_internet_explorer_extentions_helpers_or_toolbars.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_local_port_monitor.xml b/12_13_14_registry_event/include_local_port_monitor.xml
index b5b6eba1..634fff34 100644
--- a/12_13_14_registry_event/include_local_port_monitor.xml
+++ b/12_13_14_registry_event/include_local_port_monitor.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/12_13_14_registry_event/include_netsh.xml b/12_13_14_registry_event/include_netsh.xml
index f70b452c..bfaf1d2e 100644
--- a/12_13_14_registry_event/include_netsh.xml
+++ b/12_13_14_registry_event/include_netsh.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_office_clickonce.xml b/12_13_14_registry_event/include_office_clickonce.xml
index cb39a6b7..1787fa48 100644
--- a/12_13_14_registry_event/include_office_clickonce.xml
+++ b/12_13_14_registry_event/include_office_clickonce.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_office_oulook_addins.xml b/12_13_14_registry_event/include_office_oulook_addins.xml
index cee7aa5c..0d46fc5d 100644
--- a/12_13_14_registry_event/include_office_oulook_addins.xml
+++ b/12_13_14_registry_event/include_office_oulook_addins.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_rdp_logon_execution.xml b/12_13_14_registry_event/include_rdp_logon_execution.xml
index 2eabce84..6dbcf9d4 100644
--- a/12_13_14_registry_event/include_rdp_logon_execution.xml
+++ b/12_13_14_registry_event/include_rdp_logon_execution.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/12_13_14_registry_event/include_remote_execution_services.xml b/12_13_14_registry_event/include_remote_execution_services.xml
index cb62a139..eca47954 100644
--- a/12_13_14_registry_event/include_remote_execution_services.xml
+++ b/12_13_14_registry_event/include_remote_execution_services.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/12_13_14_registry_event/include_security_support_provider.xml b/12_13_14_registry_event/include_security_support_provider.xml
index 57ab6623..69c12e23 100644
--- a/12_13_14_registry_event/include_security_support_provider.xml
+++ b/12_13_14_registry_event/include_security_support_provider.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_terminal_service_execution.xml b/12_13_14_registry_event/include_terminal_service_execution.xml
index 064347a1..1fe05578 100644
--- a/12_13_14_registry_event/include_terminal_service_execution.xml
+++ b/12_13_14_registry_event/include_terminal_service_execution.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windows_app_path_hijack.xml b/12_13_14_registry_event/include_windows_app_path_hijack.xml
index 14a7c15e..75772252 100644
--- a/12_13_14_registry_event/include_windows_app_path_hijack.xml
+++ b/12_13_14_registry_event/include_windows_app_path_hijack.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windows_com_objects.xml b/12_13_14_registry_event/include_windows_com_objects.xml
index 6200fabe..3e604993 100644
--- a/12_13_14_registry_event/include_windows_com_objects.xml
+++ b/12_13_14_registry_event/include_windows_com_objects.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windows_credential_providers.xml b/12_13_14_registry_event/include_windows_credential_providers.xml
index d553f9f3..0a1e3751 100644
--- a/12_13_14_registry_event/include_windows_credential_providers.xml
+++ b/12_13_14_registry_event/include_windows_credential_providers.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windows_defender_tampering.xml b/12_13_14_registry_event/include_windows_defender_tampering.xml
index 1ae578b1..a6cc4398 100644
--- a/12_13_14_registry_event/include_windows_defender_tampering.xml
+++ b/12_13_14_registry_event/include_windows_defender_tampering.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windows_firewall_tampering.xml b/12_13_14_registry_event/include_windows_firewall_tampering.xml
index 4f8bf15b..cd004822 100644
--- a/12_13_14_registry_event/include_windows_firewall_tampering.xml
+++ b/12_13_14_registry_event/include_windows_firewall_tampering.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windows_integrity_monitoring.xml b/12_13_14_registry_event/include_windows_integrity_monitoring.xml
index dc56802f..d874f2d0 100644
--- a/12_13_14_registry_event/include_windows_integrity_monitoring.xml
+++ b/12_13_14_registry_event/include_windows_integrity_monitoring.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windows_networking.xml b/12_13_14_registry_event/include_windows_networking.xml
index 2a174e86..42360bfc 100644
--- a/12_13_14_registry_event/include_windows_networking.xml
+++ b/12_13_14_registry_event/include_windows_networking.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windows_security_center_tampering.xml b/12_13_14_registry_event/include_windows_security_center_tampering.xml
index 7149820c..66982aa5 100644
--- a/12_13_14_registry_event/include_windows_security_center_tampering.xml
+++ b/12_13_14_registry_event/include_windows_security_center_tampering.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windows_shell_hijack.xml b/12_13_14_registry_event/include_windows_shell_hijack.xml
index f89055ea..0a47ad7b 100644
--- a/12_13_14_registry_event/include_windows_shell_hijack.xml
+++ b/12_13_14_registry_event/include_windows_shell_hijack.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windows_thumbnail_autostart.xml b/12_13_14_registry_event/include_windows_thumbnail_autostart.xml
index 46905c76..acda94a8 100644
--- a/12_13_14_registry_event/include_windows_thumbnail_autostart.xml
+++ b/12_13_14_registry_event/include_windows_thumbnail_autostart.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windows_uac_tampering.xml b/12_13_14_registry_event/include_windows_uac_tampering.xml
index f459c2dd..a537afff 100644
--- a/12_13_14_registry_event/include_windows_uac_tampering.xml
+++ b/12_13_14_registry_event/include_windows_uac_tampering.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_windowsupdate_autostart.xml b/12_13_14_registry_event/include_windowsupdate_autostart.xml
index 998723af..4dd2340a 100644
--- a/12_13_14_registry_event/include_windowsupdate_autostart.xml
+++ b/12_13_14_registry_event/include_windowsupdate_autostart.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/12_13_14_registry_event/include_winsock.xml b/12_13_14_registry_event/include_winsock.xml
index 69c1cbc1..377e01ec 100644
--- a/12_13_14_registry_event/include_winsock.xml
+++ b/12_13_14_registry_event/include_winsock.xml
@@ -1,6 +1,7 @@ * +
diff --git a/12_13_14_registry_event/include_wmi_implant.xml b/12_13_14_registry_event/include_wmi_implant.xml
index 7e1406a7..1f26ac16 100644
--- a/12_13_14_registry_event/include_wmi_implant.xml
+++ b/12_13_14_registry_event/include_wmi_implant.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/15_file_create_stream_hash/include_7zip_extractions.xml b/15_file_create_stream_hash/include_7zip_extractions.xml
index cc7091bd..c86a89bd 100644
--- a/15_file_create_stream_hash/include_7zip_extractions.xml
+++ b/15_file_create_stream_hash/include_7zip_extractions.xml
@@ -1,6 +1,7 @@ * +
diff --git a/15_file_create_stream_hash/include_batch_scripts.xml b/15_file_create_stream_hash/include_batch_scripts.xml
index 0bf18496..42167d26 100644
--- a/15_file_create_stream_hash/include_batch_scripts.xml
+++ b/15_file_create_stream_hash/include_batch_scripts.xml
@@ -1,6 +1,7 @@ * +
diff --git a/15_file_create_stream_hash/include_downloads.xml b/15_file_create_stream_hash/include_downloads.xml
index ca361919..4b35e8c1 100644
--- a/15_file_create_stream_hash/include_downloads.xml
+++ b/15_file_create_stream_hash/include_downloads.xml
@@ -1,6 +1,7 @@ * +
diff --git a/15_file_create_stream_hash/include_general_commment.xml b/15_file_create_stream_hash/include_general_commment.xml
index b1f64ef8..f5409040 100644
--- a/15_file_create_stream_hash/include_general_commment.xml
+++ b/15_file_create_stream_hash/include_general_commment.xml
@@ -1,6 +1,7 @@ * +
diff --git a/15_file_create_stream_hash/include_hta_scripts.xml b/15_file_create_stream_hash/include_hta_scripts.xml
index 13bf601b..07fcbe38 100644
--- a/15_file_create_stream_hash/include_hta_scripts.xml
+++ b/15_file_create_stream_hash/include_hta_scripts.xml
@@ -1,6 +1,7 @@ * +
diff --git a/15_file_create_stream_hash/include_lnk_shortcuts.xml b/15_file_create_stream_hash/include_lnk_shortcuts.xml
index 1d89517a..93922daf 100644
--- a/15_file_create_stream_hash/include_lnk_shortcuts.xml
+++ b/15_file_create_stream_hash/include_lnk_shortcuts.xml
@@ -1,6 +1,7 @@ * +
diff --git a/15_file_create_stream_hash/include_outlook_attachments.xml b/15_file_create_stream_hash/include_outlook_attachments.xml
index 1fc92533..acfc5f6a 100644
--- a/15_file_create_stream_hash/include_outlook_attachments.xml
+++ b/15_file_create_stream_hash/include_outlook_attachments.xml
@@ -1,6 +1,7 @@ * +
diff --git a/15_file_create_stream_hash/include_powershell_scripts.xml b/15_file_create_stream_hash/include_powershell_scripts.xml
index a4ebac63..65f0018a 100644
--- a/15_file_create_stream_hash/include_powershell_scripts.xml
+++ b/15_file_create_stream_hash/include_powershell_scripts.xml
@@ -1,6 +1,7 @@ * +
diff --git a/15_file_create_stream_hash/include_registry_file.xml b/15_file_create_stream_hash/include_registry_file.xml
index a143971a..7c5c8bf5 100644
--- a/15_file_create_stream_hash/include_registry_file.xml
+++ b/15_file_create_stream_hash/include_registry_file.xml
@@ -1,6 +1,7 @@ * +
diff --git a/15_file_create_stream_hash/include_visual_basic_scripts.xml b/15_file_create_stream_hash/include_visual_basic_scripts.xml
index 46847647..689746dd 100644
--- a/15_file_create_stream_hash/include_visual_basic_scripts.xml
+++ b/15_file_create_stream_hash/include_visual_basic_scripts.xml
@@ -1,6 +1,7 @@ * +
diff --git a/17_18_pipe_event/include_general_commment.xml b/17_18_pipe_event/include_general_commment.xml
index d232b159..1545d8d3 100644
--- a/17_18_pipe_event/include_general_commment.xml
+++ b/17_18_pipe_event/include_general_commment.xml
@@ -1,6 +1,7 @@ * +
diff --git a/19_20_21_wmi_event/include_wmi_create.xml b/19_20_21_wmi_event/include_wmi_create.xml
index 6f5269c4..b3629b72 100644
--- a/19_20_21_wmi_event/include_wmi_create.xml
+++ b/19_20_21_wmi_event/include_wmi_create.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/1_process_creation/exclude_adobe_acrobat.xml b/1_process_creation/exclude_adobe_acrobat.xml
index 26642839..738716d1 100644
--- a/1_process_creation/exclude_adobe_acrobat.xml
+++ b/1_process_creation/exclude_adobe_acrobat.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_adobe_creative_cloud.xml b/1_process_creation/exclude_adobe_creative_cloud.xml
index 38f22c3d..a3bb21cb 100644
--- a/1_process_creation/exclude_adobe_creative_cloud.xml
+++ b/1_process_creation/exclude_adobe_creative_cloud.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_adobe_flash.xml b/1_process_creation/exclude_adobe_flash.xml
index ba89b317..3959edfb 100644
--- a/1_process_creation/exclude_adobe_flash.xml
+++ b/1_process_creation/exclude_adobe_flash.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_adobe_supporting_processes.xml b/1_process_creation/exclude_adobe_supporting_processes.xml
index 11f0fe23..24df5237 100644
--- a/1_process_creation/exclude_adobe_supporting_processes.xml
+++ b/1_process_creation/exclude_adobe_supporting_processes.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_cisco_anyconnect.xml b/1_process_creation/exclude_cisco_anyconnect.xml
new file mode 100644
index 00000000..ff861ade
--- /dev/null
+++ b/1_process_creation/exclude_cisco_anyconnect.xml
@@ -0,0 +1,37 @@ + + + * + + + + + C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/1_process_creation/exclude_dotnet-3-or-4.xml b/1_process_creation/exclude_dotnet-3-or-4.xml
index 78fbf9f8..a233804e 100644
--- a/1_process_creation/exclude_dotnet-3-or-4.xml
+++ b/1_process_creation/exclude_dotnet-3-or-4.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_drivers.xml b/1_process_creation/exclude_drivers.xml
index 34513442..91d9562b 100644
--- a/1_process_creation/exclude_drivers.xml
+++ b/1_process_creation/exclude_drivers.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_dropbox.xml b/1_process_creation/exclude_dropbox.xml
index a5bf9a82..b58cf468 100644
--- a/1_process_creation/exclude_dropbox.xml
+++ b/1_process_creation/exclude_dropbox.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_google_chrome.xml b/1_process_creation/exclude_google_chrome.xml
index 2eb70335..8389b67c 100644
--- a/1_process_creation/exclude_google_chrome.xml
+++ b/1_process_creation/exclude_google_chrome.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_microsoft_office_click2run.xml b/1_process_creation/exclude_microsoft_office_click2run.xml
index 751885b1..f50e3579 100644
--- a/1_process_creation/exclude_microsoft_office_click2run.xml
+++ b/1_process_creation/exclude_microsoft_office_click2run.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_microsoft_office_services.xml b/1_process_creation/exclude_microsoft_office_services.xml
index f87b57ec..33a07053 100644
--- a/1_process_creation/exclude_microsoft_office_services.xml
+++ b/1_process_creation/exclude_microsoft_office_services.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_mozilla_firefox.xml b/1_process_creation/exclude_mozilla_firefox.xml
index 53ae7554..edb8735f 100644
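Review bot: The new rule in exclude_cisco_anyconnect.xml appears to match on the fixed image path `C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe` alone (the XML tags did not survive rendering, so the exact field and condition cannot be confirmed from this view), which drops process-creation logging for anything started from that path regardless of which binary sits there or what launched it. A path-only exclude is the usual way visibility is lost in a Sysmon process-creation config; if the noise comes from a specific parent or command line, narrowing the rule to that field would keep the blind spot small. An XML comment above the rule, e.g. `<!-- vpnagent.exe: <reason this is excluded> -->`, would also let later reviewers judge whether the exclusion is still justified.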
--- a/1_process_creation/exclude_mozilla_firefox.xml
+++ b/1_process_creation/exclude_mozilla_firefox.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_splunk.xml b/1_process_creation/exclude_splunk.xml
index d344fa68..553f9674 100644
--- a/1_process_creation/exclude_splunk.xml
+++ b/1_process_creation/exclude_splunk.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_splunk_universal_forwarder.xml b/1_process_creation/exclude_splunk_universal_forwarder.xml
index 7f159778..f7162e53 100644
--- a/1_process_creation/exclude_splunk_universal_forwarder.xml
+++ b/1_process_creation/exclude_splunk_universal_forwarder.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/exclude_svchost.xml b/1_process_creation/exclude_svchost.xml
index 3cbdf539..726f815d 100644
--- a/1_process_creation/exclude_svchost.xml
+++ b/1_process_creation/exclude_svchost.xml
@@ -1,29 +1,76 @@ * + - C:\Windows\System32\svchost.exe -k appmodel - C:\Windows\System32\svchost.exe -k dcomLaunch - C:\Windows\System32\svchost.exe -k defragsvc - C:\Windows\System32\svchost.exe -k imgsvc - C:\Windows\System32\svchost.exe -k localServiceAndNoImpersonation - C:\Windows\System32\svchost.exe -k localServiceNetworkRestricted - C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted - C:\Windows\System32\svchost.exe -k netsvcs - C:\Windows\System32\svchost.exe -k networkServiceNetworkRestricted - C:\Windows\System32\svchost.exe -k rPCSS - C:\Windows\System32\svchost.exe -k swprv - C:\Windows\System32\svchost.exe -k unistackSvcGroup - C:\Windows\System32\svchost.exe -k utcsvc - C:\Windows\System32\svchost.exe -k wbioSvcGroup - C:\Windows\System32\svchost.exe -k wsappx - C:\Windows\system32\svchost.exe -k networkService - C:\windows\System32\svchost.exe -k werSvcGroup - C:\Windows\System32\svchost.exe -k netsvcs - C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted + C:\Windows\system32\svchost.exe -k appmodel -s StateRepository + C:\Windows\system32\svchost.exe -k appmodel + C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc + C:\Windows\system32\svchost.exe -k camera -s FrameServer + C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM + C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay + C:\Windows\system32\svchost.exe -k defragsvc + C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc + C:\Windows\system32\svchost.exe -k imgsvc + C:\Windows\system32\svchost.exe -k localService -s EventSystem + C:\Windows\system32\svchost.exe -k localService -s bthserv + C:\Windows\system32\svchost.exe -k localService -s nsi + C:\Windows\system32\svchost.exe -k localService -s w32Time + C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation + C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp + C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog + 
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc + C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc + C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted + C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc + C:\Windows\system32\svchost.exe -k localServiceNoNetwork + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost + C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted + C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc + C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc + C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC + C:\Windows\system32\svchost.exe -k netsvcs -s BITS + C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc + C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc + C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc + C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc + C:\Windows\system32\svchost.exe -k netsvcs -s SENS + C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv + C:\Windows\system32\svchost.exe -k netsvcs -s Themes + C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt + C:\Windows\system32\svchost.exe -k netsvcs + 
C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc + C:\Windows\system32\svchost.exe -k networkService -s Dnscache + C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation + C:\Windows\system32\svchost.exe -k networkService -s NlaSvc + C:\Windows\system32\svchost.exe -k networkService -s TermService + C:\Windows\system32\svchost.exe -k networkService + C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted + C:\Windows\system32\svchost.exe -k rPCSS + C:\Windows\system32\svchost.exe -k secsvcs + C:\Windows\system32\svchost.exe -k swprv + C:\Windows\system32\svchost.exe -k unistackSvcGroup + C:\Windows\system32\svchost.exe -k utcsvc + C:\Windows\system32\svchost.exe -k wbioSvcGroup + C:\Windows\system32\svchost.exe -k werSvcGroup + C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC + C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc + C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC + C:\Windows\system32\svchost.exe -k wsappx + C:\Windows\system32\svchost.exe -k netsvcs + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
@@ -34,7 +81,7 @@ - +
@@ -52,4 +99,4 @@ -
\ No newline at end of file +
diff --git a/1_process_creation/exclude_windows_defender.xml b/1_process_creation/exclude_windows_defender.xml
index 03ab974e..d52b8fb9 100644
--- a/1_process_creation/exclude_windows_defender.xml
+++ b/1_process_creation/exclude_windows_defender.xml
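Review bot: The last two entries of the rewritten svchost exclusion list, `C:\Windows\system32\svchost.exe -k netsvcs` and `C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted`, repeat entries already added earlier in the same hunk (the old list carried the same `-k netsvcs` duplicate); since they match the same string under the same condition they add nothing and should be dropped. The element and condition attributes are stripped in this rendering, but the `-k`/`-s` arguments show these are command-line matches, and a process-creation exclusion keyed on command line alone does not assert which image actually ran; the module header should state that these entries are trusted on the assumption that the svchost.exe image path is also checked, and, if the schema in use supports combined rule groups, pair them with an Image condition. The enclosing rule group runs past this hunk; the two following hunks (`@@ -34,7 +81,7 @@`, `@@ -52,4 +99,4 @@`) only touch lines with no rendered text.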
@@ -1,25 +1,13 @@ * + - - C:\Windows\system32\DllHost.exe /Processid - C:\Windows\system32\SearchIndexer.exe /Embedding - C:\Windows\System32\CompatTelRunner.exe - C:\Windows\System32\MusNotification.exe - C:\Windows\System32\MusNotificationUx.exe - C:\Windows\System32\audiodg.exe - C:\Windows\System32\conhost.exe - C:\Windows\System32\powercfg.exe - C:\Windows\System32\wbem\WmiApSrv.exe - C:\Windows\System32\wermgr.exe - C:\Windows\SysWOW64\wermgr.exe - C:\Windows\system32\sppsvc.exe - AppContainer - %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows - C:\Windows\system32\SearchIndexer.exe + C:\Program Files\Windows Defender + C:\Windows\system32\MpSigStub.exe + C:\Windows\SoftwareDistribution\Download\Install\AM_
@@ -30,7 +18,7 @@ - +
@@ -48,4 +36,4 @@ -
\ No newline at end of file +
diff --git a/1_process_creation/exclude_windows_generic_processes.xml b/1_process_creation/exclude_windows_generic_processes.xml
index c6ad8c97..724ef3e6 100644
--- a/1_process_creation/exclude_windows_generic_processes.xml
+++ b/1_process_creation/exclude_windows_generic_processes.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/include_accessibility_features.xml b/1_process_creation/include_accessibility_features.xml
index 3798421b..39e61cb2 100644
--- a/1_process_creation/include_accessibility_features.xml
+++ b/1_process_creation/include_accessibility_features.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/1_process_creation/include_appc_shim.xml b/1_process_creation/include_appc_shim.xml
index 4d82fec9..1c7fc5ed 100644
--- a/1_process_creation/include_appc_shim.xml
+++ b/1_process_creation/include_appc_shim.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/1_process_creation/include_bitsadmin.xml b/1_process_creation/include_bitsadmin.xml
index 84f5f8af..400e75c8 100644
--- a/1_process_creation/include_bitsadmin.xml
+++ b/1_process_creation/include_bitsadmin.xml
@@ -1,6 +1,7 @@ * +
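Review bot: The new exclusions `C:\Program Files\Windows Defender` and `C:\Windows\SoftwareDistribution\Download\Install\AM_` in exclude_windows_defender.xml are path prefixes rather than full image paths; the condition attribute is not rendered here, but if they are `begin with` matches they suppress process-creation events for anything launched from under those prefixes, not only the Defender engine and its definition-update stubs, so the header comment should name the specific binaries they are meant to cover and justify using a prefix. Separately, the fifteen removed entries (DllHost.exe /Processid, SearchIndexer.exe, CompatTelRunner.exe, conhost.exe, wermgr.exe and the rest) were unrelated to Defender, and this patch only adds the header line to exclude_windows_generic_processes.xml, so unless those entries already exist there the change re-enables process-creation logging for those binaries; that may well be intended, but it should be confirmed and stated in the commit message. The rule group continues past this hunk; the two following hunks touch only lines with no rendered text.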
diff --git a/1_process_creation/include_bypass_uac.xml b/1_process_creation/include_bypass_uac.xml
index f07cb006..34dc584c 100644
--- a/1_process_creation/include_bypass_uac.xml
+++ b/1_process_creation/include_bypass_uac.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/1_process_creation/include_installutil.xml b/1_process_creation/include_installutil.xml
index 1f2fcecc..7e62ef5a 100644
--- a/1_process_creation/include_installutil.xml
+++ b/1_process_creation/include_installutil.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/1_process_creation/include_living_of_the_land.xml b/1_process_creation/include_living_of_the_land.xml
index e408ea41..d091511c 100644
--- a/1_process_creation/include_living_of_the_land.xml
+++ b/1_process_creation/include_living_of_the_land.xml
@@ -1,6 +1,7 @@ * +
diff --git a/1_process_creation/include_msbuild.xml b/1_process_creation/include_msbuild.xml
index 583ee0c2..348d30d4 100644
--- a/1_process_creation/include_msbuild.xml
+++ b/1_process_creation/include_msbuild.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/1_process_creation/include_regsvcs_regasm.xml b/1_process_creation/include_regsvcs_regasm.xml
index 4226effc..214a8df1 100644
--- a/1_process_creation/include_regsvcs_regasm.xml
+++ b/1_process_creation/include_regsvcs_regasm.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/1_process_creation/include_windows_remote_management.xml b/1_process_creation/include_windows_remote_management.xml
index 9bd7834c..851fbc54 100644
--- a/1_process_creation/include_windows_remote_management.xml
+++ b/1_process_creation/include_windows_remote_management.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/2_file_create_time/exclude_onedrive.xml b/2_file_create_time/exclude_onedrive.xml
index 0c01b66e..2a887f29 100644
--- a/2_file_create_time/exclude_onedrive.xml
+++ b/2_file_create_time/exclude_onedrive.xml
@@ -1,6 +1,7 @@ * +
diff --git a/2_file_create_time/exclude_setups.xml b/2_file_create_time/exclude_setups.xml
index 16dd58bd..44486c4b 100644
--- a/2_file_create_time/exclude_setups.xml
+++ b/2_file_create_time/exclude_setups.xml
@@ -1,6 +1,7 @@ * +
diff --git a/2_file_create_time/include_temp_folder.xml b/2_file_create_time/include_temp_folder.xml
index e686d8c4..75815792 100644
--- a/2_file_create_time/include_temp_folder.xml
+++ b/2_file_create_time/include_temp_folder.xml
@@ -1,6 +1,7 @@ * +
diff --git a/2_file_create_time/include_users_folder.xml b/2_file_create_time/include_users_folder.xml
index 6bcd5ff3..afa25f6f 100644
--- a/2_file_create_time/include_users_folder.xml
+++ b/2_file_create_time/include_users_folder.xml
@@ -1,6 +1,7 @@ * +
diff --git a/3_network_connection_initiated/exclude_dropbox.xml b/3_network_connection_initiated/exclude_dropbox.xml
index 997f1f39..60c4b5db 100644
--- a/3_network_connection_initiated/exclude_dropbox.xml
+++ b/3_network_connection_initiated/exclude_dropbox.xml
@@ -1,6 +1,7 @@ * +
diff --git a/3_network_connection_initiated/exclude_microsoft_onedrive.xml b/3_network_connection_initiated/exclude_microsoft_onedrive.xml
index 96e7a076..520300da 100644
--- a/3_network_connection_initiated/exclude_microsoft_onedrive.xml
+++ b/3_network_connection_initiated/exclude_microsoft_onedrive.xml
@@ -1,6 +1,7 @@ * +
diff --git a/3_network_connection_initiated/exclude_spotify.xml b/3_network_connection_initiated/exclude_spotify.xml
index 4ed78646..37f50e5b 100644
--- a/3_network_connection_initiated/exclude_spotify.xml
+++ b/3_network_connection_initiated/exclude_spotify.xml
@@ -1,6 +1,7 @@ * +
diff --git a/3_network_connection_initiated/exclude_windows_update.xml b/3_network_connection_initiated/exclude_windows_update.xml
index e44db52c..9283ac8b 100644
--- a/3_network_connection_initiated/exclude_windows_update.xml
+++ b/3_network_connection_initiated/exclude_windows_update.xml
@@ -1,6 +1,7 @@ * +
diff --git a/3_network_connection_initiated/include_3rd_party_remote_management.xml b/3_network_connection_initiated/include_3rd_party_remote_management.xml
index 133259f0..57bfc170 100644
--- a/3_network_connection_initiated/include_3rd_party_remote_management.xml
+++ b/3_network_connection_initiated/include_3rd_party_remote_management.xml
@@ -1,6 +1,7 @@ * +
diff --git a/3_network_connection_initiated/include_hp_critical_services.xml b/3_network_connection_initiated/include_hp_critical_services.xml
index cb21ab3b..866f52c5 100644
--- a/3_network_connection_initiated/include_hp_critical_services.xml
+++ b/3_network_connection_initiated/include_hp_critical_services.xml
@@ -1,6 +1,7 @@ * +
diff --git a/3_network_connection_initiated/include_native_windows_tools.xml b/3_network_connection_initiated/include_native_windows_tools.xml
index cf10756a..366a63ab 100644
--- a/3_network_connection_initiated/include_native_windows_tools.xml
+++ b/3_network_connection_initiated/include_native_windows_tools.xml
@@ -1,6 +1,7 @@ * +
diff --git a/3_network_connection_initiated/include_ports_proxies.xml b/3_network_connection_initiated/include_ports_proxies.xml
index 43643303..9b623939 100644
--- a/3_network_connection_initiated/include_ports_proxies.xml
+++ b/3_network_connection_initiated/include_ports_proxies.xml
@@ -1,6 +1,7 @@ * +
diff --git a/3_network_connection_initiated/include_ports_suspicous.xml b/3_network_connection_initiated/include_ports_suspicous.xml
index 283f38ac..7f6d7b8b 100644
--- a/3_network_connection_initiated/include_ports_suspicous.xml
+++ b/3_network_connection_initiated/include_ports_suspicous.xml
@@ -1,6 +1,7 @@ * +
diff --git a/3_network_connection_initiated/include_suspicious_sources.xml b/3_network_connection_initiated/include_suspicious_sources.xml
index 0ffb6237..de173f39 100644
--- a/3_network_connection_initiated/include_suspicious_sources.xml
+++ b/3_network_connection_initiated/include_suspicious_sources.xml
@@ -1,6 +1,7 @@ * +
diff --git a/3_network_connection_initiated/include_tor.xml b/3_network_connection_initiated/include_tor.xml
index 40a1b4fd..e4984502 100644
--- a/3_network_connection_initiated/include_tor.xml
+++ b/3_network_connection_initiated/include_tor.xml
@@ -1,6 +1,7 @@ * +
diff --git a/5_process_ended/include_users_and_temp_folders.xml b/5_process_ended/include_users_and_temp_folders.xml
index d78fd7b5..136892a3 100644
--- a/5_process_ended/include_users_and_temp_folders.xml
+++ b/5_process_ended/include_users_and_temp_folders.xml
@@ -1,6 +1,7 @@ * +
diff --git a/6_driver_loaded_into_kernel/exclude_intel_drivers.xml b/6_driver_loaded_into_kernel/exclude_intel_drivers.xml
index 1f777993..dc444626 100644
--- a/6_driver_loaded_into_kernel/exclude_intel_drivers.xml
+++ b/6_driver_loaded_into_kernel/exclude_intel_drivers.xml
@@ -1,6 +1,7 @@ * +
diff --git a/6_driver_loaded_into_kernel/exclude_microsoft_drivers.xml b/6_driver_loaded_into_kernel/exclude_microsoft_drivers.xml
index e9dff940..3063498d 100644
--- a/6_driver_loaded_into_kernel/exclude_microsoft_drivers.xml
+++ b/6_driver_loaded_into_kernel/exclude_microsoft_drivers.xml
@@ -1,6 +1,7 @@ * +
diff --git a/7_image_load/include_general_warning.xml b/7_image_load/include_general_warning.xml
index e28d10db..af67921d 100644
--- a/7_image_load/include_general_warning.xml
+++ b/7_image_load/include_general_warning.xml
@@ -1,6 +1,7 @@ * +
diff --git a/7_image_load/include_mimikatz_inmem.xml b/7_image_load/include_mimikatz_inmem.xml
index 494d338c..8461219f 100644
--- a/7_image_load/include_mimikatz_inmem.xml
+++ b/7_image_load/include_mimikatz_inmem.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/8_create_remote_thread/exclude_generic_windows_processes.xml b/8_create_remote_thread/exclude_generic_windows_processes.xml
index f41bece4..7735f2c1 100644
--- a/8_create_remote_thread/exclude_generic_windows_processes.xml
+++ b/8_create_remote_thread/exclude_generic_windows_processes.xml
@@ -1,6 +1,7 @@ * +
diff --git a/8_create_remote_thread/exclude_google_chrome.xml b/8_create_remote_thread/exclude_google_chrome.xml
index ab4cd1cc..db8a5085 100644
--- a/8_create_remote_thread/exclude_google_chrome.xml
+++ b/8_create_remote_thread/exclude_google_chrome.xml
@@ -1,6 +1,7 @@ * +
diff --git a/8_create_remote_thread/exclude_wmi.xml b/8_create_remote_thread/exclude_wmi.xml
index 80f7d3b0..ca885fc7 100644
--- a/8_create_remote_thread/exclude_wmi.xml
+++ b/8_create_remote_thread/exclude_wmi.xml
@@ -1,6 +1,7 @@ * +
diff --git a/8_create_remote_thread/include_dll_injection.xml b/8_create_remote_thread/include_dll_injection.xml
index 3ce678a9..580dac79 100644
--- a/8_create_remote_thread/include_dll_injection.xml
+++ b/8_create_remote_thread/include_dll_injection.xml
@@ -1,6 +1,7 @@ - * + * +
diff --git a/8_create_remote_thread/include_general_commment.xml b/8_create_remote_thread/include_general_commment.xml
index 8e7ae372..8e68f4fe 100644
--- a/8_create_remote_thread/include_general_commment.xml
+++ b/8_create_remote_thread/include_general_commment.xml
@@ -1,6 +1,7 @@ * +
diff --git a/9_raw_access_read/include_general_commment.xml b/9_raw_access_read/include_general_commment.xml
index 81ab4414..d9f893ff 100644
--- a/9_raw_access_read/include_general_commment.xml
+++ b/9_raw_access_read/include_general_commment.xml
@@ -1,6 +1,7 @@ * +
diff --git a/baseconfig.xml b/baseconfig.xml
index ba0e43bd..93d03f46 100644
--- a/baseconfig.xml
+++ b/baseconfig.xml
@@ -1,6 +1,7 @@ * +