headless_bee

tccontre · tccontre · commit 7ce610f1a4cf · 2025-02-13T11:46:44.000+01:00
diff --git a/detections/endpoint/windows_anonymous_pipe_activity.yml b/detections/endpoint/windows_anonymous_pipe_activity.yml
@@ -43,6 +43,9 @@ rba:
     score: 30
   - field: user
     type: user
+  threat_objects:
+  - field: process_name
+    type: process_name
 tags:
   analytic_story:
   - SnappyBee
diff --git a/detections/endpoint/windows_create_test_registry.yml b/detections/endpoint/windows_create_test_registry.yml
@@ -45,6 +45,7 @@ rba:
   - field: user
     type: user
     score: 60
+    threat_objects: []
 tags:
   analytic_story:
   - SnappyBee
diff --git a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
@@ -51,6 +51,11 @@ rba:
   - field: user
     type: user
     score: 50
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+  - field: process_name
+    type: process_name
 tags:
   analytic_story:
   - SnappyBee
diff --git a/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml b/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml
@@ -48,9 +48,9 @@ rba:
   - field: dest
     type: system
     score: 40
+  threat_objects:
   - field: process_path
     type: process_name
-    score: 40
 tags:
   analytic_story:
   - Nexus APT Threat Activity
