Is there any reason for the "[[T1055] Process Injection]" and "[[T1055] Process Injection - CobaltStrike]" saved searches to not have the "| process_create_whitelist" in them and abide by the whitelist?
Those particular saved searches are derived from EventCode 8 (create remote thread) and not EventCode 1 (process create).
It does seem conspicuous that no whitelist strategy is applied. I imagine the more applicable whitelist to apply would be "remote_thread_whitelist" rather than "process_create_whitelist".
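The distinction made in the reply above, as an added example that is not part of the issue or the project's own code: Sysmon EventCode 1 and EventCode 8 records carry different fields, so a whitelist written for process-create events cannot suppress anything in a search built on create-remote-thread events. The whitelist rules and the sample events are constructed; only the Sysmon field names are real.

```python
# Constructed whitelist rules, loosely modelled on the two macros named in the
# issue. Each rule is a set of field/value pairs that must all match.
PROCESS_CREATE_WHITELIST = [   # fields of Sysmon EventCode 1 (process create)
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]
REMOTE_THREAD_WHITELIST = [    # fields of Sysmon EventCode 8 (CreateRemoteThread)
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe"},
]
# Which whitelist a search built on a given EventCode should be piped through.
WHITELIST_FOR_EVENTCODE = {1: PROCESS_CREATE_WHITELIST, 8: REMOTE_THREAD_WHITELIST}

# Constructed Sysmon records, reduced to the fields the rules inspect.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventCode": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventCode": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe"},
    {"EventCode": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]


def rule_matches(event, rule):
    """A rule matches only when every field it names is present and equal.
    An empty rule never matches, so a malformed entry cannot blank the search."""
    return bool(rule) and all(event.get(f) == v for f, v in rule.items())


def apply_whitelist(events, event_code, whitelist):
    """Keep events of `event_code` that no whitelist rule suppresses."""
    return [e for e in events
            if e["EventCode"] == event_code
            and not any(rule_matches(e, r) for r in whitelist)]


def process_injection_search(events):
    """Equivalent of a T1055 search over EventCode 8, piped through the
    whitelist that actually fits that event type."""
    return apply_whitelist(events, 8, WHITELIST_FOR_EVENTCODE[8])


if __name__ == "__main__":
    # Piping EventCode 8 through the process-create whitelist suppresses nothing:
    # its rules name Image/ParentImage, which CreateRemoteThread events lack.
    print(len(apply_whitelist(SAMPLE_EVENTS, 8, PROCESS_CREATE_WHITELIST)))  # 2
    print(len(process_injection_search(SAMPLE_EVENTS)))                      # 1
```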