Merge PR #4681 from @nasbench - Add Missing Ref & Tags

fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
fix: Metasploit SMB Authentication - Remove unnecessary field
fix: Service Installation in Suspicious Folder - Update FP filter
update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
remove: SAM Dump to AppData
update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
update: New or Renamed User Account with '$' Character - Reduced level to "medium"
update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData", as these are very common and will generate a high FP rate. Instead switched the paths to a more robust list and extended the list of extensions covered. Also reduced the level to "medium"
update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
update: Prefetch File Deleted - Update selection to remove 'C:' prefix
update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
update: Shell Process Spawned by Java.EXE - Add "bash.exe"
update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as it doesn't fit the logic
update: Sysmon Application Crashed - Add 32bit version of sysmon binary
update: Tap Driver Installation - Security - Reduce level to "low"
update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Nasreddine Bencherchali
2024-01-29 13:37:20 +01:00
committed by GitHub
parent 7f582c3d16
commit be359ef3f2
114 changed files with 482 additions and 342 deletions
@@ -26,8 +26,6 @@ bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.2
c187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\netsh\.exe
69aeb277-f15f-4d2d-b32a-55e883609563;Disabling Windows Event Auditing;Computer: .*
ac175779-025a-4f12-98b0-acdaeb77ea85;PowerShell Script Run in AppData;\\Evernote-
cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Attribute 'SamAccountName';HomeGroupUser\$
7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);Computer: Agamemnon
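Review bot: the two removed entries for cfeed607 and 7b449a5e (`HomeGroupUser\$`) are consistent with the `filter_main_homegroup` filters added to those two rules later in this commit, so the false-positive regression list no longer needs them. While this file is open, the context line `Deteled Rule in Windows Firewall with Advanced Security` carries a typo (Deleted); since the column mirrors the rule title, fix it in the rule first and then here, otherwise the regression test will stop matching.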
@@ -1,10 +1,10 @@
title: Dnscat Execution
id: a6d67db4-6220-436d-8afc-f3842fe05d43
status: test
status: deprecated # In favour of the more generic Susp and Malicious Cmdlet rules
description: Dnscat exfiltration tool execution
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2022/12/25
modified: 2024/01/25
tags:
- attack.exfiltration
- attack.t1048
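Review bot: the deprecation comment names the replacing rules only in prose (`Susp and Malicious Cmdlet rules`); add a `related` entry with the ids of those rules so the old id maps to its successors in a machine-readable way, as the new Kernel-General rule in this commit does with `type: obsoletes` for the SAM dump rule.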
@@ -1,10 +1,10 @@
title: SAM Dump to AppData
id: 839dd1e8-eda8-4834-8145-01beeee33acd
status: test
status: deprecated
description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
author: Florian Roth (Nextron Systems)
date: 2018/01/27
modified: 2023/04/30
modified: 2024/01/18
tags:
- attack.credential_access
- attack.t1003.002
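Review bot: the status change carries no explanation, unlike the Dnscat rule deprecated in the same commit; add a trailing comment such as `status: deprecated # Obsoleted by 39f919f3-980b-4e6f-a975-8af7e507ef2b` so a reader does not have to search the commit for the `related: obsoletes` entry on the new Critical Hive rule.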
@@ -12,18 +12,18 @@ tags:
- attack.command_and_control
- attack.g0020
- attack.t1041
- detection.emerging_threats
logsource:
category: firewall
detection:
select_outgoing:
dst_ip:
- '69.42.98.86'
- '89.185.234.145'
select_incoming:
src_ip:
- '69.42.98.86'
- '89.185.234.145'
condition: 1 of select*
selection:
- dst_ip:
- '69.42.98.86'
- '89.185.234.145'
- src_ip:
- '69.42.98.86'
- '89.185.234.145'
condition: selection
falsepositives:
- Unknown
level: high
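Review bot: collapsing `select_outgoing` and `select_incoming` into one list-of-maps `selection` keeps the OR semantics of the old `1 of select*`, so the detection logic is unchanged. With `detection.emerging_threats` now added, the rule is a `level: high` match on two hard-coded IP indicators; record the date and source of those IOCs in the description, since they go stale and a high-level rule on stale addresses is pure noise once the infrastructure is reassigned.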
@@ -6,6 +6,9 @@ references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: CISA
date: 2023/12/18
tags:
- attack.defense_evasion
- attack.t1574.002
logsource:
category: image_load
product: windows
@@ -2,6 +2,8 @@ title: Interactive Logon to Server Systems
id: 3ff152b2-1388-4984-9cd9-a323323fdadf
status: test
description: Detects interactive console logons to Server Systems
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017/03/17
modified: 2023/12/15
@@ -22,10 +24,10 @@ detection:
ComputerName|expand:
- '%ServerSystems%'
- '%DomainControllers%'
filter_main:
filter_main_advapi:
LogonProcessName: 'Advapi'
ComputerName|expand: '%Workstations%'
condition: selection and not filter_main
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrative activity via KVM or ILO board
level: medium
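Review bot: renaming `filter_main` to `filter_main_advapi` and switching to `1 of filter_main_*` is logically equivalent to the old condition, but `modified:` (2023/12/15 on the context line of the previous hunk) was not bumped even though the detection block changed; other rules in this commit update it alongside their logic edits, and this one should too.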
@@ -1,13 +1,17 @@
title: Execution in Webserver Root Folder
title: Execution From Webserver Root Folder
id: 35efb964-e6a5-47ad-bbcd-19661854018d
status: test
description: Detects a suspicious program execution in a web service root folder (filter out false positives)
description: |
Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2019/01/16
modified: 2021/11/27
modified: 2024/01/18
tags:
- attack.persistence
- attack.t1505.003
- detection.threat_hunting
logsource:
category: process_creation
product: windows
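Review bot: the new description reads `hunt for potential interesting activity such as webshell or backdoors`; tighten it to `potentially interesting activity such as webshells or backdoors`. The sentence also reads as an instruction, so a `detection.threat_hunting` rule like this one benefits from stating what a true positive looks like (an unexpected interpreter or binary running from the web root) rather than only what to do with the hit.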
@@ -17,16 +21,13 @@ detection:
- '\wwwroot\'
- '\wmpub\'
- '\htdocs\'
filter:
filter_main_generic:
Image|contains:
- 'bin\'
- '\Tools\'
- '\SMSComponent\'
ParentImage|endswith: '\services.exe'
condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
condition: selection and not 1 of filter_main_*
falsepositives:
- Various applications
- Tools that include ping or nslookup command invocations
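Review bot: `filter_main_generic` keeps `Image|contains` and `ParentImage|endswith: '\services.exe'` in one map, which ANDs them: an execution is only filtered when the image path contains `bin\`, `\Tools\` or `\SMSComponent\` and the parent is services.exe. If the intent is to suppress either case on its own, split them into `filter_main_generic` and `filter_main_services` now that the condition is `1 of filter_main_*`; if the AND is intended, a short comment saying so will stop the next reader from "fixing" it.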
@@ -1,27 +1,30 @@
title: Exfiltration and Tunneling Tools Execution
title: Tunneling Tool Execution
id: c75309a3-59f8-4a8d-9c2c-4c927ad50555
status: test
description: Execution of well known tools for data exfiltration and tunneling
description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
author: Daniil Yugoslavskiy, oscd.community
references:
- https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
date: 2019/10/24
modified: 2021/11/27
modified: 2024/01/18
tags:
- attack.exfiltration
- attack.command_and_control
- attack.t1041
- attack.t1572
- attack.t1071.001
- detection.threat_hunting
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\httptunnel.exe'
- '\plink.exe'
- '\socat.exe'
- '\stunnel.exe'
- '\httptunnel.exe'
condition: selection
falsepositives:
- Legitimate Administrator using tools
- Legitimate administrators using one of these tools
level: medium
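Review bot: `references:` now sits after `author:`, while every other rule touched in this commit lists references before author; reorder for consistency. The single reference is about malicious IIS extensions and does not mention httptunnel, plink, socat or stunnel; a reference that actually covers abuse of these tunneling tools would support the new title and the `detection.threat_hunting` tag better.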
@@ -3,8 +3,13 @@ id: 1e33157c-53b1-41ad-bbcc-780b80b58288
related:
- id: 23250293-eed5-4c39-b57a-841c8933a57d
type: obsoletes
- id: cea72823-df4d-4567-950c-0b579eaf0846
type: derived
status: test
description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://redcanary.com/blog/gootloader/
author: Michael Haag
date: 2019/01/16
modified: 2023/05/15
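Review bot: the commit message says the extension list was extended and the path logic reworked, but the description still enumerates `.js, .jse, .vba, .vbe, .vbs, .wsf` and `modified:` stays at 2023/05/15 on the context line; update both so the metadata matches the new logic.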
@@ -12,6 +17,7 @@ tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
- detection.threat_hunting
logsource:
category: process_creation
product: windows
@@ -2,6 +2,8 @@ title: AWS Config Disabling Channel/Recorder
id: 07330162-dba1-4746-8121-a9647d49d297
status: test
description: Detects AWS Config Service disabling
references:
- https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
author: vitaliy0x1
date: 2020/01/21
modified: 2022/10/09
@@ -12,12 +14,12 @@ logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: config.amazonaws.com
selection:
eventSource: 'config.amazonaws.com'
eventName:
- DeleteDeliveryChannel
- StopConfigurationRecorder
condition: selection_source
- 'DeleteDeliveryChannel'
- 'StopConfigurationRecorder'
condition: selection
falsepositives:
- Valid change in AWS Config Service
level: high
@@ -9,6 +9,8 @@ references:
author: Austin Songer @austinsonger
date: 2021/09/12
modified: 2022/10/09
tags:
- attack.command_and_control
logsource:
product: okta
service: okta
@@ -2,8 +2,8 @@ title: Default Credentials Usage
id: 1a395cbc-a84a-463a-9086-ed8a70e573c7
status: stable
description: |
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
@@ -11,7 +11,8 @@ references:
- https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
author: Alexandr Yampolskyi, SOC Prime
date: 2019/03/26
# tags:
tags:
- attack.initial_access
# - CSC4
# - CSC4.2
# - NIST CSF 1.1 PR.AC-4
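Review bot: `tags:` is now active but the commented `# - CSC4`, `# - CSC4.2` and `# - NIST CSF 1.1 PR.AC-4` lines remain nested under it; either drop them or move the control mappings into the description, since commented list items under a live key are easy to misread as real tags. The same pattern recurs in the other `# tags:` to `tags:` hunks in this commit.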
@@ -12,7 +12,8 @@ references:
author: Alexandr Yampolskyi, SOC Prime
date: 2019/03/26
modified: 2022/11/18
# tags:
tags:
- attack.credential_access
# - CSC4
# - CSC4.5
# - CSC14
@@ -2,6 +2,8 @@ title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
status: test
description: Detects suspicious log entries in Linux log files
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017/03/25
modified: 2021/11/27
@@ -12,11 +14,11 @@ logsource:
detection:
keywords:
# Generic suspicious log lines
- entered promiscuous mode
- 'entered promiscuous mode'
# OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
- Deactivating service
- Oversized packet received from
- imuxsock begins to drop messages
- 'Deactivating service'
- 'Oversized packet received from'
- 'imuxsock begins to drop messages'
condition: keywords
falsepositives:
- Unknown
@@ -2,6 +2,9 @@ title: Cisco Clear Logs
id: ceb407f6-8277-439b-951f-e4210e3ed956
status: test
description: Clear command history in network OS which is used for defense evasion
references:
- https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html
- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
author: Austin Clark
date: 2019/08/12
modified: 2023/05/26
@@ -16,12 +19,6 @@ detection:
- 'clear logging'
- 'clear archive'
condition: keywords
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
falsepositives:
- Legitimate administrators may run these commands
level: high
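Review bot: dropping `fields:` here and in the other Cisco rules is fine (the list mixed raw field names such as `CmdSet` and `Privilege_Level` that never took part in the detection), but `modified:` on the preceding context line (2023/05/26) is not bumped; metadata-only edits should still update it so downstream converters and rule consumers notice the change.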
@@ -2,6 +2,10 @@ title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: test
description: Collect pertinent data from the configuration files
references:
- https://blog.router-switch.com/2013/11/show-running-config/
- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
author: Austin Clark
date: 2019/08/11
modified: 2023/01/04
@@ -22,12 +26,6 @@ detection:
- 'show archive config'
- 'more'
condition: keywords
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
falsepositives:
- Commonly run by administrators
level: low
@@ -2,6 +2,8 @@ title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: test
description: Show when private keys are being exported from the device, or when new certificates are installed
references:
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
author: Austin Clark
date: 2019/08/12
modified: 2023/01/04
@@ -19,12 +21,6 @@ detection:
- 'crypto pki import'
- 'crypto pki trustpoint'
condition: keywords
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
falsepositives:
- Not commonly run by administrators. Also whitelist your known good certificates
level: high
@@ -2,6 +2,8 @@ title: Cisco Disabling Logging
id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
status: test
description: Turn off logging locally or remote
references:
- https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
author: Austin Clark
date: 2019/08/11
modified: 2023/01/04
@@ -2,6 +2,8 @@ title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
- https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019/08/12
modified: 2023/01/04
@@ -22,23 +24,17 @@ logsource:
detection:
keywords:
- 'dir'
- 'show processes'
- 'show arp'
- 'show cdp'
- 'show version'
- 'show ip route'
- 'show ip interface'
- 'show ip sockets'
- 'show users'
- 'show ssh'
- 'show clock'
- 'show ip interface'
- 'show ip route'
- 'show ip sockets'
- 'show processes'
- 'show ssh'
- 'show users'
- 'show version'
condition: keywords
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
falsepositives:
- Commonly used by administrators for troubleshooting
level: low
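Review bot: the alphabetical reorder is harmless, but the bare keyword `'dir'` stays in the list; as a keyword search it matches any log line containing that substring (for example a path containing `directory`), which inflates this already `level: low` rule. Anchor it to the command position, or drop it, since the `show ...` commands carry the discovery signal on their own.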
@@ -2,8 +2,8 @@ title: Cleartext Protocol Usage
id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
status: stable
description: |
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
@@ -11,7 +11,8 @@ references:
author: Alexandr Yampolskyi, SOC Prime, Tim Shelton
date: 2019/03/26
modified: 2022/10/10
# tags:
tags:
- attack.credential_access
# - CSC4
# - CSC4.5
# - CSC14
@@ -5,7 +5,9 @@ related:
type: derived
status: test
description: Detects known sensitive file extensions via Zeek
author: 'Samir Bousseaden, @neu5ron'
references:
- Internal Research
author: Samir Bousseaden, @neu5ron
date: 2020/04/02
modified: 2021/11/27
tags:
@@ -29,11 +31,6 @@ detection:
- '\groups.xml'
- '.rdp'
condition: selection
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- RelativeTargetName
falsepositives:
- Help Desk operator doing backup or re-imaging end user machine or backup software
- Users working with these data types or exchanging message files
@@ -5,6 +5,8 @@ related:
type: similar
status: test
description: Detects executable downloads from suspicious remote systems
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017/03/13
modified: 2023/05/18
@@ -2,6 +2,8 @@ title: Bitsadmin to Uncommon IP Server Address
id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
status: test
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
references:
- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
author: Florian Roth (Nextron Systems)
date: 2022/06/10
modified: 2022/08/24
@@ -2,6 +2,8 @@ title: Ursnif Malware Download URL Pattern
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
references:
- https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware
author: Thomas Patzke
date: 2019/12/19
modified: 2022/08/15
@@ -18,11 +20,6 @@ detection:
c-uri|endswith: '.cab'
sc-status: 200
condition: selection
fields:
- c-ip
- c-uri
- sc-bytes
- c-ua
falsepositives:
- Unknown
level: high
@@ -2,6 +2,9 @@ title: Application Uninstalled
id: 570ae5ec-33dc-427c-b815-db86228ad43e
status: test
description: An application has been removed. Check if it is critical.
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
author: frack113
date: 2022/01/28
modified: 2022/09/17
@@ -15,8 +18,8 @@ detection:
selection:
Provider_Name: 'MsiInstaller'
EventID:
- 11724
- 1034
- 1034 # Windows Installer removed the product
- 11724 # Product Removal Successful
condition: selection
falsepositives:
- Unknown
@@ -1,7 +1,9 @@
title: Failed Logon From Public IP
id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
status: test
description: A login from a public IP can indicate a misconfigured firewall or network boundary.
description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
author: NVISO
date: 2020/05/06
modified: 2023/01/11
@@ -17,9 +19,9 @@ logsource:
detection:
selection:
EventID: 4625
filter_ip_unknown:
filter_main_ip_unknown:
IpAddress|contains: '-'
filter_ip_privatev4:
filter_main_ip_privatev4:
IpAddress|startswith:
- '10.' # 10.0.0.0/8
- '192.168.' # 192.168.0.0/16
@@ -41,12 +43,12 @@ detection:
- '172.31.'
- '127.' # 127.0.0.0/8
- '169.254.' # 169.254.0.0/16
filter_ip_privatev6:
filter_main_ip_privatev6:
- IpAddress: '::1' # loopback
- IpAddress|startswith:
- 'fe80::' # link-local
- 'fc00::' # unique local
condition: selection and not 1 of filter_*
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate logon attempts over the internet
- IPv4-to-IPv6 mapped IPs
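Review bot: `filter_main_ip_privatev6` covers `::1`, `fe80::` and `fc00::` but not IPv4-mapped addresses such as `::ffff:10.`, a gap the `IPv4-to-IPv6 mapped IPs` false-positive entry already acknowledges; add `::ffff:`-prefixed variants of the private ranges so the rename to `filter_main_*` also closes that known hole. Note also that `startswith: 'fc00::'` only matches addresses literally beginning with `fc00:`, while unique-local addresses in practice sit in `fd00::/8`; a `startswith` on `fd` (or both prefixes) is needed for the ULA case to work.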
@@ -1,9 +1,12 @@
title: Login with WMI
title: Successful Account Login Via WMI
id: 5af54681-df95-4c26-854f-2565e13cfab0
status: stable
description: Detection of logins performed with WMI
description: Detects successful logon attempts performed with WMI
references:
- Internal Research
author: Thomas Patzke
date: 2019/12/04
modified: 2024/01/17
tags:
- attack.execution
- attack.t1047
@@ -1,24 +1,26 @@
title: Access to ADMIN$ Share
title: Access To ADMIN$ Network Share
id: 098d7118-55bc-4912-a836-dc6483a8d150
status: test
description: Detects access to $ADMIN share
description: Detects access to ADMIN$ network share
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
author: Florian Roth (Nextron Systems)
date: 2017/03/04
modified: 2021/11/27
modified: 2024/01/16
tags:
- attack.lateral_movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
definition: 'Requirements: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5140
ShareName: Admin$
filter:
ShareName: 'Admin$'
filter_main_computer_account:
SubjectUserName|endswith: '$'
condition: selection and not filter
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate administrative activity
level: low
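Review bot: `ShareName: 'Admin$'` is an exact match, but event 5140 logs the share name with a server prefix (typically `\\*\ADMIN$`), so confirm that this value matches in your backend or switch to `ShareName|endswith: '\ADMIN$'`. The condition also still uses `1 of filter_*` although the filter was renamed to `filter_main_computer_account`; use `1 of filter_main_*` as the rest of this commit does.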
@@ -3,6 +3,9 @@ id: 470ec5fa-7b4e-4071-b200-4c753100f49b
status: stable
description: |
Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281
author: Thomas Patzke
date: 2019/12/03
modified: 2023/12/13
@@ -1,10 +1,12 @@
title: External Disk Drive Or USB Storage Device
title: External Disk Drive Or USB Storage Device Was Recognized By The System
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
status: test
description: Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
author: Keith Wright
date: 2019/11/20
modified: 2022/10/09
modified: 2024/01/16
tags:
- attack.t1091
- attack.t1200
@@ -14,12 +16,12 @@ logsource:
product: windows
service: security
detection:
selection:
selection_disk:
EventID: 6416
ClassName: 'DiskDrive'
selection2:
selection_usb:
DeviceDescription: 'USB Mass Storage Device'
condition: selection or selection2
condition: 1 of selection_*
falsepositives:
- Legitimate administrative activity
- Likely
level: low
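Review bot: `selection_usb` has no `EventID: 6416`, so after the switch to `1 of selection_*` it matches any security event that carries `DeviceDescription: 'USB Mass Storage Device'`; add the EventID to it (or hoist the EventID into a shared selection ANDed with both) to keep the match tied to 6416. The false-positive entry `- Likely` is not a false-positive source; replace it with the actual case, such as users plugging USB storage into workstations, or drop it.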
@@ -6,7 +6,7 @@ references:
- https://twitter.com/SBousseaden/status/1387743867663958021
author: Christian Burkard (Nextron Systems)
date: 2021/05/03
modified: 2022/10/09
modified: 2024/01/16
tags:
- attack.persistence
- attack.t1136.001
@@ -17,7 +17,9 @@ detection:
selection:
EventID: 4720
TargetUserName|endswith: '$'
condition: selection
filter_main_homegroup:
TargetUserName: 'HomeGroupUser$'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
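Review bot: the rule now filters a concrete benign case (`HomeGroupUser$`) but `falsepositives` still says `Unknown`; list the HomeGroup account there so analysts understand why the filter exists, and consider whether other vendor-created `$` accounts belong in the same `filter_main_*` group.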
@@ -6,7 +6,7 @@ references:
- https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020/05/06
modified: 2022/10/09
modified: 2024/01/25
tags:
- attack.lateral_movement
- attack.t1021.002
@@ -22,7 +22,6 @@ detection:
AuthenticationPackageName: 'NTLM'
WorkstationName|re: '^[A-Za-z0-9]{16}$'
selection2:
ProcessName:
EventID: 4776
Workstation|re: '^[A-Za-z0-9]{16}$'
condition: 1 of selection*
@@ -1,10 +1,13 @@
title: New or Renamed User Account with '$' in Attribute 'SamAccountName'
title: New or Renamed User Account with '$' Character
id: cfeed607-6aa4-4bbd-9627-b637deb723c8
status: test
description: Detects possible bypass EDR and SIEM via abnormal user account name.
description: |
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
references:
- https://twitter.com/SBousseaden/status/1387743867663958021
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2022/11/22
modified: 2024/01/16
tags:
- attack.defense_evasion
- attack.t1036
@@ -12,18 +15,16 @@ logsource:
product: windows
service: security
detection:
selection1:
selection_create:
EventID: 4720 # create user
SamAccountName|contains: '$'
selection2:
selection_rename:
EventID: 4781 # rename user
NewTargetUserName|contains: '$'
condition: 1 of selection*
fields:
- EventID
- SamAccountName
- SubjectUserName
- NewTargetUserName
filter_main_homegroup:
EventID: 4720
TargetUserName: 'HomeGroupUser$'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
level: medium
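Review bot: the new description says `Detects the creation of a user with the "$" character`, but `selection_rename` on EventID 4781 also covers renames; say `creation or renaming` so it matches the two selections. The homegroup filter is scoped to EventID 4720 and `TargetUserName`, which is right for the creation event; if the same account can surface through 4781 `NewTargetUserName`, extend the filter accordingly.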
@@ -9,7 +9,7 @@ references:
- https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
- https://www.x86matthew.com/view_post?id=create_svc_rpc
- https://twitter.com/SBousseaden/status/1490608838701166596
author: Tim Rauch (Nextron Systems), Elastic
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022/09/15
modified: 2023/01/04
tags:
@@ -1,9 +1,12 @@
title: Addition of Domain Trusts
title: A New Trust Was Created To A Domain
id: 0255a820-e564-4e40-af2b-6ac61160335c
status: stable
description: Addition of domains is seldom and should be verified for legitimacy.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
author: Thomas Patzke
date: 2019/12/03
modified: 2024/01/16
tags:
- attack.persistence
- attack.t1098
@@ -1,10 +1,12 @@
title: Kerberos Manipulation
id: f7644214-0eb0-4ace-9455-331ec4c09253
status: test
description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
author: Florian Roth (Nextron Systems)
date: 2017/02/10
modified: 2021/11/27
modified: 2024/01/16
tags:
- attack.credential_access
- attack.t1212
@@ -18,7 +20,7 @@ detection:
- 4768
- 4769
- 4771
FailureCode:
Status:
- '0x9'
- '0xA'
- '0xB'
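Review bot: `Status` is the right field (4768, 4769 and 4771 all carry it in EventData), but the new description calls this a failed `TGT issue operation` while EventID 4769 is a service-ticket (TGS) request; say `TGT/TGS` so the description covers all three EventIDs listed in the selection.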
@@ -5,6 +5,8 @@ related:
type: similar
status: test
description: Detects known sensitive file extensions accessed on a network share
references:
- Internal Research
author: Samir Bousseaden
date: 2019/04/03
modified: 2022/10/09
@@ -18,24 +20,19 @@ detection:
selection:
EventID: 5145
RelativeTargetName|endswith:
- '.pst'
- '.ost'
- '.msg'
- '.nst'
- '.oab'
- '.edb'
- '.nsf'
- '.bak'
- '.dmp'
- '.edb'
- '.kirbi'
- '\groups.xml'
- '.msg'
- '.nsf'
- '.nst'
- '.oab'
- '.ost'
- '.pst'
- '.rdp'
- '\groups.xml'
condition: selection
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- RelativeTargetName
falsepositives:
- Help Desk operator doing backup or re-imaging end user machine or backup software
- Users working with these data types or exchanging message files
@@ -4,7 +4,10 @@ related:
- id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
type: derived
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
description: |
Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
references:
- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
modified: 2022/11/29
@@ -14,12 +17,12 @@ tags:
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
detection:
selection:
EventID: 4697
ServiceFileName|contains: 'tap0901'
condition: selection
falsepositives:
- Legitimate OpenVPN TAP insntallation
level: medium
- Legitimate OpenVPN TAP installation
level: low
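Review bot: the rewritten `definition:` string keeps the grammar slip `audit subcategory need to be enabled` (needs); since the line is being replaced anyway, fix it. Lowering to `level: low` is reasonable given how common OpenVPN installs are, but the `related` entry (`8e4cf0e5-aa5d-4dc3-beff-dc26917744a9`, type derived) should be named in the description as the place where the higher-confidence variant lives, so analysts know where escalation happens.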
@@ -1,7 +1,10 @@
title: User Added to Local Administrators
title: User Added to Local Administrator Group
id: c265cf08-3f99-46c1-8d59-328247057d57
status: stable
description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity
description: Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
author: Florian Roth (Nextron Systems)
date: 2017/03/14
modified: 2021/01/17
@@ -14,15 +17,14 @@ logsource:
product: windows
service: security
detection:
selection:
selection_eid:
EventID: 4732
selection_group1:
TargetUserName|startswith: 'Administr'
selection_group2:
TargetSid: 'S-1-5-32-544'
filter:
selection_group:
- TargetUserName|startswith: 'Administr'
- TargetSid: 'S-1-5-32-544'
filter_main_computer_accounts:
SubjectUserName|endswith: '$'
condition: selection and (1 of selection_group*) and not filter
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Legitimate administrative activity
level: medium
@@ -1,7 +1,8 @@
title: Local User Creation
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
status: test
description: Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
description: |
Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
references:
- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
@@ -17,10 +18,6 @@ detection:
selection:
EventID: 4720
condition: selection
fields:
- EventCode
- AccountName
- AccountDomain
falsepositives:
- Domain Controller Logs
- Local accounts managed by privileged account management tools
@@ -8,6 +8,9 @@ references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647
author: frack113
date: 2022/10/14
tags:
- attack.impact
- attack.t1531
logsource:
service: security
product: windows
@@ -10,7 +10,8 @@ references:
author: Alexandr Yampolskyi, SOC Prime
date: 2019/03/26
modified: 2023/12/11
# tags:
tags:
- attack.impact
# - CSC16
# - CSC16.11
# - ISO27002-2013 A.9.1.1
@@ -1,9 +1,12 @@
title: Sysmon Crash
title: Sysmon Application Crashed
id: 4d7f1827-1637-4def-8d8a-fd254f9454df
status: test
description: Detects application popup reporting a failure of the Sysmon service
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36
author: Tim Shelton
date: 2022/04/26
modified: 2024/01/17
tags:
- attack.defense_evasion
- attack.t1562
@@ -14,7 +17,9 @@ detection:
selection:
Provider_Name: 'Application Popup'
EventID: 26
Caption: 'sysmon64.exe - Application Error'
Caption:
- 'sysmon64.exe - Application Error'
- 'sysmon.exe - Application Error'
condition: selection
falsepositives:
- Unknown
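Review bot: both captions are exact matches on the default binary names; Sysmon is frequently deployed under a renamed binary and service name, in which case the Application Popup caption differs and this rule stays silent. Document that in the description, or consider `Caption|endswith: ' - Application Error'` combined with a `Caption|contains` on the local naming convention where the deployment allows it.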
@@ -1,23 +0,0 @@
title: QuarksPwDump Clearing Access History
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
status: test
description: Detects QuarksPwDump clearing access history in hive
author: Florian Roth (Nextron Systems)
date: 2017/05/15
modified: 2022/04/14
tags:
- attack.credential_access
- attack.t1003.002
logsource:
product: windows
service: system
detection:
selection:
EventID: 16
Provider_Name: Microsoft-Windows-Kernel-General
HiveName|contains: '\AppData\Local\Temp\SAM'
HiveName|endswith: '.dmp'
condition: selection
falsepositives:
- Unknown
level: critical
@@ -0,0 +1,32 @@
title: Critical Hive In Suspicious Location Access Bits Cleared
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
related:
- id: 839dd1e8-eda8-4834-8145-01beeee33acd
type: obsoletes
status: test
description: |
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.
This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).
Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
references:
- https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
author: Florian Roth (Nextron Systems)
date: 2017/05/15
modified: 2024/01/18
tags:
- attack.credential_access
- attack.t1003.002
logsource:
product: windows
service: system
detection:
selection:
EventID: 16
Provider_Name: Microsoft-Windows-Kernel-General
HiveName|contains:
- '\Temp\SAM'
- '\Temp\SECURITY'
condition: selection
falsepositives:
- Unknown
level: high
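Review bot: two points on the rewritten rule. The description has a grammar slip, "the hive has not be recognized since the last 7 days" should read "has not been accessed in the last 7 days" (or "recognized", whichever the ETW documentation actually says). More importantly, `HiveName|contains: '\Temp\SAM'` is a substring match, so it also hits hive names such as `\Temp\SAMPLE...` or `\Temp\SAMSUNG...`; the deleted version at least required `HiveName|endswith: '.dmp'`. Consider keeping a suffix constraint or anchoring the name (for example `'\Temp\SAM.'`), and mention in the commit message why `level` drops from `critical` to `high`.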
@@ -1,7 +1,10 @@
title: Windows Update Error
id: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59
status: stable
description: Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KB aren't installed.
description: |
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
author: frack113
date: 2021/12/04
modified: 2023/09/07
@@ -7,7 +7,7 @@ status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
- https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
author: Tim Rauch (Nextron Systems), Elastic
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022/09/15
modified: 2023/01/04
tags:
@@ -7,6 +7,8 @@ related:
type: similar
status: test
description: Detects suspicious service installation commands
references:
- Internal Research
author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022/03/18
modified: 2023/12/04
@@ -2,6 +2,8 @@ title: Tap Driver Installation
id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
references:
- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
modified: 2022/12/25
@@ -18,5 +20,5 @@ detection:
ImagePath|contains: 'tap0901'
condition: selection
falsepositives:
- Legitimate OpenVPN TAP insntallation
- Legitimate OpenVPN TAP installation
level: medium
@@ -1,4 +1,4 @@
title: Uncommon Service Installation
title: Uncommon Service Installation Image Path
id: 26481afe-db26-4228-b264-25a29fe6efc7
related:
- id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
@@ -6,7 +6,10 @@ related:
- id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
type: derived
status: test
description: Detects uncommon service installation commands
description: |
Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022/03/18
modified: 2023/12/04
@@ -3,8 +3,10 @@ id: 5e993621-67d4-488a-b9ae-b420d08b96cb
status: test
description: Detects service installation in suspicious folder appdata
author: pH-T (Nextron Systems)
references:
- Internal Research
date: 2022/03/18
modified: 2022/10/12
modified: 2024/01/18
tags:
- attack.persistence
- attack.privilege_escalation
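Review bot: `references:` is inserted after `author:` here (and likewise in the tsclient share and Outlook Temporary Folder hunks), whereas every other file in this change places `references` before `author`. Reorder to keep the field order consistent across the rule set.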
@@ -17,15 +19,14 @@ detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_suspicious1:
ImagePath|contains:
- '\AppData\'
- '\\\\127.0.0.1'
- '\\\\localhost'
filter_zoom:
filter_optional_zoom:
ServiceName: 'Zoom Sharing Service'
ImagePath|startswith: '"C:\Program Files\Common Files\Zoom\Support\CptService.exe'
condition: all of selection* and not 1 of filter*
ImagePath|contains: ':\Program Files\Common Files\Zoom\Support\CptService.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
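Review bot: the condition changes from `all of selection* and not 1 of filter*` to `selection and not 1 of filter_optional_*`, so `selection_suspicious1` is no longer referenced anywhere; if that block still exists as a separate selection, the rule now fires on every Event ID 7045 service installation. Confirm that the `ImagePath|contains` list (`\AppData\`, `\\\\127.0.0.1`, `\\\\localhost`) has been folded directly under `selection`. The Zoom filter itself is appropriately narrow, as it requires both `ServiceName: 'Zoom Sharing Service'` and `ImagePath|contains: ':\Program Files\Common Files\Zoom\Support\CptService.exe'`.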
@@ -2,6 +2,8 @@ title: Service Installation with Suspicious Folder Pattern
id: 1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2
status: test
description: Detects service installation with suspicious folder patterns
references:
- Internal Research
author: pH-T (Nextron Systems)
date: 2022/03/18
modified: 2022/03/24
@@ -2,6 +2,8 @@ title: Suspicious Service Installation Script
id: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a
status: test
description: Detects suspicious service installation scripts
references:
- Internal Research
author: pH-T (Nextron Systems)
date: 2022/03/18
modified: 2022/11/18
@@ -6,7 +6,10 @@ related:
- id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
type: similar
status: test
description: Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
description: |
Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
references:
- https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
author: frack113
date: 2023/01/13
modified: 2023/02/07
@@ -2,6 +2,8 @@ title: Driver Load From A Temporary Directory
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
status: test
description: Detects a driver load from a temporary directory
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017/02/12
modified: 2021/11/27
@@ -7,7 +7,7 @@ status: test
description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
author: Tim Rauch (Nextron Systems)
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022/09/27
tags:
- attack.initial_access
@@ -2,9 +2,12 @@ title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
- https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
author: Cedric MAURUGEON
date: 2021/09/29
modified: 2023/02/15
modified: 2024/01/25
tags:
- attack.defense_evasion
- attack.t1070.004
@@ -13,14 +16,14 @@ logsource:
category: file_delete
detection:
selection:
TargetFilename|startswith: 'C:\Windows\Prefetch\'
TargetFilename|contains: ':\Windows\Prefetch\'
TargetFilename|endswith: '.pf'
filter:
Image: 'C:\windows\system32\svchost.exe'
filter_main_svchost:
Image|endswith: ':\windows\system32\svchost.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection and not filter
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
@@ -7,7 +7,7 @@ status: test
description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
author: Tim Rauch (Nextron Systems)
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022/09/27
modified: 2023/02/15
tags:
@@ -1,7 +1,10 @@
title: Files With System Process Name In Unsuspected Locations
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
description: |
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
references:
- Internal Research
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020/05/26
modified: 2023/11/10
@@ -28,7 +28,7 @@ references:
- https://github.com/adrecon/AzureADRecon
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
date: 2018/04/07
modified: 2023/04/17
modified: 2024/01/25
tags:
- attack.execution
- attack.t1059.001
@@ -52,6 +52,7 @@ detection:
- '\Copy-VSS.ps1'
- '\Create-MultipleSessions.ps1'
- '\DNS_TXT_Pwnage.ps1'
- '\dnscat2.ps1'
- '\Do-Exfiltration.ps1'
- '\DomainPasswordSpray.ps1'
- '\Download_Execute.ps1'
@@ -3,6 +3,8 @@ id: 52753ea4-b3a0-4365-910d-36cff487b789
status: test
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
author: Samir Bousseaden
references:
- Internal Research
date: 2019/02/21
modified: 2021/11/27
tags:
@@ -25,8 +25,9 @@ references:
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
author: frack113, Nasreddine Bencherchali
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/23
modified: 2024/01/25
tags:
- attack.execution
- attack.t1059.001
@@ -48,6 +49,7 @@ detection:
- 'Copy-VSS.ps1'
- 'Create-MultipleSessions.ps1'
- 'DNS_TXT_Pwnage.ps1'
- 'dnscat2.ps1'
- 'Do-Exfiltration.ps1'
- 'DomainPasswordSpray.ps1'
- 'Download_Execute.ps1'
@@ -28,7 +28,7 @@ references:
- https://github.com/adrecon/AzureADRecon
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/20
modified: 2023/04/17
modified: 2024/01/25
tags:
- attack.execution
- attack.discovery
@@ -236,6 +236,7 @@ detection:
- 'Set-Wallpaper'
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-Dnscat2'
- 'Start-WebcamRecorder'
- 'VolumeShadowCopyTools'
condition: selection
@@ -24,7 +24,6 @@ detection:
filter_pwsh_archive:
ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate use remote PowerShell sessions
level: high
@@ -5,6 +5,9 @@ related:
type: derived
status: test
description: Detects suspicious PowerShell download command
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
author: Florian Roth (Nextron Systems)
date: 2017/03/05
modified: 2023/01/20
@@ -7,6 +7,8 @@ related:
type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017/03/12
modified: 2023/01/03
@@ -2,13 +2,15 @@ title: Suspicious PowerShell Invocations - Specific - PowerShell Module
id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: derived
type: obsoletes
- id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
type: similar
- id: 536e2947-3729-478c-9903-745aaffe60d2
type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
- Internal Research
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2023/01/05
@@ -32,7 +32,7 @@ references:
- https://github.com/adrecon/AzureADRecon
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017/03/05
modified: 2023/11/22
modified: 2024/01/25
tags:
- attack.execution
- attack.discovery
@@ -226,6 +226,7 @@ detection:
- 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-Dnscat2'
- 'Start-WebcamRecorder'
- 'VolumeShadowCopyTools'
# - 'Check-VM'
@@ -4,7 +4,7 @@ status: test
description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
references:
- https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
author: Tim Rauch
author: Tim Rauch, Elastic (idea)
date: 2022/09/28
tags:
- attack.credential_access
@@ -5,6 +5,9 @@ related:
type: derived
status: test
description: Detects suspicious PowerShell download command
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
author: Florian Roth (Nextron Systems)
date: 2017/03/05
modified: 2022/12/02
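Review bot: the two references cover only the synchronous `DownloadString` and `DownloadFile` methods, while the detection in the next hunk also matches `.DownloadFileAsync(` and `.DownloadStringAsync(`. Add the documentation pages for the Async variants so the reference list documents every method the rule matches.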
@@ -21,7 +24,9 @@ detection:
download:
ScriptBlockText|contains:
- '.DownloadFile('
- '.DownloadFileAsync('
- '.DownloadString('
- '.DownloadStringAsync('
condition: webclient and download
falsepositives:
- PowerShell scripts that download content from the Internet
@@ -7,6 +7,8 @@ related:
type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017/03/12
modified: 2023/01/03
@@ -2,13 +2,15 @@ title: Suspicious PowerShell Invocations - Specific
id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: derived
type: obsoletes
- id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
type: similar
- id: 536e2947-3729-478c-9903-745aaffe60d2
type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
- Internal Research
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2023/01/05
@@ -7,7 +7,7 @@ status: test
description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
references:
- https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
author: Tim Rauch
author: Tim Rauch, Elastic (idea)
date: 2022/09/16
modified: 2022/11/26
tags:
@@ -2,6 +2,8 @@ title: Potential Shellcode Injection
id: 250ae82f-736e-4844-a68b-0b5e8cc887da
status: test
description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
references:
- https://github.com/EmpireProject/PSInject
author: Bhabesh Raj
date: 2022/03/11
modified: 2023/11/29
@@ -1,14 +1,18 @@
title: Monitoring For Persistence Via BITS
id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
status: test
description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded
description: |
BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
When the job runs on the system the command specified in the BITS job will be executed.
This can be abused by actors to create a backdoor within the system and for persistence.
It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
- http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
- https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
author: Sreeman
date: 2020/10/29
modified: 2022/03/07
modified: 2024/01/25
tags:
- attack.defense_evasion
- attack.t1197
@@ -16,24 +20,25 @@ logsource:
product: windows
category: process_creation
detection:
selection_1:
CommandLine|contains|all:
- 'bitsadmin'
- '/SetNotifyCmdLine'
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_cli_notify_1:
CommandLine|contains: '/SetNotifyCmdLine'
selection_cli_notify_2:
CommandLine|contains:
- '%COMSPEC%'
- 'cmd.exe'
- 'regsvr32.exe'
selection_2:
CommandLine|contains|all:
- 'bitsadmin'
- '/Addfile'
selection_cli_add_1:
CommandLine|contains: '/Addfile'
selection_cli_add_2:
CommandLine|contains:
- 'http:'
- 'https:'
- 'ftp:'
- 'ftps:'
condition: 1 of selection_*
condition: selection_img and (all of selection_cli_notify_* or all of selection_cli_add_*)
falsepositives:
- Unknown
level: medium
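Review bot: the rewrite narrows coverage compared with the removed `selection_1` and `selection_2`: `/SetNotifyCmdLine` now only fires when the command line also contains `%COMSPEC%`, `cmd.exe` or `regsvr32.exe`, so a notify command pointing at any other interpreter or binary is silently dropped, and `/Addfile` now requires an `http:`/`https:`/`ftp:`/`ftps:` scheme. If the narrowing is deliberate to cut noise, say so in the commit message and reflect it in `falsepositives`; otherwise keep a broader `selection_cli_notify` that matches `/SetNotifyCmdLine` alone. Minor: `'http:'` already matches `'https:'`, so the second value is redundant but harmless.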
@@ -4,7 +4,7 @@ status: experimental
description: Detects suspicious parent process for cmd.exe
references:
- https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
author: Tim Rauch
author: Tim Rauch, Elastic (idea)
date: 2022/09/21
modified: 2023/12/05
tags:
@@ -4,7 +4,7 @@ status: experimental
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
- https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch
author: Tim Rauch, Elastic (idea)
date: 2022/09/28
modified: 2023/03/29
tags:
@@ -4,7 +4,7 @@ status: test
description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
references:
- https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html
author: Tim Rauch
author: Tim Rauch, Elastic (idea)
date: 2022/09/27
tags:
- attack.command_and_control
@@ -2,6 +2,9 @@ title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
- https://github.com/iagox86/dnscat2
- https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2021/11/27
@@ -4,7 +4,7 @@ status: test
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html
author: Tim Rauch
author: Tim Rauch, Elastic (idea)
date: 2022/09/27
modified: 2023/02/05
tags:
@@ -1,11 +1,12 @@
title: Fake Instance Of Hxtsr.exe
title: Potential Fake Instance Of Hxtsr.EXE Executed
id: 4e762605-34a8-406d-b72e-c1a089313320
status: test
description: |
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe".
Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
references:
- Internal Research
author: Sreeman
date: 2020/04/17
modified: 2023/02/21
@@ -16,12 +17,13 @@ logsource:
product: windows
category: process_creation
detection:
# TODO: Link this to the more generic system process rule
selection:
Image: hxtsr.exe
filter:
CurrentDirectory|startswith: 'C:\program files\windowsapps\microsoft.windowscommunicationsapps_'
Image|endswith: '\hxtsr.exe'
filter_main_hxtsr:
CurrentDirectory|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_'
CurrentDirectory|endswith: '\hxtsr.exe'
condition: selection and not filter
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
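Review bot: `CurrentDirectory|endswith: '\hxtsr.exe'` in `filter_main_hxtsr` looks wrong. `CurrentDirectory` is the process working directory, which ends in a folder path (normally with a trailing backslash), not in the executable name, so this filter will rarely if ever match and the rule would alert on the legitimate WindowsApps HxTsr.exe as well. The old filter used only the directory prefix; keep `CurrentDirectory|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_'` on its own, or, if the intent is to match the binary path, use `Image|endswith` instead.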
@@ -6,7 +6,7 @@ references:
- https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
- https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
- https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
author: Tim Rauch, Janantha Marasinghe
author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
date: 2022/11/08
modified: 2023/01/22
tags:
@@ -4,7 +4,7 @@ status: test
description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
references:
- https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
author: Tim Rauch
author: Tim Rauch, Elastic (idea)
date: 2022/09/28
modified: 2022/12/30
tags:
@@ -5,9 +5,11 @@ related:
type: similar
status: experimental
description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades), Florian Roth
date: 2021/12/17
modified: 2023/11/09
modified: 2024/01/18
tags:
- attack.initial_access
- attack.persistence
@@ -20,7 +22,6 @@ detection:
ParentImage|endswith: '\java.exe'
Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cscript.exe'
@@ -5,9 +5,11 @@ related:
type: similar
status: test
description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
date: 2021/12/17
modified: 2023/11/09
modified: 2024/01/18
tags:
- attack.initial_access
- attack.persistence
@@ -19,6 +21,7 @@ detection:
selection:
ParentImage|endswith: '\java.exe'
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
@@ -1,39 +0,0 @@
title: WScript or CScript Dropper
id: cea72823-df4d-4567-950c-0b579eaf0846
status: test
description: Detects wscript/cscript executions of scripts located in user directories
author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
date: 2019/01/16
modified: 2021/11/27
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
CommandLine|contains:
- 'C:\Users\'
- 'C:\ProgramData\'
selection2:
CommandLine|contains:
- '.jse'
- '.vbe'
- '.js'
- '.vba'
- '.vbs'
falsepositive:
ParentImage|contains: '\winzip'
condition: selection1 and selection2 and not falsepositive
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Winzip
- Other self-extractors
level: high
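Review bot: this deletes rule `cea72823-df4d-4567-950c-0b579eaf0846` outright, and the rewritten rule that replaces it is not in the visible diff. Check that the replacement either keeps this id or carries a `related:` entry with `type: obsoletes` pointing at it, as was done for the QuarksPwDump rewrite above, so that existing deployments can trace the old rule to the new one.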
@@ -5,6 +5,8 @@ related:
type: obsoletes
status: experimental
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
- Internal Research
author: FPT.EagleEye Team, wagga
date: 2020/12/11
modified: 2023/05/04
@@ -4,7 +4,9 @@ related:
- id: eb87818d-db5d-49cc-a987-d5da331fbd90
type: obsoletes
status: test
description: Detects the stopping of a Windows service
description: Detects the stopping of a Windows service via the "net" utility.
references:
- https://ss64.com/nt/net-service.html
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023/03/05
tags:
@@ -1,8 +1,10 @@
title: Execution in Outlook Temp Folder
title: Suspicious Execution From Outlook Temporary Folder
id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
status: test
description: Detects a suspicious program execution in Outlook temp folder
author: Florian Roth (Nextron Systems)
references:
- Internal Research
date: 2019/10/01
modified: 2022/10/09
tags:
@@ -15,9 +17,6 @@ detection:
selection:
Image|contains: '\Temporary Internet Files\Content.Outlook\'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high
@@ -1,4 +1,4 @@
title: Potential RDP Tunneling Via SSH Plink
title: Potential RDP Tunneling Via Plink
id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da
related:
- id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d # ssh.exe
@@ -29,5 +29,5 @@ detection:
- ' -P 22'
condition: selection_a or all of selection_b*
falsepositives:
- Administrative activity
- Unknown
level: high
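Review bot: swapping `Administrative activity` for `Unknown` in `falsepositives` discards a real, known benign source: administrators do use plink for port forwarding, and on a `level: high` rule that is exactly the hint an analyst triaging the alert needs. Keep `Administrative activity` (or a more specific "Legitimate administrative SSH tunnels") rather than replacing it; the same swap appears in the final `:3389` hunk of this diff.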
@@ -7,7 +7,7 @@ status: test
description: Detects attempts to disable the Windows Firewall using PowerShell
references:
- https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Tim Rauch
author: Tim Rauch, Elastic (idea)
date: 2022/09/14
modified: 2023/02/13
tags:
@@ -5,6 +5,10 @@ related:
type: derived
status: test
description: Detects a Powershell process that contains download commands in its command line string
references:
- https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html
- https://lab52.io/blog/winter-vivern-all-summer/
- https://hatching.io/blog/powershell-analysis/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019/01/16
modified: 2023/01/26
@@ -31,9 +35,6 @@ detection:
- 'string('
- 'file('
condition: all of selection_*
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: medium
@@ -2,13 +2,15 @@ title: Suspicious PowerShell Invocations - Specific - ProcessCreation
id: 536e2947-3729-478c-9903-745aaffe60d2
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: derived
type: obsoletes
- id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
type: similar
- id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/05
tags:
@@ -28,7 +28,7 @@ references:
- https://github.com/adrecon/AzureADRecon
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/02
modified: 2023/04/17
modified: 2024/01/25
tags:
- attack.execution
- attack.discovery
@@ -235,6 +235,7 @@ detection:
- 'Set-Wallpaper'
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-Dnscat2'
- 'Start-WebcamRecorder'
- 'VolumeShadowCopyTools'
condition: selection
@@ -10,7 +10,7 @@ description: Detects deletion of Windows Volume Shadow Copies with PowerShell co
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch
author: Tim Rauch, Elastic (idea)
date: 2022/09/20
modified: 2022/12/30
tags:
@@ -4,7 +4,9 @@ related:
- id: eb87818d-db5d-49cc-a987-d5da331fbd90
type: obsoletes
status: test
description: Detects the stopping of a Windows service
description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023/03/05
tags:
@@ -1,10 +1,14 @@
title: Write Protect For Storage Disabled
id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
status: test
description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
description: |
Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
references:
- https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
author: Sreeman
date: 2021/06/11
modified: 2023/12/15
modified: 2024/01/18
tags:
- attack.defense_evasion
- attack.t1562
@@ -17,9 +21,7 @@ detection:
- '\System\CurrentControlSet\Control'
- 'Write Protection'
- '0'
CommandLine|contains:
- 'storage'
- 'storagedevicepolicies'
condition: selection
falsepositives:
- Unknown
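Review bot: if the `CommandLine|contains` terms `storage` / `storagedevicepolicies` are what is removed here, the selection is left with only `\System\CurrentControlSet\Control`, `Write Protection` and `0`, and `'0'` as a contains term is satisfied by almost any command line (any path or value with a zero in it), so it adds no selectivity. Keep the `storagedevicepolicies` term, since `StorageDevicePolicies` is the registry key under which the write-protect value lives, or anchor on the full value being set instead of the bare `0`.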
@@ -4,9 +4,12 @@ related:
- id: eb87818d-db5d-49cc-a987-d5da331fbd90
type: obsoletes
status: test
description: Detects the stopping of a Windows service
description: Detects the stopping of a Windows service via the "sc.exe" utility
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023/03/05
modified: 2024/01/18
tags:
- attack.impact
- attack.t1489
@@ -19,14 +22,7 @@ detection:
- Image|endswith: '\sc.exe'
selection_cli:
CommandLine|contains: ' stop '
filter_kaspersky:
CommandLine:
- 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop
- 'sc stop LGHUBUpdaterService' # Logitech LGHUB Updater Service
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: all of selection_* and not 1 of filter_*
condition: all of selection_*
falsepositives:
- There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
- There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly
level: low
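Review bot: dropping `filter_kaspersky` and the `User|contains` SYSTEM filter re-admits the two documented false positives (`sc stop KSCWebConsoleMessageQueue`, `sc stop LGHUBUpdaterService`) and every service stop executed under a SYSTEM account. At `level: low` that may be acceptable, but the inline comments explaining those two cases were the only record of them, so carry them into `falsepositives` (for example "Kaspersky Security Center Web Console and Logitech LGHUB updater stop their own services") rather than relying on the generic "filter legitimate activity" sentence.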
@@ -1,10 +1,12 @@
title: Scheduled Task Creation
title: Scheduled Task Creation Via Schtasks.EXE
id: 92626ddd-662c-49e3-ac59-f6535f12d189
status: test
description: Detects the creation of scheduled tasks in user session
description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Florian Roth (Nextron Systems)
date: 2019/01/16
modified: 2022/10/09
modified: 2024/01/18
tags:
- attack.execution
- attack.persistence
@@ -20,14 +22,11 @@ detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains: ' /create '
filter:
filter_main_system_user:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrative activity
- Software installation
@@ -22,5 +22,5 @@ detection:
CommandLine|contains: ':3389'
condition: selection
falsepositives:
- Administrative activity
- Unknown
level: high
