new: Legitimate Application Writing Files In Uncommon Location
update: Suspicious Download From File-Sharing Website Via Bitsadmin - add github URL
update: File Download Via Bitsadmin To A Suspicious Target Folder - add more susp locations
remove: File Download Via Bitsadmin To An Uncommon Target Folder - deprecate in favor of 2ddef153-167b-4e89-86b6-757a9e65dcac
chore: add regression tests for bitsadmin related rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
removed: FileFix - Suspicious Child Process from Browser File Upload Abuse - Deprecated in favor of b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
new: DNS Query by Finger Utility
new: Network Connection Initiated via Finger.EXE
fix: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix - Fix selection to use ParentImage instead of Image field
new: Suspicious FileFix Execution Pattern
update: FileFix - Command Evidence in TypedPaths - Added more markers
update: Potential ClickFix Execution Pattern - Registry - Add 2 new strings, "finger" and "identification"
chore: Update "test_rules.py" filename test with better output formatting
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <monsteroffire2@gmail.com>
chore: ci: add a check for duplicate ids over all rules that ever existed
chore: change duplicate IDs in obsoleted rules
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
remove: Active Directory Kerberos DLL Loaded Via Office Application - deprecated as it triggers on normal activity
fix: Scheduled Task Creation Via Schtasks.EXE - add for for msoffice application
fix: Use Short Name Path in Command Line - add filter for dotnet csc.exe
fix: Potential Product Reconnaissance Via Wmic.EXE - add filter for some product related operation through wmic
fix: WMIC Remote Command Execution - fix broken FP filter
fix: Classes Autorun Keys Modification - filter null details
fix: CurrentVersion Autorun Keys Modification - filter null details
fix: Modification of IE Registry Settings - filter null details
fix: Potential Persistence Via Shim Database Modification - filter null details
fix: Scheduled TaskCache Change by Uncommon Program - filter null details
update: Copy From Or To Admin Share Or Sysvol Folder - some logic change
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
remove: PowerShell DownloadFile - Deprecated in favour of 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
remove: Whoami Utility Execution - Deprecated in favor of 502b42de-4306-40b4-9596-6f590c81f073
fix: Usage Of Web Request Commands And Cmdlets - ScriptBlock - Commented out Net.webclient
fix: Usage Of Web Request Commands And Cmdlets - Comment out Net.webclient
fix: System Disk And Volume Reconnaissance via Wmic.EXE - update the rule logic to remove potential FPs
update: PowerShell Download Pattern - add powershell_ise
update: Use Short Name Path in Image - change detection logic structure
update: Local Accounts Discovery - add OriginalFileName field
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
remove: Active Directory Parsing DLL Loaded Via Office Application - deprecated as this rule was triggered everytime any office app was opened
fix: Uncommon AppX Package Locations - Add a filter to legit Microsoft path
fix: File With Uncommon Extension Created By An Office Application - Add a filter to remove fp caused by ".com" directory filename
fix: Startup Folder File Write - Add a filter for OneNote
fix: Suspicious Volume Shadow Copy Vssapi.dll Load - Add a filter for null Image field
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add a filter for null Image field
fix: Suspicious WSMAN Provider Image Loads - Add a filter for mmc loading wsman provider images
fix: Office Application Initiated Network Connection To Non-Local IP - Add filter to more legit microsoft IP address ASN subnets
fix: Office Application Initiated Network Connection Over Uncommon Ports - Add filter for other common ports
fix: Suspicious Userinit Child Process - Add filter to Explorer in CommandLine
fix: CurrentVersion Autorun Keys Modification - Add more filters for OneDriverSetup.EXE
fix: Office Autorun Keys Modification - Add a new filter for a FriendlyName Addin
fix: Suspicious Access to Sensitive File Extensions - Zeek - Commented out groups.xml
fix: Suspicious Access to Sensitive File Extensions - Commented out groups.xml
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
new: Suspicious File Created in Outlook Temporary Directory
remove: .RDP File Created by Outlook Process - deprecate in favour of fabb0e80-030c-4e3e-a104-d09676991ac3
update: Suspicious Double Extension Files - add .svg extension
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
chore: deprecate rule in favour of c1337eb8-921a-4b59-855b-4ba188ddcc42
chore: update the ref of some rules
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
remove: Windows Defender Exclusion Deleted
fix: WCE wceaux.dll Access - Remove EventIDs `4658` and `4660` as they both do not contain the `ObjectName` field
new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79`
remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder, due to the need of correlation.
remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`.
update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature FPs
update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as its meant as an enrichment rule.
fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Filter out additional Microsoft IP block and moved to the threat hunting folder due to large amount of matches based on VT data
fix: Forest Blizzard APT - File Creation Activity - Fix typo in filename
fix: New RUN Key Pointing to Suspicious Folder - Enhance filter to fix new false positive found in testing
new: COM Object Hijacking Via Modification Of Default System CLSID Default Value
new: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
new: DPAPI Backup Keys And Certificate Export Activity IOC
new: DSInternals Suspicious PowerShell Cmdlets
new: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
new: HackTool - RemoteKrbRelay Execution
new: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
new: HackTool - SharpDPAPI Execution
new: Hypervisor Enforced Paging Translation Disabled
new: PDF File Created By RegEdit.EXE
new: Periodic Backup For System Registry Hives Enabled
new: Renamed Microsoft Teams Execution
new: Windows LAPS Credential Dump From Entra ID
remove: Potential Persistence Via COM Hijacking From Suspicious Locations - Deprecated because of incorrect logic, replaced by "790317c0-0a36-4a6a-a105-6e576bf99a14"
update: DLL Call by Ordinal Via Rundll32.EXE - Reduced level to "medium" and moved to the threat hunting folder due to the fact that calling by ordinal can be seen by many legitimate utilities. An initial baseline needs to be set for the rule to be promoted.
update: Msiexec.EXE Initiated Network Connection Over HTTP - Reduced level to low and moved to the threat hunting folder due to large amount of matches based on VT data
update: MSSQL Add Account To Sysadmin Role - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Disable Audit Settings - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon From External Network - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL SPProcoption Set - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Option Change - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Suspicious Execution - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: Network Connection Initiated By AddinUtil.EXE - increase level to "high" and promote the status to "test" based on VT data
update: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Reduced the level to "medium" and added filters for "null" and empty values based on VT data
update: Office Application Initiated Network Connection Over Uncommon Ports - Add port "143" based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Office Application Initiated Network Connection To Non-Local IP - Add "outlook.exe" to the list of processes and filter multiple IP ranges based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Password Protected Compressed File Extraction Via 7Zip - Reduced level to "low" and moved to the threat hunting folder due to large amount of matches based on VT data
update: Potential Dead Drop Resolvers - Add filters for "null" and empty values based on VT data
update: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Update metadata information
update: Potential Shellcode Injection - Reduced level to "medium" and moved to the threat hunting folder due multiple FP with third party softwares
update: Potential Suspicious Execution From GUID Like Folder Names - Reduced level to "low" and moved to the threat hunting folder
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Add additional EventLog and ETW providers to increase coverage
update: Potentially Suspicious Execution From Parent Process In Public Folder - Update logic to add Image names in addition to the previous CommandLines
update: Potentially Suspicious PowerShell Child Processes - Reduced level to "medium" and moved to the threat hunting folder due to large amount of matches based on VT data. As well as the logic doesn't look for anything suspicious but "child processes" that might be "uncommon".
update: Process Execution From A Potentially Suspicious Folder - Update metadata and remove "\Users\Public" to avoid false positives
update: Recon Command Output Piped To Findstr.EXE - Update the logic to user "wildcards" instead of spaces to cover different variants and increase the coverage.
update: Suspicious Electron Application Child Processes - Remove unnecessary filters
update: Suspicious Non-Browser Network Communication With Google API - Add filters for "null" and empty values based on VT data
update: System File Execution Location Anomaly - Enhance filters
update: Uncommon Child Process Of Setres.EXE - Update logic and metadata
update: Uncommon Link.EXE Parent Process - Enhance the filters and metadata
update: Windows Defender Threat Detection Service Disabled - Add french keyword for "stopped" to increase coverage for windows os that uses the french language
---------
Thanks: cY83rR0H1t
Thanks: CTI-Driven
Thanks: BIitzkrieg
Thanks: DFIR-jwedd
Thanks: Snp3r
fix: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process - Add multiple new FP filters seen in the wild
fix: Potential System DLL Sideloading From Non System Locations - Add multiple new FP filters seen in the wild
new: CrackMapExec File Indicators
remove: CrackMapExec File Creation Patterns
remove: Suspicious Epmap Connection
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
fix: Metasploit SMB Authentication - Remove unnecessary field
fix: Service Installation in Suspicious Folder - Update FP filter
update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
remove: SAM Dump to AppData
update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
update: New or Renamed User Account with '$' Character - Reduced level to "medium"
update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium"
update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
update: Prefetch File Deleted - Update selection to remove 'C:' prefix
update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
update: Shell Process Spawned by Java.EXE - Add "bash.exe"
update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic
update: Sysmon Application Crashed - Add 32bit version of sysmon binary
update: Tap Driver Installation - Security - Reduce level to "low"
update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
new: Potential Persistence Via AppCompat RegisterAppRestart Layer
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Add additional commandline flag that might trigger FPs
update: Hypervisor Enforced Code Integrity Disabled - Add additional path for the HVCI config
update: Creation Of Non-Existent System DLL - Remove driver anchor and the System32 filter. The reason behind this is that an attacker can copy the file elsewhere and then use a system utility such as copy or xcopy located in the system32 folder to create it again. Which will bypass the rule.
update: Potential System DLL Sideloading From Non System Locations - Remove the driver anchor from the filter to catch cases where the system is installed on non default C: driver
update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add SignatureStatus in the filter to exclude only valid signatures and decrease bypass.
remove: Svchost DLL Search Order Hijack - Deprecated in favor of the rule 6b98b92b-4f00-4f62-b4fe-4d1920215771. The reason is that for legit cases where the DLL is still present we can't filter out anything. We assume that the loading is done by a non valid/signed DLLs which will catch most cases. In cas the attacker had the option to sign the DLL with a valid signature he can bypass the rule.
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C:
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
fix: Credential Manager Access By Uncommon Application - Enhance FP filters
fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to threat hunting folder and Update logic to be more accurate
fix: User with Privileges Logon - Move to placeholder rules and update the FP filter to account for different workstations
fix: Windows Event Auditing Disabled - Enhance list of false positive filters with additional GUID
fix: WMI Module Loaded By Uncommon Process - Moved to threat hunting folder and update and restructure false positive filters
new: Communication To Uncommon Destination Ports
new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
remove: Credential Dumping Tools Service Execution
remove: New Service Uses Double Ampersand in Path
remove: Powershell File and Directory Discovery
remove: PowerShell Scripts Run by a Services
remove: Security Event Log Cleared
remove: Suspicious Get-WmiObject
remove: Windows Defender Threat Detection Disabled
update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
update: Failed Code Integrity Checks - Reduce level to informational
update: HH.EXE Execution - Reduce level to low
update: Locked Workstation - Reduce level to informational
update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports
update: PUA - Nmap/Zenmap Execution - Reduce level to medium
update: PUA - Process Hacker Execution - Reduce level to medium
update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
update: SASS Access From Non System Account - Reduce level to medium and enhance false positive filters
update: Suspicious Executable File Creation - Enhance coverage by removing hardocded "C:"
update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
update: Whoami Utility Execution - Reduce level to low
update: Whoami.EXE Execution With Output Option - Reduce level to medium
update: Windows Defender Malware Detection History Deletion - Reduce level to informational
update: WMI Event Consumer Created Named Pipe - Reduce leve to medium
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Thanks: @Blackmore-Robert
Thanks: @swachchhanda000
Thanks: @celalettin-turgut
Thanks: @AaronS97
fix: Potential NT API Stub Patching - Tune FP filter
new: Credential Dumping Activity By Python Based Tool
new: HackTool - Generic Process Access
remove: Credential Dumping Tools Accessing LSASS Memory
update: Credential Dumping Activity Via Lsass - Update selection to increase coverage and filters to tune false positives
update: Credential Dumping Attempt Via WerFault - Update title
update: Function Call From Undocumented COM Interface EditionUpgradeManager - Reduce level to medium
update: HackTool - CobaltStrike BOF Injection Pattern - Update title
update: HackTool - HandleKatz Duplicating LSASS Handle - Update title
update: HackTool - LittleCorporal Generated Maldoc Injection - Update title
update: HackTool - SysmonEnte Execution - Add additional location of Sysmon, update title and filters
update: HackTool - winPEAS Execution - Add additional image names for winPEAS
update: LSASS Access From Potentially White-Listed Processes - Update title and description
update: LSASS Access From Program In Potentially Suspicious Folder - Update filters to take into account other drivers than C:
update: LSASS Memory Access by Tool With Dump Keyword In Name - Update title and description
update: Lsass Memory Dump via Comsvcs DLL - Reduce level and remove path from filter to account for any location of rundll32
update: Malware Shellcode in Verclsid Target Process - Move to hunting folder
update: Potential Credential Dumping Attempt Via PowerShell - Reduce level to medium, update description and move to hunting folder
update: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Update filters and metadata
update: Potential Process Hollowing Activity - Update FP filter
update: Potential Shellcode Injection - Update title and enhance false positive filter
update: Potentially Suspicious GrantedAccess Flags On LSASS -
update: Remote LSASS Process Access Through Windows Remote Management - Update title, description and filter to account for installation other than C:
update: Suspicious Svchost Process Access - Enhance filter to account for installation in non C: locations
update: Uncommon GrantedAccess Flags On LSASS - Enhance false positive filter
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Thanks: swachchhanda000
remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insenstive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Reigstry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extension
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
thanks: @vj-codes for #4554
thanks: @mezzofix for #4520
thanks: @rkmbaxed for #4566 and #4569
thanks: @celalettin-turgut for #4570
remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insenstive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Reigstry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extension
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
thanks: @vj-codes for #4554
thanks: @mezzofix for #4520
thanks: @rkmbaxed for #4566 and #4569
thanks: @celalettin-turgut for #4570
new: Application Terminated Via Wmic.EXE
new: Browser Execution In Headless Mode
new: Chromium Browser Headless Execution To Mockbin Like Site
new: DarkGate User Created Via Net.EXE
new: DMP/HDMP File Creation
new: Malicious Driver Load
new: Malicious Driver Load By Name
new: Potentially Suspicious DMP/HDMP File Creation
new: Remote DLL Load Via Rundll32.EXE
new: Renamed CURL.EXE Execution
new: Vulnerable Driver Load
new: Vulnerable Driver Load By Name
update: 7Zip Compressing Dump Files - Increase coverage
update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to `medium`
update: COM Hijack via Sdclt - Fix Logic
update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage
update: Creation of an Executable by an Executable - Fix FP
update: DLL Load By System Process From Suspicious Locations - Reduce level to `medium`
update: DNS Query Request By Regsvr32.EXE - Reduce level to `medium`
update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to `medium`
update: DNS Query To MEGA Hosting Website - Reduce level to `low` and update metadata
update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains
update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to `low`
update: DNS Query To Ufile.io - Update title and reduce level to `low`
update: DNS Query Tor .Onion Address - Sysmon - Update title
update: DNS Server Discovery Via LDAP Query - Reduce level to `low` and update FP filters
update: DriverQuery.EXE Execution - Increase coverage
update: File Download From Browser Process Via Inline Link
update: Greedy File Deletion Using Del - Increase coverage
update: Leviathan Registry Key Activity - Fix logic
update: Network Connection Initiated By Regsvr32.EXE - Reduce level to `medium` and metadata update
update: Non Interactive PowerShell Process Spawned - Increase coverage
update: OceanLotus Registry Activity - Fix Logic
update: Office Application Startup - Office Test - Fix Logic
update: OneNote Attachment File Dropped In Suspicious Location - Fix FP
update: Potential Dead Drop Resolvers - Increase coverage with new domains
update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic
update: Potential Persistence Via COM Search Order Hijacking - Fix Logic
update: Potential Process Hollowing Activity - Update FP filters
update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage
update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to `medium`
update: Potentially Suspicious Event Viewer Child Process - Update metadata
update: PowerShell Initiated Network Connection - Update description
update: PowerShell Module File Created By Non-PowerShell Process - Fix FP
update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to `medium`
update: Python Image Load By Non-Python Process - Update description and title
update: Python Initiated Connection - Update FP filter
update: Remote Thread Creation By Uncommon Source Image - Update FP filter
update: Renamed AutoIt Execution - Increase coverage
update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage
update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title
update: Sysinternals Tools AppX Versions Execution - Reduce level to `low`
update: Sysmon Blocked Executable - Update logsource
update: UAC Bypass via Event Viewer - Fix Logic
update: UNC2452 Process Creation Patterns - Fix logic
update: Usage Of Malicious POORTRY Signed Driver - Deprecated
update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated
update: Vulnerable Dell BIOS Update Driver Load - Deprecated
update: Vulnerable Driver Load By Name - Deprecated
update: Vulnerable GIGABYTE Driver Load - Deprecated
update: Vulnerable HW Driver Load - Deprecated
update: Vulnerable Lenovo Driver Load - Deprecated
update: WebDav Client Execution Via Rundll32.EXE
update: Windows Update Error - Reduce level to `informational` and status to `stable`
update: Winrar Compressing Dump Files - Increase Coverage
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Marco Pedrinazzi