update: Dynamic .NET Compilation Via Csc.EXE - Update regex to use a non-capturing group
update: Csc.EXE Execution Form Potentially Suspicious Parent - Update regex to use a non-capturing group
update: Invoke-Obfuscation Obfuscated IEX Invocation - Update regex to use a non-capturing group
update: Invoke-Obfuscation Via Stdin - Update regex to use a non-capturing group
update: Invoke-Obfuscation Via Use Clip - Update regex to use a non-capturing group
update: Powershell Token Obfuscation - Process Creation - Update regex to use a non-capturing group
update: Potential Rundll32 Execution With DLL Stored In ADS - Update regex to use a non-capturing group
update: Suspicious Copy From or To System Directory - Update regex to use a non-capturing group
update: Obfuscated IP Download Activity - Update regex to use a non-capturing group
update: Obfuscated IP Via CLI - Update regex to use a non-capturing group
update: Uncommon Svchost Command Line Parameter - Update regex to use a non-capturing group
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
new: Windows EventLog Autologger Session Registry Modification Via CommandLine
update: Potential AutoLogger Sessions Tampering - Update the value to an accurate one
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
update: Suspicious Creation TXT File in User Desktop - Move to a TH rule
fix: Office Macro File Creation - Exclude office binaries
fix: Suspicious Msiexec Execute Arbitrary DLL - Make the filter more generic due to the amount of FPs.
fix: Script Interpreter Execution From Suspicious Folder - Add filters for chocolatey
fix: Suspicious Script Execution From Temp Folder - Add filter for chocolatey
fix: Office Autorun Keys Modification - Add filters for shortened paths using tilde
fix: Outlook Security Settings Updated - Registry - Exclude the Outlook process
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
new: Service Startup Type Change Via Wmic.EXE
update: Service Reconnaissance Via Wmic.EXE - Add filters to exclude legitimate service manipulation cases.
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
new: msDS-ManagedAccountPrecededByLink Attribute Modified
new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
new: DMSA Service Account Created in Specific OUs - PowerShell
new: DMSA Link Attributes Modified
new: New DMSA Service Account Created in Specific OUs
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location - remove troublesome locations commonly used by installers
fix: HackTool - WSASS Execution - update regex to avoid mismatching on legitimate cli
update: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze - change it into hunting rule
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add filter entry for "tscdn.m365.static.microsoft"
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter entry for MS office path
fix: Non Interactive PowerShell Process Spawned - Add filter entry for "SenseIR.exe"
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
update: Files With System Process Name In Unsuspected Locations - Add fsquirt.exe entry
update: System Control Panel Item Loaded From Uncommon Location - Add entries for bthprops.cpl and hdwwiz.cpl
update: System File Execution Location Anomaly - Add fsquirt.exe entry
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
new: Windows Credential Guard Registry Tampering Via CommandLine
new: Windows Credential Guard Related Registry Value Deleted - Registry
new: Windows Credential Guard Disabled - Registry
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
new: Windows AMSI Related Registry Tampering Via CommandLine
new: AMSI Disabled via Registry Modification
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
new: Legitimate Application Writing Files In Uncommon Location
update: Suspicious Download From File-Sharing Website Via Bitsadmin - add github URL
update: File Download Via Bitsadmin To A Suspicious Target Folder - add more susp locations
remove: File Download Via Bitsadmin To An Uncommon Target Folder - deprecate in favor of 2ddef153-167b-4e89-86b6-757a9e65dcac
chore: add regression tests for bitsadmin related rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
update: Direct Autorun Keys Modification - remove User Shell Folder registry modification
new: User Shell Folders Registry Modification via CommandLine
update: Modify User Shell Folders Startup Value - add new registry path, also add filtering of legit paths
update: Curl Web Request With Potential Custom User-Agent - add another curl supported flag for header
chore: add regression tests for curl-related rules
new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
update: Hacktool - EDR-Freeze Execution - add more coverage
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
update: Suspicious Download Via Certutil.EXE - add URL flag related to GUI-based download
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add URL flag related to GUI-based download
update: Suspicious File Downloaded From Direct IP Via Certutil.EXE - add URL flag related to GUI-based download
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
removed: FileFix - Suspicious Child Process from Browser File Upload Abuse - Deprecated in favor of b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
new: DNS Query by Finger Utility
new: Network Connection Initiated via Finger.EXE
fix: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix - Fix selection to use ParentImage instead of Image field
new: Suspicious FileFix Execution Pattern
update: FileFix - Command Evidence in TypedPaths - Added more markers
update: Potential ClickFix Execution Pattern - Registry - Add 2 new strings, "finger" and "identification"
chore: Update "test_rules.py" filename test with better output formatting
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <monsteroffire2@gmail.com>
update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
update: Tor Client/Browser Execution - Add additional PE metadata markers
update: System Information Discovery via Registry Queries - Enhance registry markers
update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
fix: PUA - Sysinternal Tool Execution - Registry - Fix incorrect logsource
fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
chore: add CI script for regression
chore: add regression data
---------
Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.