new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
update: Hacktool - EDR-Freeze Execution - add more coverage
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
update: Suspicious Download Via Certutil.EXE - add URL flag related with GUI-based download
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add URL flag related with GUI-based download
update: Suspicious File Downloaded From Direct IP Via Certutil.EXE - add URL flag related with GUI-based download
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
removed: FileFix - Suspicious Child Process from Browser File Upload Abuse - Deprecated in favor of b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
new: DNS Query by Finger Utility
new: Network Connection Initiated via Finger.EXE
fix: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix - Fix selection to use ParentImage instead of Image field
new: Suspicious FileFix Execution Pattern
update: FileFix - Command Evidence in TypedPaths - Added more markers
update: Potential ClickFix Execution Pattern - Registry - Add 2 new strings, "finger" and "identification"
chore: Update "test_rules.py" filename test with better output formatting
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <monsteroffire2@gmail.com>
update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
update: Tor Client/Browser Execution - Add additional PE metadata markers
update: System Information Discovery via Registry Queries - Enhance registry markers
update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
fix: PUA - Sysinternal Tool Execution - Registry - Fix incorrect logsource
fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
chore: add CI script for regression
chore: add regression data
---------
Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.
update: Potentially Suspicious NTFS Symlink Behavior Modification - Tighten logic to focus on proxy process such as cmd or powershell
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
remove: Active Directory Kerberos DLL Loaded Via Office Application - deprecated as it triggers on normal activity
fix: Scheduled Task Creation Via Schtasks.EXE - add for for msoffice application
fix: Use Short Name Path in Command Line - add filter for dotnet csc.exe
fix: Potential Product Reconnaissance Via Wmic.EXE - add filter for some product related operation through wmic
fix: WMIC Remote Command Execution - fix broken FP filter
fix: Classes Autorun Keys Modification - filter null details
fix: CurrentVersion Autorun Keys Modification - filter null details
fix: Modification of IE Registry Settings - filter null details
fix: Potential Persistence Via Shim Database Modification - filter null details
fix: Scheduled TaskCache Change by Uncommon Program - filter null details
update: Copy From Or To Admin Share Or Sysvol Folder - some logic change
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
fix: Office Macro File Download - Reduce level to low due to FPs spotted via VT.
fix: Suspicious CustomShellHost Execution - Increased level to high due to low FP rate spotted via VT.
fix: Explorer Process Tree Break - Fix incorrect usage of windash with the all modifier, that broke the logic.
fix: MSDT Execution Via Answer File - Rename rule as well as introduce usage of windash for increased coverage.
fix: Capture Credentials with Rpcping.exe - Fix incorrect usage of windash with the all modifier, that broke the logic.
fix: Wlrmdr.EXE Uncommon Argument Or Child Process - Fix incorrect usage of windash with the all modifier, that broke the logic.
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
chore: add sorting to the rule archiver script
---------
Thanks: KingKDot
Thanks: zambomarcell
Thanks: Koifman
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
remove: PowerShell DownloadFile - Deprecated in favour of 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
remove: Whoami Utility Execution - Deprecated in favor of 502b42de-4306-40b4-9596-6f590c81f073
fix: Usage Of Web Request Commands And Cmdlets - ScriptBlock - Commented out Net.webclient
fix: Usage Of Web Request Commands And Cmdlets - Comment out Net.webclient
fix: System Disk And Volume Reconnaissance via Wmic.EXE - update the rule logic to remove potential FPs
update: PowerShell Download Pattern - add powershell_ise
update: Use Short Name Path in Image - change detection logic structure
update: Local Accounts Discovery - add OriginalFileName field
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
remove: Active Directory Parsing DLL Loaded Via Office Application - deprecated as this rule was triggered everytime any office app was opened
fix: Uncommon AppX Package Locations - Add a filter to legit Microsoft path
fix: File With Uncommon Extension Created By An Office Application - Add a filter to remove fp caused by ".com" directory filename
fix: Startup Folder File Write - Add a filter for OneNote
fix: Suspicious Volume Shadow Copy Vssapi.dll Load - Add a filter for null Image field
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add a filter for null Image field
fix: Suspicious WSMAN Provider Image Loads - Add a filter for mmc loading wsman provider images
fix: Office Application Initiated Network Connection To Non-Local IP - Add filter to more legit microsoft IP address ASN subnets
fix: Office Application Initiated Network Connection Over Uncommon Ports - Add filter for other common ports
fix: Suspicious Userinit Child Process - Add filter to Explorer in CommandLine
fix: CurrentVersion Autorun Keys Modification - Add more filters for OneDriverSetup.EXE
fix: Office Autorun Keys Modification - Add a new filter for a FriendlyName Addin
fix: Suspicious Access to Sensitive File Extensions - Zeek - Commented out groups.xml
fix: Suspicious Access to Sensitive File Extensions - Commented out groups.xml
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
update: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze - refine image path logic and include OriginalFileName for improved rule accuracy
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Micah Babinski