fix: Remote Task Creation via ATSVC Named Pipe - Fixed field name from `Accesses` to `AccessList`
fix: Persistence and Execution at Scale via GPO Scheduled Task - Fixed field name from `Accesses` to `AccessList`
fix: Remote Service Activity via SVCCTL Named Pipe - Fixed field name from `Accesses` to `AccessList`
fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Filter out additional Microsoft IP block and moved to the threat hunting folder due to large amount of matches based on VT data
fix: Forest Blizzard APT - File Creation Activity - Fix typo in filename
fix: New RUN Key Pointing to Suspicious Folder - Enhance filter to fix new false positive found in testing
new: COM Object Hijacking Via Modification Of Default System CLSID Default Value
new: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
new: DPAPI Backup Keys And Certificate Export Activity IOC
new: DSInternals Suspicious PowerShell Cmdlets
new: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
new: HackTool - RemoteKrbRelay Execution
new: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
new: HackTool - SharpDPAPI Execution
new: Hypervisor Enforced Paging Translation Disabled
new: PDF File Created By RegEdit.EXE
new: Periodic Backup For System Registry Hives Enabled
new: Renamed Microsoft Teams Execution
new: Windows LAPS Credential Dump From Entra ID
remove: Potential Persistence Via COM Hijacking From Suspicious Locations - Deprecated because of incorrect logic, replaced by "790317c0-0a36-4a6a-a105-6e576bf99a14"
update: DLL Call by Ordinal Via Rundll32.EXE - Reduced level to "medium" and moved to the threat hunting folder due to the fact that calling by ordinal can be seen by many legitimate utilities. An initial baseline needs to be set for the rule to be promoted.
update: Msiexec.EXE Initiated Network Connection Over HTTP - Reduced level to low and moved to the threat hunting folder due to large amount of matches based on VT data
update: MSSQL Add Account To Sysadmin Role - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Disable Audit Settings - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon From External Network - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL SPProcoption Set - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Option Change - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Suspicious Execution - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: Network Connection Initiated By AddinUtil.EXE - increase level to "high" and promote the status to "test" based on VT data
update: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Reduced the level to "medium" and added filters for "null" and empty values based on VT data
update: Office Application Initiated Network Connection Over Uncommon Ports - Add port "143" based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Office Application Initiated Network Connection To Non-Local IP - Add "outlook.exe" to the list of processes and filter multiple IP ranges based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Password Protected Compressed File Extraction Via 7Zip - Reduced level to "low" and moved to the threat hunting folder due to large amount of matches based on VT data
update: Potential Dead Drop Resolvers - Add filters for "null" and empty values based on VT data
update: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Update metadata information
update: Potential Shellcode Injection - Reduced level to "medium" and moved to the threat hunting folder due multiple FP with third party softwares
update: Potential Suspicious Execution From GUID Like Folder Names - Reduced level to "low" and moved to the threat hunting folder
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Add additional EventLog and ETW providers to increase coverage
update: Potentially Suspicious Execution From Parent Process In Public Folder - Update logic to add Image names in addition to the previous CommandLines
update: Potentially Suspicious PowerShell Child Processes - Reduced level to "medium" and moved to the threat hunting folder due to large amount of matches based on VT data. As well as the logic doesn't look for anything suspicious but "child processes" that might be "uncommon".
update: Process Execution From A Potentially Suspicious Folder - Update metadata and remove "\Users\Public" to avoid false positives
update: Recon Command Output Piped To Findstr.EXE - Update the logic to user "wildcards" instead of spaces to cover different variants and increase the coverage.
update: Suspicious Electron Application Child Processes - Remove unnecessary filters
update: Suspicious Non-Browser Network Communication With Google API - Add filters for "null" and empty values based on VT data
update: System File Execution Location Anomaly - Enhance filters
update: Uncommon Child Process Of Setres.EXE - Update logic and metadata
update: Uncommon Link.EXE Parent Process - Enhance the filters and metadata
update: Windows Defender Threat Detection Service Disabled - Add french keyword for "stopped" to increase coverage for windows os that uses the french language
---------
Thanks: cY83rR0H1t
Thanks: CTI-Driven
Thanks: BIitzkrieg
Thanks: DFIR-jwedd
Thanks: Snp3r
chore: update Microsoft references link to use the "learn" subdomain instead of "docs".
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @ryanplasma
update: Uncommon Outbound Kerberos Connection - Security - Update filter to include device type paths and reduce the level to "medium"
update: Uncommon Outbound Kerberos Connection - Update filters to include tomcat and reduce the level to "medium"
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
update: External Disk Drive Or USB Storage Device Was Recognized By The System - Update selection to reflect the logic correctly
fix: Uncommon Service Installation Image Path - Update filter logic to use correct modifiers
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
fix: Metasploit SMB Authentication - Remove unnecessary field
fix: Service Installation in Suspicious Folder - Update FP filter
update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
remove: SAM Dump to AppData
update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
update: New or Renamed User Account with '$' Character - Reduced level to "medium"
update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium"
update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
update: Prefetch File Deleted - Update selection to remove 'C:' prefix
update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
update: Shell Process Spawned by Java.EXE - Add "bash.exe"
update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic
update: Sysmon Application Crashed - Add 32bit version of sysmon binary
update: Tap Driver Installation - Security - Reduce level to "low"
update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C:
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
fix: Credential Manager Access By Uncommon Application - Enhance FP filters
fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to threat hunting folder and Update logic to be more accurate
fix: User with Privileges Logon - Move to placeholder rules and update the FP filter to account for different workstations
fix: Windows Event Auditing Disabled - Enhance list of false positive filters with additional GUID
fix: WMI Module Loaded By Uncommon Process - Moved to threat hunting folder and update and restructure false positive filters
new: Communication To Uncommon Destination Ports
new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
remove: Credential Dumping Tools Service Execution
remove: New Service Uses Double Ampersand in Path
remove: Powershell File and Directory Discovery
remove: PowerShell Scripts Run by a Services
remove: Security Event Log Cleared
remove: Suspicious Get-WmiObject
remove: Windows Defender Threat Detection Disabled
update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
update: Failed Code Integrity Checks - Reduce level to informational
update: HH.EXE Execution - Reduce level to low
update: Locked Workstation - Reduce level to informational
update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports
update: PUA - Nmap/Zenmap Execution - Reduce level to medium
update: PUA - Process Hacker Execution - Reduce level to medium
update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
update: SASS Access From Non System Account - Reduce level to medium and enhance false positive filters
update: Suspicious Executable File Creation - Enhance coverage by removing hardocded "C:"
update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
update: Whoami Utility Execution - Reduce level to low
update: Whoami.EXE Execution With Output Option - Reduce level to medium
update: Windows Defender Malware Detection History Deletion - Reduce level to informational
update: WMI Event Consumer Created Named Pipe - Reduce leve to medium
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Thanks: @Blackmore-Robert
Thanks: @swachchhanda000
Thanks: @celalettin-turgut
Thanks: @AaronS97
remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insenstive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Reigstry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extension
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
thanks: @vj-codes for #4554
thanks: @mezzofix for #4520
thanks: @rkmbaxed for #4566 and #4569
thanks: @celalettin-turgut for #4570
remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insenstive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Reigstry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extension
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
thanks: @vj-codes for #4554
thanks: @mezzofix for #4520
thanks: @rkmbaxed for #4566 and #4569
thanks: @celalettin-turgut for #4570
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Enhance filter to account for an FP found with MS edge
fix: Files With System Process Name In Unsuspected Locations - Enhance filter to cover other folder variation for windows recovery
fix: Portable Gpg.EXE Execution - Add new legitimate location for GNuGpg
fix: Suspicious WmiPrvSE Child Process - Add a filter for msiexec image used to install new MSI packages via WMI process
update: ISO Image Mounted - Update title and add new filter
update: Potential NT API Stub Patching - Enhance the selection coverage by removing the "C:" prefix to cover other installation possibilities
update: Remote Thread Creation Via PowerShell - Update selection to use endswith modifier for better coverage
update: Remote Thread Creation Via PowerShell In Potentially Suspicious Target - Update title and add a "regsvr32" as a new additional process to increase coverage
update: Suspicious Whoami.EXE Execution - Enhance the selection by using a * wildcard to account for the order and avoid FPs
update: WMI Module Loaded By Non Uncommon Process - Enhance selection by making the System folders filter use a "contains" instead of an exact match
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
update: Potential AD User Enumeration From Non-Machine Account - Apply additional filters to only look for Access Masks with "READ PROPERTY" values
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Potentially Suspicious AccessMask Requested From LSASS - FP with Avira from Windows temp folder
fix: Direct Syscall of NtOpenProcess - FP with another Firefox process and removing drive letters
fix: Control Panel Items - FP with command line observed from taskhost.exe
fix: Rundll32 Execution Without DLL File - remove non-essential ParentCommandLine dependency in filter
fix: Schtasks Creation Or Modification With SYSTEM Privileges - remove non-essential ParentImage dependency in filter
fix: Suspicious Elevated System Shell - remove non-essential ParentImage dependency in filter
fix: Suspicious Elevated System Shell - FP with Avira update utility
fix: Execution of Suspicious File Type Extension - FP with OpenOffice
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
fix: Generic Password Dumper Activity on LSASS - FP with GoogleUpdate.exe
fix: Rundll32 Execution Without DLL File - FP with another zzzzInvokeManagedCustomActionOutOfProc MSI installer
fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with being started as a background service
fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - FP with $WinREAgent folder
fix: Files With System Process Name In Unsuspected Locations - FP with wuaucltcore
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
GtUGtHGtNDtEUaE