fix: Potential DLL Sideloading Of DbgModel.DLL - Update selection name to match the condition
fix: NTLM Logon - Remove unnecessary field
fix: Potential Commandline Obfuscation Using Unicode Characters - Remove legitimate currency characters as they could be used in document names
fix: Suspicious SYSTEM User Process Creation - Update `ping` filter to account for other FP variants found in the wild.
new: Headless Process Launched Via Conhost.EXE
new: Potential BOINC Software Execution (UC-Berkeley Signature)
new: Powershell Executed From Headless ConHost Process
new: Process Launched Without Image Name
new: Renamed BOINC Client Execution
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Filter out additional Microsoft IP block and moved to the threat hunting folder due to large amount of matches based on VT data
fix: Forest Blizzard APT - File Creation Activity - Fix typo in filename
fix: New RUN Key Pointing to Suspicious Folder - Enhance filter to fix new false positive found in testing
new: COM Object Hijacking Via Modification Of Default System CLSID Default Value
new: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
new: DPAPI Backup Keys And Certificate Export Activity IOC
new: DSInternals Suspicious PowerShell Cmdlets
new: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
new: HackTool - RemoteKrbRelay Execution
new: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
new: HackTool - SharpDPAPI Execution
new: Hypervisor Enforced Paging Translation Disabled
new: PDF File Created By RegEdit.EXE
new: Periodic Backup For System Registry Hives Enabled
new: Renamed Microsoft Teams Execution
new: Windows LAPS Credential Dump From Entra ID
remove: Potential Persistence Via COM Hijacking From Suspicious Locations - Deprecated because of incorrect logic, replaced by "790317c0-0a36-4a6a-a105-6e576bf99a14"
update: DLL Call by Ordinal Via Rundll32.EXE - Reduced level to "medium" and moved to the threat hunting folder due to the fact that calling by ordinal can be seen by many legitimate utilities. An initial baseline needs to be set for the rule to be promoted.
update: Msiexec.EXE Initiated Network Connection Over HTTP - Reduced level to low and moved to the threat hunting folder due to large amount of matches based on VT data
update: MSSQL Add Account To Sysadmin Role - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Disable Audit Settings - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon From External Network - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL SPProcoption Set - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Option Change - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Suspicious Execution - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: Network Connection Initiated By AddinUtil.EXE - increase level to "high" and promote the status to "test" based on VT data
update: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Reduced the level to "medium" and added filters for "null" and empty values based on VT data
update: Office Application Initiated Network Connection Over Uncommon Ports - Add port "143" based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Office Application Initiated Network Connection To Non-Local IP - Add "outlook.exe" to the list of processes and filter multiple IP ranges based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Password Protected Compressed File Extraction Via 7Zip - Reduced level to "low" and moved to the threat hunting folder due to large amount of matches based on VT data
update: Potential Dead Drop Resolvers - Add filters for "null" and empty values based on VT data
update: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Update metadata information
update: Potential Shellcode Injection - Reduced level to "medium" and moved to the threat hunting folder due multiple FP with third party softwares
update: Potential Suspicious Execution From GUID Like Folder Names - Reduced level to "low" and moved to the threat hunting folder
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Add additional EventLog and ETW providers to increase coverage
update: Potentially Suspicious Execution From Parent Process In Public Folder - Update logic to add Image names in addition to the previous CommandLines
update: Potentially Suspicious PowerShell Child Processes - Reduced level to "medium" and moved to the threat hunting folder due to large amount of matches based on VT data. As well as the logic doesn't look for anything suspicious but "child processes" that might be "uncommon".
update: Process Execution From A Potentially Suspicious Folder - Update metadata and remove "\Users\Public" to avoid false positives
update: Recon Command Output Piped To Findstr.EXE - Update the logic to user "wildcards" instead of spaces to cover different variants and increase the coverage.
update: Suspicious Electron Application Child Processes - Remove unnecessary filters
update: Suspicious Non-Browser Network Communication With Google API - Add filters for "null" and empty values based on VT data
update: System File Execution Location Anomaly - Enhance filters
update: Uncommon Child Process Of Setres.EXE - Update logic and metadata
update: Uncommon Link.EXE Parent Process - Enhance the filters and metadata
update: Windows Defender Threat Detection Service Disabled - Add french keyword for "stopped" to increase coverage for windows os that uses the french language
---------
Thanks: cY83rR0H1t
Thanks: CTI-Driven
Thanks: BIitzkrieg
Thanks: DFIR-jwedd
Thanks: Snp3r
chore: update Microsoft references link to use the "learn" subdomain instead of "docs".
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @ryanplasma
chore: delete "Pipfile" and "Pipfile.lock"
fix: Filter Driver Unloaded Via Fltmc.EXE - Add exclusion for ManageEngine
fix: Suspicious Child Process Of Wermgr.EXE - Exclude "WerConCpl.dll"
new: DNS Query To AzureWebsites.NET By Non-Browser Process
new: Files With System DLL Name In Unsuspected Locations
new: HackTool - Evil-WinRm Execution - PowerShell Module
new: HackTool - LaZagne Execution
new: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
update: Copying Sensitive Files with Credential Data - Use "windash" modifier
update: Explorer Process Tree Break - Use "windash" modifier
update: Files With System Process Name In Unsuspected Locations - Remove old filter
update: Lolbin Unregmp2.exe Use As Proxy - Use "windash" modifier
update: LSASS Process Reconnaissance Via Findstr.EXE - Use "windash" modifier
update: New Remote Desktop Connection Initiated Via Mstsc.EXE - Use "windash" modifier
update: Potential Proxy Execution Via Explorer.EXE From Shell Process - Update metadata and moved to Threat Hunting folder
update: Potential Windows Defender AV Bypass Via Dump64.EXE Rename - Enhance logic
update: Renamed ProcDump Execution - Add new flag option
update: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location - Use "windash" modifier
---------
Thanks: @qasimqlf
Thanks: @celalettin-turgut
Thanks: @cY83rR0H1t
new: Uncommon File Creation By Mysql Daemon Process
new: Potential Suspicious Browser Launch From Document Reader Process
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list
update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
new: All Backups Deleted Via Wbadmin.EXE
new: Sensitive File Dump Via Wbadmin.EXE
new: File Recovery From Backup Via Wbadmin.EXE
new: Sensitive File Recovery From Backup Via Wbadmin.EXE
update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions
update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description
update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on "any" execution
update: COM Object Execution via Xwizard.EXE - Update logic
update: JScript Compiler Execution - Update metadata
update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy
update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description
update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description
update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end.
update: Renamed ZOHO Dctask64 Execution - Add additional imphash values
update: Windows Kernel Debugger Execution - Reduce level to "medium"
update: Xwizard.EXE Execution From Non-Default Location - Update description
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
update: HackTool - CoercedPotato Execution - Update Hashes field to use contains modifier
update: HackTool - HandleKatz LSASS Dumper Execution - Update Hashes field to use contains modifier
update: HackTool - SysmonEOP Execution - Update Hashes field to use contains modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: File And SubFolder Enumeration Via Dir Command - Fix false positive with Firefox and similar CLI apps.
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Remote Access Tool - Team Viewer Session Started On Linux Host
new: Remote Access Tool - Team Viewer Session Started On MacOS Host
new: Remote Access Tool - Team Viewer Session Started On Windows Host
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Diskshadow Script Mode Execution - Update rule to use the windash modifier
update: IIS Native-Code Module Command Line Installation - Update rule to use the windash modifier
update: Replace.exe Usage - Update rule to use the windash modifier
update: Potential Arbitrary Command Execution Using Msdt.EXE - Update rule to use the windash modifier
update: Suspicious Cabinet File Execution Via Msdt.EXE - Update rule to use the windash modifier
update: DllUnregisterServer Function Call Via Msiexec.EXE - Update rule to use the windash modifier
update: Suspicious Msiexec Execute Arbitrary DLL - Update rule to use the windash modifier
update: Msiexec Quiet Installation - Update rule to use the windash modifier
update: Suspicious Msiexec Quiet Install From Remote Location - Update rule to use the windash modifier
update: Suspicious Response File Execution Via Odbcconf.EXE - Update rule to use the windash modifier
update: Changing Existing Service ImagePath Value Via Reg.EXE - Update rule to use the windash modifier
update: Exports Critical Registry Keys To a File - Update rule to use the windash modifier
update: Exports Registry Key To a File - Update rule to use the windash modifier
update: Imports Registry Key From a File - Update rule to use the windash modifier
update: Imports Registry Key From an ADS - Update rule to use the windash modifier
update: Potential Regsvr32 Commandline Flag Anomaly - Update rule to use the windash modifier
update: Capture Credentials with Rpcping.exe - Update rule to use the windash modifier
update: Potential Execution of Sysinternals Tools - Update rule to use the windash modifier
update: Kernel Memory Dump Via LiveKD - Update rule to use the windash modifier
update: Potential LSASS Process Dump Via Procdump - Update rule to use the windash modifier
update: Sysmon Configuration Update - Update rule to use the windash modifier
update: Uninstall Sysinternals Sysmon - Update rule to use the windash modifier
update: Loaded Module Enumeration Via Tasklist.EXE - Update rule to use the windash modifier
update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
chore: update multiple rules to use the windash modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Unsigned DLL Loaded by Windows Utility - Add InstallUtil, RegAsm and RegSvcs as additional process and add additional "null" and "empty" filters to cover for non available fields.
update: Potential PowerShell Execution Via DLL - Add regsvr32 to increase coverage.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Wlrmdr.EXE Uncommon Argument Or Child Process - Update metadata, add new filters and use the windash modifier.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE - Add more builtin ATs to the list
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Suspicious Service Installation Script - Increase coverage by adding for the "/" option in commands flags
update: Console CodePage Lookup Via CHCP - Increase coverage by adding for the "/" option in commands flags
update: Curl Download And Execute Combination - Increase coverage by adding for the "/" option in commands flags
update: File Deletion Via Del - Increase coverage by adding for the "/" option in commands flags
update: Files And Subdirectories Listing Using Dir - Increase coverage by adding for the "/" option in commands flags
update: Suspicious Ping/Copy Command Combination - Increase coverage by adding for the "/" option in commands flags
update: New Generic Credentials Added Via Cmdkey.EXE - Increase coverage by adding for the "/" option in commands flags
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Swachchhanda Shrawan Poudel