new: System Information Discovery Using Ioreg
new: System Information Discovery Using sw_vers
new: Potential Base64 Decoded From Images
new: System Information Discovery Via Wmic.EXE
update: Uncommon System Information Discovery Via Wmic.EXE - Updated logic to focus on more specific WMIC query sequence to increase the level and added a related rule to cover the missing gaps in d85ecdd7-b855-4e6e-af59-d9c78b5b861e
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
chore: Add new validators from sigma-cli 0.7.10 and remove obsolete tests in test_rules.py
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Lazarus APT DLL Sideloading Activity
new: File Download From IP Based URL Via CertOC.EXE
new: File Download From IP URL Via Curl.EXE
update: Remote Thread Creation By Uncommon Source Image
update: Remote Thread Creation In Uncommon Target Image
update: ADSI-Cache File Creation By Uncommon Tool
update: Files With System Process Name In Unsuspected Locations
update: PowerShell Module File Created By Non-PowerShell Process
update: PSScriptPolicyTest Creation By Uncommon Process
update: Suspicious LNK Double Extension File Created
update: PowerShell Profile Modification
update: Alternate PowerShell Hosts Pipe
update: File Download via CertOC.EXE
update: Suspicious File Download From IP Via Curl.EXE
update: Arbitrary File Download Via GfxDownloadWrapper.EXE
update: Potentially Suspicious Office Document Executed From Trusted Location
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
fix: Google Workspace Application Removed - Update logsource product field to `gcp`
fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp`
fix: Google Workspace MFA Disabled - Update logsource product field to `gcp`
fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp`
fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp`
fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
new: Stale Accounts In A Privileged Role
new: Invalid PIM License
new: Roles Assigned Outside PIM
new: Roles Activated Too Frequently
new: Roles Activation Doesn't Require MFA
new: Roles Are Not Being Used
new: Too Many Global Admins
---------
Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
frack113