update: RDP Sensitive Settings Changed - Add DisableRemoteDesktopAntiAlias and DisableSecuritySettings as seen used by DarkGate malware
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Suspicious DNS Query for IP Lookup Service APIs - Add ipconfig.io domain
update: Suspicious Network Connection to IP Lookup Service APIs - Add ipconfig.io domain
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Rundll32 Execution With Uncommon DLL Extension - Update the selection to allow for additional quoted cases such as rundll32 "shell32.dll",ShellExec_RunDLL <somethin>
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
fix: Metasploit SMB Authentication - Remove unnecessary field
fix: Service Installation in Suspicious Folder - Update FP filter
update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
remove: SAM Dump to AppData
update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
update: New or Renamed User Account with '$' Character - Reduced level to "medium"
update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium"
update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
update: Prefetch File Deleted - Update selection to remove 'C:' prefix
update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
update: Shell Process Spawned by Java.EXE - Add "bash.exe"
update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic
update: Sysmon Application Crashed - Add 32bit version of sysmon binary
update: Tap Driver Installation - Security - Reduce level to "low"
update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
fix: Firewall Rule Modified In The Windows Firewall Exception List - new optional filter Brave browser
fix: Outbound RDP Connections Over Non-Standard Tools - new FP filter for RAS TSplus
fix: PowerShell Core DLL Loaded By Non PowerShell Process - new optional filter for chocolatey
fix: Remote Thread Creation In Mstsc.Exe From Suspicious Location - Fix a broken path string
fix: Remote Thread Creation In Uncommon Target Image - Reduce level to medium and remove explorer as target due to FP rates.
fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Fix the filters to be more generic
new: Rare Remote Thread Creation By Uncommon Source Image - A split of 66d31e5f-52d6-40a4-9615-002d3789a119
update: All Rules Have Been Deleted From The Windows Firewall Configuration - Remove program files filter to increase coverage. As deleting rules shouldn't be a "normal" behavior.
update: CreateRemoteThread API and LoadLibrary - Reduce level to medium and convert to a TH rule
update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add additional paths to increase coverage
update: Powershell Install a DLL in System Directory - enhance rule context in big script blocks
update: Remote Thread Creation By Uncommon Source Image - Reduced level to medium and move high indicators to 02d1d718-dd13-41af-989d-ea85c7fab93f
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Network Communication With Crypto Mining Pool - new domains from `miningocean.org`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: System Information Discovery Via Wmic.EXE - Move to threat hunting and add additional filter to reduce noise coming from VMware Tools
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Hacktool Execution - Imphash - Add additional imphash values to increase coverage
update: Findstr Launching .lnk File - Increase coverage by adding cases where the commandline ends with a double or a single quote.
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
new: Potential Persistence Via AppCompat RegisterAppRestart Layer
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Add additional commandline flag that might trigger FPs
update: Hypervisor Enforced Code Integrity Disabled - Add additional path for the HVCI config
update: Creation Of Non-Existent System DLL - Remove driver anchor and the System32 filter. The reason behind this is that an attacker can copy the file elsewhere and then use a system utility such as copy or xcopy located in the system32 folder to create it again. Which will bypass the rule.
update: Potential System DLL Sideloading From Non System Locations - Remove the driver anchor from the filter to catch cases where the system is installed on non default C: driver
update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add SignatureStatus in the filter to exclude only valid signatures and decrease bypass.
remove: Svchost DLL Search Order Hijack - Deprecated in favor of the rule 6b98b92b-4f00-4f62-b4fe-4d1920215771. The reason is that for legit cases where the DLL is still present we can't filter out anything. We assume that the loading is done by a non valid/signed DLLs which will catch most cases. In cas the attacker had the option to sign the DLL with a valid signature he can bypass the rule.
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
chore: add additional checks to the `sigma-logsource-checker.py` so that it only cares about yaml files
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: System Information Discovery Using Ioreg - enhanced coverage with additional flags and cli options
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
jstnk9