update: Suspicious Get Local Groups Information - PowerShell - increase coverage for WMI modules
update: Suspicious Get Local Groups Information - increase coverage for WMI modules
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
new: Suspicious Autorun Registry Modified via WMI
update: Suspicious PowerShell Invocations - Specific - PowerShell Module
update: Suspicious PowerShell Invocations - Specific
update: Potential Persistence Attempt Via Run Keys Using Reg.EXE
update: New RUN Key Pointing to Suspicious Folder
update: Suspicious Powershell In Registry Run Keys
update: Direct Autorun Keys Modification
update: Suspicious Run Key from Download
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
chore: update Microsoft references link to use the "learn" subdomain instead of "docs".
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @ryanplasma
chore: delete "Pipfile" and "Pipfile.lock"
fix: Filter Driver Unloaded Via Fltmc.EXE - Add exclusion for ManageEngine
fix: Suspicious Child Process Of Wermgr.EXE - Exclude "WerConCpl.dll"
new: DNS Query To AzureWebsites.NET By Non-Browser Process
new: Files With System DLL Name In Unsuspected Locations
new: HackTool - Evil-WinRm Execution - PowerShell Module
new: HackTool - LaZagne Execution
new: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
update: Copying Sensitive Files with Credential Data - Use "windash" modifier
update: Explorer Process Tree Break - Use "windash" modifier
update: Files With System Process Name In Unsuspected Locations - Remove old filter
update: Lolbin Unregmp2.exe Use As Proxy - Use "windash" modifier
update: LSASS Process Reconnaissance Via Findstr.EXE - Use "windash" modifier
update: New Remote Desktop Connection Initiated Via Mstsc.EXE - Use "windash" modifier
update: Potential Proxy Execution Via Explorer.EXE From Shell Process - Update metadata and moved to Threat Hunting folder
update: Potential Windows Defender AV Bypass Via Dump64.EXE Rename - Enhance logic
update: Renamed ProcDump Execution - Add new flag option
update: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location - Use "windash" modifier
---------
Thanks: @qasimqlf
Thanks: @celalettin-turgut
Thanks: @cY83rR0H1t
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
fix: Metasploit SMB Authentication - Remove unnecessary field
fix: Service Installation in Suspicious Folder - Update FP filter
update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
remove: SAM Dump to AppData
update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
update: New or Renamed User Account with '$' Character - Reduced level to "medium"
update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium"
update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
update: Prefetch File Deleted - Update selection to remove 'C:' prefix
update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
update: Shell Process Spawned by Java.EXE - Add "bash.exe"
update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic
update: Sysmon Application Crashed - Add 32bit version of sysmon binary
update: Tap Driver Installation - Security - Reduce level to "low"
update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
new: DLL Names Used By SVR For GraphicalProton Backdoor
new: Enable LM Hash Storage
new: Enable LM Hash Storage - ProcCreation
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
update: Compress-Archive Cmdlet Execution - Reudced Level to low and moved to Threat Hunting folder.
update: Disabled Volume Snapshots - Update logic by removing the reg string to also account for potential renamed executions
update: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Update logic to be more specific
update: Potential Recon Activity Via Nltest.EXE - Add dnsgetdc coverage and enhance logic by removing /
update: Potential System DLL Sideloading From Non System Locations - Enhance logic by removing hardcoded C: value to account for other potential system locations
update: RestrictedAdminMode Registry Value Tampering - ProcCreation - Update logic the logic to not care about the data. As this registry value has use cases either be it "0" or "1"
update: RestrictedAdminMode Registry Value Tampering - Update logic the logic to not care about the data. As this registry value has use cases either be it "0" or "1"
update: Write Protect For Storage Disabled - Update logic by removing the reg string to also account for potential renamed executions
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Update logic to be more specific
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Toheeb Ajala Husain