fix: Generic Password Dumper Activity on LSASS - FP with GoogleUpdate.exe
fix: Rundll32 Execution Without DLL File - FP with another zzzzInvokeManagedCustomActionOutOfProc MSI installer
fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with being started as a background service
fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - FP with $WinREAgent folder
fix: Files With System Process Name In Unsuspected Locations - FP with wuaucltcore
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Application Terminated Via Wmic.EXE
new: Browser Execution In Headless Mode
new: Chromium Browser Headless Execution To Mockbin Like Site
new: DarkGate User Created Via Net.EXE
new: DMP/HDMP File Creation
new: Malicious Driver Load
new: Malicious Driver Load By Name
new: Potentially Suspicious DMP/HDMP File Creation
new: Remote DLL Load Via Rundll32.EXE
new: Renamed CURL.EXE Execution
new: Vulnerable Driver Load
new: Vulnerable Driver Load By Name
update: 7Zip Compressing Dump Files - Increase coverage
update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to `medium`
update: COM Hijack via Sdclt - Fix Logic
update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage
update: Creation of an Executable by an Executable - Fix FP
update: DLL Load By System Process From Suspicious Locations - Reduce level to `medium`
update: DNS Query Request By Regsvr32.EXE - Reduce level to `medium`
update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to `medium`
update: DNS Query To MEGA Hosting Website - Reduce level to `low` and update metadata
update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains
update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to `low`
update: DNS Query To Ufile.io - Update title and reduce level to `low`
update: DNS Query Tor .Onion Address - Sysmon - Update title
update: DNS Server Discovery Via LDAP Query - Reduce level to `low` and update FP filters
update: DriverQuery.EXE Execution - Increase coverage
update: File Download From Browser Process Via Inline Link
update: Greedy File Deletion Using Del - Increase coverage
update: Leviathan Registry Key Activity - Fix logic
update: Network Connection Initiated By Regsvr32.EXE - Reduce level to `medium` and metadata update
update: Non Interactive PowerShell Process Spawned - Increase coverage
update: OceanLotus Registry Activity - Fix Logic
update: Office Application Startup - Office Test - Fix Logic
update: OneNote Attachment File Dropped In Suspicious Location - Fix FP
update: Potential Dead Drop Resolvers - Increase coverage with new domains
update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic
update: Potential Persistence Via COM Search Order Hijacking - Fix Logic
update: Potential Process Hollowing Activity - Update FP filters
update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage
update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to `medium`
update: Potentially Suspicious Event Viewer Child Process - Update metadata
update: PowerShell Initiated Network Connection - Update description
update: PowerShell Module File Created By Non-PowerShell Process - Fix FP
update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to `medium`
update: Python Image Load By Non-Python Process - Update description and title
update: Python Initiated Connection - Update FP filter
update: Remote Thread Creation By Uncommon Source Image - Update FP filter
update: Renamed AutoIt Execution - Increase coverage
update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage
update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title
update: Sysinternals Tools AppX Versions Execution - Reduce level to `low`
update: Sysmon Blocked Executable - Update logsource
update: UAC Bypass via Event Viewer - Fix Logic
update: UNC2452 Process Creation Patterns - Fix logic
update: Usage Of Malicious POORTRY Signed Driver - Deprecated
update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated
update: Vulnerable Dell BIOS Update Driver Load - Deprecated
update: Vulnerable Driver Load By Name - Deprecated
update: Vulnerable GIGABYTE Driver Load - Deprecated
update: Vulnerable HW Driver Load - Deprecated
update: Vulnerable Lenovo Driver Load - Deprecated
update: WebDav Client Execution Via Rundll32.EXE
update: Windows Update Error - Reduce level to `informational` and status to `stable`
update: Winrar Compressing Dump Files - Increase Coverage
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
update: Linux Network Service Scanning - Auditd - Update coverage to add `ncat` and `nc.openbsd`
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Access To .Reg/.Hive Files By Uncommon Application
update: Access To Browser Credential Files By Uncommon Application
update: Credential Manager Access By Uncommon Application
update: Access To Windows DPAPI Master Keys By Uncommon Application
update: Access To Windows Credential History File By Uncommon Application
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Stale Accounts In A Privileged Role
new: Invalid PIM License
new: Roles Assigned Outside PIM
new: Roles Activated Too Frequently
new: Roles Activation Doesn't Require MFA
new: Roles Are Not Being Used
new: Too Many Global Admins
---------
Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Okta Identity Provider Created
new: Okta New Admin Console Behaviours
new: Okta Suspicious Activity Reported by End-user
new: Okta User Session Start Via An Anonymising Proxy Service
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
fix: Potential Dead Drop Resolvers - FP with chrome/FF being installed in appdata
fix: Suspicious Elevated System Shell - update FP for improved script that causes a FP
new: ESXi Network Configuration Discovery Via ESXCLI
new: ESXi Admin Permission Assigned To Account Via ESXCLI
new: ESXi Storage Information Discovery Via ESXCLI
new: ESXi System Information Discovery Via ESXCLI
new: ESXi VM List Discovery Via ESXCLI
new: ESXi VM Kill Via ESXCLI
new: ESXi VSAN Information Discovery Via ESXCLI
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
- fix: New Port Forwarding Rule Added Via Netsh.EXE - Fix typo in title
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
brady