update: HackTool - CoercedPotato Execution - Update Hashes field to use contains modifier
update: HackTool - HandleKatz LSASS Dumper Execution - Update Hashes field to use contains modifier
update: HackTool - SysmonEOP Execution - Update Hashes field to use contains modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Windows Binaries Write Suspicious Extensions - Add new filter for when "bat" or "powershell" scripts are written via GPO to run at startup.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: File And SubFolder Enumeration Via Dir Command - Fix false positive with Firefox and similar CLI apps.
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Container With A hostPath Mount Created
new: Creation Of Pod In System Namespace
new: Deployment Deleted From Kubernetes Cluster
new: Kubernetes Events Deleted
new: Kubernetes Secrets Enumeration
new: New Kubernetes Service Account Created
new: Potential Remote Command Execution In Pod Container
new: Potential Sidecar Injection Into Running Deployment
new: Privileged Container Deployed
new: RBAC Permission Enumeration Attempt
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Suspicious DNS Query for IP Lookup Service APIs - Add new domains
update: Suspicious Network Connection to IP Lookup Service APIs - Add new domains
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
update: Uncommon Outbound Kerberos Connection - Security - Update filter to include device type paths and reduce the level to "medium"
update: Uncommon Outbound Kerberos Connection - Update filters to include tomcat and reduce the level to "medium"
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
new: Remote Access Tool - Team Viewer Session Started On Linux Host
new: Remote Access Tool - Team Viewer Session Started On MacOS Host
new: Remote Access Tool - Team Viewer Session Started On Windows Host
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Diskshadow Script Mode Execution - Update rule to use the windash modifier
update: IIS Native-Code Module Command Line Installation - Update rule to use the windash modifier
update: Replace.exe Usage - Update rule to use the windash modifier
update: Potential Arbitrary Command Execution Using Msdt.EXE - Update rule to use the windash modifier
update: Suspicious Cabinet File Execution Via Msdt.EXE - Update rule to use the windash modifier
update: DllUnregisterServer Function Call Via Msiexec.EXE - Update rule to use the windash modifier
update: Suspicious Msiexec Execute Arbitrary DLL - Update rule to use the windash modifier
update: Msiexec Quiet Installation - Update rule to use the windash modifier
update: Suspicious Msiexec Quiet Install From Remote Location - Update rule to use the windash modifier
update: Suspicious Response File Execution Via Odbcconf.EXE - Update rule to use the windash modifier
update: Changing Existing Service ImagePath Value Via Reg.EXE - Update rule to use the windash modifier
update: Exports Critical Registry Keys To a File - Update rule to use the windash modifier
update: Exports Registry Key To a File - Update rule to use the windash modifier
update: Imports Registry Key From a File - Update rule to use the windash modifier
update: Imports Registry Key From an ADS - Update rule to use the windash modifier
update: Potential Regsvr32 Commandline Flag Anomaly - Update rule to use the windash modifier
update: Capture Credentials with Rpcping.exe - Update rule to use the windash modifier
update: Potential Execution of Sysinternals Tools - Update rule to use the windash modifier
update: Kernel Memory Dump Via LiveKD - Update rule to use the windash modifier
update: Potential LSASS Process Dump Via Procdump - Update rule to use the windash modifier
update: Sysmon Configuration Update - Update rule to use the windash modifier
update: Uninstall Sysinternals Sysmon - Update rule to use the windash modifier
update: Loaded Module Enumeration Via Tasklist.EXE - Update rule to use the windash modifier
update: Communication To Uncommon Destination Ports - Add link-local address range
update: Dfsvc.EXE Network Connection To Non-Local IPs - Update rule to use cidr modifier
update: Microsoft Sync Center Suspicious Network Connections - Add link-local address range
update: Network Connection Initiated By PowerShell Process - Update rule to use cidr modifier
update: Office Application Initiated Network Connection To Non-Local IP - Update rule to use cidr modifier
update: Outbound Network Connection To Public IP Via Winlogon - Add link-local address range
update: Potential CVE-2023-23397 Exploitation Attempt - SMB - Update rule to use cidr modifier
update: Potentially Suspicious Malware Callback Communication - Add link-local address range
update: Potentially Suspicious Wuauclt Network Connection - Update rule to use cidr modifier
update: Publicly Accessible RDP Service - Add link-local address range
update: RDP Over Reverse SSH Tunnel - Update rule to use cidr modifier
update: Rundll32 Internet Connection - Add link-local address range
update: Script Initiated Connection to Non-Local Network - Update rule to use cidr modifier
update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
update: WebDav Put Request - Update rule to use cidr modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Microsoft VBA For Outlook Addin Loaded Via Outlook - Fix incorrect use of "modifier"
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process - Add multiple new FP filters seen in the wild
fix: Potential System DLL Sideloading From Non System Locations - Add multiple new FP filters seen in the wild
new: CrackMapExec File Indicators
remove: CrackMapExec File Creation Patterns
remove: Suspicious Epmap Connection
update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
chore: update multiple rules to use the windash modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Unsigned DLL Loaded by Windows Utility - Add InstallUtil, RegAsm and RegSvcs as additional process and add additional "null" and "empty" filters to cover for non available fields.
update: Potential PowerShell Execution Via DLL - Add regsvr32 to increase coverage.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Wlrmdr.EXE Uncommon Argument Or Child Process - Update metadata, add new filters and use the windash modifier.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE - Add more builtin ATs to the list
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
pratinavchandra