update: HackTool - CoercedPotato Execution - Update Hashes field to use contains modifier
update: HackTool - HandleKatz LSASS Dumper Execution - Update Hashes field to use contains modifier
update: HackTool - SysmonEOP Execution - Update Hashes field to use contains modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Windows Binaries Write Suspicious Extensions - Add new filter for when "bat" or "powershell" scripts are written via GPO to run at startup.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: File And SubFolder Enumeration Via Dir Command - Fix false positive with Firefox and similar CLI apps.
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
update: Suspicious DNS Query for IP Lookup Service APIs - Add new domains
update: Suspicious Network Connection to IP Lookup Service APIs - Add new domains
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
update: Uncommon Outbound Kerberos Connection - Security - Update filter to include device type paths and reduce the level to "medium"
update: Uncommon Outbound Kerberos Connection - Update filters to include tomcat and reduce the level to "medium"
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
new: Remote Access Tool - Team Viewer Session Started On Linux Host
new: Remote Access Tool - Team Viewer Session Started On MacOS Host
new: Remote Access Tool - Team Viewer Session Started On Windows Host
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Diskshadow Script Mode Execution - Update rule to use the windash modifier
update: IIS Native-Code Module Command Line Installation - Update rule to use the windash modifier
update: Replace.exe Usage - Update rule to use the windash modifier
update: Potential Arbitrary Command Execution Using Msdt.EXE - Update rule to use the windash modifier
update: Suspicious Cabinet File Execution Via Msdt.EXE - Update rule to use the windash modifier
update: DllUnregisterServer Function Call Via Msiexec.EXE - Update rule to use the windash modifier
update: Suspicious Msiexec Execute Arbitrary DLL - Update rule to use the windash modifier
update: Msiexec Quiet Installation - Update rule to use the windash modifier
update: Suspicious Msiexec Quiet Install From Remote Location - Update rule to use the windash modifier
update: Suspicious Response File Execution Via Odbcconf.EXE - Update rule to use the windash modifier
update: Changing Existing Service ImagePath Value Via Reg.EXE - Update rule to use the windash modifier
update: Exports Critical Registry Keys To a File - Update rule to use the windash modifier
update: Exports Registry Key To a File - Update rule to use the windash modifier
update: Imports Registry Key From a File - Update rule to use the windash modifier
update: Imports Registry Key From an ADS - Update rule to use the windash modifier
update: Potential Regsvr32 Commandline Flag Anomaly - Update rule to use the windash modifier
update: Capture Credentials with Rpcping.exe - Update rule to use the windash modifier
update: Potential Execution of Sysinternals Tools - Update rule to use the windash modifier
update: Kernel Memory Dump Via LiveKD - Update rule to use the windash modifier
update: Potential LSASS Process Dump Via Procdump - Update rule to use the windash modifier
update: Sysmon Configuration Update - Update rule to use the windash modifier
update: Uninstall Sysinternals Sysmon - Update rule to use the windash modifier
update: Loaded Module Enumeration Via Tasklist.EXE - Update rule to use the windash modifier
update: Communication To Uncommon Destination Ports - Add link-local address range
update: Dfsvc.EXE Network Connection To Non-Local IPs - Update rule to use cidr modifier
update: Microsoft Sync Center Suspicious Network Connections - Add link-local address range
update: Network Connection Initiated By PowerShell Process - Update rule to use cidr modifier
update: Office Application Initiated Network Connection To Non-Local IP - Update rule to use cidr modifier
update: Outbound Network Connection To Public IP Via Winlogon - Add link-local address range
update: Potential CVE-2023-23397 Exploitation Attempt - SMB - Update rule to use cidr modifier
update: Potentially Suspicious Malware Callback Communication - Add link-local address range
update: Potentially Suspicious Wuauclt Network Connection - Update rule to use cidr modifier
update: Publicly Accessible RDP Service - Add link-local address range
update: RDP Over Reverse SSH Tunnel - Update rule to use cidr modifier
update: Rundll32 Internet Connection - Add link-local address range
update: Script Initiated Connection to Non-Local Network - Update rule to use cidr modifier
update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
update: WebDav Put Request - Update rule to use cidr modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Microsoft VBA For Outlook Addin Loaded Via Outlook - Fix incorrect use of "modifier"
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process - Add multiple new FP filters seen in the wild
fix: Potential System DLL Sideloading From Non System Locations - Add multiple new FP filters seen in the wild
new: CrackMapExec File Indicators
remove: CrackMapExec File Creation Patterns
remove: Suspicious Epmap Connection
update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
chore: update multiple rules to use the windash modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Unsigned DLL Loaded by Windows Utility - Add InstallUtil, RegAsm and RegSvcs as additional process and add additional "null" and "empty" filters to cover for non available fields.
update: Potential PowerShell Execution Via DLL - Add regsvr32 to increase coverage.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Wlrmdr.EXE Uncommon Argument Or Child Process - Update metadata, add new filters and use the windash modifier.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE - Add more builtin ATs to the list
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Suspicious Service Installation Script - Increase coverage by adding for the "/" option in commands flags
update: Console CodePage Lookup Via CHCP - Increase coverage by adding for the "/" option in commands flags
update: Curl Download And Execute Combination - Increase coverage by adding for the "/" option in commands flags
update: File Deletion Via Del - Increase coverage by adding for the "/" option in commands flags
update: Files And Subdirectories Listing Using Dir - Increase coverage by adding for the "/" option in commands flags
update: Suspicious Ping/Copy Command Combination - Increase coverage by adding for the "/" option in commands flags
update: New Generic Credentials Added Via Cmdkey.EXE - Increase coverage by adding for the "/" option in commands flags
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: External Disk Drive Or USB Storage Device Was Recognized By The System - Update selection to reflect the logic correctly
fix: Uncommon Service Installation Image Path - Update filter logic to use correct modifiers
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Fukusuke Takahashi