update: HackTool - CoercedPotato Execution - Update Hashes field to use contains modifier
update: HackTool - HandleKatz LSASS Dumper Execution - Update Hashes field to use contains modifier
update: HackTool - SysmonEOP Execution - Update Hashes field to use contains modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: File And SubFolder Enumeration Via Dir Command - Fix false positive with Firefox and similar CLI apps.
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Remote Access Tool - Team Viewer Session Started On Linux Host
new: Remote Access Tool - Team Viewer Session Started On MacOS Host
new: Remote Access Tool - Team Viewer Session Started On Windows Host
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Diskshadow Script Mode Execution - Update rule to use the windash modifier
update: IIS Native-Code Module Command Line Installation - Update rule to use the windash modifier
update: Replace.exe Usage - Update rule to use the windash modifier
update: Potential Arbitrary Command Execution Using Msdt.EXE - Update rule to use the windash modifier
update: Suspicious Cabinet File Execution Via Msdt.EXE - Update rule to use the windash modifier
update: DllUnregisterServer Function Call Via Msiexec.EXE - Update rule to use the windash modifier
update: Suspicious Msiexec Execute Arbitrary DLL - Update rule to use the windash modifier
update: Msiexec Quiet Installation - Update rule to use the windash modifier
update: Suspicious Msiexec Quiet Install From Remote Location - Update rule to use the windash modifier
update: Suspicious Response File Execution Via Odbcconf.EXE - Update rule to use the windash modifier
update: Changing Existing Service ImagePath Value Via Reg.EXE - Update rule to use the windash modifier
update: Exports Critical Registry Keys To a File - Update rule to use the windash modifier
update: Exports Registry Key To a File - Update rule to use the windash modifier
update: Imports Registry Key From a File - Update rule to use the windash modifier
update: Imports Registry Key From an ADS - Update rule to use the windash modifier
update: Potential Regsvr32 Commandline Flag Anomaly - Update rule to use the windash modifier
update: Capture Credentials with Rpcping.exe - Update rule to use the windash modifier
update: Potential Execution of Sysinternals Tools - Update rule to use the windash modifier
update: Kernel Memory Dump Via LiveKD - Update rule to use the windash modifier
update: Potential LSASS Process Dump Via Procdump - Update rule to use the windash modifier
update: Sysmon Configuration Update - Update rule to use the windash modifier
update: Uninstall Sysinternals Sysmon - Update rule to use the windash modifier
update: Loaded Module Enumeration Via Tasklist.EXE - Update rule to use the windash modifier
update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
chore: update multiple rules to use the windash modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Unsigned DLL Loaded by Windows Utility - Add InstallUtil, RegAsm and RegSvcs as additional process and add additional "null" and "empty" filters to cover for non available fields.
update: Potential PowerShell Execution Via DLL - Add regsvr32 to increase coverage.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Wlrmdr.EXE Uncommon Argument Or Child Process - Update metadata, add new filters and use the windash modifier.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE - Add more builtin ATs to the list
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Suspicious Service Installation Script - Increase coverage by adding for the "/" option in commands flags
update: Console CodePage Lookup Via CHCP - Increase coverage by adding for the "/" option in commands flags
update: Curl Download And Execute Combination - Increase coverage by adding for the "/" option in commands flags
update: File Deletion Via Del - Increase coverage by adding for the "/" option in commands flags
update: Files And Subdirectories Listing Using Dir - Increase coverage by adding for the "/" option in commands flags
update: Suspicious Ping/Copy Command Combination - Increase coverage by adding for the "/" option in commands flags
update: New Generic Credentials Added Via Cmdkey.EXE - Increase coverage by adding for the "/" option in commands flags
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Rundll32 Execution With Uncommon DLL Extension - Update the selection to allow for additional quoted cases such as rundll32 "shell32.dll",ShellExec_RunDLL <somethin>
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
fix: Metasploit SMB Authentication - Remove unnecessary field
fix: Service Installation in Suspicious Folder - Update FP filter
update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
remove: SAM Dump to AppData
update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
update: New or Renamed User Account with '$' Character - Reduced level to "medium"
update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium"
update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
update: Prefetch File Deleted - Update selection to remove 'C:' prefix
update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
update: Shell Process Spawned by Java.EXE - Add "bash.exe"
update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic
update: Sysmon Application Crashed - Add 32bit version of sysmon binary
update: Tap Driver Installation - Security - Reduce level to "low"
update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
fix: System Information Discovery Via Wmic.EXE - Move to threat hunting and add additional filter to reduce noise coming from VMware Tools
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Hacktool Execution - Imphash - Add additional imphash values to increase coverage
update: Findstr Launching .lnk File - Increase coverage by adding cases where the commandline ends with a double or a single quote.
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
new: Potential Persistence Via AppCompat RegisterAppRestart Layer
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Add additional commandline flag that might trigger FPs
update: Hypervisor Enforced Code Integrity Disabled - Add additional path for the HVCI config
update: Creation Of Non-Existent System DLL - Remove driver anchor and the System32 filter. The reason behind this is that an attacker can copy the file elsewhere and then use a system utility such as copy or xcopy located in the system32 folder to create it again. Which will bypass the rule.
update: Potential System DLL Sideloading From Non System Locations - Remove the driver anchor from the filter to catch cases where the system is installed on non default C: driver
update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add SignatureStatus in the filter to exclude only valid signatures and decrease bypass.
remove: Svchost DLL Search Order Hijack - Deprecated in favor of the rule 6b98b92b-4f00-4f62-b4fe-4d1920215771. The reason is that for legit cases where the DLL is still present we can't filter out anything. We assume that the loading is done by a non valid/signed DLLs which will catch most cases. In cas the attacker had the option to sign the DLL with a valid signature he can bypass the rule.
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Fukusuke Takahashi