chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
chore: delete "Pipfile" and "Pipfile.lock"
fix: Filter Driver Unloaded Via Fltmc.EXE - Add exclusion for ManageEngine
fix: Suspicious Child Process Of Wermgr.EXE - Exclude "WerConCpl.dll"
new: DNS Query To AzureWebsites.NET By Non-Browser Process
new: Files With System DLL Name In Unsuspected Locations
new: HackTool - Evil-WinRm Execution - PowerShell Module
new: HackTool - LaZagne Execution
new: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
update: Copying Sensitive Files with Credential Data - Use "windash" modifier
update: Explorer Process Tree Break - Use "windash" modifier
update: Files With System Process Name In Unsuspected Locations - Remove old filter
update: Lolbin Unregmp2.exe Use As Proxy - Use "windash" modifier
update: LSASS Process Reconnaissance Via Findstr.EXE - Use "windash" modifier
update: New Remote Desktop Connection Initiated Via Mstsc.EXE - Use "windash" modifier
update: Potential Proxy Execution Via Explorer.EXE From Shell Process - Update metadata and moved to Threat Hunting folder
update: Potential Windows Defender AV Bypass Via Dump64.EXE Rename - Enhance logic
update: Renamed ProcDump Execution - Add new flag option
update: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location - Use "windash" modifier
---------
Thanks: @qasimqlf
Thanks: @celalettin-turgut
Thanks: @cY83rR0H1t
update: Cloudflared Tunnels Related DNS Requests - Update description and related field
new: Network Connection Initiated To Cloudflared Tunnels Domains
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Suspicious DNS Query for IP Lookup Service APIs - Add new domains
update: Suspicious Network Connection to IP Lookup Service APIs - Add new domains
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
update: Suspicious DNS Query for IP Lookup Service APIs - Add ipconfig.io domain
update: Suspicious Network Connection to IP Lookup Service APIs - Add ipconfig.io domain
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Suspicious Network Connection to IP Lookup Service APIs - add several external IP lookup services to existing list
update: Suspicious DNS Query for IP Lookup Service APIs - add several external IP lookup services to existing list
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: DNS Query To Devtunnels Domain - Split rule based on b3e6418f-7c7a-4fad-993a-93b65027a9f1
new: Network Connection Initiated To DevTunnels Domain
new: Network Connection Initiated To Visual Studio Code Tunnels Domain
update: DNS Query To Visual Studio Code Tunnels Domain - Update the rule to only focus on DNS requests from Vscode tunnels and move the logic of Devtunnels to another rule. To ease FP management for users that leverage one but not the other.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
new: Arbitrary File Download Via IMEWDBLD.EXE
new: Arbitrary File Download Via MSEDGE_PROXY.EXE
new: Arbitrary File Download Via Squirrel.EXE - This is a split rule from "45239e6a-b035-4aaf-b339-8ad379fcb67e"
new: Msxsl.EXE Execution
new: Potential File Download Via MS-AppInstaller Protocol Handler
new: Remote XSL Execution Via Msxsl.EXE
update: AppX Package Installation Attempts Via AppInstaller.EXE - Update description and title
update: Arbitrary File Download Via MSOHTMED.EXE - Update title
update: Arbitrary File Download Via PresentationHost.EXE - Update title
update: File Download And Execution Via IEExec.EXE - Update title and description
update: File Download From Browser Process Via Inline URL - Enhance accuracy by using the "endswith" modifier and incrasing coverage by adding new extensions to the list
update: File Download Using ProtocolHandler.exe - Update logic by removing unecessary the "selection_cli_1"
update: File Download Via InstallUtil.EXE - Update title and description
update: File Download Via Windows Defender MpCmpRun.EXE - Update metadata information and add additional fields to the image selection
update: Network Connection Initiated By IMEWDBLD.EXE - Update description and title
update: Potentially Suspicious Electron Application CommandLine - Add "msedge_proxy.exe" to list of processes
update: Process Proxy Execution Via Squirrel.EXE - Moved the logic that covers the "download" aspect into a new rule "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c"
update: Suspicious Calculator Usage - Update filter to remove the "C:" prefix, which increase coverage of other partitions
update: Uncommon Child Process Of Appvlp.EXE - Update description, title and enahnce false positives filters
update: XBAP Execution From Uncommon Locations Via PresentationHost.EXE - Update title and description
update: XSL Script Execution Via WMIC.EXE - Removed the selection that covers "Msxsl" and moved to a seperate rules "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0"
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
new: Application Terminated Via Wmic.EXE
new: Browser Execution In Headless Mode
new: Chromium Browser Headless Execution To Mockbin Like Site
new: DarkGate User Created Via Net.EXE
new: DMP/HDMP File Creation
new: Malicious Driver Load
new: Malicious Driver Load By Name
new: Potentially Suspicious DMP/HDMP File Creation
new: Remote DLL Load Via Rundll32.EXE
new: Renamed CURL.EXE Execution
new: Vulnerable Driver Load
new: Vulnerable Driver Load By Name
update: 7Zip Compressing Dump Files - Increase coverage
update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to `medium`
update: COM Hijack via Sdclt - Fix Logic
update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage
update: Creation of an Executable by an Executable - Fix FP
update: DLL Load By System Process From Suspicious Locations - Reduce level to `medium`
update: DNS Query Request By Regsvr32.EXE - Reduce level to `medium`
update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to `medium`
update: DNS Query To MEGA Hosting Website - Reduce level to `low` and update metadata
update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains
update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to `low`
update: DNS Query To Ufile.io - Update title and reduce level to `low`
update: DNS Query Tor .Onion Address - Sysmon - Update title
update: DNS Server Discovery Via LDAP Query - Reduce level to `low` and update FP filters
update: DriverQuery.EXE Execution - Increase coverage
update: File Download From Browser Process Via Inline Link
update: Greedy File Deletion Using Del - Increase coverage
update: Leviathan Registry Key Activity - Fix logic
update: Network Connection Initiated By Regsvr32.EXE - Reduce level to `medium` and metadata update
update: Non Interactive PowerShell Process Spawned - Increase coverage
update: OceanLotus Registry Activity - Fix Logic
update: Office Application Startup - Office Test - Fix Logic
update: OneNote Attachment File Dropped In Suspicious Location - Fix FP
update: Potential Dead Drop Resolvers - Increase coverage with new domains
update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic
update: Potential Persistence Via COM Search Order Hijacking - Fix Logic
update: Potential Process Hollowing Activity - Update FP filters
update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage
update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to `medium`
update: Potentially Suspicious Event Viewer Child Process - Update metadata
update: PowerShell Initiated Network Connection - Update description
update: PowerShell Module File Created By Non-PowerShell Process - Fix FP
update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to `medium`
update: Python Image Load By Non-Python Process - Update description and title
update: Python Initiated Connection - Update FP filter
update: Remote Thread Creation By Uncommon Source Image - Update FP filter
update: Renamed AutoIt Execution - Increase coverage
update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage
update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title
update: Sysinternals Tools AppX Versions Execution - Reduce level to `low`
update: Sysmon Blocked Executable - Update logsource
update: UAC Bypass via Event Viewer - Fix Logic
update: UNC2452 Process Creation Patterns - Fix logic
update: Usage Of Malicious POORTRY Signed Driver - Deprecated
update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated
update: Vulnerable Dell BIOS Update Driver Load - Deprecated
update: Vulnerable Driver Load By Name - Deprecated
update: Vulnerable GIGABYTE Driver Load - Deprecated
update: Vulnerable HW Driver Load - Deprecated
update: Vulnerable Lenovo Driver Load - Deprecated
update: WebDav Client Execution Via Rundll32.EXE
update: Windows Update Error - Reduce level to `informational` and status to `stable`
update: Winrar Compressing Dump Files - Increase Coverage
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
phantinuss