fix: Creation of an Executable by an Executable - Add filter for Windows Microsoft.NET ARM path
fix: Amsi.DLL Load By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
fix: WMI Module Loaded By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
fix: PowerShell Core DLL Loaded By Non PowerShell Process - Add filter for Windows Microsoft.NET ARM path
fix: Potential DLL Sideloading Of MsCorSvc.DLL - Add filter for Windows Microsoft.NET ARM path
fix: Suspicious WSMAN Provider Image Loads - Add filter for Windows Microsoft.NET ARM path
fix: AddinUtil.EXE Execution From Uncommon Directory - Add filter for Windows Microsoft.NET ARM path
fix: Potential System DLL Sideloading From Non System Locations - Add filter for "C:\Windows\SyChpe32\"
update: AspNetCompiler Execution - Add ARM version of the \Microsoft.NET path
update: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler - Add ARM version of the \Microsoft.NET path
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
fix: Potential DLL Sideloading Of DbgModel.DLL - Update selection name to match the condition
fix: NTLM Logon - Remove unnecessary field
fix: Potential Commandline Obfuscation Using Unicode Characters - Remove legitimate currency characters as they could be used in document names
fix: Suspicious SYSTEM User Process Creation - Update `ping` filter to account for other FP variants found in the wild.
update: Potential System DLL Sideloading From Non System Locations - Add new entries to increase coverage
new: Potential DLL Sideloading Of DbgModel.DLL
new: Potential DLL Sideloading Of MpSvc.DLL
new: Potential DLL Sideloading Of MsCorSvc.DLL
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
chore: update Microsoft references link to use the "learn" subdomain instead of "docs".
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @ryanplasma
fix: Microsoft VBA For Outlook Addin Loaded Via Outlook - Fix incorrect use of "modifier"
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process - Add multiple new FP filters seen in the wild
fix: Potential System DLL Sideloading From Non System Locations - Add multiple new FP filters seen in the wild
new: CrackMapExec File Indicators
remove: CrackMapExec File Creation Patterns
remove: Suspicious Epmap Connection
update: Unsigned DLL Loaded by Windows Utility - Add InstallUtil, RegAsm and RegSvcs as additional process and add additional "null" and "empty" filters to cover for non available fields.
update: Potential PowerShell Execution Via DLL - Add regsvr32 to increase coverage.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Firewall Rule Modified In The Windows Firewall Exception List - new optional filter Brave browser
fix: Outbound RDP Connections Over Non-Standard Tools - new FP filter for RAS TSplus
fix: PowerShell Core DLL Loaded By Non PowerShell Process - new optional filter for chocolatey
fix: Remote Thread Creation In Mstsc.Exe From Suspicious Location - Fix a broken path string
fix: Remote Thread Creation In Uncommon Target Image - Reduce level to medium and remove explorer as target due to FP rates.
fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Fix the filters to be more generic
new: Rare Remote Thread Creation By Uncommon Source Image - A split of 66d31e5f-52d6-40a4-9615-002d3789a119
update: All Rules Have Been Deleted From The Windows Firewall Configuration - Remove program files filter to increase coverage. As deleting rules shouldn't be a "normal" behavior.
update: CreateRemoteThread API and LoadLibrary - Reduce level to medium and convert to a TH rule
update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add additional paths to increase coverage
update: Powershell Install a DLL in System Directory - enhance rule context in big script blocks
update: Remote Thread Creation By Uncommon Source Image - Reduced level to medium and move high indicators to 02d1d718-dd13-41af-989d-ea85c7fab93f
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
new: Potential Persistence Via AppCompat RegisterAppRestart Layer
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Add additional commandline flag that might trigger FPs
update: Hypervisor Enforced Code Integrity Disabled - Add additional path for the HVCI config
update: Creation Of Non-Existent System DLL - Remove driver anchor and the System32 filter. The reason behind this is that an attacker can copy the file elsewhere and then use a system utility such as copy or xcopy located in the system32 folder to create it again. Which will bypass the rule.
update: Potential System DLL Sideloading From Non System Locations - Remove the driver anchor from the filter to catch cases where the system is installed on non default C: driver
update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add SignatureStatus in the filter to exclude only valid signatures and decrease bypass.
remove: Svchost DLL Search Order Hijack - Deprecated in favor of the rule 6b98b92b-4f00-4f62-b4fe-4d1920215771. The reason is that for legit cases where the DLL is still present we can't filter out anything. We assume that the loading is done by a non valid/signed DLLs which will catch most cases. In cas the attacker had the option to sign the DLL with a valid signature he can bypass the rule.
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C:
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
fix: Credential Manager Access By Uncommon Application - Enhance FP filters
fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to threat hunting folder and Update logic to be more accurate
fix: User with Privileges Logon - Move to placeholder rules and update the FP filter to account for different workstations
fix: Windows Event Auditing Disabled - Enhance list of false positive filters with additional GUID
fix: WMI Module Loaded By Uncommon Process - Moved to threat hunting folder and update and restructure false positive filters
new: Communication To Uncommon Destination Ports
new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
remove: Credential Dumping Tools Service Execution
remove: New Service Uses Double Ampersand in Path
remove: Powershell File and Directory Discovery
remove: PowerShell Scripts Run by a Services
remove: Security Event Log Cleared
remove: Suspicious Get-WmiObject
remove: Windows Defender Threat Detection Disabled
update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
update: Failed Code Integrity Checks - Reduce level to informational
update: HH.EXE Execution - Reduce level to low
update: Locked Workstation - Reduce level to informational
update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports
update: PUA - Nmap/Zenmap Execution - Reduce level to medium
update: PUA - Process Hacker Execution - Reduce level to medium
update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
update: SASS Access From Non System Account - Reduce level to medium and enhance false positive filters
update: Suspicious Executable File Creation - Enhance coverage by removing hardocded "C:"
update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
update: Whoami Utility Execution - Reduce level to low
update: Whoami.EXE Execution With Output Option - Reduce level to medium
update: Windows Defender Malware Detection History Deletion - Reduce level to informational
update: WMI Event Consumer Created Named Pipe - Reduce leve to medium
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Thanks: @Blackmore-Robert
Thanks: @swachchhanda000
Thanks: @celalettin-turgut
Thanks: @AaronS97
new: DLL Names Used By SVR For GraphicalProton Backdoor
new: Enable LM Hash Storage
new: Enable LM Hash Storage - ProcCreation
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
update: Compress-Archive Cmdlet Execution - Reudced Level to low and moved to Threat Hunting folder.
update: Disabled Volume Snapshots - Update logic by removing the reg string to also account for potential renamed executions
update: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Update logic to be more specific
update: Potential Recon Activity Via Nltest.EXE - Add dnsgetdc coverage and enhance logic by removing /
update: Potential System DLL Sideloading From Non System Locations - Enhance logic by removing hardcoded C: value to account for other potential system locations
update: RestrictedAdminMode Registry Value Tampering - ProcCreation - Update logic the logic to not care about the data. As this registry value has use cases either be it "0" or "1"
update: RestrictedAdminMode Registry Value Tampering - Update logic the logic to not care about the data. As this registry value has use cases either be it "0" or "1"
update: Write Protect For Storage Disabled - Update logic by removing the reg string to also account for potential renamed executions
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Update logic to be more specific
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Enhance filter to account for an FP found with MS edge
fix: Files With System Process Name In Unsuspected Locations - Enhance filter to cover other folder variation for windows recovery
fix: Portable Gpg.EXE Execution - Add new legitimate location for GNuGpg
fix: Suspicious WmiPrvSE Child Process - Add a filter for msiexec image used to install new MSI packages via WMI process
update: ISO Image Mounted - Update title and add new filter
update: Potential NT API Stub Patching - Enhance the selection coverage by removing the "C:" prefix to cover other installation possibilities
update: Remote Thread Creation Via PowerShell - Update selection to use endswith modifier for better coverage
update: Remote Thread Creation Via PowerShell In Potentially Suspicious Target - Update title and add a "regsvr32" as a new additional process to increase coverage
update: Suspicious Whoami.EXE Execution - Enhance the selection by using a * wildcard to account for the order and avoid FPs
update: WMI Module Loaded By Non Uncommon Process - Enhance selection by making the System folders filter use a "contains" instead of an exact match
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
update: Registry Persistence via Service in Safe Mode - Fix typo in title
chore: Fix multiple typo in metadata fields and comments
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Swachchhanda Shrawan Poudel