chore: update metadata of many rules
update: AppX Located in Uncommon Directory Added to Deployment Pipeline - Enhance selection criteria
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
update: Hacktool - EDR-Freeze Execution - add more coverage
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
fix: Uncommon AppX Package Locations - filter out system32
fix: Unauthorized System Time Modification - filter out vmwaretools
fix: Files With System Process Name In Unsuspected Locations - filter windows temp
fix: Startup Folder File Write - filter out wuauclt.exe and C:$WinREAgent\Scratch\Mount\ directory
fix: Potentially Suspicious WDAC Policy File Creation - filter wuaucltcore.exe
fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - filter C:\Windows\UUS\arm64\
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - filter C:$WinREAgent\Scratch\
fix: Potential System DLL Sideloading From Non System Locations - filter legitimate ARM based locations
fix: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - filter legitimate ARM based locations
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
chore: rename auditd folders and others
update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Suspicious Download Via Certutil.EXE - add URL flag related with GUI-based download
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add URL flag related with GUI-based download
update: Suspicious File Downloaded From Direct IP Via Certutil.EXE - add URL flag related with GUI-based download
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
removed: FileFix - Suspicious Child Process from Browser File Upload Abuse - Deprecated in favor of b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
new: DNS Query by Finger Utility
new: Network Connection Initiated via Finger.EXE
fix: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix - Fix selection to use ParentImage instead of Image field
new: Suspicious FileFix Execution Pattern
update: FileFix - Command Evidence in TypedPaths - Added more markers
update: Potential ClickFix Execution Pattern - Registry - Add 2 new strings, "finger" and "identification"
chore: Update "test_rules.py" filename test with better output formatting
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <monsteroffire2@gmail.com>
update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
update: Tor Client/Browser Execution - Add additional PE metadata markers
update: System Information Discovery via Registry Queries - Enhance registry markers
update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
fix: PUA - Sysinternal Tool Execution - Registry - Fix incorrect logsource
fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
chore: add CI script for regression
chore: add regression data
---------
Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.
update: Potentially Suspicious NTFS Symlink Behavior Modification - Tighten logic to focus on proxy process such as cmd or powershell
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
chore: ci: add a check for duplicate ids over all rules that ever existed
chore: change duplicate IDs in obsoleted rules
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
remove: Active Directory Kerberos DLL Loaded Via Office Application - deprecated as it triggers on normal activity
fix: Scheduled Task Creation Via Schtasks.EXE - add for for msoffice application
fix: Use Short Name Path in Command Line - add filter for dotnet csc.exe
fix: Potential Product Reconnaissance Via Wmic.EXE - add filter for some product related operation through wmic
fix: WMIC Remote Command Execution - fix broken FP filter
fix: Classes Autorun Keys Modification - filter null details
fix: CurrentVersion Autorun Keys Modification - filter null details
fix: Modification of IE Registry Settings - filter null details
fix: Potential Persistence Via Shim Database Modification - filter null details
fix: Scheduled TaskCache Change by Uncommon Program - filter null details
update: Copy From Or To Admin Share Or Sysvol Folder - some logic change
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
fix: Office Macro File Download - Reduce level to low due to FPs spotted via VT.
fix: Suspicious CustomShellHost Execution - Increased level to high due to low FP rate spotted via VT.
fix: Explorer Process Tree Break - Fix incorrect usage of windash with the all modifier, that broke the logic.
fix: MSDT Execution Via Answer File - Rename rule as well as introduce usage of windash for increased coverage.
fix: Capture Credentials with Rpcping.exe - Fix incorrect usage of windash with the all modifier, that broke the logic.
fix: Wlrmdr.EXE Uncommon Argument Or Child Process - Fix incorrect usage of windash with the all modifier, that broke the logic.
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
chore: add sorting to the rule archiver script
---------
Thanks: KingKDot
Thanks: zambomarcell
Thanks: Koifman
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Nasreddine Bencherchali