update: Dynamic .NET Compilation Via Csc.EXE - Update regex to use a non-capturing group
update: Csc.EXE Execution Form Potentially Suspicious Parent - Update regex to use a non-capturing group
update: Invoke-Obfuscation Obfuscated IEX Invocation - Update regex to use a non-capturing group
update: Invoke-Obfuscation Via Stdin - Update regex to use a non-capturing group
update: Invoke-Obfuscation Via Use Clip - Update regex to use a non-capturing group
update: Powershell Token Obfuscation - Process Creation - Update regex to use a non-capturing group
update: Potential Rundll32 Execution With DLL Stored In ADS - Update regex to use a non-capturing group
update: Suspicious Copy From or To System Directory - Update regex to use a non-capturing group
update: Obfuscated IP Download Activity - Update regex to use a non-capturing group
update: Obfuscated IP Via CLI - Update regex to use a non-capturing group
update: Uncommon Svchost Command Line Parameter - Update regex to use a non-capturing group
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
fix: Linux Logs Clearing Attempts - Add new filters for sysstat and dmesg legitimate command deletion
fix: Disable Or Stop Services - Add new filters for legitimate service stoppoing via systemctl for snapd, asw and others
fix: Potential Suspicious Change To Sensitive/Critical Files - Add filters for `/^*` and `s/^` usage with sed
fix: Persistence Via Sudoers.d Files - Add filter for dpkg writing README
fix: Chmod Targeting Sensitive Directories - enhance metadata and add multipel filters for legit use cases
update: Shell Invocation via Env Command - Linux - Switch modifier to use contains instead of endswith for better accuracy
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
new: Windows EventLog Autologger Session Registry Modification Via CommandLine
update: Potential AutoLogger Sessions Tampering - Update the value to an accurate one
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
update: Suspicious Creation TXT File in User Desktop - Move to a TH rule
fix: ffice Macro File Creation - Exclude office binaries
fix: Suspicious Msiexec Execute Arbitrary DLL - Make the filter more generic due to the amount of FPs.
fix: Script Interpreter Execution From Suspicious Folder - Add filters for chocolatey
fix: Suspicious Script Execution From Temp Folder - Add filter for chocolatey
fix: Office Autorun Keys Modification - Add filters for shortened paths using tilda
fix Outlook Security Settings Updated - Registry - Exclude the outlook process
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
new: Service Startup Type Change Via Wmic.EXE
update: Service Reconnaissance Via Wmic.EXE - Add filters to exclude out legitimate service manipulation cases.
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
update: Okta 2023 Breach Indicator Of Compromise - Update field name to use CamleCase
update: Okta Admin Role Assigned to an User or Group - Update field name to use CamleCase
update: Okta Admin Role Assignment Created - Update field name to use CamleCase
update: Okta API Token Created - Update field name to use CamleCase
update: Okta API Token Revoked - Update field name to use CamleCase
update: Okta Application Modified or Deleted - Update field name to use CamleCase
update: Okta Application Sign-On Policy Modified or Deleted - Update field name to use CamleCase
update: Okta FastPass Phishing Detection - Update field name to use CamleCase
update: Okta Identity Provider Created - Update field name to use CamleCase
update: Okta MFA Reset or Deactivated - Update field name to use CamleCase
update: Okta Network Zone Deactivated or Deleted - Update field name to use CamleCase
update: Okta New Admin Console Behaviours - Update field name to use CamleCase
update: Potential Okta Password in AlternateID Field - Update field name to use CamleCase
update: Okta Policy Modified or Deleted - Update field name to use CamleCase
update: Okta Policy Rule Modified or Deleted - Update field name to use CamleCase
update: Okta Security Threat Detected - Update field name to use CamleCase
update: Okta Suspicious Activity Reported by End-user - Update field name to use CamleCase
update: Okta Unauthorized Access to App - Update field name to use CamleCase
update: Okta User Account Locked Out - Update field name to use CamleCase
update: New Okta User Created - Update field name to use CamleCase
update: Okta User Session Start Via An Anonymising Proxy Service - Update field name to use CamleCase
new: msDS-ManagedAccountPrecededByLink Attribute Modified
new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
new: DMSA Service Account Created in Specific OUs - PowerShell
new: DMSA Link Attributes Modified
new: New DMSA Service Account Created in Specific OUs
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location - remove troublesome locations commonly used by installers
fix: HackTool - WSASS Execution - update regex to avoid mismatching on legitimate cli
update: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze - change it into hunting rule
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add filter entry for "tscdn.m365.static.microsoft"
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter entry for MS office path
fix: Non Interactive PowerShell Process Spawned - Add filter entry for "SenseIR.exe"
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
update: Files With System Process Name In Unsuspected Locations - Add fsquirt.exe entry
update: System Control Panel Item Loaded From Uncommon Location - Add entries for bthprops.cpl and hdwwiz.cpl
update: System File Execution Location Anomaly - Add fsquirt.exe entry
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
new: Windows Credential Guard Registry Tampering Via CommandLine
new: Windows Credential Guard Related Registry Value Deleted - Registry
new: Windows Credential Guard Disabled - Registry
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
new: Windows AMSI Related Registry Tampering Via CommandLine
new: AMSI Disabled via Registry Modification
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
new: Legitimate Application Writing Files In Uncommon Location
update: Suspicious Download From File-Sharing Website Via Bitsadmin - add github URL
update: File Download Via Bitsadmin To A Suspicious Target Folder - add more susp locations
remove: File Download Via Bitsadmin To An Uncommon Target Folder - deprecate in favor of 2ddef153-167b-4e89-86b6-757a9e65dcac
chore: add regression tests for bitsadmin related rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
update: Direct Autorun Keys Modification - remove User Shell Folder registry modification
new: User Shell Folders Registry Modification via CommandLine
update: Modify User Shell Folders Startup Value - add new registry path, also add filtering of legit paths
Nasreddine Bencherchali