fix: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process - Remove `selection_2` as it generates tons of false positives.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
chore: update Microsoft references link to use the "learn" subdomain instead of "docs".
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @ryanplasma
chore: delete "Pipfile" and "Pipfile.lock"
fix: Filter Driver Unloaded Via Fltmc.EXE - Add exclusion for ManageEngine
fix: Suspicious Child Process Of Wermgr.EXE - Exclude "WerConCpl.dll"
new: DNS Query To AzureWebsites.NET By Non-Browser Process
new: Files With System DLL Name In Unsuspected Locations
new: HackTool - Evil-WinRm Execution - PowerShell Module
new: HackTool - LaZagne Execution
new: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
update: Copying Sensitive Files with Credential Data - Use "windash" modifier
update: Explorer Process Tree Break - Use "windash" modifier
update: Files With System Process Name In Unsuspected Locations - Remove old filter
update: Lolbin Unregmp2.exe Use As Proxy - Use "windash" modifier
update: LSASS Process Reconnaissance Via Findstr.EXE - Use "windash" modifier
update: New Remote Desktop Connection Initiated Via Mstsc.EXE - Use "windash" modifier
update: Potential Proxy Execution Via Explorer.EXE From Shell Process - Update metadata and moved to Threat Hunting folder
update: Potential Windows Defender AV Bypass Via Dump64.EXE Rename - Enhance logic
update: Renamed ProcDump Execution - Add new flag option
update: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location - Use "windash" modifier
---------
Thanks: @qasimqlf
Thanks: @celalettin-turgut
Thanks: @cY83rR0H1t
new: Communication To LocaltoNet Tunneling Service Initiated
new: Communication To LocaltoNet Tunneling Service Initiated - Linux
---------
Co-authored-by: Andreas Braathen <andreasb@mnemonic.io>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Antivirus Hacktool Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
update: Antivirus Password Dumper Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
update: Relevant Anti-Virus Signature Keywords In Application Log - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
new: Network Connection Initiated From Users\Public Folder
update: Outbound Network Connection Initiated By Cmstp.EXE - Exclude local IPs and ranges
update: Network Connection Initiated To Mega.nz - Reduce level to "low"
new: Network Communication Initiated To Portmap.IO Domain
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional file paths
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional file paths
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
new: Uncommon File Creation By Mysql Daemon Process
new: Potential Suspicious Browser Launch From Document Reader Process
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Cloudflared Tunnels Related DNS Requests - Update description and related field
new: Network Connection Initiated To Cloudflared Tunnels Domains
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list
update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
new: All Backups Deleted Via Wbadmin.EXE
new: Sensitive File Dump Via Wbadmin.EXE
new: File Recovery From Backup Via Wbadmin.EXE
new: Sensitive File Recovery From Backup Via Wbadmin.EXE
update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
new: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add new EID and paths
update: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Add new EID and paths
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: AWS User Login Profile Was Modified - use fieldref instead of contains modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions
update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description
update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on "any" execution
update: COM Object Execution via Xwizard.EXE - Update logic
update: JScript Compiler Execution - Update metadata
update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy
update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description
update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description
update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end.
update: Renamed ZOHO Dctask64 Execution - Add additional imphash values
update: Windows Kernel Debugger Execution - Reduce level to "medium"
update: Xwizard.EXE Execution From Non-Default Location - Update description
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Cygnetix