chore: update Microsoft references link to use the "learn" subdomain instead of "docs".
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @ryanplasma
chore: delete "Pipfile" and "Pipfile.lock"
fix: Filter Driver Unloaded Via Fltmc.EXE - Add exclusion for ManageEngine
fix: Suspicious Child Process Of Wermgr.EXE - Exclude "WerConCpl.dll"
new: DNS Query To AzureWebsites.NET By Non-Browser Process
new: Files With System DLL Name In Unsuspected Locations
new: HackTool - Evil-WinRm Execution - PowerShell Module
new: HackTool - LaZagne Execution
new: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
update: Copying Sensitive Files with Credential Data - Use "windash" modifier
update: Explorer Process Tree Break - Use "windash" modifier
update: Files With System Process Name In Unsuspected Locations - Remove old filter
update: Lolbin Unregmp2.exe Use As Proxy - Use "windash" modifier
update: LSASS Process Reconnaissance Via Findstr.EXE - Use "windash" modifier
update: New Remote Desktop Connection Initiated Via Mstsc.EXE - Use "windash" modifier
update: Potential Proxy Execution Via Explorer.EXE From Shell Process - Update metadata and move to Threat Hunting folder
update: Potential Windows Defender AV Bypass Via Dump64.EXE Rename - Enhance logic
update: Renamed ProcDump Execution - Add new flag option
update: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location - Use "windash" modifier
---------
Thanks: @qasimqlf
Thanks: @celalettin-turgut
Thanks: @cY83rR0H1t
new: Uncommon File Creation By Mysql Daemon Process
new: Potential Suspicious Browser Launch From Document Reader Process
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list
update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
new: All Backups Deleted Via Wbadmin.EXE
new: Sensitive File Dump Via Wbadmin.EXE
new: File Recovery From Backup Via Wbadmin.EXE
new: Sensitive File Recovery From Backup Via Wbadmin.EXE
update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions
update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description
update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on "any" execution
update: COM Object Execution via Xwizard.EXE - Update logic
update: JScript Compiler Execution - Update metadata
update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy
update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description
update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description
update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end.
update: Renamed ZOHO Dctask64 Execution - Add additional imphash values
update: Windows Kernel Debugger Execution - Reduce level to "medium"
update: Xwizard.EXE Execution From Non-Default Location - Update description
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
update: HackTool - CoercedPotato Execution - Update Hashes field to use contains modifier
update: HackTool - HandleKatz LSASS Dumper Execution - Update Hashes field to use contains modifier
update: HackTool - SysmonEOP Execution - Update Hashes field to use contains modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: File And SubFolder Enumeration Via Dir Command - Fix false positive with Firefox and similar CLI apps.
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Remote Access Tool - Team Viewer Session Started On Linux Host
new: Remote Access Tool - Team Viewer Session Started On MacOS Host
new: Remote Access Tool - Team Viewer Session Started On Windows Host
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Diskshadow Script Mode Execution - Update rule to use the windash modifier
update: IIS Native-Code Module Command Line Installation - Update rule to use the windash modifier
update: Replace.exe Usage - Update rule to use the windash modifier
update: Potential Arbitrary Command Execution Using Msdt.EXE - Update rule to use the windash modifier
update: Suspicious Cabinet File Execution Via Msdt.EXE - Update rule to use the windash modifier
update: DllUnregisterServer Function Call Via Msiexec.EXE - Update rule to use the windash modifier
update: Suspicious Msiexec Execute Arbitrary DLL - Update rule to use the windash modifier
update: Msiexec Quiet Installation - Update rule to use the windash modifier
update: Suspicious Msiexec Quiet Install From Remote Location - Update rule to use the windash modifier
update: Suspicious Response File Execution Via Odbcconf.EXE - Update rule to use the windash modifier
update: Changing Existing Service ImagePath Value Via Reg.EXE - Update rule to use the windash modifier
update: Exports Critical Registry Keys To a File - Update rule to use the windash modifier
update: Exports Registry Key To a File - Update rule to use the windash modifier
update: Imports Registry Key From a File - Update rule to use the windash modifier
update: Imports Registry Key From an ADS - Update rule to use the windash modifier
update: Potential Regsvr32 Commandline Flag Anomaly - Update rule to use the windash modifier
update: Capture Credentials with Rpcping.exe - Update rule to use the windash modifier
update: Potential Execution of Sysinternals Tools - Update rule to use the windash modifier
update: Kernel Memory Dump Via LiveKD - Update rule to use the windash modifier
update: Potential LSASS Process Dump Via Procdump - Update rule to use the windash modifier
update: Sysmon Configuration Update - Update rule to use the windash modifier
update: Uninstall Sysinternals Sysmon - Update rule to use the windash modifier
update: Loaded Module Enumeration Via Tasklist.EXE - Update rule to use the windash modifier
update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
chore: update multiple rules to use the windash modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Unsigned DLL Loaded by Windows Utility - Add InstallUtil, RegAsm and RegSvcs as additional processes and add additional "null" and "empty" filters to cover for non-available fields.
update: Potential PowerShell Execution Via DLL - Add regsvr32 to increase coverage.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Wlrmdr.EXE Uncommon Argument Or Child Process - Update metadata, add new filters and use the windash modifier.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE - Add more builtin ATs to the list
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Suspicious Service Installation Script - Increase coverage by accounting for the "/" option in command flags
update: Console CodePage Lookup Via CHCP - Increase coverage by accounting for the "/" option in command flags
update: Curl Download And Execute Combination - Increase coverage by accounting for the "/" option in command flags
update: File Deletion Via Del - Increase coverage by accounting for the "/" option in command flags
update: Files And Subdirectories Listing Using Dir - Increase coverage by accounting for the "/" option in command flags
update: Suspicious Ping/Copy Command Combination - Increase coverage by accounting for the "/" option in command flags
update: New Generic Credentials Added Via Cmdkey.EXE - Increase coverage by accounting for the "/" option in command flags
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
update: Rundll32 Execution With Uncommon DLL Extension - Update the selection to allow for additional quoted cases such as rundll32 "shell32.dll",ShellExec_RunDLL <something>
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>