Florian Roth
e8a6894eca
Merge PR #5132 from @Neo23x0 - Update DNS Query To Remote Access Software Domain From Non-Browser App
update: DNS Query To Remote Access Software Domain From Non-Browser App - Add `getscreen.me`
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-19 20:38:44 +01:00
Koifman
3449958dbf
Merge PR #5041 from @Koifman - Update tags for Register new Logon Process by Rubeus
chore: update tags for `Register new Logon Process by Rubeus`
2024-12-19 18:41:14 +01:00
z00t
8e8b86aab9
Merge PR #5095 from @faisalusuf - Add new rules related to QuickAssist usage
new: QuickAssist Execution
new: DNS Query Request By QuickAssist.EXE
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-19 18:07:19 +01:00
Djordje Lukic
9f54b01218
Merge PR #5122 from @djlukic - Fix bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
fix: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic - Update the logic to remove unrelated keywords and reduce unwanted matches.
---------
Co-authored-by: Djordje Lukic <djordje.lukic@binalyze.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-14 22:55:02 +02:00
Florian Roth
17dcad456f
Merge PR #5116 from @Neo23x0 - Add rules and updates related to Cleo exploitation
new: CVE-2024-50623 Exploitation Attempt - Cleo
update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-14 22:44:55 +02:00
Phill Moore
a290d22143
Merge PR #5125 from @randomaccess3 - Update Potential Secure Deletion with SDelete
update: Potential Secure Deletion with SDelete - Enhance metadata
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-14 21:55:43 +02:00
Gameel Ali
9b67acfcf6
Merge PR #5126 from @MalGamy12 - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add {603D3801-BD81-11d0-A3A5-00C04FD706EC}
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2024-12-14 21:09:33 +02:00
Florian Roth
ee821b8e99
Merge PR #5110 from @Neo23x0 - Update Remote Access Tool Services Have Been Installed - Security
update: Remote Access Tool Services Have Been Installed - Security - Add anydesk
2024-12-07 15:47:45 +01:00
Florian Roth
6fd57da131
fix: FPs with NetNTLM downgrade attack ( #5108 )
fix: NetNTLM Downgrade Attack - Registry - Tune the rule for specific registry values in order to reduce FP rate.
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-12-03 22:44:37 +01:00
Matthew Green
2a0c9b5550
Merge PR #5107 from @mgreen27 - Update Potential Defense Evasion Via Rename Of Highly Relevant Binaries
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Add ie4uinit.exe and msxsl.exe to old binary rename rule
2024-12-03 22:14:54 +01:00
Nasreddine Bencherchali
6048be5a7a
Merge PR #5106 from @nasbench - Add SID version of integrity levels
chore: add SID version of IntegrityLevel
fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
2024-12-01 23:29:17 +01:00
frack113
6e71f6ad5e
Merge PR #5046 from @frack113 - Add Setup16.EXE Execution With Custom .Lst File
new: Setup16.EXE Execution With Custom .Lst File
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-12-01 17:35:53 +01:00
Swachchhanda Shrawan Poudel
f39c9acbc4
Merge PR #5082 from @swachchhanda000 - Add Suspicious ShellExec_RunDLL Call Via Ordinal
new: Suspicious ShellExec_RunDLL Call Via Ordinal
---------
Co-authored-by: Swachchhanda Shrawan Poudel <logpoint-admin@NP-SSP-MBP-02.local>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2024-12-01 17:32:36 +01:00
Gameel Ali
995dac17d1
Merge PR #5084 from @MalGamy12 - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add 2 new additional built-in COM object GUIDs that were seen being used for hijacking
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-12-01 13:48:59 +01:00
github-actions[bot]
9367349016
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-12-01 13:40:32 +01:00
Florian Roth
374f003507
Merge PR #5093 from @Neo23x0 - Fix Creation of WerFault.exe/Wer.dll in Unusual Folder
fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - Add filter for windows update/installation folder `C:\Windows\SoftwareDistribution\`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-29 13:06:11 +01:00
frack113
d804e9cba1
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
update: GALLIUM IOCs - remove custom dedicated hash fields
update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
update: HackTool Named File Stream Created - remove custom dedicated hash fields
update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
update: PUA - System Informer Driver Load - remove custom dedicated hash fields
update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
update: WinDivert Driver Load - remove custom dedicated hash fields
update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
update: Hacktool Execution - Imphash - remove custom dedicated hash fields
update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
update: HackTool - Impersonate Execution - remove custom dedicated hash fields
update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
update: HackTool - PCHunter Execution - remove custom dedicated hash fields
update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
update: MpiExec Lolbin - remove custom dedicated hash fields
update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Nimgrab Execution - remove custom dedicated hash fields
update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Process Hacker Execution - remove custom dedicated hash fields
update: PUA - System Informer Execution - remove custom dedicated hash fields
update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
update: Renamed AdFind Execution - remove custom dedicated hash fields
update: Renamed AutoIt Execution - remove custom dedicated hash fields
update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
update: Renamed PAExec Execution - remove custom dedicated hash fields
update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-25 09:30:14 +01:00
Jonathan Peters
41a59142d7
Merge PR #5081 from @cod3nym - Add Potential File Extension Spoofing Using Right-to-Left Override
new: Potential File Extension Spoofing Using Right-to-Left Override
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-18 22:43:01 +01:00
Gameel Ali
5aa899415b
Merge PR #5075 from @MalGamy12 - Update Potentially Suspicious Cabinet File Expansion
update: Potentially Suspicious Cabinet File Expansion - Add new paths for built-in shares
---------
Co-authored-by: nasbench <nasreddineb@splunk.com>
2024-11-17 23:46:53 +01:00
Florian Roth
5d1cf4b9de
Merge PR #5076 from @Neo23x0 - Fix Suspicious SYSTEM User Process Creation
fix: Suspicious SYSTEM User Process Creation - filter false positives with Google Updater uninstall script
2024-11-13 23:21:16 +01:00
Florian Roth
fe999a5e9e
Merge PR #5070 from @Neo23x0 - Update .RDP File Created by Outlook Process
update: .RDP File Created by Outlook Process - Add new paths for Outlook apps in Windows 11
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-04 11:25:05 +01:00
Nasreddine Bencherchali
e1787dad38
Merge PR #5067 from @nasbench - Add missing reference links
chore: add missing reference links to some rules
2024-11-01 20:52:27 +01:00
Ahmed Farouk
14ce104a16
Merge PR #5058 from @ahmedfarou22 - Add new rules related to command execution via run dialogue
new: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
new: Command Executed Via Run Dialog Box - Registry
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-01 20:45:17 +01:00
Florian Roth
0cb8d0e091
Merge PR #5063 from @Neo23x0 - Add & Update rules related to the suspicious creation of ".rdp" files
new: .RDP File Created by Outlook Process
update: .RDP File Created By Uncommon Application - Add `olk.exe` to cover the new version of outlook
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-01 10:47:36 +01:00
github-actions[bot]
f533350560
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-11-01 10:21:04 +01:00
dan21san
05a496388b
Merge PR #5052 from @dan21san - Update Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
update: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet - Add the "-Attachments" flag to the logic in order to reduce false positives.
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-01 10:20:29 +01:00
Gameel Ali
ad8ab49d45
Merge PR #5060 from @MalGamy12 - Update Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
Update: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE - Add additional paths for `:\Users\All Users\` and `:\Users\Default\`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-28 12:25:02 +01:00
Mohamed Ashraf
7e4748ec0e
feat: update multiple rules ( #5055 )
* Update multiple rules
* updates
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-25 16:32:03 +02:00
Djordje Lukic
f33530e756
Merge PR #4994 from @djlukic - Multiple FP fixes
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third party AV
update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the `HostApplication` field is null
update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the `HostApplication` field is null
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 23:08:50 +02:00
Sittikorn S
86989a0464
Merge PR #5008 from @BlackB0lt - Update HackTool - Certipy Execution
update: HackTool - Certipy Execution - Increase coverage by adding new flags such as 'cert', 'template' and 'ptt'
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:37:23 +02:00
dan21san
b063a9d755
Merge PR #5036 from @dan21san - Update Alternate PowerShell Hosts Pipe
update: Alternate PowerShell Hosts Pipe - Add optional filter for `AzureConnectedMachineAgent` and update old filters to be more accurate
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:17:21 +02:00
MalGamy12
f472015599
Merge PR #5037 from @MalGamy12 - Update Disable Windows Defender Functionalities Via Registry Keys
update: Disable Windows Defender Functionalities Via Registry Keys - Remove `\Real-Time Protection\` prefix to increase coverage.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:07:45 +02:00
Florian Roth
a997d6282a
Merge PR #5038 from @Neo23x0 - Update LSASS Process Memory Dump Files
update: LSASS Process Memory Dump Files - add new dump pattern for RustiveDump and NativeDump, and exchanged "startswith" with "contains" modifier for better coverage
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 21:57:25 +02:00
Feathers
5b59c6d115
Merge PR #5012 from @ionsor - Update Potentially Suspicious JWT Token Search Via CLI
update: Potentially Suspicious JWT Token Search Via CLI - added the `eyJhbGciOi` string, corresponding to `{"alg":` from the JWT token header.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-06 23:03:54 +02:00
Swachchhanda Shrawan Poudel
d1f1fc716f
Merge PR #5031 from @swachchhanda000 - Add Potential Python DLL SideLoading
new: Potential Python DLL SideLoading
---------
Co-authored-by: Swachchhanda Shrawan Poudel <logpoint-admin@NP-SSP-MBP-02.local>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-06 22:51:09 +02:00
frack113
c70fff4b8b
Merge PR #4935 from @frack113 - Add new IIS logsource and related rules
chore: add "Microsoft-IIS-Configuration/Operational" support to the tests and thor.yml
new: ETW Logging/Processing Option Disabled On IIS Server
new: HTTP Logging Disabled On IIS Server
new: New Module Module Added To IIS Server
new: Previously Installed IIS Module Was Removed
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-06 22:44:05 +02:00
Mohamed Ashraf
1f1f31e99c
Merge PR #5026 from @X-Junior - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add new suspicious locations and builtin CLSID
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-01 15:22:42 +02:00
github-actions[bot]
08c52c367c
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-10-01 14:56:09 +02:00
Kostas
014d169f83
Merge PR #5020 from @tsale - Add Remote Access Tool - MeshAgent Command Execution via MeshCentral
new: Remote Access Tool - MeshAgent Command Execution via MeshCentral
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-22 19:26:02 +02:00
Alexander J
9db7e07223
Merge PR #5022 from @jaegeral - Fix some typos in rules metadata
chore: fix some typos in the title and description of some rules
2024-09-22 19:14:26 +02:00
MahirAli Khan
99a47e4f96
Merge PR #4980 from @Mahir-Ali-khan - Update DNS Query To Remote Access Software Domain From Non-Browser App
update: DNS Query To Remote Access Software Domain From Non-Browser App - Add `remoteassistance.support.services.microsoft.com`, `tailscale.com`, `twingate.com`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-13 13:55:33 +02:00
Kamran Saifullah
71be3c719b
Merge PR #5003 from @deFr0ggy - Add Network Connection Initiated To BTunnels Domains
new: Network Connection Initiated To BTunnels Domains
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-13 12:15:58 +02:00
Fukusuke Takahashi
132482818e
Merge PR #5007 from @fukusuket - Fix unreachable GitHub URL references
chore: CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Fix unreachable GitHub URL references
chore: HackTool - DInjector PowerShell Cradle Execution - Fix unreachable GitHub URL references
chore: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event - Fix unreachable GitHub URL references
chore: LPE InstallerFileTakeOver PoC CVE-2021-41379 - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - FileCreation - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - PoshModule - Fix unreachable GitHub URL references
chore: Possible CVE-2021-1675 Print Spooler Exploitation - Fix unreachable GitHub URL references
chore: Potential NT API Stub Patching - Fix unreachable GitHub URL references
chore: Potential PrintNightmare Exploitation Attempt - Fix unreachable GitHub URL references
chore: Potential RDP Exploit CVE-2019-0708 - Fix unreachable GitHub URL references
chore: Potential SAM Database Dump - Fix unreachable GitHub URL references
chore: Scanner PoC for CVE-2019-0708 RDP RCE Vuln - Fix unreachable GitHub URL references
chore: Suspicious Rejected SMB Guest Logon From IP - Fix unreachable GitHub URL references
chore: Windows Spooler Service Suspicious Binary Load - Fix unreachable GitHub URL references
2024-09-13 11:14:11 +02:00
secDre4mer
ab2fb36426
Merge PR #5002 from @secDre4mer - Update Potential CommandLine Obfuscation Using Unicode Characters rules
update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Add coverage for `0x00A0`
update: Potential CommandLine Obfuscation Using Unicode Characters - Add coverage for `0x00A0`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-06 11:42:04 +02:00
Josh
8288d4be9f
Merge PR #5001 from @joshnck - Add Startup/Logon Script Added to Group Policy Object
new: Startup/Logon Script Added to Group Policy Object
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-06 11:41:18 +02:00
Josh
ad84d82baf
Merge PR #5000 from @joshnck - Update Persistence and Execution at Scale via GPO Scheduled Task
update: Persistence and Execution at Scale via GPO Scheduled Task - Increase coverage by adding selection for EID 5136
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-06 11:40:46 +02:00
Josh
06b116608e
Merge PR #4999 from @joshnck - Add Group Policy Abuse for Privilege Addition
new: Group Policy Abuse for Privilege Addition
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-06 11:40:04 +02:00
secDre4mer
9b39e26260
Merge PR #4995 from @secDre4mer - Add Process Deletion of Its Own Executable
new: Process Deletion of Its Own Executable
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-03 22:20:20 +02:00
Michael Haag
b724a7f59d
Merge PR #4997 from @MHaggis - Add rules related to PowerShell Web Access
new: PowerShell Web Access Feature Enabled Via DISM
new: PowerShell Web Access Installation - PsScript
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-03 22:17:47 +02:00
Nasreddine Bencherchali
b86a494f55
Merge PR #4993 from @nasbench - Fix Issues
new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79`
remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder, due to the need for correlation.
remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`.
update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature of FPs
update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as it's meant as an enrichment rule.
2024-09-02 19:03:46 +02:00