- Renamed "sql_injection_keywords.yml" to "web_sql_injection_keywords.yml" to conform with the rest of the rule in the WEB directory
- Renamed "xss_keywords.yml" to "web_xss_keywords.yml" to conform with the rest of the rule in the WEB directory
- Renamed "proc_create_win_msdt_susp_parent.yml" to "proc_creation_win_msdt_susp_parent.yml" to conform with other process creation rules
- Renamed "proc_create_win_sdiagnhost_susp_child.yml" to "proc_creation_win_sdiagnhost_susp_child.yml" to conform with other process creation rules
- Moved the rule "win_powershell_snapins_hafnium.yml" to process_creation folder instead of the WEB folder
- Created "web_susp_windows_path_uri.yml" to detect URI that contains susp windows paths
- Updated the description "web_webshell_keyword.yml" and added 3 more cases
- Created "file_event_win_cve_2021_44077_poc_default_files.yml" to detect the default dropped file from the POC of CVE-2021-44077 (Showcased in the DFIR report)
- Created "proc_creation_win_renamed_plink.yml" to detect renamed usage of "Plink"
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modification were mostly done on default windows binaries to avoid changing logic of other rules.
- Added "Invoke-EventViewer.ps1" script to the rule "file_event_win_powershell_exploit_scripts"
- Added "OriginalFileName" to "proc_creation_win_susp_taskkill"
- Created rule for "winword" being used as a LOLBIN to download and load arbitrary DLLs
- Added 5 more PowerShell scripts for the rule "file_event_win_powershell_exploit_scripts.yml"
- Created new rule for "certoc" lolbin to cover "Download" option as described in the LOLBAS project
- Created specific rule for the "IEExec" lolbin to cover "Download" option as described in the LOLBAS Project
- Updated some rules to use "OriginalFileName" in addition to the "Image" selection
- Updated some rules to increase coverage.
Nasreddine Bencherchali