update: Registry Persistence via Service in Safe Mode - Fix typo in title
chore: Fix multiple typo in metadata fields and comments
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Okta 2023 Breach Indicator Of Compromise
new: Okta Password Health Report Query
new: Okta Admin Functions Access Through Proxy
new: New Okta User Created
update: Okta New Admin Console Behaviours - Field notation
update: Potential Okta Password in AlternateID Field - Field notation
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
update: Uncommon PowerShell Hosts
update: Delete Volume Shadow Copies Via WMI With PowerShell
update: PowerShell Downgrade Attack - PowerShell
update: PowerShell Called from an Executable Version Mismatch
update: Netcat The Powershell Version
update: Remote PowerShell Session (PS Classic)
update: Renamed Powershell Under Powershell Channel
update: Suspicious PowerShell Download
update: Use Get-NetTCPConnection
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell
update: Tamper Windows Defender - PSClassic
update: Suspicious Non PowerShell WSMAN COM Provider
update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Lazarus APT DLL Sideloading Activity
new: File Download From IP Based URL Via CertOC.EXE
new: File Download From IP URL Via Curl.EXE
update: Remote Thread Creation By Uncommon Source Image
update: Remote Thread Creation In Uncommon Target Image
update: ADSI-Cache File Creation By Uncommon Tool
update: Files With System Process Name In Unsuspected Locations
update: PowerShell Module File Created By Non-PowerShell Process
update: PSScriptPolicyTest Creation By Uncommon Process
update: Suspicious LNK Double Extension File Created
update: PowerShell Profile Modification
update: Alternate PowerShell Hosts Pipe
update: File Download via CertOC.EXE
update: Suspicious File Download From IP Via Curl.EXE
update: Arbitrary File Download Via GfxDownloadWrapper.EXE
update: Potentially Suspicious Office Document Executed From Trusted Location
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
fix: Direct Syscall of NtOpenProcess - falsepositives meta data
fix: Potential Shellcode Injection - remove System.ni.dll as there are multiple FPs with ntdll.dll
fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with another sdbinst execution by svchost
fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
fix: Google Workspace Application Removed - Update logsource product field to `gcp`
fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp`
fix: Google Workspace MFA Disabled - Update logsource product field to `gcp`
fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp`
fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp`
fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
fix: Potentially Suspicious AccessMask Requested From LSASS - FP with Avira from Windows temp folder
fix: Direct Syscall of NtOpenProcess - FP with another Firefox process and removing drive letters
fix: Control Panel Items - FP with command line observed from taskhost.exe
fix: Rundll32 Execution Without DLL File - remove non-essential ParentCommandLine dependency in filter
fix: Schtasks Creation Or Modification With SYSTEM Privileges - remove non-essential ParentImage dependency in filter
fix: Suspicious Elevated System Shell - remove non-essential ParentImage dependency in filter
fix: Suspicious Elevated System Shell - FP with Avira update utility
fix: Execution of Suspicious File Type Extension - FP with OpenOffice
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
fix: Generic Password Dumper Activity on LSASS - FP with GoogleUpdate.exe
fix: Rundll32 Execution Without DLL File - FP with another zzzzInvokeManagedCustomActionOutOfProc MSI installer
fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with being started as a background service
fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - FP with $WinREAgent folder
fix: Files With System Process Name In Unsuspected Locations - FP with wuaucltcore
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Application Terminated Via Wmic.EXE
new: Browser Execution In Headless Mode
new: Chromium Browser Headless Execution To Mockbin Like Site
new: DarkGate User Created Via Net.EXE
new: DMP/HDMP File Creation
new: Malicious Driver Load
new: Malicious Driver Load By Name
new: Potentially Suspicious DMP/HDMP File Creation
new: Remote DLL Load Via Rundll32.EXE
new: Renamed CURL.EXE Execution
new: Vulnerable Driver Load
new: Vulnerable Driver Load By Name
update: 7Zip Compressing Dump Files - Increase coverage
update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to `medium`
update: COM Hijack via Sdclt - Fix Logic
update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage
update: Creation of an Executable by an Executable - Fix FP
update: DLL Load By System Process From Suspicious Locations - Reduce level to `medium`
update: DNS Query Request By Regsvr32.EXE - Reduce level to `medium`
update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to `medium`
update: DNS Query To MEGA Hosting Website - Reduce level to `low` and update metadata
update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains
update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to `low`
update: DNS Query To Ufile.io - Update title and reduce level to `low`
update: DNS Query Tor .Onion Address - Sysmon - Update title
update: DNS Server Discovery Via LDAP Query - Reduce level to `low` and update FP filters
update: DriverQuery.EXE Execution - Increase coverage
update: File Download From Browser Process Via Inline Link
update: Greedy File Deletion Using Del - Increase coverage
update: Leviathan Registry Key Activity - Fix logic
update: Network Connection Initiated By Regsvr32.EXE - Reduce level to `medium` and metadata update
update: Non Interactive PowerShell Process Spawned - Increase coverage
update: OceanLotus Registry Activity - Fix Logic
update: Office Application Startup - Office Test - Fix Logic
update: OneNote Attachment File Dropped In Suspicious Location - Fix FP
update: Potential Dead Drop Resolvers - Increase coverage with new domains
update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic
update: Potential Persistence Via COM Search Order Hijacking - Fix Logic
update: Potential Process Hollowing Activity - Update FP filters
update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage
update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to `medium`
update: Potentially Suspicious Event Viewer Child Process - Update metadata
update: PowerShell Initiated Network Connection - Update description
update: PowerShell Module File Created By Non-PowerShell Process - Fix FP
update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to `medium`
update: Python Image Load By Non-Python Process - Update description and title
update: Python Initiated Connection - Update FP filter
update: Remote Thread Creation By Uncommon Source Image - Update FP filter
update: Renamed AutoIt Execution - Increase coverage
update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage
update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title
update: Sysinternals Tools AppX Versions Execution - Reduce level to `low`
update: Sysmon Blocked Executable - Update logsource
update: UAC Bypass via Event Viewer - Fix Logic
update: UNC2452 Process Creation Patterns - Fix logic
update: Usage Of Malicious POORTRY Signed Driver - Deprecated
update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated
update: Vulnerable Dell BIOS Update Driver Load - Deprecated
update: Vulnerable Driver Load By Name - Deprecated
update: Vulnerable GIGABYTE Driver Load - Deprecated
update: Vulnerable HW Driver Load - Deprecated
update: Vulnerable Lenovo Driver Load - Deprecated
update: WebDav Client Execution Via Rundll32.EXE
update: Windows Update Error - Reduce level to `informational` and status to `stable`
update: Winrar Compressing Dump Files - Increase Coverage
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
update: Linux Network Service Scanning - Auditd - Update coverage to add `ncat` and `nc.openbsd`
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Access To .Reg/.Hive Files By Uncommon Application
update: Access To Browser Credential Files By Uncommon Application
update: Credential Manager Access By Uncommon Application
update: Access To Windows DPAPI Master Keys By Uncommon Application
update: Access To Windows Credential History File By Uncommon Application
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Stale Accounts In A Privileged Role
new: Invalid PIM License
new: Roles Assigned Outside PIM
new: Roles Activated Too Frequently
new: Roles Activation Doesn't Require MFA
new: Roles Are Not Being Used
new: Too Many Global Admins
---------
Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: Okta Identity Provider Created
new: Okta New Admin Console Behaviours
new: Okta Suspicious Activity Reported by End-user
new: Okta User Session Start Via An Anonymising Proxy Service
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Sean Johnstone