Nasreddine Bencherchali
e230acd7ed
new: Application Terminated Via Wmic.EXE new: Browser Execution In Headless Mode new: Chromium Browser Headless Execution To Mockbin Like Site new: DarkGate User Created Via Net.EXE new: DMP/HDMP File Creation new: Malicious Driver Load new: Malicious Driver Load By Name new: Potentially Suspicious DMP/HDMP File Creation new: Remote DLL Load Via Rundll32.EXE new: Renamed CURL.EXE Execution new: Vulnerable Driver Load new: Vulnerable Driver Load By Name update: 7Zip Compressing Dump Files - Increase coverage update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to `medium` update: COM Hijack via Sdclt - Fix Logic update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage update: Creation of an Executable by an Executable - Fix FP update: DLL Load By System Process From Suspicious Locations - Reduce level to `medium` update: DNS Query Request By Regsvr32.EXE - Reduce level to `medium` update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to `medium` update: DNS Query To MEGA Hosting Website - Reduce level to `low` and update metadata update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to `low` update: DNS Query To Ufile.io - Update title and reduce level to `low` update: DNS Query Tor .Onion Address - Sysmon - Update title update: DNS Server Discovery Via LDAP Query - Reduce level to `low` and update FP filters update: DriverQuery.EXE Execution - Increase coverage update: File Download From Browser Process Via Inline Link update: Greedy File Deletion Using Del - Increase coverage update: Leviathan Registry Key Activity - Fix logic update: Network Connection Initiated By Regsvr32.EXE - Reduce level to `medium` and metadata update update: Non Interactive PowerShell Process Spawned - Increase coverage update: OceanLotus Registry Activity - Fix Logic update: Office Application Startup - Office Test - Fix Logic update: OneNote Attachment File Dropped In Suspicious Location - Fix FP update: Potential Dead Drop Resolvers - Increase coverage with new domains update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic update: Potential Persistence Via COM Search Order Hijacking - Fix Logic update: Potential Process Hollowing Activity - Update FP filters update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to `medium` update: Potentially Suspicious Event Viewer Child Process - Update metadata update: PowerShell Initiated Network Connection - Update description update: PowerShell Module File Created By Non-PowerShell Process - Fix FP update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to `medium` update: Python Image Load By Non-Python Process - Update description and title update: Python Initiated Connection - Update FP filter update: Remote Thread Creation By Uncommon Source Image - Update FP filter update: Renamed AutoIt Execution - Increase coverage update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title update: Sysinternals Tools AppX Versions Execution - Reduce level to `low` update: Sysmon Blocked Executable - Update logsource update: UAC Bypass via Event Viewer - Fix Logic update: UNC2452 Process Creation Patterns - Fix logic update: Usage Of Malicious POORTRY Signed Driver - Deprecated update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated update: Vulnerable Dell BIOS Update Driver Load - Deprecated update: Vulnerable Driver Load By Name - Deprecated update: Vulnerable GIGABYTE Driver Load - Deprecated update: Vulnerable HW Driver Load - Deprecated update: Vulnerable Lenovo Driver Load - Deprecated update: WebDav Client Execution Via Rundll32.EXE update: Windows Update Error - Reduce level to `informational` and status to `stable` update: Winrar Compressing Dump Files - Increase Coverage --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
TBD