Commit Graph

909 Commits

Author SHA1 Message Date
Samirbous 29c4c19d59 [Tuning] Startup or Run Key Registry Modification (#5137)
* [Tuning] Startup or Run Key Registry Modification

A high percentage of the FPs are for programfiles and localappdata files in the registry data string value. This tuning should drop FPs/volume significantly.

* Update rules/windows/persistence_run_key_and_startup_broad.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-10-06 09:24:33 +01:00
Samirbous b4e9b48ad7 [New] Suspicious SeIncreaseBasePriorityPrivilege Use (#5150)
* [New] Suspicious SeIncreaseBasePriorityPrivilege Use

https://github.com/Octoberfest7/ThreadCPUAssignment_POC/tree/main

https://x.com/sixtyvividtails/status/1970721197617717483

* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-10-03 16:52:32 +01:00
Samirbous 66a0b6b97c [Tuning] Potential Ransomware Behavior - High count of Readme files by System (#5167)
* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-10-02 17:39:51 +01:00
Jonhnathan f75062a855 [Rule Tuning] Suspicious PowerShell Engine ImageLoad (#5134)
* Update execution_suspicious_powershell_imgload.toml

* Update execution_suspicious_powershell_imgload.toml
2025-09-22 06:03:41 -07:00
Jonhnathan cd6c37e3b9 [Rule Tuning] Mark some fields optional for 3rd party compatibility (#5135)
* [Rule Tuning] Mark some fields optional for 3rd party compatibility

* bump
2025-09-22 05:43:10 -07:00
shashank-elastic 657b504f46 Update investigation guides (#5112) 2025-09-16 18:34:37 +05:30
Jonhnathan 4476ac52a8 [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)
* [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms

* ++

* ++

* Update credential_access_dcsync_replication_rights.toml

* Update persistence_webshell_detection.toml

* ++

* Update persistence_webshell_detection.toml
2025-09-15 09:38:03 -07:00
Jonhnathan 7bd9c52852 [Rule Tuning] Windows High Severity - 5 (#5096)
* [Rule Tuning] Windows High Severity - 4

* Update privilege_escalation_windows_service_via_unusual_client.toml
2025-09-15 09:29:37 -07:00
Jonhnathan 76c73f84f6 [Rule Tuning] Windows High Severity - 4 (#5095)
* [Rule Tuning] Windows High Severity - 4

* Update initial_access_execution_from_inetcache.toml
2025-09-15 09:18:55 -07:00
Jonhnathan 8d9822e8be [Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
* [Rule Tuning] Fix process.pe.original_file_name Conditions

* --
2025-09-15 09:06:23 -07:00
Jonhnathan d69ede2508 [Rule Tuning] Windows High Severity - 3 (#5094)
* [Rule Tuning] Windows High Severity - 3

* Update execution_pdf_written_file.toml

* Update execution_pdf_written_file.toml

* Update execution_pdf_written_file.toml
2025-09-15 08:34:43 -07:00
Jonhnathan 567b82cb2f [Rule Tuning] Windows High Severity - 2 (#5093)
* [Rule Tuning] Windows High Severity - 2

* [Rule Tuning] Windows High Severity - 3

* Revert "[Rule Tuning] Windows High Severity - 3"

This reverts commit 32c8348072ab1629e2a164a3579d866b2682f234.
2025-09-15 07:53:31 -07:00
Jonhnathan 7910f465cc [Rule Tuning] Windows High Severity - 1 (#5092)
* [Rule Tuning] Windows High Severity - 1

* Update command_and_control_headless_browser.toml

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* Update command_and_control_outlook_home_page.toml
2025-09-15 07:44:20 -07:00
Jonhnathan 1dedea798a [Rule Tuning] Component Object Model Hijacking (#5065) 2025-09-11 17:18:05 -07:00
Jonhnathan aa97487b20 [Rule Tuning] PowerShell Rules (#5056)
* [Rule Tuning] PowerShell Rules

* Update defense_evasion_posh_defender_tampering.toml

* [Rule Tuning] Connection to Commonly Abused Web Services

* Revert "[Rule Tuning] Connection to Commonly Abused Web Services"

This reverts commit 74dcea07e16a2b50ee8a372aef63a7c699e7c66a.
2025-09-11 16:54:11 -07:00
Jonhnathan b5d77951b5 [Rule Tuning] Remote Execution via File Shares (#5066)
* [Rule Tuning] Remote Execution via File Shares

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-09-11 16:40:59 -07:00
shashank-elastic 25539fd6c6 Delete Development Rules (#5084) 2025-09-10 23:24:28 +05:30
Jonhnathan 375082729a [Rule Tuning] Adjust process.code_signature.trusted condition (#5067)
* [Rule Tuning] Adjust process.code_signature.trusted condition

* typo
2025-09-08 08:42:17 -07:00
Jonhnathan 6ac71050dc [Rule Tuning] Remote File Download via PowerShell (#5062)
* [Rule Tuning] Remote File Download via PowerShell

* Update command_and_control_remote_file_copy_powershell.toml

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update command_and_control_remote_file_copy_powershell.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-09-08 07:59:53 -07:00
Jonhnathan 4aa6c4e715 [Rule Tuning] Untrusted Driver Loaded (#5061)
* [Rule Tuning] Untrusted Driver Loaded

* Update defense_evasion_untrusted_driver_loaded.toml
2025-09-05 06:12:30 -07:00
Jonhnathan 9ee15a13b0 [Rule Tuning] Connection to Commonly Abused Web Services (#5060)
* [Rule Tuning] Connection to Commonly Abused Web Services

* Update command_and_control_common_webservices.toml
2025-09-04 11:58:13 -07:00
Samirbous 0bbad3bbf8 Update defense_evasion_modify_ownership_os_files.toml (#5051)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-02 08:18:35 -07:00
Jonhnathan 8d2ea9220b [New Rules] Potential Relay Attack against a Computer Account (#4826)
* [New Rules] Potential Relay Attack against a Computer Account Rules

* update description

* .

* add min_stack

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-09-01 10:07:37 -07:00
Samirbous 464fb3951e [Tuning] Unusual Network Activity from a Windows System Binary (#5048) 2025-09-01 22:17:53 +05:30
Jonhnathan a31b3a36ad [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

* pending adjustments

* Update execution_windows_cmd_shell_susp_args.toml
2025-09-01 09:30:21 -07:00
Samirbous a62ee7a8a2 [New] Active Directory Discovery using AdExplorer (#5047)
* [New] Active Directory Discovery using AdExplorer

* Update discovery_ad_explorer_execution.toml

* Update rules/windows/discovery_ad_explorer_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_ad_explorer_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-09-01 16:58:22 +01:00
Samirbous 40794368a7 [New] Connection to Common Large Language Model Endpoints (#5044)
* [New] Connection to Common Large Language Model Endpoints

* [New] Connection to Common Large Language Model Endpoints

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update command_and_control_common_llm_endpoint.toml

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_common_llm_endpoint.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-09-01 16:47:31 +01:00
Jonhnathan ba354ceff9 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038) 2025-09-01 08:25:52 -07:00
shashank-elastic 93ac471574 Monthly Schema Updates (#5046) 2025-09-01 20:42:42 +05:30
Samirbous 61af3e801d [New] Potential System Tampering via File Modification (#5043)
* [New] Potential System Tampering via File Modification

* Update impact_mod_critical_os_files.toml

* Update rules/windows/impact_mod_critical_os_files.toml

* Create defense_evasion_modify_ownership_os_files.toml

* Update defense_evasion_modify_ownership_os_files.toml

* Update defense_evasion_modify_ownership_os_files.toml

* Update defense_evasion_modify_ownership_os_files.toml

* Update defense_evasion_modify_ownership_os_files.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-01 15:52:26 +01:00
Samirbous e1205cb5c5 [New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
* [New/Tuning] Windows Top Threats 2024/2025

1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3rd party EDR/sysmon/system/winlog integration and that does not require correlation or multiple types of events.

2) MSIEXEC:

* Update defense_evasion_mshta_susp_child.toml

* Update defense_evasion_script_via_html_app.toml

* Update defense_evasion_mshta_susp_child.toml

* Create defense_evasion_msiexec_remote_payload.toml

* Update defense_evasion_msiexec_remote_payload.toml

* ++

* Create execution_scripting_remote_webdav.toml

* Create execution_windows_fakecaptcha_cmd_ps.toml

* Create command_and_control_rmm_netsupport_susp_path.toml

* Update command_and_control_rmm_netsupport_susp_path.toml

* ++

* Update execution_jscript_fake_updates.toml

* Create command_and_control_dns_susp_tld.toml

* ++

* Create command_and_control_remcos_rat_iocs.toml

* Update execution_windows_fakecaptcha_cmd_ps.toml

* Update execution_scripts_archive_file.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* ++

* Create execution_nodejs_susp_patterns.toml

* Update execution_nodejs_susp_patterns.toml

* Update execution_windows_fakecaptcha_cmd_ps.toml

* Fix unit test errors

* Update defense_evasion_network_connection_from_windows_binary.toml

* Add system index

* Add tag

* Update rules/windows/command_and_control_remcos_rat_iocs.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Remove duplicate

* Update defense_evasion_msiexec_child_proc_netcon.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Create credential_access_browsers_unusual_parent.toml

* Update credential_access_browsers_unusual_parent.toml

* ++

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_remcos_rat_iocs.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_mshta_susp_child.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_windows_phish_clickfix.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update discovery_host_public_ip_address_lookup.toml

* Update execution_windows_phish_clickfix.toml

* Update rules/windows/defense_evasion_script_via_html_app.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_browsers_unusual_parent.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_nodejs_susp_patterns.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update discovery_host_public_ip_address_lookup.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_script_via_html_app.toml

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-01 15:41:51 +01:00
Jonhnathan b2bc6021f2 [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
* [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths

* ++

* Update defense_evasion_workfolders_control_execution.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml
2025-09-01 05:31:12 -07:00
Jonhnathan dd918b1f80 [Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5039) 2025-09-01 05:09:31 -07:00
Jonhnathan 79daf3fc68 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 13:28:14 -07:00
Jonhnathan ccedd45df1 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* ++

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 13:07:38 -07:00
Jonhnathan 86dd350579 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:50:59 -07:00
Jonhnathan 7eec833ec8 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12

* Update rules/windows/persistence_app_compat_shim.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:40:03 -07:00
Jonhnathan 41dd521546 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:28:49 -07:00
Jonhnathan 9c08869575 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024) 2025-08-28 12:15:25 -07:00
Jonhnathan be18b4db16 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update defense_evasion_wdac_policy_by_unusual_process.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:04:55 -07:00
Jonhnathan 48dfb759cd [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022) 2025-08-28 11:51:45 -07:00
Jonhnathan 1af98a6170 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update defense_evasion_proxy_execution_via_msdt.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 11:37:15 -07:00
Jonhnathan b91e73714e [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5

* Update defense_evasion_ms_office_suspicious_regmod.toml
2025-08-28 11:26:09 -07:00
Jonhnathan 85a0d27b13 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 (#5019)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 11:05:42 -07:00
Jonhnathan 0fbf57c1d9 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_file_creation_mult_extension.toml

* Update rules/windows/defense_evasion_file_creation_mult_extension.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 10:55:21 -07:00
Jonhnathan 8ab98458fa [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2

* Update defense_evasion_code_signing_policy_modification_registry.toml

* Update defense_evasion_communication_apps_suspicious_child_process.toml

* Update rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml

* Update defense_evasion_communication_apps_suspicious_child_process.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 10:40:34 -07:00
Jonhnathan 00c6e785cb [Rule Tuning] Windows - Small Adjusts for Compatibility (#5032) 2025-08-28 10:20:13 -07:00
Jonhnathan 9c2ceb2bd7 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1

* Update defense_evasion_amsi_bypass_dllhijack.toml

* Update command_and_control_outlook_home_page.toml

* Update command_and_control_outlook_home_page.toml

* Update defense_evasion_amsi_bypass_dllhijack.toml

* Update rules/windows/command_and_control_port_forwarding_added_registry.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 06:43:09 -07:00
Samirbous 9dfc42aa1d [Tuning] Connection to Commonly Abused Web Services - alerts JetBrains to GH (#4973)
* Update command_and_control_common_webservices.toml

* Update command_and_control_common_webservices.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-08-18 17:21:04 +01:00
Jonhnathan 58f62fd138 [Rule Tuning] Suspicious Windows Powershell Arguments (#4961) 2025-08-18 09:02:04 -07:00