Merge PR #4577 from @nasbench - Multiple Fixes & Updates

fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C:
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
fix: Credential Manager Access By Uncommon Application - Enhance FP filters
fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to threat hunting folder and Update logic to be more accurate
fix: User with Privileges Logon - Move to placeholder rules and update the FP filter to account for different workstations
fix: Windows Event Auditing Disabled - Enhance list of false positive filters with additional GUID
fix: WMI Module Loaded By Uncommon Process - Moved to threat hunting folder and update and restructure false positive filters
new: Communication To Uncommon Destination Ports
new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
remove: Credential Dumping Tools Service Execution
remove: New Service Uses Double Ampersand in Path
remove: Powershell File and Directory Discovery
remove: PowerShell Scripts Run by a Services
remove: Security Event Log Cleared
remove: Suspicious Get-WmiObject
remove: Windows Defender Threat Detection Disabled
update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
update: Failed Code Integrity Checks - Reduce level to informational
update: HH.EXE Execution - Reduce level to low
update: Locked Workstation - Reduce level to informational
update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports
update: PUA - Nmap/Zenmap Execution - Reduce level to medium
update: PUA - Process Hacker Execution - Reduce level to medium
update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
update: SASS Access From Non System Account - Reduce level to medium and enhance false positive filters
update: Suspicious Executable File Creation - Enhance coverage by removing hardocded "C:"
update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
update: Whoami Utility Execution - Reduce level to low
update: Whoami.EXE Execution With Output Option - Reduce level to medium
update: Windows Defender Malware Detection History Deletion - Reduce level to informational
update: WMI Event Consumer Created Named Pipe - Reduce leve to medium

---------

Co-authored-by: phantinuss <[email protected]>
Thanks: @Blackmore-Robert
Thanks: @swachchhanda000
Thanks: @celalettin-turgut
Thanks: @AaronS97

rules/windows/driver_load/driver_load_win_mal_creddumper.yml → deprecated/windows/driver_load_win_mal_creddumper.yml

@@ -3,13 +3,13 @@ id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
 related:
     - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
       type: derived
-status: test
+status: deprecated
 description: Detects well-known credential dumping tools execution via service execution events
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
-modified: 2022/12/25
+modified: 2023/12/11
 tags:
     - attack.credential_access
     - attack.execution

rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml → deprecated/windows/driver_load_win_powershell_script_installed_as_service.yml

@@ -3,13 +3,13 @@ id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
 related:
     - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
       type: derived
-status: test
+status: deprecated
 description: Detects powershell script installed as a Service
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
 date: 2020/10/06
-modified: 2022/10/09
+modified: 2023/12/11
 tags:
     - attack.execution
     - attack.t1569.002

rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml → deprecated/windows/posh_ps_file_and_directory_discovery.yml

@@ -1,6 +1,6 @@
 title: Powershell File and Directory Discovery
 id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
-status: test
+status: deprecated
 description: |
     Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
     Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,
@@ -9,7 +9,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 author: frack113
 date: 2021/12/15
-modified: 2022/12/25
+modified: 2023/12/11
 tags:
     - attack.discovery
     - attack.t1083

rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml → deprecated/windows/posh_ps_susp_gwmi.yml

@@ -1,13 +1,13 @@
 title: Suspicious Get-WmiObject
 id: 0332a266-b584-47b4-933d-a00b103e1b37
-status: test
+status: deprecated
 description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
 references:
     - https://attack.mitre.org/datasources/DS0005/
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
 author: frack113
 date: 2022/01/12
-modified: 2022/11/02
+modified: 2023/12/11
 tags:
     - attack.persistence
     - attack.t1546

rules/windows/builtin/windefend/win_defender_disabled.yml → deprecated/windows/win_defender_disabled.yml

@@ -1,13 +1,13 @@
 title: Windows Defender Threat Detection Disabled
 id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
-status: stable
+status: deprecated
 description: Detects disabling Windows Defender threat protection
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Ján Trenčanský, frack113
 date: 2020/07/28
-modified: 2022/12/06
+modified: 2023/11/22
 tags:
     - attack.defense_evasion
     - attack.t1562.001

rules/windows/builtin/security/win_security_event_log_cleared.yml → deprecated/windows/win_security_event_log_cleared.yml

@@ -1,12 +1,12 @@
 title: Security Event Log Cleared
 id: a122ac13-daf8-4175-83a2-72c387be339d
-status: test
+status: deprecated
 description: Checks for event id 1102 which indicates the security event log was cleared.
 references:
     - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
 author: Saw Winn Naung
 date: 2021/08/15
-modified: 2022/12/25
+modified: 2023/12/06
 tags:
     - attack.t1070.001
 logsource:

rules/windows/builtin/system/service_control_manager/win_system_service_install_susp_double_ampersand.yml → deprecated/windows/win_system_service_install_susp_double_ampersand.yml

@@ -1,11 +1,12 @@
 title: New Service Uses Double Ampersand in Path
 id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
-status: test
+status: deprecated
 description: Detects a service installation that uses a suspicious double ampersand used in the image path value
 references:
     - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2022/07/05
+modified: 2023/11/15
 tags:
     - attack.defense_evasion
     - attack.t1027

rules/windows/builtin/security/win_security_admin_logon.yml → rules-placeholder/windows/builtin/security/win_security_admin_logon.yml

@@ -8,7 +8,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964
 author: frack113
 date: 2022/10/14
-modified: 2022/10/22
+modified: 2023/12/14
 tags:
     - attack.defense_evasion
     - attack.lateral_movement
@@ -24,12 +24,11 @@ detection:
         EventID:
             - 4672
             - 4964
-    filter:
-        SubjectUserSid: S-1-5-18
-    # Level can be upgrade to medium with a filter
-    # filter_valid_account:
-    #     SubjectUserName: set valid internal naming pattern or a list a valid account
-    condition: selection and not filter
+    filter_main_local_system:
+        SubjectUserSid: 'S-1-5-18'
+    filter_main_valid_account:
+        SubjectUserName|expand: '%Admins_Workstations%' # Set valid internal naming pattern or a list a valid account
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: low

rules/windows/file/file_event/file_event_win_dump_file_creation.yml → rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml

@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/07
 tags:
     - attack.defense_evasion
+    - detection.threat_hunting
 logsource:
     category: file_event
     product: windows

rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml → rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml

@@ -8,41 +8,42 @@ references:
     - https://github.com/surya-dev-singh/AmsiBypass-OpenSession
 author: frack113
 date: 2023/03/12
-modified: 2023/06/01
+modified: 2023/12/18
 tags:
     - attack.defense_evasion
     - attack.impact
     - attack.t1490
+    - detection.threat_hunting
 logsource:
     category: image_load
     product: windows
 detection:
     selection:
         ImageLoaded|endswith: '\amsi.dll'
     filter_main_exact:
-        Image:
-            - 'C:\Windows\explorer.exe'
-            - 'C:\Windows\Sysmon64.exe'
+        Image|endswith:
+            - ':\Windows\explorer.exe'
+            - ':\Windows\Sysmon64.exe'
     filter_main_generic:
-        Image|startswith:
-            - 'C:\Program Files (x86)\'
-            - 'C:\Program Files\'
-            - 'C:\Windows\System32\'
-            - 'C:\Windows\SysWOW64\'
-            - 'C:\Windows\WinSxS\'
+        Image|contains:
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
+            - ':\Windows\WinSxS\'
     filter_optional_defender:
-        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+        Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
         Image|endswith: '\MsMpEng.exe'
     filter_main_dotnet:
-        Image|startswith:
-            - 'C:\Windows\Microsoft.NET\Framework\'
-            - 'C:\Windows\Microsoft.NET\Framework64\'
+        Image|contains:
+            - ':\Windows\Microsoft.NET\Framework\'
+            - ':\Windows\Microsoft.NET\Framework64\'
         Image|endswith: '\ngentask.exe'
     filter_main_null:
         Image: null
     filter_main_empty:
         Image: ''
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Legitimate third party apps installed in "ProgramData" and "AppData" might generate some false positives. Apply additional filters accordingly
 level: low

rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml → rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml

@@ -1,15 +1,16 @@
-title: WMI Module Loaded By Non Uncommon Process
+title: WMI Module Loaded By Uncommon Process
 id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
 status: test
-description: Detects a WMI modules being loaded by an uncommon process
+description: Detects WMI modules being loaded by an uncommon process
 references:
     - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/10
-modified: 2023/11/27
+modified: 2023/12/11
 tags:
     - attack.execution
     - attack.t1047
+    - detection.threat_hunting
 logsource:
     category: image_load
     product: windows
@@ -27,13 +28,13 @@ detection:
             - '\wmiutils.dll'
     filter_main_generic:
         Image|contains:
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
             - ':\Windows\explorer.exe'
-            - ':\Windows\Sysmon.exe'
-            - ':\Windows\Sysmon64.exe'
+            - ':\Windows\Microsoft.NET\Framework\'
+            - ':\Windows\Microsoft.NET\Framework64\'
             - ':\Windows\System32\'
             - ':\Windows\SysWOW64\'
-            - '\Microsoft\Teams\current\Teams.exe'
-            - '\Microsoft\Teams\Update.exe'
     filter_optional_other:
         Image|endswith:
             - '\WindowsAzureGuestAgent.exe'
@@ -44,15 +45,14 @@ detection:
             - '\thor64.exe'
     filter_optional_defender:
         Image|endswith: '\MsMpEng.exe'
-    filter_optional_dotnet:
-        Image|contains:
-            - ':\Windows\Microsoft.NET\Framework\'
-            - ':\Windows\Microsoft.NET\Framework64\'
-        Image|endswith: '\ngentask.exe'
-    filter_optional_programfiles:
+    filter_optional_teams:
         Image|contains:
-            - ':\Program Files\'
-            - ':\Program Files (x86)\'
+            - '\Microsoft\Teams\current\Teams.exe'
+            - '\Microsoft\Teams\Update.exe'
+    filter_optional_sysmon:
+        Image|endswith:
+            - ':\Windows\Sysmon.exe'
+            - ':\Windows\Sysmon64.exe'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown

rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml → rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml

@@ -9,10 +9,11 @@ references:
     - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/11
-modified: 2023/11/03
+modified: 2023/12/11
 tags:
     - attack.execution
     - attack.t1059.001
+    - detection.threat_hunting
 logsource:
     product: windows
     category: ps_classic_start
@@ -22,12 +23,13 @@ detection:
     # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
     filter_main_ps:
         Data|contains:
+            - 'HostApplication=?:/Windows/System32/WindowsPowerShell/v1.0/powershell' # In some cases powershell was invoked with inverted slashes
+            - 'HostApplication=?:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell' # In some cases powershell was invoked with inverted slashes
+            - 'HostApplication=?:\Windows\System32\sdiagnhost.exe'
+            - 'HostApplication=?:\Windows\System32\WindowsPowerShell\v1.0\powershell'
+            - 'HostApplication=?:\Windows\SysWOW64\sdiagnhost.exe'
+            - 'HostApplication=?:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
             - 'HostApplication=powershell'
-            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
-            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
-            # In some cases powershell was invoked with inverted slashes
-            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
-            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
     filter_optional_citrix:
         Data|contains: 'Citrix\ConfigSync\ConfigSync.ps1'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml → rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml

@@ -1,7 +1,7 @@
-title: Use Remove-Item to Delete File
+title: Use Of Remove-Item to Delete File - ScriptBlock
 id: b8af5f36-1361-4ebe-9e76-e36128d947bf
 status: test
-description: Powershell Remove-Item  with -Path to delete a file or a folder with "-Recurse"
+description: PowerShell Remove-Item  with -Path to delete a file or a folder with "-Recurse"
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
@@ -11,20 +11,22 @@ modified: 2022/03/17
 tags:
     - attack.defense_evasion
     - attack.t1070.004
+    - detection.threat_hunting
 logsource:
     product: windows
     category: ps_script
     definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
-        ScriptBlockText|contains|all:
-            - Remove-Item
-            - '-Path '
-    filter_reg:
         ScriptBlockText|contains:
-            - 'HKCU:\'
-            - 'HKLM:\'
-    condition: selection and not filter_reg
+            - 'Remove-Item -Path '
+            - 'del -Path '
+            - 'erase -Path '
+            - 'rd -Path '
+            - 'ri -Path '
+            - 'rm -Path '
+            - 'rmdir -Path '
+    condition: selection
 falsepositives:
     - Legitimate PowerShell scripts
 level: low

rules/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml → rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml

@@ -18,6 +18,7 @@ tags:
     - attack.credential_access
     - attack.t1003.001
     - attack.s0002
+    - detection.threat_hunting
 logsource:
     category: process_access
     product: windows

rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml

@@ -9,25 +9,26 @@ references:
     - https://github.com/med0x2e/vba2clr
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/13
-modified: 2023/02/04
+modified: 2023/12/19
 tags:
     - attack.execution
     - attack.defense_evasion
+    - detection.threat_hunting
 logsource:
     product: windows
     category: process_creation
 detection:
     selection:
         ParentImage|endswith: '\svchost.exe'
         Image|endswith:
-            - '\winword.exe'
+            - '\eqnedt32.exe'
             - '\excel.exe'
-            - '\powerpnt.exe'
             - '\msaccess.exe'
             - '\mspub.exe'
-            - '\eqnedt32.exe'
+            - '\powerpnt.exe'
             - '\visio.exe'
-    condition: all of selection*
+            - '\winword.exe'
+    condition: selection
 falsepositives:
     - Legitimate usage of office automation via scripting
 level: medium