chore: delete "Pipfile" and "Pipfile.lock"
fix: Filter Driver Unloaded Via Fltmc.EXE - Add exclusion for ManageEngine
fix: Suspicious Child Process Of Wermgr.EXE - Exclude "WerConCpl.dll"
new: DNS Query To AzureWebsites.NET By Non-Browser Process
new: Files With System DLL Name In Unsuspected Locations
new: HackTool - Evil-WinRm Execution - PowerShell Module
new: HackTool - LaZagne Execution
new: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
update: Copying Sensitive Files with Credential Data - Use "windash" modifier
update: Explorer Process Tree Break - Use "windash" modifier
update: Files With System Process Name In Unsuspected Locations - Remove old filter
update: Lolbin Unregmp2.exe Use As Proxy - Use "windash" modifier
update: LSASS Process Reconnaissance Via Findstr.EXE - Use "windash" modifier
update: New Remote Desktop Connection Initiated Via Mstsc.EXE - Use "windash" modifier
update: Potential Proxy Execution Via Explorer.EXE From Shell Process - Update metadata and move to Threat Hunting folder
update: Potential Windows Defender AV Bypass Via Dump64.EXE Rename - Enhance logic
update: Renamed ProcDump Execution - Add new flag option
update: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location - Use "windash" modifier
Example Log Event
N/A
Fixed Issues
Fixes #4874
SigmaHQ Rule Creation Conventions
If your PR adds new rules, please consider following and applying these conventions
Summary of the Pull Request
This PR updates and adds multiple rules