SavinSpring
diff --git a/‎…_load/driver_load_win_mal_creddumper.yml‎ ‎…ndows/driver_load_win_mal_creddumper.yml‎rules/windows/driver_load/driver_load_win_mal_creddumper.yml renamed to deprecated/windows/driver_load_win_mal_creddumper.yml
Lines changed: 2 additions & 2 deletions b/‎…_load/driver_load_win_mal_creddumper.yml‎ ‎…ndows/driver_load_win_mal_creddumper.yml‎rules/windows/driver_load/driver_load_win_mal_creddumper.yml renamed to deprecated/windows/driver_load_win_mal_creddumper.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎…wershell_script_installed_as_service.yml‎ ‎…wershell_script_installed_as_service.yml‎rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml renamed to deprecated/windows/driver_load_win_powershell_script_installed_as_service.yml
Lines changed: 2 additions & 2 deletions b/‎…wershell_script_installed_as_service.yml‎ ‎…wershell_script_installed_as_service.yml‎rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml renamed to deprecated/windows/driver_load_win_powershell_script_installed_as_service.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎…posh_ps_file_and_directory_discovery.yml‎ ‎…posh_ps_file_and_directory_discovery.yml‎rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml renamed to deprecated/windows/posh_ps_file_and_directory_discovery.yml
Lines changed: 2 additions & 2 deletions b/‎…posh_ps_file_and_directory_discovery.yml‎ ‎…posh_ps_file_and_directory_discovery.yml‎rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml renamed to deprecated/windows/posh_ps_file_and_directory_discovery.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎…/powershell_script/posh_ps_susp_gwmi.yml‎ ‎deprecated/windows/posh_ps_susp_gwmi.yml‎rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml renamed to deprecated/windows/posh_ps_susp_gwmi.yml
Lines changed: 2 additions & 2 deletions b/‎…/powershell_script/posh_ps_susp_gwmi.yml‎ ‎deprecated/windows/posh_ps_susp_gwmi.yml‎rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml renamed to deprecated/windows/posh_ps_susp_gwmi.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎…ltin/windefend/win_defender_disabled.yml‎ ‎…ecated/windows/win_defender_disabled.yml‎rules/windows/builtin/windefend/win_defender_disabled.yml renamed to deprecated/windows/win_defender_disabled.yml
Lines changed: 2 additions & 2 deletions b/‎…ltin/windefend/win_defender_disabled.yml‎ ‎…ecated/windows/win_defender_disabled.yml‎rules/windows/builtin/windefend/win_defender_disabled.yml renamed to deprecated/windows/win_defender_disabled.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎…urity/win_security_event_log_cleared.yml‎ ‎…ndows/win_security_event_log_cleared.yml‎rules/windows/builtin/security/win_security_event_log_cleared.yml renamed to deprecated/windows/win_security_event_log_cleared.yml
Lines changed: 2 additions & 2 deletions b/‎…urity/win_security_event_log_cleared.yml‎ ‎…ndows/win_security_event_log_cleared.yml‎rules/windows/builtin/security/win_security_event_log_cleared.yml renamed to deprecated/windows/win_security_event_log_cleared.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎…ervice_install_susp_double_ampersand.yml‎ ‎…ervice_install_susp_double_ampersand.yml‎rules/windows/builtin/system/service_control_manager/win_system_service_install_susp_double_ampersand.yml renamed to deprecated/windows/win_system_service_install_susp_double_ampersand.yml
Lines changed: 2 additions & 1 deletion b/‎…ervice_install_susp_double_ampersand.yml‎ ‎…ervice_install_susp_double_ampersand.yml‎rules/windows/builtin/system/service_control_manager/win_system_service_install_susp_double_ampersand.yml renamed to deprecated/windows/win_system_service_install_susp_double_ampersand.yml
Lines changed: 2 additions & 1 deletion
diff --git a/‎…in/security/win_security_admin_logon.yml‎ ‎…in/security/win_security_admin_logon.yml‎rules/windows/builtin/security/win_security_admin_logon.yml renamed to rules-placeholder/windows/builtin/security/win_security_admin_logon.yml
Lines changed: 6 additions & 7 deletions b/‎…in/security/win_security_admin_logon.yml‎ ‎…in/security/win_security_admin_logon.yml‎rules/windows/builtin/security/win_security_admin_logon.yml renamed to rules-placeholder/windows/builtin/security/win_security_admin_logon.yml
Lines changed: 6 additions & 7 deletions
diff --git a/‎…nt/file_event_win_dump_file_creation.yml‎ ‎…nt/file_event_win_dump_file_creation.yml‎rules/windows/file/file_event/file_event_win_dump_file_creation.yml renamed to rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml
Lines changed: 1 addition & 0 deletions b/‎…nt/file_event_win_dump_file_creation.yml‎ ‎…nt/file_event_win_dump_file_creation.yml‎rules/windows/file/file_event/file_event_win_dump_file_creation.yml renamed to rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml
Lines changed: 1 addition & 0 deletions
diff --git a/‎…image_load_dll_amsi_uncommon_process.yml‎ ‎…image_load_dll_amsi_uncommon_process.yml‎rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml renamed to rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
Lines changed: 16 additions & 15 deletions b/‎…image_load_dll_amsi_uncommon_process.yml‎ ‎…image_load_dll_amsi_uncommon_process.yml‎rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml renamed to rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
Lines changed: 16 additions & 15 deletions
@@ -3,13 +3,13 @@ id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
 related:
     - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
       type: derived
-status: test
+status: deprecated
 description: Detects well-known credential dumping tools execution via service execution events
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
-modified: 2022/12/25
+modified: 2023/12/11
 tags:
     - attack.credential_access
     - attack.execution
 
@@ -3,13 +3,13 @@ id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
 related:
     - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
       type: derived
-status: test
+status: deprecated
 description: Detects powershell script installed as a Service
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
 date: 2020/10/06
-modified: 2022/10/09
+modified: 2023/12/11
 tags:
     - attack.execution
     - attack.t1569.002
 
@@ -1,6 +1,6 @@
 title: Powershell File and Directory Discovery
 id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
-status: test
+status: deprecated
 description: |
     Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
     Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,
@@ -9,7 +9,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 author: frack113
 date: 2021/12/15
-modified: 2022/12/25
+modified: 2023/12/11
 tags:
     - attack.discovery
     - attack.t1083
 
@@ -1,13 +1,13 @@
 title: Suspicious Get-WmiObject
 id: 0332a266-b584-47b4-933d-a00b103e1b37
-status: test
+status: deprecated
 description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
 references:
     - https://attack.mitre.org/datasources/DS0005/
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
 author: frack113
 date: 2022/01/12
-modified: 2022/11/02
+modified: 2023/12/11
 tags:
     - attack.persistence
     - attack.t1546
 
@@ -1,13 +1,13 @@
 title: Windows Defender Threat Detection Disabled
 id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
-status: stable
+status: deprecated
 description: Detects disabling Windows Defender threat protection
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Ján Trenčanský, frack113
 date: 2020/07/28
-modified: 2022/12/06
+modified: 2023/11/22
 tags:
     - attack.defense_evasion
     - attack.t1562.001
 
@@ -1,12 +1,12 @@
 title: Security Event Log Cleared
 id: a122ac13-daf8-4175-83a2-72c387be339d
-status: test
+status: deprecated
 description: Checks for event id 1102 which indicates the security event log was cleared.
 references:
     - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
 author: Saw Winn Naung
 date: 2021/08/15
-modified: 2022/12/25
+modified: 2023/12/06
 tags:
     - attack.t1070.001
 logsource:
 
@@ -1,11 +1,12 @@
 title: New Service Uses Double Ampersand in Path
 id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
-status: test
+status: deprecated
 description: Detects a service installation that uses a suspicious double ampersand used in the image path value
 references:
     - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2022/07/05
+modified: 2023/11/15
 tags:
     - attack.defense_evasion
     - attack.t1027
 
@@ -8,7 +8,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964
 author: frack113
 date: 2022/10/14
-modified: 2022/10/22
+modified: 2023/12/14
 tags:
     - attack.defense_evasion
     - attack.lateral_movement
@@ -24,12 +24,11 @@ detection:
         EventID:
             - 4672
             - 4964
-    filter:
-        SubjectUserSid: S-1-5-18
-    # Level can be upgrade to medium with a filter
-    # filter_valid_account:
-    #     SubjectUserName: set valid internal naming pattern or a list a valid account
-    condition: selection and not filter
+    filter_main_local_system:
+        SubjectUserSid: 'S-1-5-18'
+    filter_main_valid_account:
+        SubjectUserName|expand: '%Admins_Workstations%' # Set valid internal naming pattern or a list a valid account
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: low
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/07
 tags:
     - attack.defense_evasion
+    - detection.threat_hunting
 logsource:
     category: file_event
     product: windows
 
@@ -8,41 +8,42 @@ references:
     - https://github.com/surya-dev-singh/AmsiBypass-OpenSession
 author: frack113
 date: 2023/03/12
-modified: 2023/06/01
+modified: 2023/12/18
 tags:
     - attack.defense_evasion
     - attack.impact
     - attack.t1490
+    - detection.threat_hunting
 logsource:
     category: image_load
     product: windows
 detection:
     selection:
         ImageLoaded|endswith: '\amsi.dll'
     filter_main_exact:
-        Image:
-            - 'C:\Windows\explorer.exe'
-            - 'C:\Windows\Sysmon64.exe'
+        Image|endswith:
+            - ':\Windows\explorer.exe'
+            - ':\Windows\Sysmon64.exe'
     filter_main_generic:
-        Image|startswith:
-            - 'C:\Program Files (x86)\'
-            - 'C:\Program Files\'
-            - 'C:\Windows\System32\'
-            - 'C:\Windows\SysWOW64\'
-            - 'C:\Windows\WinSxS\'
+        Image|contains:
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
+            - ':\Windows\WinSxS\'
     filter_optional_defender:
-        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+        Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
         Image|endswith: '\MsMpEng.exe'
     filter_main_dotnet:
-        Image|startswith:
-            - 'C:\Windows\Microsoft.NET\Framework\'
-            - 'C:\Windows\Microsoft.NET\Framework64\'
+        Image|contains:
+            - ':\Windows\Microsoft.NET\Framework\'
+            - ':\Windows\Microsoft.NET\Framework64\'
         Image|endswith: '\ngentask.exe'
     filter_main_null:
         Image: null
     filter_main_empty:
         Image: ''
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Legitimate third party apps installed in "ProgramData" and "AppData" might generate some false positives. Apply additional filters accordingly
 level: low