
Update Lookups & Windows EventLog Macros #3303

Merged
merged 6 commits into develop from other-updates
Feb 18, 2025

Conversation

nasbench
Contributor

@nasbench nasbench commented Jan 30, 2025

This PR updates the Windows event log macros for better consistency and coverage, as well as some lookups with additional data. Below are details of the updates:

Lookup Updates

asr_rules

Added 2 additional rules that are in preview to the list, based on https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#asr-rule-to-guid-matrix

builtin_groups_lookup

Added additional groups based on our research on SDDL - https://github.com/MHaggis/SDDLMaker/tree/main/MindMap

dynamic_dns_providers_default

Re-ordered the list alphabetically, and added a couple more entries

security_services_lookup

Added multiple entries to other AV and EDR vendors based on https://github.com/Pennyw0rth/NetExec/blob/c904f3aa813f36f56b61d1021d32f6b527b20d0a/nxc/modules/enum_av.py and https://github.com/netwrix/pingcastle/blob/3e377c62f143ddf4db8c871a10bdf7c8b4605406/Scanners/AntivirusScanner.cs, and made the lookup search case-insensitive.

Macro Updates

  • All Windows event log macros have been updated to use both WinEventLog and XmlWinEventLog.
  • Added PowerShellCore/Operational to the PowerShell macro.
  • Fixed the WMI macro from using sourcetype to using the source (similar to all other macros).
  • Added channel logic to the built-in event logs (Application, System, Security).

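As an added illustration of the macro and lookup changes described above (not the project's own definitions), here is what a sourcetype-based WMI macro looks like next to a source-based one that accepts both event formats, a Security macro with a channel branch, and a CSV lookup made case-insensitive. The stanza names `wmi`, `powershell`, `wineventlog_security` and `security_services_lookup`, and the exact shape of the channel logic, are assumptions.

```ini
# macros.conf (hypothetical stanza names, not the project's actual definitions)

# Before: the WMI macro keyed on sourcetype, so events indexed under the
# XmlWinEventLog sourcetype never matched and detections built on it went blind.
[wmi_old]
definition = sourcetype="WinEventLog:Microsoft-Windows-WMI-Activity/Operational"

# After: key on source, and accept both the classic and the XML rendering.
[wmi]
definition = (source="XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational" OR source="WinEventLog:Microsoft-Windows-WMI-Activity/Operational")

# PowerShell macro covering Windows PowerShell and PowerShell Core channels.
[powershell]
definition = (source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" OR source="WinEventLog:Microsoft-Windows-PowerShell/Operational" OR source="XmlWinEventLog:PowerShellCore/Operational" OR source="WinEventLog:PowerShellCore/Operational")

# Built-in Security log: match on source, or fall back to the Channel field
# when the source name was rewritten by an intermediate forwarder.
[wineventlog_security]
definition = (source="XmlWinEventLog:Security" OR source="WinEventLog:Security" OR (sourcetype IN ("WinEventLog", "XmlWinEventLog") AND Channel="Security"))

# transforms.conf
# A case-sensitive CSV match misses "microsoft defender antivirus service"
# when the CSV row reads "Microsoft Defender Antivirus Service"; disable it.
[security_services_lookup]
filename = security_services_lookup.csv
case_sensitive_match = false
```

`case_sensitive_match` is a standard transforms.conf option for CSV lookups; verify a detection against both sourcetypes after changing a macro, since any saved search that expanded the old definition silently stops matching XML events.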
@nasbench nasbench marked this pull request as ready for review January 31, 2025 14:41
@patel-bhavin
Contributor

Nice clean up! LGTM

@patel-bhavin patel-bhavin added this to the v5.1.0 milestone Feb 18, 2025
@patel-bhavin
Contributor

Transient attack data failure for one detection, I believe we can ignore this error!

@patel-bhavin patel-bhavin merged commit 90d46c5 into develop Feb 18, 2025
4 checks passed
@patel-bhavin patel-bhavin deleted the other-updates branch February 18, 2025 18:40