[Rule Tuning] Update MDE tags to "Microsoft Defender XDR"#5927

Open
w0rk3r wants to merge 2 commits into main from mde_tag

Conversation

@w0rk3r w0rk3r commented Apr 7, 2026

Issue

Resolves #5346

Summary

Updates "Microsoft Defender for Endpoint" mentions/tags to "Microsoft Defender XDR" for clarity.

@w0rk3r w0rk3r self-assigned this Apr 7, 2026
@w0rk3r w0rk3r added Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules backport: auto patch labels Apr 7, 2026
@botelastic botelastic bot added bbr Building Block Rules Domain: Endpoint labels Apr 7, 2026
github-actions bot commented Apr 7, 2026

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements from adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving the quality and integrity of the data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

tradebot-elastic commented Apr 7, 2026

⛔️ Test failed

Results
  • ✅ Potential Credential Access via Windows Utilities (eql)
  • ✅ System Shells via Services (eql)
  • ❌ Potential Escalation via Vulnerable MSI Repair (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Microsoft Antimalware Service Execution (eql)
  • ✅ Conhost Spawned By Suspicious Parent Process (eql)
  • ❌ Enumerating Domain Trusts via DSQUERY.EXE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Removable Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Establish VScode Remote Tunnel (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Peripheral Device Discovery (eql)
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Exploitation of an Unquoted Service Path Vulnerability (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Cmd Execution via WMI (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Persistence via Scheduled Job Creation (eql)
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Time Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Remote File Download via Desktopimgdownldr Utility (eql)
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential System Tampering via File Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Server Update Service Spawning Suspicious Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Management Access Launch After MSI Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious .NET Code Compilation (eql)
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mofcomp Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Lateral Movement via Startup Folder (eql)
  • ❌ Persistence via Update Orchestrator Service Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Windows Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Shell Detection: Script Process Child of Common Web Processes (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Adobe Hijack Persistence (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ✅ Suspicious Microsoft Diagnostics Wizard Execution (eql)
  • ❌ Potential Foxmail Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command and Scripting Interpreter via Windows Scripts (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Wireless Credential Dumping using Netsh Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a Hidden Local User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Bypass UAC via Event Viewer (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Web Shell ASPX File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious MS Outlook Child Process (eql)
  • ✅ Port Forwarding Rule Addition (eql)
  • ✅ Unusual Parent-Child Relationship (eql)
  • ✅ Suspicious ImagePath Service Creation (eql)
  • ❌ Command Obfuscation via Unicode Modifier Letters (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disabling Lsa Protection via Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Outlook VBA (eql)
  • ✅ Potential DNS Tunneling via NsLookup (eql)
  • ❌ WDAC Policy File by an Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent Process for cmd.exe (eql)
  • ✅ NTDS or SAM Database File Copied (eql)
  • ❌ ScreenConnect Server Spawning Suspicious Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via Named Pipe Impersonation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration via Rclone (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Control Panel Process with Unusual Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Persistence by a Suspicious Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Encrypting Files with WinRar or 7z (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ✅ Potential Local NTLM Relay via HTTP (eql)
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Credential Access via TruffleHog Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft Exchange Server UM Spawning Suspicious Processes (eql)
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NetNTLMv1 Downgrade Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ❌ Execution via MSSQL xp_cmdshell Stored Procedure (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution via TSClient Mountpoint (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Registry Persistence via AppCert DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ✅ Network Logon Provider Registry Modification (eql)
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Sandbox with Sensitive Configuration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote GitHub Actions Runner Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Backup Deletion with Wbadmin (eql)
  • ✅ RDP Enabled via Registry (eql)
  • ❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Suspicious PrintSpooler Service Executable File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via PowerShell profile (eql)
  • ❌ Potential CVE-2025-33053 Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Download via a Headless Browser (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Connection to WebDAV Target (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ✅ Persistence via TelemetryController Scheduled Task Hijack (eql)
  • ❌ UAC Bypass via ICMLuaUtil Elevated COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of Boot Configuration (eql)
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ✅ Exporting Exchange Mailbox via PowerShell (eql)
  • ✅ Microsoft Exchange Server UM Writing Suspicious Files (eql)
  • ✅ Unusual File Creation - Alternate Data Stream (eql)
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Modification of Accessibility Binaries (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Remote Desktop Tunneling Detected (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enumeration Command Spawned via WMIPrvSE (eql)
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System File Ownership Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Notepad Markdown RCE Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Enumeration of Administrator Accounts (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ✅ Unusual Child Process of dns.exe (eql)
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential WSUS Abuse for Lateral Movement (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Monitor or Print Processor Registration Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Deprecated - Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Group Policy Discovery via Microsoft GPResult Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ❌ Suspicious Shell Execution via Velociraptor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via WMI Event Subscription (eql)
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious MS Office Child Process (eql)
  • ❌ Execution via GitHub Actions Runner (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Print Spooler SPL File Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Credential Acquisition via Registry Hive Dumping (eql)
  • ❌ Persistence via Hidden Run Key Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Outlook Home Page Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Managed Code Hosting Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Execution via Microsoft Office Add-Ins (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Traffic Tunneling using QEMU (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GenAI Process Compiling or Generating Executables (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Volume Shadow Copy Deleted or Resized via VssAdmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Veeam Credential Access Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Creation or Modification of Domain Backup DPAPI private key (eql)
  • ❌ Kirbi File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface (eql)
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Print Spooler Point and Print DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Searching for Saved Credentials via VaultCmd (eql)
  • ❌ Creation or Modification of a new GPO Scheduled Task or Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential RemoteMonologue Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft IIS Connection Strings Decryption (eql)
  • ✅ Persistence via BITS Job Notify Cmdline (eql)
  • ❌ GenAI Process Performing Encoding/Chunking Prior to Network Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Remote Management Tool Vendors on Same Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Mounting Hidden or WebDav Remote Shares (eql)
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ❌ Potential Remote Desktop Shadowing Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Installation of Custom Shim Databases (eql)
  • ✅ Microsoft Build Engine Started by an Office Application (eql)
  • ✅ Remote File Download via MpCmdRun (eql)
  • ✅ Suspicious Startup Shell Folder Modification (eql)
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ New ActiveSyncAllowedDeviceID Added via PowerShell (eql)
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ✅ Symbolic Link to Shadow Copy Created (eql)
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Privilege Escalation via Windir Environment Variable (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Protocol Tunneling via Cloudflared (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of WDigest Security Provider (eql)
  • ✅ Command Execution via SolarWinds Process (eql)
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Volume Shadow Copy Deletion via PowerShell (eql)
  • ❌ Suspicious Windows Command Shell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Volume Shadow Copy Deletion via WMIC (eql)
  • ❌ Suspicious Execution from INET Cache (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Install Kali Linux via WSL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Child Process from a System Virtual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential privilege escalation via CVE-2022-38028 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ❌ Unusual Execution via Microsoft Common Console File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Protocol Tunneling via Yuze (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Installation of Security Support Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Unusual Executable File Creation by a System Critical Process (eql)
  • ❌ Potential LSA Authentication Package Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Mimikatz Memssp Log File Detected (eql)
  • ✅ IIS HTTP Logging Disabled (eql)
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ AdFind Command Activity (eql)
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Print Spooler Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ LSASS Memory Dump Creation (eql)
  • ❌ Remote Desktop File Opened from Suspicious Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Office AddIns (eql)
  • ✅ Windows Script Executing PowerShell (eql)
  • ❌ Rare SMB Connection to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ Persistent Scripts in the Startup Directory (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Microsoft Exchange Worker Spawning Suspicious Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of AmsiEnable Registry Key (eql)
  • ❌ Potential Secret Scanning via Gitleaks (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Extension Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Copy to a Hidden Share (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Antimalware Scan Interface DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Application Shimming via Sdbinst (eql)
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ Svchost spawning Cmd (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Windows Defender Tampering (eql)
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious JavaScript Execution via Deno (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Process Access via Windows API (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Discovery using AdExplorer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

"Data Source: Microsoft 365",
"Data Source: Microsoft 365 Audit Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Microsoft Defender XDR",
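Review bot: The old entry "Data Source: Microsoft Defender for Endpoint" is dropped from this list rather than kept alongside the new "Data Source: Microsoft Defender XDR" line, so any rule file still carrying the old tag will no longer validate against it. Confirm that every rule tagged with the old value is updated in the same commit, and decide whether the old entry should remain on min-stacked or backport branches until those rules are aligned, since this PR carries the backport: auto label.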

If we do this, I'd just remove all of the other Microsoft Defender references.

Comment thread tests/test_all_rules.py
"logs-sentinel_one_cloud_funnel.*": {"all": ["Data Source: SentinelOne"]},
"logs-fim.event-*": {"all": ["Data Source: File Integrity Monitoring"]},
"logs-m365_defender.event-*": {"all": ["Data Source: Microsoft Defender for Endpoint"]},
"logs-m365_defender.event-*": {"all": ["Data Source: Microsoft Defender XDR"]},
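Review bot: The "all" mapping for "logs-m365_defender.event-*" now requires "Data Source: Microsoft Defender XDR" on every rule using that index, with no allowance for the previous "Data Source: Microsoft Defender for Endpoint" value. If this test change is backported to a branch whose rule files were not updated in the same change, the enforcement fails there; either backport the rule edits together with this test or accept the old tag as a deprecated alias until older branches are aligned.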

Any min-stacked rules this may break?


@terrancedejesus terrancedejesus left a comment


Double check any min-stacked rules where the unit test enforcement may fail on older branches. If there are any other Microsoft Defender data source tags, I'd remove them. Other than these, looks good.
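To make the compatibility concern raised in this review concrete, here is an added illustration (not code from the elastic/detection-rules project or its test suite) of the kind of check the quoted test mapping performs: every rule whose index matches a pattern must carry the listed tags. The `REQUIRED_TAGS_BY_INDEX` mapping, the `DEPRECATED_ALIASES` table, the `check_rule_tags` and `check_all` functions and the sample rule dicts are all constructed for this example; the alias table models the transition the reviewers discuss, where an older branch may still carry the previous tag while main already requires the new one.

```python
from fnmatch import fnmatch

# Constructed mapping in the shape of the tests/test_all_rules.py entries quoted
# in this PR: an index pattern -> tags that "all" rules using that index must carry.
REQUIRED_TAGS_BY_INDEX = {
    "logs-fim.event-*": {"all": ["Data Source: File Integrity Monitoring"]},
    "logs-m365_defender.event-*": {"all": ["Data Source: Microsoft Defender XDR"]},
}

# Hypothetical transition table (assumption, not part of the project): a required
# tag -> older spellings that may still appear on branches predating the rename.
DEPRECATED_ALIASES = {
    "Data Source: Microsoft Defender XDR": {"Data Source: Microsoft Defender for Endpoint"},
}


def _index_matches(rule_index: str, pattern: str) -> bool:
    """A rule's index entry matches a mapping key when it is the same pattern
    or a concrete index name covered by that wildcard pattern."""
    return rule_index == pattern or fnmatch(rule_index, pattern)


def check_rule_tags(rule: dict, allow_deprecated: bool = False) -> dict:
    """Evaluate one rule (dict with 'index' and 'tags' lists) against the mapping.

    Returns three lists:
      missing    - required tags the rule lacks (a failure)
      deprecated - old aliases accepted in place of a required tag, only when
                   allow_deprecated=True (what an un-migrated older branch needs)
      stale      - old aliases present alongside the new tag (should be removed)
    """
    tags = set(rule.get("tags", []))
    result = {"missing": [], "deprecated": [], "stale": []}
    for pattern, spec in REQUIRED_TAGS_BY_INDEX.items():
        if not any(_index_matches(i, pattern) for i in rule.get("index", [])):
            continue
        for required in spec["all"]:
            aliases_present = sorted(DEPRECATED_ALIASES.get(required, set()) & tags)
            if required in tags:
                # New tag is there; any leftover old spelling is just clutter.
                result["stale"].extend(aliases_present)
            elif aliases_present and allow_deprecated:
                # Older branch: tolerate the old spelling but report it.
                result["deprecated"].extend(aliases_present)
            else:
                result["missing"].append(required)
    return result


def check_all(rules: list, allow_deprecated: bool = False) -> dict:
    """Map rule name -> findings, for rules that have at least one finding."""
    findings = {}
    for rule in rules:
        r = check_rule_tags(rule, allow_deprecated)
        if any(r.values()):
            findings[rule["name"]] = r
    return findings


# Constructed sample rules (not real rules from the repository).
SAMPLE_RULES = [
    {"name": "migrated", "index": ["logs-m365_defender.event-*"],
     "tags": ["Data Source: Microsoft Defender XDR"]},
    {"name": "old_branch", "index": ["logs-m365_defender.event-*"],
     "tags": ["Data Source: Microsoft Defender for Endpoint"]},
    {"name": "both", "index": ["logs-m365_defender.event-*"],
     "tags": ["Data Source: Microsoft Defender XDR",
              "Data Source: Microsoft Defender for Endpoint"]},
    {"name": "unrelated", "index": ["logs-endpoint.events.process-*"], "tags": []},
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"allow_deprecated={mode}:", check_all(SAMPLE_RULES, mode))
```

Run with `allow_deprecated=False` the check behaves like the strict mapping on main: the un-migrated rule fails with a missing tag. With `allow_deprecated=True` it shows what an older branch would need in order not to fail while still surfacing the rules that have to be migrated, and in both modes a rule that carries both spellings is flagged so the old tag can be removed.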


Development

Successfully merging this pull request may close these issues.

[Tuning][Unit Test]Microsoft Defender XDR vs Microsoft Defender for Endpoint Data Source Tag Update and Compatibility Check
