
Commit 6d07ef8

committed
update: lookups with additional data
1 parent a6c06d0 commit 6d07ef8

8 files changed, +9626 -9497 lines changed

lookups/asr_rules.csv

+2
@@ -12,7 +12,9 @@ D3E037E1-3EB8-44C8-A917-57927947596D,Block JavaScript or VBScript from launching
1212
26190899-1602-49E8-8B27-EB1D0A1CE869,Block Office communication application from creating child processes
1313
E6DB77E5-3DF2-4CF1-B95A-636979351E5B,Block persistence through WMI event subscription
1414
D1E49AAC-8F56-4280-B9BA-993A6D77406C,Block process creations originating from PSExec and WMI commands
15+
33DDEDF1-C6E0-47CB-833E-DE6133960387,Block rebooting machine in Safe Mode
1516
B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4,Block untrusted and unsigned processes that run from USB
17+
C0033C00-D16D-4114-A5A0-DC9B3A7D2CEB,Block use of copied or impersonated system tools
1618
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B,Block Win32 API calls from Office macros
1719
C1DB55AB-C21A-4637-BB3F-A12568109D35,Use advanced protection against ransomware
1820
A8F5898E-1DC8-49A9-9878-85004B8A61E6,Block Webshell creation for Servers
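Review bot: the two new rows (33DDEDF1-… "Block rebooting machine in Safe Mode" and C0033C00-… "Block use of copied or impersonated system tools") keep the file's uppercase GUID convention, so a match against this lookup will only hit if the event field is also uppercase or the lookup definition is case-insensitive; that setting is not visible in this hunk and is worth confirming in the same change, since a silently failing join would make detections that use this lookup report unknown rule IDs for exactly the rules being added.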

lookups/asr_rules.yml

+2-2
@@ -1,6 +1,6 @@
11
name: asr_rules
2-
date: 2024-12-23
3-
version: 2
2+
date: 2025-01-29
3+
version: 3
44
id: 3886d687-ae77-4a61-99eb-e745083e391e
55
author: Splunk Threat Research Team
66
lookup_type: csv

lookups/builtin_groups_lookup.csv

+20-9
@@ -1,7 +1,8 @@
11
builtin_group_string,builtin_group_name
2-
AO,Account operators
3-
RU,Alias to allow previous Windows 2000
2+
AA,Access control assistant operators
43
AN,Anonymous logon
4+
AO,Account operators
5+
AP,Protected users
56
AU,Authenticated users
67
BA,Built-in administrators
78
BG,Built-in guests
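Review bot: this hunk is mostly a re-sort by builtin_group_string rather than a content change, so the removals of `AO,Account operators` and `RU,Alias to allow previous Windows 2000` at old lines 2-3 should be read together with their re-insertion in sorted position (AO at new line 4 here, RU at new line 45 in the next hunk); the only genuinely new keys in this region are AA and AP. Since the lookup is keyed on the two-letter string and not on position, the reorder is harmless, but a one-line note in the commit message that rows were re-sorted would make the +20/-9 line count easier to audit.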
@@ -10,30 +11,40 @@ BU,Built-in users
1011
CA,Certificate server administrators
1112
CG,Creator group
1213
CO,Creator owner
14+
CY,Crypto operators
1315
DA,Domain administrators
1416
DC,Domain computers
1517
DD,Domain controllers
1618
DG,Domain guests
1719
DU,Domain users
1820
EA,Enterprise administrators
1921
ED,Enterprise domain controllers
20-
WD,Everyone
21-
PA,Group Policy administrators
22+
ER,Eventlog readers
23+
ES,Endpoint servers
24+
HA,Hyper-V administrators
25+
IS,Anonymous internet users
2226
IU,Interactively logged-on user
27+
KA,Domain key administrators
2328
LA,Local administrator
2429
LG,Local guest
2530
LS,Local service account
26-
SY,Local system
27-
NU,Network sign-in user
31+
LU,Performance log users
32+
MS,Management servers
33+
MU,Performance monitor users
2834
NO,Network configuration operators
2935
NS,Network service account
36+
NU,Network sign-in user
37+
PA,Group Policy administrators
3038
PO,Printer operators
3139
PS,Personal self
3240
PU,Power users
33-
RS,RAS servers group
41+
RC,Restricted code
3442
RD,Terminal server users
3543
RE,Replicator
36-
RC,Restricted code
44+
RS,RAS servers group
45+
RU,Alias to allow previous Windows 2000
3746
SA,Schema administrators
3847
SO,Server operators
39-
SU,Service sign-in user
48+
SU,Service sign-in user
49+
SY,Local system
50+
WD,Everyone
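Review bot: `SU,Service sign-in user` is shown as removed at old line 39 and re-added at new line 48 with byte-identical text, which usually means a trailing-whitespace or line-ending difference rather than a real edit; please normalize the csv to one line-ending style so future diffs of this lookup show only key changes. The other removed rows (WD, PA, SY, NU, RS, RC) all reappear in sorted position and no builtin_group_string key is dropped or duplicated, so the net effect of the two hunks is the 11 new entries CY, ER, ES, HA, IS, KA, LU, MS, MU plus AA and AP from the first hunk, consistent with the version bump to 3 in builtin_groups_lookup.yml.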

lookups/builtin_groups_lookup.yml

+2-2
@@ -1,6 +1,6 @@
11
name: builtin_groups_lookup
2-
date: 2024-12-23
3-
version: 2
2+
date: 2025-01-29
3+
version: 3
44
id: 7d0a0c1c-2ef0-48a9-87c6-de97a0ad1ccf
55
author: Splunk Threat Research Team
66
lookup_type: csv
