Update Lookups & Windows EventLog Macros

lookups/asr_rules.csv

@@ -12,7 +12,9 @@ D3E037E1-3EB8-44C8-A917-57927947596D,Block JavaScript or VBScript from launching
 26190899-1602-49E8-8B27-EB1D0A1CE869,Block Office communication application from creating child processes
 E6DB77E5-3DF2-4CF1-B95A-636979351E5B,Block persistence through WMI event subscription
 D1E49AAC-8F56-4280-B9BA-993A6D77406C,Block process creations originating from PSExec and WMI commands
+33DDEDF1-C6E0-47CB-833E-DE6133960387,Block rebooting machine in Safe Mode
 B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4,Block untrusted and unsigned processes that run from USB
+C0033C00-D16D-4114-A5A0-DC9B3A7D2CEB,Block use of copied or impersonated system tools
 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B,Block Win32 API calls from Office macros
 C1DB55AB-C21A-4637-BB3F-A12568109D35,Use advanced protection against ransomware
 A8F5898E-1DC8-49A9-9878-85004B8A61E6,Block Webshell creation for Servers

lookups/asr_rules.yml

@@ -1,6 +1,6 @@
 name: asr_rules
-date: 2024-12-23
-version: 2
+date: 2025-01-29
+version: 3
 id: 3886d687-ae77-4a61-99eb-e745083e391e
 author: Splunk Threat Research Team
 lookup_type: csv

lookups/builtin_groups_lookup.csv

@@ -1,7 +1,8 @@
 builtin_group_string,builtin_group_name
-AO,Account operators
-RU,Alias to allow previous Windows 2000
+AA,Access control assistant operators
 AN,Anonymous logon
+AO,Account operators
+AP,Protected users
 AU,Authenticated users
 BA,Built-in administrators
 BG,Built-in guests
@@ -10,30 +11,40 @@ BU,Built-in users
 CA,Certificate server administrators
 CG,Creator group
 CO,Creator owner
+CY,Crypto operators
 DA,Domain administrators
 DC,Domain computers
 DD,Domain controllers
 DG,Domain guests
 DU,Domain users
 EA,Enterprise administrators
 ED,Enterprise domain controllers
-WD,Everyone
-PA,Group Policy administrators
+ER,Eventlog readers
+ES,Endpoint servers
+HA,Hyper-V administrators
+IS,Anonymous internet users
 IU,Interactively logged-on user
+KA,Domain key administrators
 LA,Local administrator
 LG,Local guest
 LS,Local service account
-SY,Local system
-NU,Network sign-in user
+LU,Performance log users
+MS,Management servers
+MU,Performance monitor users
 NO,Network configuration operators
 NS,Network service account
+NU,Network sign-in user
+PA,Group Policy administrators
 PO,Printer operators
 PS,Personal self
 PU,Power users
-RS,RAS servers group
+RC,Restricted code
 RD,Terminal server users
 RE,Replicator
-RC,Restricted code
+RS,RAS servers group
+RU,Alias to allow previous Windows 2000
 SA,Schema administrators
 SO,Server operators
-SU,Service sign-in user
+SU,Service sign-in user
+SY,Local system
+WD,Everyone

lookups/builtin_groups_lookup.yml

@@ -1,6 +1,6 @@
 name: builtin_groups_lookup
-date: 2024-12-23
-version: 2
+date: 2025-01-29
+version: 3
 id: 7d0a0c1c-2ef0-48a9-87c6-de97a0ad1ccf
 author: Splunk Threat Research Team
 lookup_type: csv