Merge branch 'develop' into fix-issue-3690

Author: patel-bhavin

detections/endpoint/bitsadmin_download_file.yml

@@ -1,7 +1,7 @@
 name: BITSAdmin Download File
 id: 80630ff4-8e4c-11eb-aab5-acde48001122
-version: 12
-date: '2025-07-29'
+version: 13
+date: '2025-09-16'
 author: Michael Haag, Sittikorn S
 status: production
 type: TTP
@@ -81,6 +81,7 @@ tags:
   - Flax Typhoon
   - Gozi Malware
   - Scattered Spider
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1197

detections/endpoint/certutil_with_decode_argument.yml

@@ -1,7 +1,7 @@
 name: CertUtil With Decode Argument
 id: bfe94226-8c10-11eb-a4b3-acde48001122
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-09-16'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -79,6 +79,7 @@ tags:
   - Forest Blizzard
   - APT29 Diplomatic Deceptions with WINELOADER
   - Storm-2460 CLFS Zero Day Exploitation
+  - GhostRedirector IIS Module and Rungan Backdoor
   group:
   - APT29
   - Cozy Bear

detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml

@@ -1,7 +1,7 @@
 name: Cisco NVM - Webserver Download From File Sharing Website
 id: 1984f997-3b49-4d4b-a7e9-dc5dbf88370e
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2025-09-16'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -86,6 +86,7 @@ drilldown_searches:
     latest_offset: $info_max_time$
 tags:
   analytic_story:
+    - GhostRedirector IIS Module and Rungan Backdoor
     - Cisco Network Visibility Module Analytics
   asset_type: Endpoint
   mitre_attack_id:

detections/endpoint/detect_exchange_web_shell.yml

@@ -1,7 +1,7 @@
 name: Detect Exchange Web Shell
 id: 8c14eeee-2af1-4a4b-bda8-228da0f4862a
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2025-09-16'
 author: Michael Haag, Shannon Davis, David Dorsey, Splunk
 status: production
 type: TTP
@@ -73,6 +73,7 @@ tags:
   - Compromised Windows Host
   - BlackByte Ransomware
   - Seashell Blizzard
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1133

detections/endpoint/detect_remote_access_software_usage_file.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage File
 id: 3bf5541a-6a45-4fdc-b01d-59b899fff961
-version: 10
-date: '2025-07-29'
+version: 11
+date: '2025-09-16'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -90,6 +90,7 @@ tags:
   - Seashell Blizzard
   - Scattered Spider
   - Interlock Ransomware
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1219

detections/endpoint/detect_remote_access_software_usage_process.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 10
-date: '2025-07-29'
+version: 11
+date: '2025-09-16'
 author: Steven Dick, Sebastian Wurl, Splunk Community
 status: production
 type: Anomaly
@@ -104,6 +104,7 @@ tags:
   - Seashell Blizzard
   - Scattered Spider
   - Interlock Ransomware
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1219

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 18
-date: '2025-07-28'
+version: 19
+date: '2025-09-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -114,6 +114,7 @@ tags:
   - Interlock Ransomware
   - Interlock Rat
   - NailaoLocker Ransomware
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

detections/endpoint/headless_browser_mockbin_or_mocky_request.yml

@@ -1,7 +1,7 @@
 name: Headless Browser Mockbin or Mocky Request
 id: 94fc85a1-e55b-4265-95e1-4b66730e05c0
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-09-16'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -65,6 +65,7 @@ rba:
 tags:
   analytic_story:
   - Forest Blizzard
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   atomic_guid: []
   mitre_attack_id:

detections/endpoint/lolbas_with_network_traffic.yml

@@ -1,7 +1,7 @@
 name: LOLBAS With Network Traffic
 id: 2820f032-19eb-497e-8642-25b04a880359
-version: 11
-date: '2025-05-26'
+version: 12
+date: '2025-09-16'
 author: Steven Dick
 status: production
 type: TTP
@@ -74,6 +74,7 @@ tags:
   - Living Off The Land
   - Malicious Inno Setup Loader
   - Water Gamayun
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1105

detections/endpoint/malicious_powershell_process___encoded_command.yml

@@ -1,7 +1,7 @@
 name: Malicious PowerShell Process - Encoded Command
 id: c4db14d9-7909-48b4-a054-aa14d89dbb19
-version: 16
-date: '2025-07-29'
+version: 17
+date: '2025-09-16'
 author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community
 status: production
 type: Hunting
@@ -62,6 +62,7 @@ tags:
   - Crypto Stealer
   - Microsoft SharePoint Vulnerabilities
   - Scattered Spider
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1027