splunk
diff --git a/‎detections/endpoint/add_or_set_windows_defender_exclusion.yml‎
Lines changed: 8 additions & 7 deletions b/‎detections/endpoint/add_or_set_windows_defender_exclusion.yml‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎detections/endpoint/any_powershell_downloadfile.yml‎
Lines changed: 6 additions & 5 deletions b/‎detections/endpoint/any_powershell_downloadfile.yml‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎detections/endpoint/chcp_command_execution.yml‎
Lines changed: 2 additions & 1 deletion b/‎detections/endpoint/chcp_command_execution.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎detections/endpoint/cmd_carry_out_string_command_parameter.yml‎
Lines changed: 15 additions & 14 deletions b/‎detections/endpoint/cmd_carry_out_string_command_parameter.yml‎
Lines changed: 15 additions & 14 deletions
diff --git a/‎detections/endpoint/detect_password_spray_attack_behavior_on_user.yml‎
Lines changed: 1 addition & 0 deletions b/‎detections/endpoint/detect_password_spray_attack_behavior_on_user.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎detections/endpoint/detect_rare_executables.yml‎
Lines changed: 1 addition & 0 deletions b/‎detections/endpoint/detect_rare_executables.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎detections/endpoint/download_files_using_telegram.yml‎
Lines changed: 2 additions & 1 deletion b/‎detections/endpoint/download_files_using_telegram.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎detections/endpoint/excessive_service_stop_attempt.yml‎
Lines changed: 2 additions & 1 deletion b/‎detections/endpoint/excessive_service_stop_attempt.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎detections/endpoint/excessive_usage_of_cacls_app.yml‎
Lines changed: 2 additions & 1 deletion b/‎detections/endpoint/excessive_usage_of_cacls_app.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎detections/endpoint/excessive_usage_of_sc_service_utility.yml‎
Lines changed: 2 additions & 1 deletion b/‎detections/endpoint/excessive_usage_of_sc_service_utility.yml‎
Lines changed: 2 additions & 1 deletion
@@ -1,7 +1,7 @@
 name: Add or Set Windows Defender Exclusion
 id: 773b66fe-4dd9-11ec-8289-acde48001122
-version: 6
-date: '2024-12-10'
+version: '6'
+date: '2024-12-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -65,14 +65,15 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - WhisperGate
-  - Windows Defense Evasion Tactics
+  - CISA AA22-320A
+  - AgentTesla
   - Remcos
   - Data Destruction
-  - CISA AA22-320A
-  - ValleyRAT
   - Compromised Windows Host
-  - AgentTesla
+  - ValleyRAT
+  - Windows Defense Evasion Tactics
+  - WhisperGate
+  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1562.001
 
@@ -71,15 +71,16 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - DarkCrystal RAT
-  - Ingress Tool Transfer
   - Hermetic Wiper
-  - Malicious PowerShell
-  - Data Destruction
   - Log4Shell CVE-2021-44228
   - Phemedrone Stealer
-  - Braodo Stealer
+  - Data Destruction
   - PXA Stealer
+  - Ingress Tool Transfer
+  - Malicious PowerShell
+  - DarkCrystal RAT
+  - Crypto Stealer
+  - Braodo Stealer
   asset_type: Endpoint
   cve:
   - CVE-2021-44228
 
@@ -65,9 +65,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - IcedID
   - Azorult
   - Forest Blizzard
+  - Crypto Stealer
+  - IcedID
   asset_type: Endpoint
   mitre_attack_id:
   - T1059
 
@@ -38,26 +38,27 @@ references:
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
 tags:
   analytic_story:
-  - AsyncRAT
-  - Winter Vivern
-  - WhisperGate
-  - Living Off The Land
+  - Data Destruction
   - DarkGate Malware
+  - Chaos Ransomware
+  - Hermetic Wiper
+  - Warzone RAT
+  - Winter Vivern
   - ProxyNotShell
-  - Log4Shell CVE-2021-44228
+  - IcedID
+  - Living Off The Land
   - NjRAT
-  - RedLine Stealer
+  - Log4Shell CVE-2021-44228
+  - CISA AA23-347A
+  - AsyncRAT
   - Rhysida Ransomware
-  - IcedID
-  - Chaos Ransomware
-  - PlugX
+  - DarkCrystal RAT
+  - Crypto Stealer
   - Azorult
   - Qakbot
-  - Hermetic Wiper
-  - Warzone RAT
-  - DarkCrystal RAT
-  - CISA AA23-347A
-  - Data Destruction
+  - RedLine Stealer
+  - PlugX
+  - WhisperGate
   asset_type: Endpoint
   cve:
   - CVE-2021-44228
 
@@ -65,6 +65,7 @@ rba:
 tags:
   analytic_story:
   - Compromised User Account
+  - Crypto Stealer
   asset_type: Account
   mitre_attack_id:
   - T1110.003
 
@@ -60,6 +60,7 @@ tags:
   analytic_story:
   - Unusual Processes
   - Rhysida Ransomware
+  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1204
 
@@ -50,9 +50,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - XMRig
   - Phemedrone Stealer
+  - Crypto Stealer
   - Snake Keylogger
+  - XMRig
   asset_type: Endpoint
   mitre_attack_id:
   - T1105
 
@@ -63,9 +63,10 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - XMRig
   - Ransomware
   - BlackByte Ransomware
+  - Crypto Stealer
+  - XMRig
   asset_type: Endpoint
   mitre_attack_id:
   - T1489
 
@@ -62,10 +62,11 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - XMRig
   - Azorult
   - Windows Post-Exploitation
   - Prestige Ransomware
+  - XMRig
+  - Crypto Stealer
   - Defense Evasion or Unauthorized Access Via SDDL Tampering
   asset_type: Endpoint
   mitre_attack_id:
 
@@ -54,8 +54,9 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Ransomware
   - Azorult
+  - Ransomware
+  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1569