update: lookups with additional data

Author: nasbench

lookups/asr_rules.csv

@@ -12,7 +12,9 @@ D3E037E1-3EB8-44C8-A917-57927947596D,Block JavaScript or VBScript from launching
 26190899-1602-49E8-8B27-EB1D0A1CE869,Block Office communication application from creating child processes
 E6DB77E5-3DF2-4CF1-B95A-636979351E5B,Block persistence through WMI event subscription
 D1E49AAC-8F56-4280-B9BA-993A6D77406C,Block process creations originating from PSExec and WMI commands
+33DDEDF1-C6E0-47CB-833E-DE6133960387,Block rebooting machine in Safe Mode
 B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4,Block untrusted and unsigned processes that run from USB
+C0033C00-D16D-4114-A5A0-DC9B3A7D2CEB,Block use of copied or impersonated system tools
 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B,Block Win32 API calls from Office macros
 C1DB55AB-C21A-4637-BB3F-A12568109D35,Use advanced protection against ransomware
 A8F5898E-1DC8-49A9-9878-85004B8A61E6,Block Webshell creation for Servers

lookups/asr_rules.yml

@@ -1,6 +1,6 @@
 name: asr_rules
-date: 2024-12-23
-version: 2
+date: 2025-01-29
+version: 3
 id: 3886d687-ae77-4a61-99eb-e745083e391e
 author: Splunk Threat Research Team
 lookup_type: csv

lookups/builtin_groups_lookup.csv

@@ -1,7 +1,8 @@
 builtin_group_string,builtin_group_name
-AO,Account operators
-RU,Alias to allow previous Windows 2000
+AA,Access control assistant operators
 AN,Anonymous logon
+AO,Account operators
+AP,Protected users
 AU,Authenticated users
 BA,Built-in administrators
 BG,Built-in guests
@@ -10,30 +11,40 @@ BU,Built-in users
 CA,Certificate server administrators
 CG,Creator group
 CO,Creator owner
+CY,Crypto operators
 DA,Domain administrators
 DC,Domain computers
 DD,Domain controllers
 DG,Domain guests
 DU,Domain users
 EA,Enterprise administrators
 ED,Enterprise domain controllers
-WD,Everyone
-PA,Group Policy administrators
+ER,Eventlog readers
+ES,Endpoint servers
+HA,Hyper-V administrators
+IS,Anonymous internet users
 IU,Interactively logged-on user
+KA,Domain key administrators
 LA,Local administrator
 LG,Local guest
 LS,Local service account
-SY,Local system
-NU,Network sign-in user
+LU,Performance log users
+MS,Management servers
+MU,Performance monitor users
 NO,Network configuration operators
 NS,Network service account
+NU,Network sign-in user
+PA,Group Policy administrators
 PO,Printer operators
 PS,Personal self
 PU,Power users
-RS,RAS servers group
+RC,Restricted code
 RD,Terminal server users
 RE,Replicator
-RC,Restricted code
+RS,RAS servers group
+RU,Alias to allow previous Windows 2000
 SA,Schema administrators
 SO,Server operators
-SU,Service sign-in user
+SU,Service sign-in user
+SY,Local system
+WD,Everyone

lookups/builtin_groups_lookup.yml

@@ -1,6 +1,6 @@
 name: builtin_groups_lookup
-date: 2024-12-23
-version: 2
+date: 2025-01-29
+version: 3
 id: 7d0a0c1c-2ef0-48a9-87c6-de97a0ad1ccf
 author: Splunk Threat Research Team
 lookup_type: csv

lookups/dynamic_dns_providers_default.csv

@@ -1,6 +1,6 @@
 name: dynamic_dns_providers_default
-date: 2024-12-23
-version: 2
+date: 2025-01-29
+version: 3
 id: 37046407-ef07-48a5-b63d-384fd15b8c4b
 author: Splunk Threat Research Team
 lookup_type: csv

lookups/dynamic_dns_providers_default.yml

@@ -1,10 +1,126 @@
 service,description,category
 *mpssvc*,Windows Firewall Service,security
 *wscsvc*,Windows Security Center Service,security
-*windefend*,Windows Defender Service,security
 *sysmon*,Sysmon Driver,security
 *csc_iseagent*,Cisco Secure Client - ISE Posture Agent,security
 *csc_nvmagent*,Cisco Secure Client - Network Visibility Agent,security
 *csc_umbrellaagent*,Cisco Secure Client - Umbrella Agent,security
 *csc_swgagent*,Cisco Secure Client - Umbrella SWG Agent,security
 *CiscoAMP*,Cisco Secure Endpoint,security
+*CiscoOrbital*,Cisco AMP Orbital,security
+*CiscoSCMS*,Cisco Security Connector Monitoring,security
+*avast! Antivirus*,Avast,security
+*aswBcc*,Avast,security
+*Avast Business Console Client Antivirus Service*,Avast,security
+*epag*,Bitdefender Endpoint Agent,security
+*CylanceSvc*,Cylance,security
+*CynetLauncher*,Cynet Launcher Service,security
+*xagt*,FireEye Endpoint Agent,security
+*fgprocsvc*,ForeScout Remote Inspection Service,security
+*SecureConnector*, ForeScout SecureConnector Service,security
+*fsdevcon*,F-Secure,security
+*FSDFWD*,F-Secure,security
+*F-Secure Network Request Broker*,F-Secure,security
+*FSMA*,F-Secure,security
+*FSORSPClient*,F-Secure,security
+*klif*,Kasperksky,security
+*klim*,Kasperksky,security
+*kltdi*,Kasperksky,security
+*enterceptagent*,MacAfee,security
+*McAfeeFramework*,MacAfee Agent Backwards Compatiblity Service,security
+*McAfeeEngineService*,MacAfee,security
+*mfevtp*,MacAfee Validation Trust Protection Service,security
+*cyverak*,PaloAlto Traps KernelDriver,security
+*cyvrmtgn*,PaloAlto Traps KernelDriver,security
+*cyvrfsfd*,PaloAlto Traps FileSystemDriver,security
+*CyveraService*,PaloAlto Traps,security
+*tlaservice*,PaloAlto Traps Local Analysis Service,security
+*twdservice*,PaloAlto Traps Watchdog Service,security
+*SentinelHelperService*,SentinelOne,security
+*sophosssp*,Sophos,security
+*Sophos Agent*,Sophos,security
+*Sophos AutoUpdate Service*,Sophos,security
+*Sophos Clean Service*,Sophos,security
+*Sophos Device Control Service*,Sophos,security
+*Sophos Message Router*,Sophos,security
+*Sophos Safestore Service*,Sophos,security
+*Sophos Web Control Service*,Sophos,security
+*sophossps*,Sophos,security
+*Symantec System Recovery*, Symantec System Recovery,security
+*Smcinst*,Symantec Connect,security
+*SmcService*,Symantec Connect,security
+*AMSP*,Trend,security
+*tmcomm*,Trend,security
+*tmactmon*,Trend,security
+*tmevtmgr*,Trend,security
+*ntrtscan*,Trend Micro Worry Free Business,security
+*WRSVC*,Webroot,security
+*AcronisActiveProtectionService*,Acronis Active Protection Service,security
+*bdredline_agent*,Bitdefender Agent RedLine Service,security
+*BDAuxSrv*,Bitdefender Auxiliary Service,security
+*UPDATESRV*,Bitdefender Desktop Update Service,security
+*VSSERV*,Bitdefender Virus Shield,security
+*bdredline*,Bitdefender RedLine Service,security
+*EPRedline*,Bitdefender Endpoint Redline Service,security
+*EPUpdateService*,Bitdefender Endpoint Update Service,security
+*EPSecurityService*,Bitdefender Endpoint Security Service,security
+*EPProtectedService*,Bitdefender Endpoint Protected Service,security
+*EPIntegrationService*,Bitdefender Endpoint Integration Service,security
+*Parity*,Carbon Black App Control Agent,security
+*CSFalconService*,CrowdStrike Falcon Sensor Service,security
+*xdrhealth*,Cortex XDR Health Helper,security
+*cyserver*, Cortex XDR,security
+*CybereasonActiveProbe*,Cybereason Active Probe,security
+*CybereasonCRS*,Cybereason Anti-Ransomware,security
+*CybereasonBlocki*,Cybereason Execution Prevention,security
+*ekm*,ESET,security
+*epfw*,ESET,security
+*epfwlwf*,ESET,security
+*epfwwfp*,ESET,security
+*EraAgentSvc*,ESET Management Agent service,security
+*ERAAgent*,ESET Management Agent service,security
+*efwd*,ESET Communication Forwarding Service,security
+*ehttpsrv*,ESET HTTP Server,security
+*AVKWCtl*,Anti-virus Kit Window Control,security
+*AVKProxy*,G Data AntiVirus Proxy Service,security
+*GDScan*,GDSG Data AntiVirus Scan Service,security
+*kavfsslp*,Kaspersky Security Exploit Prevention Service,security
+*KAVFS*,Kaspersky Security Service,security
+*KAVFSGT*,Kaspersky Security Management Service,security
+*klnagent*,Kaspersky Security Center,security
+*PandaAetherAgent*,Panda Endpoint Agent,security
+*PSUAService*,Panda Product Service,security
+*NanoServiceMain*,Panda Cloud Antivirus Service,security
+*SentinelAgent*,SentinelOne Endpoint Protection Agent,security
+*SentinelStaticEngine*,Manage static engines for SentinelOne Endpoint Protection,security
+*LogProcessorService*,Manage logs for SentinelOne Endpoint Protection,security
+*SepMasterService*,Symantec Endpoint Protection,security
+*SepScanService*,Symantec Endpoint Protection Scan Services,security
+*SNAC*,Symantec Network Access Control,security
+*SntpService*,Sophos Network Threat Protection,security
+*Sophos Endpoint Defense Service*,Sophos Endpoint Defense Service,security
+*Sophos File Scanner Service*,Sophos File Scanner Service,security
+*Sophos Health Service*,Sophos Health Service,security
+*Sophos Live Query*,Sophos Live Query,security
+*Sophos Managed Threat Response*,Sophos Managed Threat Response,security
+*Sophos MCS Agent*,Sophos MCS Agent,security
+*Sophos MCS Client*,Sophos MCS Client,security
+*Sophos System Protection Service*,Sophos System Protection Service,security
+*McAfee Endpoint Security Platform Service*,Trellix Core Service,security
+*mfemactl*,Trellix Management Service,security
+*mfemms*,McAfee Management Service,security
+*mfefire*,Trellix Firewall Core Service,security
+*masvc*,Trellix Agent Service,security
+*macmnsvc*,Trellix Agent Common Service,security
+*mfetp*,Trellix Endpoint Threat Prevention Service,security
+*mfewc*,Trellix Endpoint Security Web Control Service*,security
+*mfeaack*,Trellix Anti-Malware Core Service,security
+*Trend Micro Endpoint Basecamp*,Trend Micro Endpoint Basecamp,security
+*TMBMServer*,Trend Micro Unauthorized Change Prevention Service,security
+*Trend Micro Web Service Communicator*,Trend Micro Web Service Communicator,security
+*TMiACAgentSvc*,Trend Micro Application Control Service (Agent),security
+*CETASvc*,Trend Micro Cloud Endpoint Telemetry Service,security
+*iVPAgent*,Trend Micro Vulnerability Protection Service (Agent),security
+*WinDefend*,Windows Defender Antivirus Service,security
+*Sense*,Windows Defender Advanced Threat Protection Service,security
+*WdNisSvc*,Windows Defender Antivirus Network Inspection Service,security

lookups/security_services_lookup.csv

@@ -1,11 +1,11 @@
 name: security_services_lookup
-date: 2024-12-23
-version: 2
+date: 2025-01-29
+version: 4
 id: c9038bad-c77b-4caa-9df2-09dc4454ac77
 author: Splunk Threat Research Team
 lookup_type: csv
 default_match: false
-description: A list of services that deal with security
+description: A list of services that deal with security, such as Antivirus, Endpoint Detection and Response, etc.
 match_type: 
 - WILDCARD(service)
 min_matches: 1