Branch was auto-updated.

.github/workflows/build.yml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl
+          pip install contentctl==4.1.5
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git
       
       - name: Running build with enrichments

.github/workflows/unit-testing.yml

@@ -24,7 +24,7 @@ jobs:
         - name: Install Python Dependencies and ContentCTL
           run: |
             python -m pip install --upgrade pip
-            pip install contentctl
+            pip install contentctl==4.1.5
            
         # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
         # Make sure we check out the PR, even if it actually lives in a fork

detections/endpoint/detect_renamed_psexec.yml

@@ -1,8 +1,8 @@
 name: Detect Renamed PSExec
 id: 683e6196-b8e8-11eb-9a79-acde48001122
-version: 5
-date: '2024-05-11'
-author: Michael Haag, Splunk
+version: 6
+date: '2024-07-23'
+author: Michael Haag, Splunk, Alex Oberkircher, Github Community
 status: production
 type: Hunting
 description: The following analytic identifies instances where `PsExec.exe` has been
@@ -16,7 +16,7 @@ data_source:
 - Sysmon EventID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe
-  OR Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c
+  AND Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c
   by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
   Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`

detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml

@@ -1,8 +1,8 @@
 name: Scheduled Task Initiation on Remote Endpoint
 id: 95cf4608-4302-11ec-8194-3e22fbd008af
-version: 3
+version: 4
 date: '2024-07-23'
-author: Mauricio Velazco, Splunk
+author: Mauricio Velazco, Splunk, Badoodish, Github Community
 status: production
 type: TTP
 description: The following analytic detects the use of 'schtasks.exe' to start a Scheduled
@@ -16,7 +16,7 @@ data_source:
 - Sysmon EventID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe
-  OR Processes.original_file_name=schtasks.exe) (Processes.process=*/s* AND Processes.process=*/run*)
+  OR Processes.original_file_name=schtasks.exe) (Processes.process= "* /S *" AND Processes.process=*/run*)
   by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
   Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`'