You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Validated end-to-end by firing real payloads on a live Windows agent and
confirming each alert in UTMStack (22/22 fired). Fixes regex backslash-escaping,
the non-existent eventDataFileName field on 4663, eventDataProcessName on 4688
(use log.data.NewProcessName), the unpopulated log.channel clause, and the WinRM
4624-ProcessName issue. Adds 7 detections (shadow-copy deletion, suspicious
PowerShell, Office-spawned shell, LOLBins, scheduled tasks, log tampering,
credential dumping). Hardened for false positives; groupBy/deduplicateBy set on
dataSource so a burst yields a single alert.
Co-authored-by: rvald26 <rick@utmstack.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com>
description: Detects command-line and PowerShell script-block indicators of credential-dumping tools (mimikatz/sekurlsa/lsadump, procdump lsass, comsvcs MiniDump, nanodump, rubeus). The command-line branch is the reliable trigger since AMSI blocks literal mimikatz strings in PowerShell.
0 commit comments