First Pass

rules/apt/apt_sofacy.yml

@@ -12,6 +12,7 @@ tags:
     - attack.t1059
     - attack.defense_evasion
     - attack.t1085
+    - car.2013-10-002
 logsource:
     category: process_creation
     product: windows

rules/apt/apt_ta17_293a_ps.yml

@@ -6,6 +6,7 @@ tags:
     - attack.defense_evasion
     - attack.g0035
     - attack.t1036
+    - car.2013-05-009
 author: Florian Roth
 date: 2017/10/22
 logsource:

rules/windows/builtin/win_alert_mimikatz_keywords.yml

@@ -6,6 +6,8 @@ tags:
     - attack.t1003
     - attack.lateral_movement
     - attack.credential_access
+    - car.2013-07-001
+    - car.2019-04-004
 logsource:
     product: windows
 detection:

rules/windows/builtin/win_atsvc_task.yml

@@ -7,6 +7,8 @@ tags:
     - attack.lateral_movement
     - attack.persistence
     - attack.t1053
+    - car.2013-05-004
+    - car.2015-04-001
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_mal_service_installs.yml

@@ -5,6 +5,7 @@ tags:
     - attack.persistence
     - attack.privilege_escalation
     - attack.t1050
+    - car.2013-09-005
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_pass_the_hash.yml

@@ -7,6 +7,7 @@ author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA
 tags:
     - attack.lateral_movement
     - attack.t1075
+    - car.2016-04-004
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_rare_schtasks_creations.yml

@@ -7,6 +7,7 @@ tags:
     - attack.privilege_escalation
     - attack.persistence
     - attack.t1053
+    - car.2013-08-001
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_rare_service_installs.yml

@@ -6,6 +6,7 @@ tags:
     - attack.persistence
     - attack.privilege_escalation
     - attack.t1050
+    - car.2013-09-005
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml

@@ -6,6 +6,7 @@ references:
 tags:
     - attack.lateral_movement
     - attack.t1210
+    - car.2013-07-002
 author: Florian Roth (rule), Adam Bradbury (idea)
 date: 2019/06/02
 logsource:

rules/windows/builtin/win_rdp_localhost_login.yml

@@ -7,6 +7,7 @@ modified: 2019/01/29
 tags:
     - attack.lateral_movement
     - attack.t1076
+    - car.2013-07-002
 status: experimental
 author: Thomas Patzke
 logsource:

rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml

@@ -4,6 +4,7 @@ references:
     - https://github.com/zerosum0x0/CVE-2019-0708
 tags:
     - attack.initial_access
+    - car.2013-07-002
 status: experimental
 author: Lionel PRAT, Christophe BROCAS
 logsource:

rules/windows/builtin/win_rdp_reverse_tunnel.yml

@@ -9,6 +9,7 @@ tags:
     - attack.defense_evasion
     - attack.command_and_control
     - attack.t1076
+    - car.2013-07-002
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -7,6 +7,7 @@ author: Florian Roth
 tags:
     - attack.defense_evasion
     - attack.t1070
+    - car.2016-04-002
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_susp_security_eventlog_cleared.yml

@@ -3,6 +3,7 @@ description: Some threat groups tend to delete the local 'Security' Eventlog usi
 tags:
     - attack.defense_evasion
     - attack.t1070
+    - car.2016-04-002
 author: Florian Roth
 logsource:
     product: windows

rules/windows/process_creation/win_cmstp_com_object_access.yml

@@ -8,6 +8,7 @@ tags:
     - attack.t1088
     - attack.t1191
     - attack.g0069
+    - car.2019-04-001
 author: Nik Seetharaman
 references:
     - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

rules/windows/process_creation/win_etw_trace_evasion.yml

@@ -8,7 +8,8 @@ author: '@neu5ron, Florian Roth'
 date: 2019/03/22
 tags:
     - attack.execution
-    - attack.t1070    
+    - attack.t1070  
+    - car.2016-04-002  
 level: high
 logsource:
     category: process_creation

rules/windows/process_creation/win_malware_notpetya.yml

@@ -13,6 +13,7 @@ tags:
     - attack.t1085
     - attack.t1070
     - attack.t1003
+    - car.2016-04-002
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_mshta_spawn_shell.yml

@@ -28,6 +28,9 @@ tags:
     - attack.defense_evasion
     - attack.execution
     - attack.t1170
+    - car.2013-02-003
+    - car.2013-03-001
+    - car.2014-04-003
 falsepositives:
     - Printer software / driver installations
     - HP software

rules/windows/process_creation/win_netsh_port_fwd_3389.yml

@@ -6,6 +6,7 @@ date: 2019/01/29
 tags:
     - attack.lateral_movement
     - attack.t1021
+    - car.2013-07-002
 status: experimental
 author: Florian Roth
 logsource:

rules/windows/process_creation/win_office_shell.yml

@@ -9,6 +9,8 @@ tags:
     - attack.defense_evasion
     - attack.t1059
     - attack.t1202
+    - car.2013-02-003
+    - car.2014-04-003
 author: Michael Haag, Florian Roth, Markus Neis
 date: 2018/04/06
 logsource:

rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml

@@ -10,6 +10,7 @@ tags:
     - attack.t1059
     - attack.t1202
     - FIN7
+    - car.2013-05-002
 author: Jason Lynch 
 date: 2019/04/02
 logsource:

rules/windows/process_creation/win_powershell_dll_execution.yml

@@ -6,6 +6,7 @@ references:
 tags:
     - attack.execution
     - attack.t1086
+    - car.2014-04-003
 author: Markus Neis
 date: 2018/08/25
 logsource:

rules/windows/process_creation/win_powershell_renamed_ps.yml

@@ -7,6 +7,7 @@ references:
 tags:
     - attack.t1086
     - attack.execution
+    - car.2013-05-009
 author: Tom Ueltschi (@c_APT_ure)
 logsource:
     category: process_creation

rules/windows/process_creation/win_renamed_paexec.yml

@@ -8,6 +8,7 @@ tags:
     - attack.defense_evasion
     - attack.t1036
     - FIN7
+    - car.2013-05-009
 date: 2019/04/17
 author: Jason Lynch 
 falsepositives:

rules/windows/process_creation/win_susp_commands_recon_activity.yml

@@ -12,6 +12,7 @@ tags:
     - attack.discovery
     - attack.t1087
     - attack.t1082
+    - car.2016-03-001
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_control_dll_load.yml

@@ -9,6 +9,7 @@ tags:
     - attack.defense_evasion
     - attack.t1073
     - attack.t1085
+    - car.2013-10-002
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_mmc_source.yml

@@ -6,6 +6,7 @@ references:
 tags:
     - attack.lateral_movement
     - attack.t1175
+    - car.2013-02-003
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_procdump.yml

@@ -11,6 +11,7 @@ tags:
     - attack.t1036
     - attack.credential_access
     - attack.t1003
+    - car.2013-05-009
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_process_creations.yml

@@ -16,6 +16,8 @@ references:
     - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
 author: Florian Roth
 modified: 2018/12/11
+tags:
+    - car.2013-07-001
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_regsvr32_anomalies.yml

@@ -8,6 +8,8 @@ tags:
     - attack.t1117
     - attack.defense_evasion
     - attack.execution
+    - car.2019-04-002
+    - car.2019-04-003
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_schtask_creation.yml

@@ -21,6 +21,7 @@ tags:
     - attack.privilege_escalation
     - attack.t1053
     - attack.s0111
+    - car.2013-08-001
 falsepositives:
     - Administrative activity
     - Software installation

rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml

@@ -8,6 +8,7 @@ tags:
     - attack.lateral_movement
     - attack.privilege_escalation
     - attack.t1076
+    - car.2013-07-002
 author: Florian Roth
 date: 2018/03/17
 modified: 2018/12/11

rules/windows/process_creation/win_susp_whoami.yml

@@ -9,6 +9,7 @@ date: 2018/05/22
 tags:
     - attack.discovery
     - attack.t1033
+    - car.2016-03-001
 logsource:
     category: process_creation
     product: windows

rules/windows/sysmon/sysmon_cmstp_execution.yml

@@ -8,6 +8,7 @@ tags:
     - attack.execution
     - attack.t1191
     - attack.g0069
+    - car.2019-04-001
 author: Nik Seetharaman
 references:
     - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

@@ -7,6 +7,7 @@ tags:
     - attack.t1003
     - attack.s0002
     - attack.credential_access
+    - car.2019-04-004
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml

@@ -8,6 +8,7 @@ tags:
     - attack.t1003
     - attack.lateral_movement
     - attack.credential_access
+    - car.2019-04-004
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_powersploit_schtasks.yml

@@ -27,6 +27,7 @@ tags:
     - attack.s0111
     - attack.g0022
     - attack.g0060
+    - car.2013-08-001
 falsepositives:
     - False positives are possible, depends on organisation and processes
 level: high

rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml

@@ -9,6 +9,7 @@ tags:
     - attack.defense_evasion
     - attack.command_and_control
     - attack.t1076
+    - car.2013-07-002
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_renamed_psexec.yml

@@ -5,6 +5,8 @@ references:
     - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
 author: Florian Roth
 date: 2019/05/21
+tags:
+    - car.2013-05-009
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml

@@ -8,6 +8,8 @@ tags:
     - attack.privilege_escalation
     - attack.persistence
     - attack.t1015
+    - car.2014-11-003
+    - car.2014-11-008
 author: Florian Roth, @twjackomo
 date: 2018/03/15
 detection:

rules/windows/sysmon/sysmon_susp_rdp.yml

@@ -8,6 +8,7 @@ date: 2019/05/15
 tags:
     - attack.lateral_movement
     - attack.t1210
+    - car.2013-07-002
 logsource:
     product: windows
     service: sysmon

rules/windows/process_creation/sysmon_termserv_proc_spawn.yml → rules/windows/sysmon/sysmon_termserv_proc_spawn.yml

@@ -5,9 +5,11 @@ references:
     - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
 author: Florian Roth
 date: 2019/05/22
+tags:
+    - car.2013-07-002
 logsource:
     product: windows
-    category: process_creation
+    service: sysmon
 detection:
     selection:
         ParentCommandLine: '*\svchost.exe*termsvcs'

rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml

@@ -25,6 +25,7 @@ tags:
     - attack.defense_evasion
     - attack.privilege_escalation
     - attack.t1088
+    - car.2019-04-001
 falsepositives:
     - unknown
 level: critical

rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml

@@ -16,6 +16,7 @@ tags:
     - attack.defense_evasion
     - attack.privilege_escalation
     - attack.t1088
+    - car.2019-04-001
 falsepositives:
     - unknown
 level: high

rules/windows/sysmon/sysmon_win10_sched_task_0day.yml

@@ -19,4 +19,5 @@ tags:
     - attack.privilege_escalation
     - attack.execution
     - attack.t1053
+    - car.2013-08-001
 level: high

rules/windows/sysmon/sysmon_win_reg_persistence.yml

@@ -21,6 +21,7 @@ tags:
     - attack.persistence
     - attack.defense_evasion
     - attack.t1183
+    - car.2013-01-002
 falsepositives:
     - unknown
 level: critical