From f70549ec5482aa6133939d60896aa96688c5aeb5 Mon Sep 17 00:00:00 2001 
From: Michael Wade
Date: Thu, 13 Jun 2019 23:15:38 -0500
Subject: [PATCH] First Pass
---
rules/apt/apt_sofacy.yml | 1 +
rules/apt/apt_ta17_293a_ps.yml | 1 +
rules/windows/builtin/win_alert_mimikatz_keywords.yml | 2 ++
rules/windows/builtin/win_atsvc_task.yml | 2 ++
rules/windows/builtin/win_mal_service_installs.yml | 1 +
rules/windows/builtin/win_pass_the_hash.yml | 1 +
rules/windows/builtin/win_rare_schtasks_creations.yml | 1 +
rules/windows/builtin/win_rare_service_installs.yml | 1 +
rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml | 1 +
rules/windows/builtin/win_rdp_localhost_login.yml | 1 +
rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml | 1 +
rules/windows/builtin/win_rdp_reverse_tunnel.yml | 1 +
rules/windows/builtin/win_susp_eventlog_cleared.yml | 1 +
rules/windows/builtin/win_susp_security_eventlog_cleared.yml | 1 +
.../windows/process_creation/win_cmstp_com_object_access.yml | 1 +
rules/windows/process_creation/win_etw_trace_evasion.yml | 3 ++-
rules/windows/process_creation/win_malware_notpetya.yml | 1 +
rules/windows/process_creation/win_mshta_spawn_shell.yml | 3 +++
rules/windows/process_creation/win_netsh_port_fwd_3389.yml | 1 +
rules/windows/process_creation/win_office_shell.yml | 2 ++
.../win_office_spawn_exe_from_users_directory.yml | 1 +
.../windows/process_creation/win_powershell_dll_execution.yml | 1 +
rules/windows/process_creation/win_powershell_renamed_ps.yml | 1 +
rules/windows/process_creation/win_renamed_paexec.yml | 1 +
.../process_creation/win_susp_commands_recon_activity.yml | 1 +
rules/windows/process_creation/win_susp_control_dll_load.yml | 1 +
rules/windows/process_creation/win_susp_mmc_source.yml | 1 +
rules/windows/process_creation/win_susp_procdump.yml | 1 +
rules/windows/process_creation/win_susp_process_creations.yml | 2 ++
.../windows/process_creation/win_susp_regsvr32_anomalies.yml | 2 ++
rules/windows/process_creation/win_susp_schtask_creation.yml | 1 +
.../windows/process_creation/win_susp_tscon_rdp_redirect.yml | 1 +
rules/windows/process_creation/win_susp_whoami.yml | 1 +
rules/windows/sysmon/sysmon_cmstp_execution.yml | 1 +
rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml | 1 +
rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml | 1 +
rules/windows/sysmon/sysmon_powersploit_schtasks.yml | 1 +
rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml | 1 +
rules/windows/sysmon/sysmon_renamed_psexec.yml | 2 ++
rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml | 2 ++
rules/windows/sysmon/sysmon_susp_rdp.yml | 1 +
.../sysmon_termserv_proc_spawn.yml | 4 +++-
rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml | 1 +
rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml | 1 +
rules/windows/sysmon/sysmon_win10_sched_task_0day.yml | 1 +
rules/windows/sysmon/sysmon_win_reg_persistence.yml | 1 +
46 files changed, 58 insertions(+), 2 deletions(-)
rename rules/windows/{process_creation => sysmon}/sysmon_termserv_proc_spawn.yml (93%)
diff --git a/rules/apt/apt_sofacy.yml b/rules/apt/apt_sofacy.yml
index e8d6c4e4bb4..18033b89314 100755
--- a/rules/apt/apt_sofacy.yml
+++ b/rules/apt/apt_sofacy.yml
@@ -12,6 +12,7 @@ tags:
 - attack.t1059
 - attack.defense_evasion
 - attack.t1085
+ - car.2013-10-002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/apt/apt_ta17_293a_ps.yml b/rules/apt/apt_ta17_293a_ps.yml
index 032a8a25a66..c7ff3aab318 100755
--- a/rules/apt/apt_ta17_293a_ps.yml
+++ b/rules/apt/apt_ta17_293a_ps.yml
@@ -6,6 +6,7 @@ tags:
 - attack.defense_evasion
 - attack.g0035
 - attack.t1036
+ - car.2013-05-009
 author: Florian Roth
 date: 2017/10/22
 logsource:
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index fe114d87532..db3ad758634 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
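Review bot: The `car.*` tags this commit adds (here `car.2013-10-002` on apt_sofacy.yml, and one or more on every other file) are bare analytic IDs with nothing on the page saying which CAR analytic each one denotes, and nothing in this diff validates that an ID exists or fits the rule it is attached to; a reviewer cannot check 58 hand-typed cross-references from the hunks alone. The commit message "First Pass" does not help either. Suggest listing each rule-to-analytic pairing with the analytic's title in the commit description, or as a short mapping table in the PR, so mismatched or mistyped IDs can be caught in review rather than surfacing later in a coverage report.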
@@ -6,6 +6,8 @@ tags:
 - attack.t1003
 - attack.lateral_movement
 - attack.credential_access
+ - car.2013-07-001
+ - car.2019-04-004
 logsource:
 product: windows
 detection:
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index d94ef290908..390fa944986 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -7,6 +7,8 @@ tags:
 - attack.lateral_movement
 - attack.persistence
 - attack.t1053
+ - car.2013-05-004
+ - car.2015-04-001
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml
index ac515d50b03..bd52c9f9c78 100644
--- a/rules/windows/builtin/win_mal_service_installs.yml
+++ b/rules/windows/builtin/win_mal_service_installs.yml
@@ -5,6 +5,7 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1050
+ - car.2013-09-005
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml
index 8ead5dab94f..e83c723aad3 100644
--- a/rules/windows/builtin/win_pass_the_hash.yml
+++ b/rules/windows/builtin/win_pass_the_hash.yml
@@ -7,6 +7,7 @@ author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA
 tags:
 - attack.lateral_movement
 - attack.t1075
+ - car.2016-04-004
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/win_rare_schtasks_creations.yml
index 89173c79735..ba622eeba54 100644
--- a/rules/windows/builtin/win_rare_schtasks_creations.yml
+++ b/rules/windows/builtin/win_rare_schtasks_creations.yml
@@ -7,6 +7,7 @@ tags:
 - attack.privilege_escalation
 - attack.persistence
 - attack.t1053
+ - car.2013-08-001
 logsource:
 product: windows
 service: security
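Review bot: The `car.2015-04-001` tag added to win_atsvc_task.yml looks like the wrong cross-reference: as far as I recall, CAR-2015-04-001 is the UAC Bypass analytic, while the AT-based remotely scheduled task analytic is CAR-2015-04-002, which is what a security-log rule tagged `attack.t1053` and `attack.lateral_movement` corresponds to. The companion `car.2013-05-004` (execution with AT) on the line above fits. Please verify the ID against the CAR index before merging and, if it is indeed off by one, change the line to `- car.2015-04-002`; nothing in this diff would catch the typo otherwise.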
diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/win_rare_service_installs.yml
index 99b8b29e88f..428f51708ae 100644
--- a/rules/windows/builtin/win_rare_service_installs.yml
+++ b/rules/windows/builtin/win_rare_service_installs.yml
@@ -6,6 +6,7 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1050
+ - car.2013-09-005
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
index 29d97032446..217e7b7ce70 100644
--- a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
+++ b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
@@ -6,6 +6,7 @@ references:
 tags:
 - attack.lateral_movement
 - attack.t1210
+ - car.2013-07-002
 author: Florian Roth (rule), Adam Bradbury (idea)
 date: 2019/06/02
 logsource:
diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/win_rdp_localhost_login.yml
index bf68c6fbbc2..a5fd26e2511 100644
--- a/rules/windows/builtin/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/win_rdp_localhost_login.yml
@@ -7,6 +7,7 @@ modified: 2019/01/29
 tags:
 - attack.lateral_movement
 - attack.t1076
+ - car.2013-07-002
 status: experimental
 author: Thomas Patzke
 logsource:
diff --git a/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml b/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
index e48981ea1f4..2d205c697a6 100644
--- a/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
+++ b/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
@@ -4,6 +4,7 @@ references:
 - https://github.com/zerosum0x0/CVE-2019-0708
 tags:
 - attack.initial_access
+ - car.2013-07-002
 status: experimental
 author: Lionel PRAT, Christophe BROCAS
 logsource:
diff --git a/rules/windows/builtin/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/win_rdp_reverse_tunnel.yml
index 8e4ea475016..e0c137ab411 100644
--- a/rules/windows/builtin/win_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/win_rdp_reverse_tunnel.yml
@@ -9,6 +9,7 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1076
+ - car.2013-07-002
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index 35ff19a7421..e3427dc505f 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -7,6 +7,7 @@ author: Florian Roth
 tags:
 - attack.defense_evasion
 - attack.t1070
+ - car.2016-04-002
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
index cc61bdf1006..063dfa98165 100644
--- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
@@ -3,6 +3,7 @@ description: Some threat groups tend to delete the local 'Security' Eventlog usi
 tags:
 - attack.defense_evasion
 - attack.t1070
+ - car.2016-04-002
 author: Florian Roth
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml
index d5c2a386ea7..32ee4017906 100644
--- a/rules/windows/process_creation/win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
@@ -8,6 +8,7 @@ tags:
 - attack.t1088
 - attack.t1191
 - attack.g0069
+ - car.2019-04-001
 author: Nik Seetharaman
 references:
 - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
index 7cc4bc7d493..634fd281232 100644
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -8,7 +8,8 @@ author: '@neu5ron, Florian Roth'
 date: 2019/03/22
 tags:
 - attack.execution
- - attack.t1070
+ - attack.t1070
+ - car.2016-04-002
 level: high
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index 151cc43dcef..dbf237d904a 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -13,6 +13,7 @@ tags:
 - attack.t1085
 - attack.t1070
 - attack.t1003
+ - car.2016-04-002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index 37f72ce9141..f825d054775 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
@@ -28,6 +28,9 @@ tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1170
+ - car.2013-02-003
+ - car.2013-03-001
+ - car.2014-04-003
 falsepositives:
 - Printer software / driver installations
 - HP software
diff --git a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
index 3b556df5aeb..16ad6b6bc0d 100644
--- a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
+++ b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
@@ -6,6 +6,7 @@ date: 2019/01/29
 tags:
 - attack.lateral_movement
 - attack.t1021
+ - car.2013-07-002
 status: experimental
 author: Florian Roth
 logsource:
diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index 6d12a17eb41..b903abd4848 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
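Review bot: In win_etw_trace_evasion.yml the `- attack.t1070` entry is removed and re-added with identical visible text, so the change to that line is whitespace-only (indentation or line ending) and cannot be reviewed from the hunk. Either the item's indentation now differs from the sibling `- attack.execution` line, which would make the list visually inconsistent, or it is editor noise that should be dropped so the hunk contains only the `- car.2016-04-002` addition. Worth checking with a whitespace-visible view (`git diff -w` to confirm it vanishes) before merging. The enclosing file continues outside the hunk.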
@@ -9,6 +9,8 @@ tags:
 - attack.defense_evasion
 - attack.t1059
 - attack.t1202
+ - car.2013-02-003
+ - car.2014-04-003
 author: Michael Haag, Florian Roth, Markus Neis
 date: 2018/04/06
 logsource:
diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
index cee32a74a73..49c0f8619c4 100644
--- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
@@ -10,6 +10,7 @@ tags:
 - attack.t1059
 - attack.t1202
 - FIN7
+ - car.2013-05-002
 author: Jason Lynch
 date: 2019/04/02
 logsource:
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml
index be57fb37412..21d44ac4482 100644
--- a/rules/windows/process_creation/win_powershell_dll_execution.yml
+++ b/rules/windows/process_creation/win_powershell_dll_execution.yml
@@ -6,6 +6,7 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - car.2014-04-003
 author: Markus Neis
 date: 2018/08/25
 logsource:
diff --git a/rules/windows/process_creation/win_powershell_renamed_ps.yml b/rules/windows/process_creation/win_powershell_renamed_ps.yml
index 1e02fef2bac..d6e9ef86dab 100644
--- a/rules/windows/process_creation/win_powershell_renamed_ps.yml
+++ b/rules/windows/process_creation/win_powershell_renamed_ps.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.t1086
 - attack.execution
+ - car.2013-05-009
 author: Tom Ueltschi (@c_APT_ure)
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml
index ac6f00f6319..ccbd055e2de 100644
--- a/rules/windows/process_creation/win_renamed_paexec.yml
+++ b/rules/windows/process_creation/win_renamed_paexec.yml
@@ -8,6 +8,7 @@ tags:
 - attack.defense_evasion
 - attack.t1036
 - FIN7
+ - car.2013-05-009
 date: 2019/04/17
 author: Jason Lynch
 falsepositives:
diff --git a/rules/windows/process_creation/win_susp_commands_recon_activity.yml b/rules/windows/process_creation/win_susp_commands_recon_activity.yml
index 6a565dfdd6a..094958a3390 100644
--- a/rules/windows/process_creation/win_susp_commands_recon_activity.yml
+++ b/rules/windows/process_creation/win_susp_commands_recon_activity.yml
@@ -12,6 +12,7 @@ tags:
 - attack.discovery
 - attack.t1087
 - attack.t1082
+ - car.2016-03-001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml
index 87bc10f8f68..2e2fba61d06 100644
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/win_susp_control_dll_load.yml
@@ -9,6 +9,7 @@ tags:
 - attack.defense_evasion
 - attack.t1073
 - attack.t1085
+ - car.2013-10-002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_mmc_source.yml b/rules/windows/process_creation/win_susp_mmc_source.yml
index 991eb22ab47..6503f881ce4 100644
--- a/rules/windows/process_creation/win_susp_mmc_source.yml
+++ b/rules/windows/process_creation/win_susp_mmc_source.yml
@@ -6,6 +6,7 @@ references:
 tags:
 - attack.lateral_movement
 - attack.t1175
+ - car.2013-02-003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml
index 1f6c6ce631c..d9ab90830bb 100644
--- a/rules/windows/process_creation/win_susp_procdump.yml
+++ b/rules/windows/process_creation/win_susp_procdump.yml
@@ -11,6 +11,7 @@ tags:
 - attack.t1036
 - attack.credential_access
 - attack.t1003
+ - car.2013-05-009
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_process_creations.yml b/rules/windows/process_creation/win_susp_process_creations.yml
index 2733c981555..4aa7be11ab3 100644
--- a/rules/windows/process_creation/win_susp_process_creations.yml
+++ b/rules/windows/process_creation/win_susp_process_creations.yml
@@ -16,6 +16,8 @@ references:
 - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
 author: Florian Roth
 modified: 2018/12/11
+tags:
+ - car.2013-07-001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
index 3e838bab1a6..e7a56ad8af2 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
@@ -8,6 +8,8 @@ tags:
 - attack.t1117
 - attack.defense_evasion
 - attack.execution
+ - car.2019-04-002
+ - car.2019-04-003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index f9b0f1f419a..514db7fc746 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -21,6 +21,7 @@ tags:
 - attack.privilege_escalation
 - attack.t1053
 - attack.s0111
+ - car.2013-08-001
 falsepositives:
 - Administrative activity
 - Software installation
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
index a4d1c334b9c..ac6e7d43e88 100644
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
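Review bot: win_susp_process_creations.yml gains a brand-new top-level `tags:` key, inserted between `modified:` and `logsource:`, and the hunk shows only three lines of context above it, so it cannot be seen whether the rule already carries a `tags:` block elsewhere in the file. If it does, most YAML loaders (PyYAML included) keep only the last duplicate key, so the existing ATT&CK tags would be silently replaced by the single `car.2013-07-001` entry rather than extended. The same new-key insertion is made in sysmon_renamed_psexec.yml and sysmon_termserv_proc_spawn.yml; please confirm none of the three files has a pre-existing `tags:` mapping, and if one does, move the CAR entry into that list instead.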
@@ -8,6 +8,7 @@ tags:
 - attack.lateral_movement
 - attack.privilege_escalation
 - attack.t1076
+ - car.2013-07-002
 author: Florian Roth
 date: 2018/03/17
 modified: 2018/12/11
diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml
index ac983d9735a..9c81749939a 100644
--- a/rules/windows/process_creation/win_susp_whoami.yml
+++ b/rules/windows/process_creation/win_susp_whoami.yml
@@ -9,6 +9,7 @@ date: 2018/05/22
 tags:
 - attack.discovery
 - attack.t1033
+ - car.2016-03-001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/sysmon/sysmon_cmstp_execution.yml b/rules/windows/sysmon/sysmon_cmstp_execution.yml
index 91056cb9868..e4baea9d403 100644
--- a/rules/windows/sysmon/sysmon_cmstp_execution.yml
+++ b/rules/windows/sysmon/sysmon_cmstp_execution.yml
@@ -8,6 +8,7 @@ tags:
 - attack.execution
 - attack.t1191
 - attack.g0069
+ - car.2019-04-001
 author: Nik Seetharaman
 references:
 - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
diff --git a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
index 8612cef5471..bb50ae52e0c 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
@@ -7,6 +7,7 @@ tags:
 - attack.t1003
 - attack.s0002
 - attack.credential_access
+ - car.2019-04-004
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
index 45aff904d34..5658542b636 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
@@ -8,6 +8,7 @@ tags:
 - attack.t1003
 - attack.lateral_movement
 - attack.credential_access
+ - car.2019-04-004
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml b/rules/windows/sysmon/sysmon_powersploit_schtasks.yml
index b0574753cdb..5c19aaab341 100644
--- a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml
+++ b/rules/windows/sysmon/sysmon_powersploit_schtasks.yml
@@ -27,6 +27,7 @@ tags:
 - attack.s0111
 - attack.g0022
 - attack.g0060
+ - car.2013-08-001
 falsepositives:
 - False positives are possible, depends on organisation and processes
 level: high
diff --git a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
index e92bb6d60f7..6ff58594e1d 100644
--- a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
@@ -9,6 +9,7 @@ tags:
 - attack.defense_evasion
 - attack.command_and_control
 - attack.t1076
+ - car.2013-07-002
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_renamed_psexec.yml b/rules/windows/sysmon/sysmon_renamed_psexec.yml
index 5e0e44a447a..943f3fd6951 100644
--- a/rules/windows/sysmon/sysmon_renamed_psexec.yml
+++ b/rules/windows/sysmon/sysmon_renamed_psexec.yml
@@ -5,6 +5,8 @@ references:
 - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
 author: Florian Roth
 date: 2019/05/21
+tags:
+ - car.2013-05-009
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml b/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
index 0bff218438f..3524682726c 100644
--- a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
@@ -8,6 +8,8 @@ tags:
 - attack.privilege_escalation
 - attack.persistence
 - attack.t1015
+ - car.2014-11-003
+ - car.2014-11-008
 author: Florian Roth, @twjackomo
 date: 2018/03/15
 detection:
diff --git a/rules/windows/sysmon/sysmon_susp_rdp.yml b/rules/windows/sysmon/sysmon_susp_rdp.yml
index 651a1bfd649..b388b170697 100644
--- a/rules/windows/sysmon/sysmon_susp_rdp.yml
+++ b/rules/windows/sysmon/sysmon_susp_rdp.yml
@@ -8,6 +8,7 @@ date: 2019/05/15
 tags:
 - attack.lateral_movement
 - attack.t1210
+ - car.2013-07-002
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/process_creation/sysmon_termserv_proc_spawn.yml b/rules/windows/sysmon/sysmon_termserv_proc_spawn.yml
similarity index 93%
rename from rules/windows/process_creation/sysmon_termserv_proc_spawn.yml
rename to rules/windows/sysmon/sysmon_termserv_proc_spawn.yml
index cd2c53cd118..aeed946f3c1 100644
--- a/rules/windows/process_creation/sysmon_termserv_proc_spawn.yml
+++ b/rules/windows/sysmon/sysmon_termserv_proc_spawn.yml
@@ -5,9 +5,11 @@ references:
 - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
 author: Florian Roth
 date: 2019/05/22
+tags:
+ - car.2013-07-002
 logsource:
 product: windows
- category: process_creation
+ service: sysmon
 detection:
 selection:
 ParentCommandLine: '*\svchost.exe*termsvcs'
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
index 773ffd2bab5..e535de2b3f0 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
@@ -25,6 +25,7 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1088
+ - car.2019-04-001
 falsepositives:
 - unknown
 level: critical
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
index dbb12c8182f..501e50c991e 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
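Review bot: sysmon_termserv_proc_spawn.yml swaps `category: process_creation` for `service: sysmon`, yet the visible `selection:` begins directly with `ParentCommandLine:` and carries no `EventID:` key; under `service: sysmon` the backend field/event mapping that the process_creation category supplied (Sysmon event 1 or Security 4688, depending on configuration) no longer applies, so the selection is matched against every Sysmon event type and the rule also stops being portable to non-Sysmon process-creation sources. Either keep `category: process_creation` (the detection uses generic process fields, so the move to the sysmon/ directory alone does not require the logsource change) or add `EventID: 1` as the first key under `selection:`. The detection block continues past the end of the hunk, so an EventID further down cannot be ruled out from here; please check.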
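Review bot: sysmon_uac_bypass_eventvwr.yml is still written back without a trailing newline, as the `\ No newline at end of file` marker after the `level: critical` context line shows. Since this commit already touches the file, it is the natural place to add the final newline; otherwise the next edit to the last line will show up as a spurious two-line change in every future diff.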
@@ -16,6 +16,7 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1088
+ - car.2019-04-001
 falsepositives:
 - unknown
 level: high
diff --git a/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml b/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
index 563b3ad4084..c9205fb3614 100644
--- a/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
+++ b/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
@@ -19,4 +19,5 @@ tags:
 - attack.privilege_escalation
 - attack.execution
 - attack.t1053
+ - car.2013-08-001
 level: high
diff --git a/rules/windows/sysmon/sysmon_win_reg_persistence.yml b/rules/windows/sysmon/sysmon_win_reg_persistence.yml
index 0b9727168f2..656f38ef2ea 100644
--- a/rules/windows/sysmon/sysmon_win_reg_persistence.yml
+++ b/rules/windows/sysmon/sysmon_win_reg_persistence.yml
@@ -21,6 +21,7 @@ tags:
 - attack.persistence
 - attack.defense_evasion
 - attack.t1183
+ - car.2013-01-002
 falsepositives:
 - unknown
 level: critical