diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index a2cd5acf698..911a72d0e20 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -75,8 +75,7 @@ jobs:
 python-version: 3.11
 - name: Install dependencies
 run: |
- # pip install sigma-cli~=0.7.1
- pip install pysigma==0.11.9
+ pip install pysigma
 pip install sigma-cli
 pip install pySigma-validators-sigmahq==0.7.0
 - name: Test Sigma Rule Syntax
diff --git a/other/godmode_sigma_rule.yml b/other/godmode_sigma_rule.yml
index 1288301ad55..c4e21aa3da9 100644
--- a/other/godmode_sigma_rule.yml
+++ b/other/godmode_sigma_rule.yml
@@ -18,8 +18,8 @@ id: def6caac-a999-4fc9-8800-cfeff700ba98
 description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'
 status: experimental
 author: Florian Roth (Nextron Systems)
-date: 2019/12/22
-modified: 2022/08/04
+date: 2019-12-22
+modified: 2022-08-04
 level: high
 action: global
 ---
diff --git a/rules-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml b/rules-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml
index ee750830e00..9346e4f0605 100644
--- a/rules-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml
+++ b/rules-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml
@@ -7,13 +7,13 @@ description: |
 references:
 - https://github.com/projectdiscovery/nuclei-templates
 author: Subhash Popuri (@pbssubhash)
-date: 2021/08/25
-modified: 2023/01/02
+date: 2021-08-25
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2010.5278
- - detection.emerging_threats
+ - cve.2010-5278
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
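Review bot: `pip install pysigma` on the new side removes the only version pin on the library that parses and validates every rule in this repository, while `pip install pySigma-validators-sigmahq==0.7.0` two lines below stays pinned; the job now resolves pysigma (and sigma-cli, which was already unpinned) to whatever PyPI serves at run time, so a future release can change parsing behaviour or break the pinned validator without any commit here, and a compromised or yanked release would land in CI unreviewed. If the intent is to pick up a pysigma that accepts the new date format and tag spellings used in the rule hunks, pin the version that was actually validated, e.g. `pip install pysigma==<validated-version>`, and give sigma-cli the same treatment; a requirements file installed with `pip install --require-hashes -r <file>` would make the CI toolchain fully reproducible. The surrounding step list continues outside the hunk.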
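Review bot: `date: 2019-12-22` and `modified: 2022-08-04` on the new side of the godmode_sigma_rule.yml hunk are unquoted ISO dates, which YAML 1.1 loaders such as PyYAML resolve to `datetime.date` objects rather than the strings the old `2019/12/22` form produced; the same applies to every `date:`/`modified:` line in the rule-file hunks that follow in this diff. pySigma is presumably expected to accept date objects, but any other tooling in the pipeline that reads these fields as strings (sorting, changelog generation, exporters) will now see a different type, so it is worth confirming against the validator version CI actually runs. If a string is intended, the values should be quoted, e.g. `date: '2019-12-22'`.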
diff --git a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
index 0860e557ca5..9f11fc0186c 100644
--- a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
+++ b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
@@ -7,14 +7,14 @@ references:
 - https://www.exploit-db.com/exploits/39161
 - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/19
-modified: 2023/01/02
+date: 2022-07-19
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.t1505.003
- - cve.2014.6287
- - detection.emerging_threats
+ - cve.2014-6287
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml b/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
index e95751a8549..d93c2786c8d 100644
--- a/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
+++ b/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
@@ -6,16 +6,16 @@ references:
 - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2017/07/20
-modified: 2021/11/27
+date: 2017-07-20
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1059.003
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 - attack.s0412
 - attack.g0001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
index b533f2f3dd0..f35fd53e08c 100644
--- a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
+++ b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
@@ -5,18 +5,18 @@ description: Detects automated lateral movement by Turla group
 references:
 - https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
-date: 2017/11/07
-modified: 2022/10/09
+date: 2017-11-07
+modified: 2022-10-09
 tags:
 - attack.g0010
 - attack.execution
 - attack.t1059
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.discovery
 - attack.t1083
 - attack.t1135
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
index a42eb311a8f..c912f3e8321 100644
--- a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
+++ b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
@@ -5,15 +5,15 @@ description: Detects commands used by Turla group as reported by ESET in May 202
 references:
 - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: Florian Roth (Nextron Systems)
-date: 2020/05/26
-modified: 2021/11/27
+date: 2020-05-26
+modified: 2021-11-27
 tags:
 - attack.g0010
 - attack.execution
 - attack.t1059.001
 - attack.t1053.005
 - attack.t1027
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml b/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
index 99125133b68..a617999f5f4 100644
--- a/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
+++ b/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
@@ -6,13 +6,13 @@ references:
 - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
 - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2018/02/22
-modified: 2021/11/27
+date: 2018-02-22
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
- - cve.2015.1641
- - detection.emerging_threats
+ - cve.2015-1641
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml b/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml
index e876e676da2..19eeb1a14eb 100644
--- a/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml
+++ b/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml
@@ -5,16 +5,16 @@ description: Detects Winword starting uncommon sub process FLTLDR.exe as used in
 references:
 - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
 author: Florian Roth (Nextron Systems)
-date: 2018/02/22
-modified: 2021/11/27
+date: 2018-02-22
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
- - cve.2017.0261
- - detection.emerging_threats
+ - cve.2017-0261
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml b/rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml
index a68aafcfc77..cb60fe737db 100644
--- a/rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml
+++ b/rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml
@@ -7,16 +7,16 @@ references:
 - https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-
 - https://github.com/embedi/CVE-2017-11882
 author: Florian Roth (Nextron Systems)
-date: 2017/11/23
-modified: 2021/11/27
+date: 2017-11-23
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
- - cve.2017.11882
- - detection.emerging_threats
+ - cve.2017-11882
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml b/rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml
index c3e2ac7fac3..06e16bf5596 100644
--- a/rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml
+++ b/rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml
@@ -6,16 +6,16 @@ references:
 - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/09/15
-modified: 2021/11/27
+date: 2017-09-15
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
- - cve.2017.8759
- - detection.emerging_threats
+ - cve.2017-8759
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml b/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
index 29eb1d61f86..ceb0385b32d 100644
--- a/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
+++ b/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
@@ -6,13 +6,13 @@ references:
 - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
 - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
-date: 2017/11/10
-modified: 2022/10/09
+date: 2017-11-10
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml b/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
index 4bb92e609fc..d6f85a435e9 100644
--- a/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
+++ b/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
@@ -10,13 +10,13 @@ description: |
 references:
 - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
 author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
-date: 2017/03/27
-modified: 2022/10/09
+date: 2017-03-27
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1543.003
 - attack.t1569.002
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml b/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
index f3293580964..b7d93cf2876 100644
--- a/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
+++ b/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
@@ -6,13 +6,13 @@ references:
 - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
 - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/06/03
-modified: 2021/11/27
+date: 2017-06-03
+modified: 2021-11-27
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml b/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
index 22367001c0d..9da9226b0ae 100644
--- a/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
+++ b/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
@@ -5,13 +5,13 @@ description: Detects a process access to verclsid.exe that injects shellcode fro
 references:
 - https://twitter.com/JohnLaTwC/status/837743453039534080
 author: John Lambert (tech), Florian Roth (Nextron Systems)
-date: 2017/03/04
-modified: 2021/11/27
+date: 2017-03-04
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_access
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
index f4596170e37..a6eb9f685b7 100644
--- a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
+++ b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
@@ -6,16 +6,16 @@ references:
 - https://securelist.com/schroedingers-petya/78870/
 - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 author: Florian Roth (Nextron Systems), Tom Ueltschi
-date: 2019/01/16
-modified: 2022/12/15
+date: 2019-01-16
+modified: 2022-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 - attack.t1070.001
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - car.2016-04-002
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml b/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
index e6c5c0f0e20..5c4b90c595e 100644
--- a/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
+++ b/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
@@ -6,13 +6,13 @@ references:
 - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
 - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
 author: Florian Roth (Nextron Systems)
-date: 2017/06/12
-modified: 2023/02/03
+date: 2017-06-12
+modified: 2023-02-03
 tags:
 - attack.s0013
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml b/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
index 51e8590c46d..526e33f1d28 100644
--- a/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
+++ b/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
@@ -5,13 +5,13 @@ description: This method detects a service install of the malicious Microsoft Ne
 references:
 - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 author: Florian Roth (Nextron Systems)
-date: 2017/03/07
-modified: 2021/11/30
+date: 2017-03-07
+modified: 2021-11-30
 tags:
 - attack.persistence
 - attack.g0064
 - attack.t1543.003
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: system
diff --git a/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml b/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
index 20ffd682792..c365b84e4d7 100644
--- a/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
+++ b/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
@@ -5,19 +5,19 @@ description: Detects WannaCry ransomware activity
 references:
 - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
-date: 2019/01/16
-modified: 2023/02/03
+date: 2019-01-16
+modified: 2023-02-03
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
 - attack.discovery
 - attack.t1083
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.001
 - attack.impact
 - attack.t1486
 - attack.t1490
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml b/rules-emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
index c9a25e892f0..f7ab1ce7f29 100644
--- a/rules-emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
+++ b/rules-emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
@@ -5,13 +5,13 @@ description: Detects potential process and execution activity related to APT10 C
 references:
 - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 author: Florian Roth (Nextron Systems)
-date: 2017/04/07
-modified: 2023/03/08
+date: 2017-04-07
+modified: 2023-03-08
 tags:
 - attack.execution
 - attack.g0045
 - attack.t1059.005
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml b/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
index b21b69fe37f..fb69934e96f 100644
--- a/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
+++ b/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
@@ -5,14 +5,14 @@ description: Detects renamed SysInternals tool execution with a binary named ps.
 references:
 - https://www.us-cert.gov/ncas/alerts/TA17-293A
 author: Florian Roth (Nextron Systems)
-date: 2017/10/22
-modified: 2023/05/02
+date: 2017-10-22
+modified: 2023-05-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.g0035
 - attack.t1036.003
 - car.2013-05-009
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
index fbf7da355f5..626ef71ea8c 100644
--- a/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
+++ b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
@@ -6,13 +6,13 @@ references:
 - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
 - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
 author: Florian Roth (Nextron Systems)
-date: 2017/04/15
-modified: 2021/11/27
+date: 2017-04-15
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.g0020
 - attack.t1041
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: firewall
 detection:
diff --git a/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml b/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
index 5845cd19793..e9758f1b592 100644
--- a/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
+++ b/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
@@ -5,12 +5,12 @@ description: Detects binaries used by the Lazarus group which use system names b
 references:
 - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
 author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
-date: 2020/06/03
-modified: 2023/03/10
+date: 2020-06-03
+modified: 2023-03-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml b/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
index b6bd6caafc5..3c364eb3626 100644
--- a/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
+++ b/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
@@ -6,13 +6,13 @@ references:
 - Internal Research
 - https://attack.mitre.org/groups/G0010/
 author: Markus Neis
-date: 2017/11/06
-modified: 2021/11/27
+date: 2017-11-06
+modified: 2021-11-27
 tags:
 - attack.g0010
 - attack.execution
 - attack.t1106
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: pipe_created
diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
index 437e24c7789..1fed02ec236 100644
--- a/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
+++ b/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
@@ -5,13 +5,13 @@ description: This method detects a service install of malicious services mention
 references:
 - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 author: Florian Roth (Nextron Systems)
-date: 2017/03/31
-modified: 2021/11/30
+date: 2017-03-31
+modified: 2021-11-30
 tags:
 - attack.persistence
 - attack.g0010
 - attack.t1543.003
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: system
diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
index bc83f7e4525..b1b89ef6824 100644
--- a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
+++ b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
@@ -5,13 +5,13 @@ description: This method detects malicious services mentioned in Turla PNG dropp
 references:
 - https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
 author: Florian Roth (Nextron Systems)
-date: 2018/11/23
-modified: 2021/11/30
+date: 2018-11-23
+modified: 2021-11-30
 tags:
 - attack.persistence
 - attack.g0010
 - attack.t1543.003
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: system
diff --git a/rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml b/rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml
index 551b0efdc0a..331779396da 100644
--- a/rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml
+++ b/rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml
@@ -5,13 +5,13 @@ description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VP
 references:
 - https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
 author: Bhabesh Raj
-date: 2020/12/08
-modified: 2023/01/02
+date: 2020-12-08
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2018.13379
- - detection.emerging_threats
+ - cve.2018-13379
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yml b/rules-emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yml
index 79e5e5a3aa2..53aeb47c34f 100644
--- a/rules-emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yml
+++ b/rules-emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yml
@@ -6,15 +6,15 @@ references:
 - https://twitter.com/pyn3rd/status/1020620932967223296
 - https://github.com/LandGrey/CVE-2018-2894
 author: Florian Roth (Nextron Systems)
-date: 2018/07/22
-modified: 2023/01/02
+date: 2018-07-22
+modified: 2023-01-02
 tags:
 - attack.t1190
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
 - attack.t1505.003
- - cve.2018.2894
- - detection.emerging_threats
+ - cve.2018-2894
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml b/rules-emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
index d1b92b65c2c..ebcbf0b4240 100644
--- a/rules-emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
+++ b/rules-emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
@@ -6,15 +6,15 @@ references:
 - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
 - https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2018/01/31
-modified: 2023/03/09
+date: 2018-01-31
+modified: 2023-03-09
 tags:
 - attack.g0030
 - attack.g0050
 - attack.s0081
 - attack.execution
 - attack.t1059.003
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml b/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
index 7812dcabeb6..eb55fc440c3 100644
--- a/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
+++ b/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
@@ -7,13 +7,13 @@ references:
 - https://twitter.com/cyb3rops/status/1168863899531132929
 - https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/
 author: Florian Roth (Nextron Systems)
-date: 2018/09/03
-modified: 2023/03/09
+date: 2018-09-03
+modified: 2023-03-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 - attack.g0027
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml b/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
index 2fd608d271f..d26593a3f0a 100644
--- a/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
+++ b/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
@@ -7,16 +7,16 @@ references:
 - https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110
 - https://twitter.com/ClearskySec/status/960924755355369472
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2018/03/01
-modified: 2023/05/31
+date: 2018-03-01
+modified: 2023-05-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.g0007
 - attack.t1059.003
 - attack.t1218.011
 - car.2013-10-002
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml b/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
index bbf33f2e4a2..d106fb093f4 100644
--- a/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
+++ b/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
@@ -9,12 +9,12 @@ references:
 - https://twitter.com/DrunkBinary/status/1063075530180886529
 - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
 author: '@41thexplorer'
-date: 2018/11/20
-modified: 2023/02/20
+date: 2018-11-20
+modified: 2023-02-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml b/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
index d18f6cb7065..855a3cd55db 100644
--- a/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
+++ b/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
@@ -2,7 +2,7 @@ title: APT29 2018 Phishing Campaign CommandLine Indicators
 id: 7453575c-a747-40b9-839b-125a0aae324b
 related:
 - id: 033fe7d6-66d1-4240-ac6b-28908009c71f
- type: obsoletes
+ type: obsolete
 status: stable
 description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
 references:
@@ -10,13 +10,13 @@ references:
 - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
 - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
 author: Florian Roth (Nextron Systems), @41thexplorer
-date: 2018/11/20
-modified: 2023/03/08
+date: 2018-11-20
+modified: 2023-03-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218.011
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml b/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
index 7b5138e8323..93af1448760 100644
--- a/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
+++ b/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
@@ -6,12 +6,12 @@ references:
 - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
 - https://github.com/eset/malware-ioc/tree/master/oceanlotus
 author: megan201296, Jonhnathan Ribeiro
-date: 2019/04/14
-modified: 2023/09/28
+date: 2019-04-14
+modified: 2023-09-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: registry_event
 product: windows
diff --git a/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml b/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
index 0bc8d901ed1..01866f87444 100644
--- a/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
+++ b/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
@@ -5,12 +5,12 @@ description: Detects potential Muddywater APT activity
 references:
 - https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/10
+date: 2023-03-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.g0069
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
index 0b5ee7012bb..9887fdd3fe6 100644
--- a/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
@@ -12,19 +12,19 @@ description: Detects OilRig activity as reported by Nyotron in their March 2018
 references:
 - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
 author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-modified: 2023/03/08
+date: 2018-03-23
+modified: 2023-03-08
 tags:
 - attack.persistence
 - attack.g0049
 - attack.t1053.005
 - attack.s0111
 - attack.t1543.003
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.004
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
index 942171b5dc0..677e3d762d3 100644
--- a/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
@@ -12,19 +12,19 @@ description: Detects OilRig registry persistence as reported by Nyotron in their
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-modified: 2023/03/08
+date: 2018-03-23
+modified: 2023-03-08
tags:
- attack.persistence
- attack.g0049
- attack.t1053.005
- attack.s0111
- attack.t1543.003
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1112
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.004
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: registry_event
product: windows
diff --git a/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
index d96e56b803f..d797c0193af 100644
--- a/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
@@ -12,19 +12,19 @@ description: Detects OilRig schedule task persistence as reported by Nyotron in
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-modified: 2023/03/08
+date: 2018-03-23
+modified: 2023-03-08
tags:
- attack.persistence
- attack.g0049
- attack.t1053.005
- attack.s0111
- attack.t1543.003
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1112
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.004
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: security
diff --git a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
index 67c8c5d5fdd..ea748e64f55 100644
--- a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
@@ -12,19 +12,19 @@ description: Detects OilRig schedule task persistence as reported by Nyotron in
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-modified: 2023/03/08
+date: 2018-03-23
+modified: 2023-03-08
tags:
- attack.persistence
- attack.g0049
- attack.t1053.005
- attack.s0111
- attack.t1543.003
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1112
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.004
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: system
diff --git a/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml b/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
index 6af6aec3490..fe275344b6c 100644
--- a/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
+++ b/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
@@ -5,13 +5,13 @@ description: Detects the deactivation and disabling of the Scheduled defragmenta
references:
- https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
-date: 2019/03/04
-modified: 2022/10/09
+date: 2019-03-04
+modified: 2022-10-09
tags:
- attack.persistence
- attack.t1053.005
- attack.s0111
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml b/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
index d2e8c9cd8e3..c5c66cf4c3b 100644
--- a/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
+++ b/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
@@ -8,13 +8,13 @@ description: Detects the deactivation and disabling of the Scheduled defragmenta
references:
- https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
-date: 2019/03/04
-modified: 2022/11/27
+date: 2019-03-04
+modified: 2022-11-27
tags:
- attack.persistence
- attack.t1053
- attack.s0111
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: security
diff --git a/rules-emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml b/rules-emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
index eb693619abd..f8a485040d9 100644
--- a/rules-emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
+++ b/rules-emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
@@ -5,12 +5,12 @@ description: Detects TropicTrooper activity, an actor who targeted high-profile
references:
- https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
author: '@41thexplorer, Microsoft Defender ATP'
-date: 2019/11/12
-modified: 2020/08/27
+date: 2019-11-12
+modified: 2020-08-27
tags:
- attack.execution
- attack.t1059.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml b/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
index 699ab3f7d0b..d41cc4f1d82 100644
--- a/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
+++ b/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
@@ -5,13 +5,13 @@ description: Detects potential exploitation of the BearLPE exploit using Task Sc
references:
- https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
author: Olaf Hartong
-date: 2019/05/22
-modified: 2023/01/26
+date: 2019-05-22
+modified: 2023-01-26
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1053.005
- car.2013-08-001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yml
index 756ba1f4667..40f4a3b5e7c 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yml
@@ -5,13 +5,13 @@ description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamol
references:
- https://www.exploit-db.com/exploits/47297
author: Florian Roth (Nextron Systems)
-date: 2019/11/18
-modified: 2023/01/02
+date: 2019-11-18
+modified: 2023-01-02
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
- - cve.2019.11510
+ - cve.2019-11510
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: webserver
detection:
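Review bot: The tag values rewritten in the CVE-2019-11510 hunk (`cve.2019.11510` → `cve.2019-11510`, `attack.initial_access` → `attack.initial-access`) are the exact strings that SIEM routing, severity mappings and ATT&CK-coverage exports usually match on, and the rule's detection logic does not change, so a consumer still keyed on the old spellings will silently drop these rules from its coverage instead of failing loudly. The `attack.privilege_escalation` rename in the BearLPE hunk has the same effect, while its `car.2013-08-001` tag already used the dashed form, so the repo is converging on one convention. A compatibility table in the release notes, or a mapping such as `{'attack.initial_access': 'attack.initial-access', 'cve.2019.11510': 'cve.2019-11510'}` applied in the conversion pipeline, would let integrators catch the switch. Nothing visible in this diff records the rename for downstream users.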
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
index 6ecabce62f8..e84490ea8c2 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
@@ -5,16 +5,16 @@ description: Detects exploitation attempt of privilege escalation vulnerability
references:
- https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2019/11/15
-modified: 2021/11/27
+date: 2019-11-15
+modified: 2021-11-27
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1068
- attack.execution
- attack.t1059.003
- attack.t1574
- - cve.2019.1378
+ - cve.2019-1378
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
index 343aad9ab2c..87ece1d91c7 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
@@ -6,13 +6,13 @@ references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
author: Florian Roth (Nextron Systems)
-date: 2019/11/20
-modified: 2022/05/27
+date: 2019-11-20
+modified: 2022-05-27
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1068
- - cve.2019.1388
+ - cve.2019-1388
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml
index 22fdd1436aa..78a57cd6e88 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml
@@ -9,13 +9,13 @@ references:
- https://twitter.com/mpgn_x64/status/1216787131210829826
- https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md
author: Arnim Rupp, Florian Roth
-date: 2020/01/02
-modified: 2023/01/02
+date: 2020-01-02
+modified: 2023-01-02
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
- - cve.2019.19781
+ - cve.2019-19781
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: webserver
definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml
index 7210477bd9e..f0e48ddee13 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml
@@ -5,13 +5,13 @@ description: Detects the exploitation of the Confluence vulnerability described
references:
- https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
author: Florian Roth (Nextron Systems)
-date: 2020/05/26
-modified: 2023/01/02
+date: 2020-05-26
+modified: 2023-01-02
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
- - cve.2019.3398
+ - cve.2019-3398
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: webserver
detection:
diff --git a/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml b/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
index 1c0e3e1e650..1ed49d349e8 100644
--- a/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
+++ b/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
@@ -5,17 +5,17 @@ description: Detects activity that could be related to Baby Shark malware
references:
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
author: Florian Roth (Nextron Systems)
-date: 2019/02/24
-modified: 2023/03/08
+date: 2019-02-24
+modified: 2023-03-08
tags:
- attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.discovery
- attack.t1012
- attack.t1059.003
- attack.t1059.001
- attack.t1218.005
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml b/rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml
index 4c73c0f57fe..d941bd527d0 100644
--- a/rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml
+++ b/rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml
@@ -5,10 +5,10 @@ description: Detects HTTP request used by Chafer malware to receive data from it
references:
- https://securelist.com/chafer-used-remexi-malware/89538/
author: Florian Roth (Nextron Systems)
-date: 2019/01/31
-modified: 2024/02/15
+date: 2019-01-31
+modified: 2024-02-15
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
diff --git a/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml b/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
index 7aaa79043d7..4dd71e5450e 100644
--- a/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
+++ b/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
@@ -6,16 +6,16 @@ references:
- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
- https://redcanary.com/threat-detection-report/threats/dridex/
author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/01/10
-modified: 2023/02/03
+date: 2019-01-10
+modified: 2023-02-03
tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
- attack.t1055
- attack.discovery
- attack.t1135
- attack.t1033
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml b/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
index b09706f95dd..108fd86e650 100644
--- a/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
+++ b/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
@@ -9,12 +9,12 @@ references:
- https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
- https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/30
-modified: 2023/02/03
+date: 2019-10-30
+modified: 2023-02-03
tags:
- attack.impact
- attack.t1490
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml b/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
index 6fba1a1e590..223126b3d94 100644
--- a/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
+++ b/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
@@ -8,14 +8,14 @@ references:
- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
- https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
author: Florian Roth (Nextron Systems)
-date: 2019/09/30
-modified: 2023/02/04
+date: 2019-09-30
+modified: 2023-02-04
tags:
- attack.execution
- attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1027
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml b/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
index 2758a1833cc..6d81e2930bc 100644
--- a/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
+++ b/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
@@ -8,12 +8,12 @@ references:
- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2019/09/30
-modified: 2022/10/06
+date: 2019-09-30
+modified: 2022-10-06
tags:
- - attack.resource_development
+ - attack.resource-development
- attack.t1587.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml b/rules-emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
index f9e2db5b00e..0f737589f66 100644
--- a/rules-emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
+++ b/rules-emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
@@ -7,12 +7,12 @@ references:
- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
author: Vasiliy Burov, oscd.community
-date: 2020/10/18
-modified: 2023/02/03
+date: 2020-10-18
+modified: 2023-02-03
tags:
- attack.impact
- attack.t1486
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml b/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
index c0069c0c7a5..02d06b8baa5 100644
--- a/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
+++ b/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
@@ -6,12 +6,12 @@ references:
- https://twitter.com/killamjr/status/1179034907932315648
- https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
author: Florian Roth (Nextron Systems)
-date: 2019/10/01
-modified: 2023/02/03
+date: 2019-10-01
+modified: 2023-02-03
tags:
- attack.execution
- attack.t1059.005
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml b/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
index 7588a51af8c..8ec78b3feb0 100644
--- a/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
+++ b/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
@@ -4,19 +4,19 @@ related:
- id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
type: similar
- id: 0acaad27-9f02-4136-a243-c357202edd74
- type: obsoletes
+ type: obsolete
status: stable
description: Detects Ryuk ransomware activity
references:
- https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/12/16
-modified: 2023/02/03
+date: 2019-12-16
+modified: 2023-02-03
tags:
- attack.persistence
- attack.t1547.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml b/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
index e85aac7806e..faea3df8bc2 100644
--- a/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
+++ b/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
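Review bot: The `+ type: obsolete` line in the Ryuk hunk declares that this rule obsoletes `0acaad27-9f02-4136-a243-c357202edd74`, but nothing in the diff shows the obsoleted rule being deprecated or removed; if that rule still carries a live `status`, both rules keep converting and will fire twice on the same Ryuk process-creation event. Worth confirming that the related rule's `status` reflects the relationship and, if it does not, setting it to `deprecated` in the same change. The `related:` key itself sits just before the hunk, so the start of the block is not visible here.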
@@ -5,12 +5,12 @@ description: Detects specific process characteristics of Snatch ransomware word
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
author: Florian Roth (Nextron Systems)
-date: 2020/08/26
-modified: 2023/02/13
+date: 2020-08-26
+modified: 2023-02-13
tags:
- attack.execution
- attack.t1204
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml b/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml
index 4e3ae946ae1..bd63088d9ec 100644
--- a/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml
+++ b/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml
@@ -5,14 +5,14 @@ description: Detects Ursnif C2 traffic.
references:
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
-date: 2019/12/19
-modified: 2021/08/09
+date: 2019-12-19
+modified: 2021-08-09
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1566.001
- attack.execution
- attack.t1204.002
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
diff --git a/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_download_url.yml b/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_download_url.yml
index bcecae99053..c72792b5e45 100644
--- a/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_download_url.yml
+++ b/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_download_url.yml
@@ -5,12 +5,12 @@ description: Detects download of Ursnif malware done by dropper documents.
references:
- https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware
author: Thomas Patzke
-date: 2019/12/19
-modified: 2022/08/15
+date: 2019-12-19
+modified: 2022-08-15
logsource:
category: proxy
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.001
detection:
selection:
diff --git a/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml b/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
index 0a8694ea6e1..13245e218c8 100644
--- a/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
+++ b/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
@@ -6,12 +6,12 @@ references:
- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
author: megan201296
-date: 2019/02/13
-modified: 2023/02/07
+date: 2019-02-13
+modified: 2023-02-07
tags:
- attack.execution
- attack.t1112
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: registry_add
diff --git a/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml b/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
index 7a03ad83df3..6cd18c00314 100644
--- a/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
+++ b/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
@@ -5,12 +5,12 @@ description: Detects potential BlueMushroom DLL loading activity via regsvr32 fr
references:
- https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/02
-modified: 2023/03/29
+date: 2019-10-02
+modified: 2023-03-29
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218.010
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml b/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
index b27308919bc..69a560650a8 100644
--- a/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
+++ b/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
@@ -5,15 +5,15 @@ description: Detects APT31 Judgement Panda activity as described in the Crowdstr
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Florian Roth (Nextron Systems)
-date: 2019/02/21
-modified: 2023/03/10
+date: 2019-02-21
+modified: 2023-03-10
tags:
- - attack.lateral_movement
- - attack.credential_access
+ - attack.lateral-movement
+ - attack.credential-access
- attack.g0128
- attack.t1003.001
- attack.t1560.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml b/rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml
index 66143182d98..2a3ea6b97dc 100644
--- a/rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml
+++ b/rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml
@@ -5,10 +5,10 @@ description: Detects suspicious user agent string of APT40 Dropbox tool
references:
- Internal research from Florian Roth
author: Thomas Patzke
-date: 2019/11/12
-modified: 2023/05/18
+date: 2019-11-12
+modified: 2023-05-18
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.001
- attack.exfiltration
- attack.t1567.002
diff --git a/rules-emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml b/rules-emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml
index 7e13d564f0c..22f0019998a 100644
--- a/rules-emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml
+++ b/rules-emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml
@@ -5,13 +5,13 @@ description: Detects Russian group activity as described in Global Threat Report
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Florian Roth (Nextron Systems)
-date: 2019/02/21
-modified: 2023/03/08
+date: 2019-02-21
+modified: 2023-03-08
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1552.001
- attack.t1003.003
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml b/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
index d14cb8f9618..da6f6944f62 100644
--- a/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
+++ b/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
@@ -6,12 +6,12 @@ references:
- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
- https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/04/02
-modified: 2023/03/09
+date: 2019-04-02
+modified: 2023-03-09
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218.010
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml b/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
index f223899dd68..387db7a6aab 100644
--- a/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
+++ b/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
@@ -6,13 +6,13 @@ references:
- https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
- https://twitter.com/cyb3rops/status/972186477512839170
author: Florian Roth (Nextron Systems)
-date: 2019/03/04
-modified: 2023/03/09
+date: 2019-03-04
+modified: 2023-03-09
tags:
- attack.g0020
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218.011
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml b/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
index e9371a21880..6b14a14ef95 100644
--- a/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
+++ b/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
@@ -7,12 +7,12 @@ references:
- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
author: Florian Roth (Nextron Systems), oscd.community
-date: 2019/10/30
-modified: 2021/11/27
+date: 2019-10-30
+modified: 2021-11-27
tags:
- attack.t1587.001
- - attack.resource_development
- - detection.emerging_threats
+ - attack.resource-development
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml b/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
index 4a5f5f8ec09..22a24d09e71 100644
--- a/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
+++ b/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
@@ -9,18 +9,18 @@ references:
- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- https://twitter.com/SBousseaden/status/1207671369963646976
author: Florian Roth (Nextron Systems), frack113
-date: 2019/12/20
-modified: 2022/10/09
+date: 2019-12-20
+modified: 2022-10-09
tags:
- attack.discovery
- attack.t1012
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1036.004
- attack.t1027
- attack.execution
- attack.t1053.005
- attack.t1059.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml b/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
index 9510e2acf60..4507c1bb2bf 100644
--- a/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
+++ b/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
@@ -7,18 +7,18 @@ references:
- https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
- https://twitter.com/SBousseaden/status/1207671369963646976
author: Florian Roth (Nextron Systems), frack113
-date: 2019/12/20
-modified: 2022/11/27
+date: 2019-12-20
+modified: 2022-11-27
tags:
- attack.discovery
- attack.t1012
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1036.004
- attack.t1027
- attack.execution
- attack.t1053.005
- attack.t1059.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: security
diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_exchange_exploit.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_exchange_exploit.yml
index 4d369797354..1cc2c265b00 100644
--- a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_exchange_exploit.yml
+++ b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_exchange_exploit.yml
@@ -5,13 +5,13 @@ description: Detects CVE-2020-0688 Exploitation attempts
references:
- https://github.com/Ridter/cve-2020-0688
author: NVISO
-date: 2020/02/27
-modified: 2023/01/02
+date: 2020-02-27
+modified: 2023-01-02
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
- - cve.2020.0688
+ - cve.2020-0688
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: webserver
detection:
diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_msexchange.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_msexchange.yml
index 6533e9cc082..1cddc0fb054 100644
--- a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_msexchange.yml
+++ b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_msexchange.yml
@@ -5,13 +5,13 @@ description: Detects the exploitation of Microsoft Exchange vulnerability as des references: - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ author: Florian Roth (Nextron Systems) -date: 2020/02/29 -modified: 2023/01/02 +date: 2020-02-29 +modified: 2023-01-02 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2020.0688 - - detection.emerging_threats + - cve.2020-0688 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml index d44814f9436..0a67c50ae4f 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml @@ -6,13 +6,13 @@ references: - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/ author: Florian Roth (Nextron Systems), wagga -date: 2020/02/29 -modified: 2022/12/25 +date: 2020-02-29 +modified: 2022-12-25 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2020.0688 - - detection.emerging_threats + - cve.2020-0688 + - detection.emerging-threats logsource: product: windows service: application diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-10148/web_cve_2020_10148_solarwinds_exploit.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-10148/web_cve_2020_10148_solarwinds_exploit.yml index eeec35e3768..6ddd9475d4a 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-10148/web_cve_2020_10148_solarwinds_exploit.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-10148/web_cve_2020_10148_solarwinds_exploit.yml 
@@ -5,13 +5,13 @@ description: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass a references: - https://kb.cert.org/vuls/id/843464 author: Bhabesh Raj, Tim Shelton -date: 2020/12/27 -modified: 2023/01/02 +date: 2020-12-27 +modified: 2023-01-02 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2020.10148 - - detection.emerging_threats + - cve.2020-10148 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml index 3978d45b80a..32ac98e6063 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml @@ -6,17 +6,17 @@ references: - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224 author: Florian Roth (Nextron Systems) -date: 2020/03/25 -modified: 2023/01/21 +date: 2020-03-25 +modified: 2023-01-21 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - attack.execution - attack.t1059.001 - attack.t1059.003 - attack.s0190 - - cve.2020.10189 - - detection.emerging_threats + - cve.2020-10189 + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml index e366ff2b7f0..8b696259f8f 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml 
+++ b/rules-emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml @@ -5,14 +5,14 @@ description: Detects new commands that add new printer port which point to suspi references: - https://windows-internals.com/printdemon-cve-2020-1048/ author: EagleEye Team, Florian Roth -date: 2020/05/13 -modified: 2021/11/27 +date: 2020-05-13 +modified: 2021-11-27 tags: - attack.persistence - attack.execution - attack.t1059.001 - - cve.2020.1048 - - detection.emerging_threats + - cve.2020-1048 + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml index 75fd58d90b5..ef6f23a21bc 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml @@ -7,14 +7,14 @@ description: | references: - https://windows-internals.com/printdemon-cve-2020-1048/ author: EagleEye Team, Florian Roth (Nextron Systems), NVISO -date: 2020/05/13 -modified: 2024/03/25 +date: 2020-05-13 +modified: 2024-03-25 tags: - attack.persistence - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1112 - - cve.2020.1048 + - cve.2020-1048 logsource: product: windows category: registry_set diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml index 9f9435d3504..c92464cdb97 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml 
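Review bot: The tag list of registry_set_exploit_cve_2020_1048_new_printer_port.yml still carries no `detection.emerging-threats` tag after this normalization pass, while the sibling rule proc_creation_win_exploit_cve_2020_1048.yml on the same line and every other rule under rules-emerging-threats/ in this diff does. Consumers that select emerging-threats content by that tag will silently skip this rule. Adding `- detection.emerging-threats` after `- cve.2020-1048` would close the gap in the same rename commit. The directory-wide convention is inferred from the other hunks here rather than from a visible validator rule, so confirm it against the SigmaHQ tag policy before relying on it.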
@@ -6,15 +6,15 @@ references: - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ - https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html author: Florian Roth (Nextron Systems) -date: 2020/07/15 -modified: 2022/07/12 +date: 2020-07-15 +modified: 2022-07-12 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - attack.execution - attack.t1569.002 - - cve.2020.1350 - - detection.emerging_threats + - cve.2020-1350 + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-14882/web_cve_2020_14882_weblogic_exploit.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-14882/web_cve_2020_14882_weblogic_exploit.yml index 7ef1b190cdf..71e2c1cdc0b 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-14882/web_cve_2020_14882_weblogic_exploit.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-14882/web_cve_2020_14882_weblogic_exploit.yml @@ -7,13 +7,13 @@ references: - https://twitter.com/jas502n/status/1321416053050667009?s=20 - https://twitter.com/sudo_sudoka/status/1323951871078223874 author: Florian Roth (Nextron Systems) -date: 2020/11/02 -modified: 2023/01/02 +date: 2020-11-02 +modified: 2023-01-02 tags: - attack.t1190 - - attack.initial_access - - cve.2020.14882 - - detection.emerging_threats + - attack.initial-access + - cve.2020-14882 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-28188/web_cve_2020_28188_terramaster_rce_exploit.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-28188/web_cve_2020_28188_terramaster_rce_exploit.yml index 2532ee91fa4..74554a297f5 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-28188/web_cve_2020_28188_terramaster_rce_exploit.yml 
+++ b/rules-emerging-threats/2020/Exploits/CVE-2020-28188/web_cve_2020_28188_terramaster_rce_exploit.yml @@ -6,13 +6,13 @@ references: - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ author: Bhabesh Raj -date: 2021/01/25 -modified: 2023/01/02 +date: 2021-01-25 +modified: 2023-01-02 tags: - attack.t1190 - - attack.initial_access - - cve.2020.28188 - - detection.emerging_threats + - attack.initial-access + - cve.2020-28188 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-3452/web_cve_2020_3452_cisco_asa_ftd.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-3452/web_cve_2020_3452_cisco_asa_ftd.yml index 631b14981de..9b228f6b139 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-3452/web_cve_2020_3452_cisco_asa_ftd.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-3452/web_cve_2020_3452_cisco_asa_ftd.yml @@ -6,13 +6,13 @@ references: - https://twitter.com/aboul3la/status/1286012324722155525 - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter author: Florian Roth (Nextron Systems) -date: 2021/01/07 -modified: 2023/01/02 +date: 2021-01-07 +modified: 2023-01-02 tags: - attack.t1190 - - attack.initial_access - - cve.2020.3452 - - detection.emerging_threats + - attack.initial-access + - cve.2020-3452 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-5902/web_cve_2020_5902_f5_bigip.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-5902/web_cve_2020_5902_f5_bigip.yml index 02eb6308523..50d48913ffa 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-5902/web_cve_2020_5902_f5_bigip.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-5902/web_cve_2020_5902_f5_bigip.yml 
@@ -8,13 +8,13 @@ references: - https://twitter.com/yorickkoster/status/1279709009151434754 - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/ author: Florian Roth (Nextron Systems) -date: 2020/07/05 -modified: 2023/01/02 +date: 2020-07-05 +modified: 2023-01-02 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2020.5902 - - detection.emerging_threats + - cve.2020-5902 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.yml index a0e6c7d38cf..7bb5e5cd591 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.yml @@ -7,14 +7,14 @@ references: - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/ - https://dmaasland.github.io/posts/citrix.html author: Florian Roth (Nextron Systems) -date: 2020/07/10 -modified: 2023/01/02 +date: 2020-07-10 +modified: 2023-01-02 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2020.8193 - - cve.2020.8195 - - detection.emerging_threats + - cve.2020-8193 + - cve.2020-8195 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml index 8dffd61b8fb..49aa7d15a71 100644 --- a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml +++ b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml 
@@ -8,13 +8,13 @@ description: Attempts to detect system changes made by Blue Mockingbird references: - https://redcanary.com/blog/blue-mockingbird-cryptominer/ author: Trent Liffick (@tliffick) -date: 2020/05/14 -modified: 2022/10/09 +date: 2020-05-14 +modified: 2022-10-09 tags: - attack.execution - attack.t1112 - attack.t1047 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml b/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml index f346161c7c8..b4a1693f3d7 100644 --- a/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml +++ b/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml @@ -5,11 +5,11 @@ description: Detects Turla ComRAT network communication. references: - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf author: Florian Roth (Nextron Systems) -date: 2020/05/26 -modified: 2024/02/26 +date: 2020-05-26 +modified: 2024-02-26 tags: - - attack.defense_evasion - - attack.command_and_control + - attack.defense-evasion + - attack.command-and-control - attack.t1071.001 - attack.g0010 logsource: diff --git a/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml b/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml index 2c4388fc6e9..f807c753af0 100644 --- a/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml +++ b/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml 
@@ -6,12 +6,12 @@ references: - https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html - https://cyber.wtf/2021/11/15/guess-whos-back/ author: FPT.EagleEye -date: 2020/12/25 -modified: 2023/02/21 +date: 2020-12-25 +modified: 2023-02-21 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml b/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml index 242d1dfdbe2..bc4cca8e578 100644 --- a/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml +++ b/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml @@ -7,8 +7,8 @@ description: | references: - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new author: NVISO -date: 2020/06/09 -modified: 2024/03/20 +date: 2020-06-09 +modified: 2024-03-20 tags: - attack.persistence - attack.t1112 diff --git a/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml b/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml index 58866ae9baa..adac2bf9584 100644 --- a/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml +++ b/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml 
@@ -6,13 +6,13 @@ references: - https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ author: Markus Neis, Swisscom -date: 2020/06/18 -modified: 2023/03/10 +date: 2020-06-18 +modified: 2023-03-10 tags: - attack.g0004 - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml b/rules-emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml index 6d75822d024..54ceeb2470b 100644 --- a/rules-emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml +++ b/rules-emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml @@ -7,15 +7,15 @@ references: - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/ - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/ author: Florian Roth (Nextron Systems) -date: 2020/05/08 -modified: 2023/02/13 +date: 2020-05-08 +modified: 2023-02-13 tags: - attack.execution - attack.t1204.002 - attack.t1047 - attack.impact - attack.t1490 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml b/rules-emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml index 7a4b3698fba..940bead7b82 100644 --- a/rules-emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml +++ b/rules-emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml 
@@ -9,12 +9,12 @@ references: - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20 - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ author: Florian Roth (Nextron Systems) -date: 2020/11/26 -modified: 2021/11/27 +date: 2020-11-26 +modified: 2021-11-27 tags: - attack.execution - attack.t1559 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml b/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml index 8abe44593d0..930f8267529 100644 --- a/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml +++ b/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml @@ -6,12 +6,12 @@ references: - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/ author: Florian Roth (Nextron Systems) -date: 2020/07/10 -modified: 2023/03/09 +date: 2020-07-10 +modified: 2023-03-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml b/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml index 02826244920..f9741258feb 100644 --- a/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml +++ b/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml 
@@ -6,15 +6,15 @@ references: - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml author: Tim Burrell -date: 2020/02/07 -modified: 2023/03/09 +date: 2020-02-07 +modified: 2023-03-09 tags: - - attack.credential_access - - attack.command_and_control + - attack.credential-access + - attack.command-and-control - attack.t1212 - attack.t1071 - attack.g0093 - - detection.emerging_threats + - detection.emerging-threats logsource: product: windows category: process_creation diff --git a/rules-emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml b/rules-emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml index da9bd3b2fbc..1bb1cba27dd 100644 --- a/rules-emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml +++ b/rules-emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml @@ -9,13 +9,13 @@ references: - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) author: Tim Burrell -date: 2020/02/07 -modified: 2023/01/02 +date: 2020-02-07 +modified: 2023-01-02 tags: - - attack.credential_access - - attack.command_and_control + - attack.credential-access + - attack.command-and-control - attack.t1071 - - detection.emerging_threats + - detection.emerging-threats logsource: product: windows service: dns-server-analytic diff --git a/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml b/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml index b3860c4ddae..af71f84386d 100644 --- a/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml 
+++ b/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml @@ -5,17 +5,17 @@ description: Detects tools and process executions used by Greenbug in their May references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia author: Florian Roth (Nextron Systems) -date: 2020/05/20 -modified: 2023/03/09 +date: 2020-05-20 +modified: 2023-03-09 tags: - attack.g0049 - attack.execution - attack.t1059.001 - - attack.command_and_control + - attack.command-and-control - attack.t1105 - - attack.defense_evasion + - attack.defense-evasion - attack.t1036.005 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml b/rules-emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml index 5fe0e08cc3a..0019fe9b310 100644 --- a/rules-emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml +++ b/rules-emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml @@ -2,20 +2,20 @@ title: Lazarus Group Activity id: 24c4d154-05a4-4b99-b57d-9b977472443a related: - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e - type: obsoletes + type: obsolete status: test description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity references: - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ - https://www.hvs-consulting.de/lazarus-report/ author: Florian Roth (Nextron Systems), wagga -date: 2020/12/23 -modified: 2023/03/10 +date: 2020-12-23 +modified: 2023-03-10 tags: - attack.g0032 - attack.execution - attack.t1059 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows 
diff --git a/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml b/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml index 52c4d55a351..da0ce128255 100644 --- a/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml +++ b/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml @@ -5,12 +5,12 @@ description: Detects registry key used by Leviathan APT in Malaysian focused cam references: - https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign author: Aidan Bracher -date: 2020/07/07 -modified: 2023/09/19 +date: 2020-07-07 +modified: 2023-09-19 tags: - attack.persistence - attack.t1547.001 - - detection.emerging_threats + - detection.emerging-threats logsource: category: registry_event product: windows diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml index c383d3d1b90..3ae86ca4a96 100644 --- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml +++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml @@ -5,12 +5,12 @@ description: Detects a specific process creation patterns as seen used by UNC245 references: - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ author: Florian Roth (Nextron Systems) -date: 2021/01/22 -modified: 2023/09/12 +date: 2021-01-22 +modified: 2023-09-12 tags: - attack.execution - attack.t1059.001 - - detection.emerging_threats + - detection.emerging-threats # - sunburst # - unc2452 logsource: 
diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml index d4fdd2f6bbd..43bdcd5a055 100644 --- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml +++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml @@ -7,13 +7,13 @@ references: - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command author: Florian Roth (Nextron Systems) -date: 2021/01/20 -modified: 2022/10/09 +date: 2021-01-20 +modified: 2022-10-09 tags: - attack.execution - attack.t1059.001 - attack.t1047 - - detection.emerging_threats + - detection.emerging-threats # - sunburst logsource: category: process_creation diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml index 099f44914a8..64db6e2a668 100644 --- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml +++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml 
@@ -5,12 +5,12 @@ description: Detects suspicious inline VBScript keywords as used by UNC2452 references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ author: Florian Roth (Nextron Systems) -date: 2021/03/05 -modified: 2022/10/09 +date: 2021-03-05 +modified: 2022-10-09 tags: - attack.persistence - attack.t1547.001 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/web_solarwinds_supernova_webshell.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/web_solarwinds_supernova_webshell.yml index 6cb4f1ab618..4df6bafda30 100644 --- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/web_solarwinds_supernova_webshell.yml +++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/web_solarwinds_supernova_webshell.yml @@ -6,12 +6,12 @@ references: - https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/ - https://www.anquanke.com/post/id/226029 author: Florian Roth (Nextron Systems) -date: 2020/12/17 -modified: 2023/01/02 +date: 2020-12-17 +modified: 2023-01-02 tags: - attack.persistence - attack.t1505.003 - - detection.emerging_threats + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml b/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml index b22f9316058..389743136a4 100644 --- a/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml +++ b/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml 
@@ -5,12 +5,12 @@ description: Detects specific process characteristics of Chinese TAIDOOR RAT mal references: - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a author: Florian Roth (Nextron Systems) -date: 2020/07/30 -modified: 2021/11/27 +date: 2020-07-30 +modified: 2021-11-27 tags: - attack.execution - attack.t1055.001 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml index fef1944010b..ca664b055a8 100644 --- a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml +++ b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml @@ -5,13 +5,13 @@ description: Detects specific process characteristics of Winnti malware noticed references: - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ author: Florian Roth (Nextron Systems), Markus Neis -date: 2020/02/01 -modified: 2021/11/27 +date: 2020-02-01 +modified: 2021-11-27 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.002 - attack.g0044 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml index 4bc4e518026..98bc54074b8 100644 --- a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml +++ b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml 
@@ -5,13 +5,13 @@ description: Detects specific process characteristics of Winnti Pipemon malware references: - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ author: Florian Roth (Nextron Systems), oscd.community -date: 2020/07/30 -modified: 2021/11/27 +date: 2020-07-30 +modified: 2021-11-27 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.002 - attack.g0044 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml index 6fb8305303b..672fda3460e 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml @@ -7,10 +7,10 @@ references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 author: Sittikorn S, Nuttakorn T, Tim Shelton -date: 2021/07/01 -modified: 2023/10/23 +date: 2021-07-01 +modified: 2023-10-23 tags: - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1055 logsource: category: antivirus diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml index 732e60b13cd..13082f6a4b0 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml 
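Review bot: av_printernightmare_cve_2021_34527.yml is left with only `attack.privilege-escalation` and `attack.t1055` as tags, although its references cite both CVE-2021-1675 and CVE-2021-34527 and the sibling rule win_security_exploit_cve_2021_1675_printspooler_security.yml in this diff tags `cve.2021-1675`, `cve.2021-34527` and `detection.emerging-threats`. Without the CVE tags, vulnerability-centric searches across the rule set will not surface this detection. Consider appending `- cve.2021-1675`, `- cve.2021-34527` and `- detection.emerging-threats` to the tags list. Whether the emerging-threats tag is mandatory for rules in this directory is inferred from the surrounding hunks, not from a visible policy.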
@@ -7,15 +7,15 @@ references: - https://github.com/afwu/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 author: Florian Roth (Nextron Systems) -date: 2021/06/29 -modified: 2022/12/25 +date: 2021-06-29 +modified: 2022-12-25 tags: - attack.execution - - attack.privilege_escalation - - attack.resource_development + - attack.privilege-escalation + - attack.resource-development - attack.t1587 - - cve.2021.1675 - - detection.emerging_threats + - cve.2021-1675 + - detection.emerging-threats logsource: category: file_event product: windows diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml index 316cbe81d02..008aa75f77f 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml @@ -7,13 +7,13 @@ references: - https://github.com/afwu/PrintNightmare - https://twitter.com/fuzzyf10w/status/1410202370835898371 author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton -date: 2021/06/30 -modified: 2022/11/15 +date: 2021-06-30 +modified: 2022-11-15 tags: - attack.execution - attack.t1569 - - cve.2021.1675 - - detection.emerging_threats + - cve.2021-1675 + - detection.emerging-threats logsource: product: windows service: printservice-admin diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml index 8acc1668bda..21eec5b9d2a 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml 
@@ -5,13 +5,13 @@ description: Detects driver load events print service operational log that are a
 references:
 - https://twitter.com/MalwareJake/status/1410421967463731200
 author: Florian Roth (Nextron Systems)
-date: 2021/07/01
-modified: 2022/10/09
+date: 2021-07-01
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1569
- - cve.2021.1675
- - detection.emerging_threats
+ - cve.2021-1675
+ - detection.emerging-threats
 logsource:
 product: windows
 service: printservice-operational
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
index ba211de2ffa..8d6ca93027d 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
@@ -5,14 +5,14 @@ description: Detects remote printer driver load from Detailed File Share in Secu
 references:
 - https://twitter.com/INIT_3/status/1410662463641731075
 author: INIT_6
-date: 2021/07/02
-modified: 2022/10/05
+date: 2021-07-02
+modified: 2022-10-05
 tags:
 - attack.execution
 - attack.t1569
- - cve.2021.1675
- - cve.2021.34527
- - detection.emerging_threats
+ - cve.2021-1675
+ - cve.2021-34527
+ - detection.emerging-threats
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-2109/web_cve_2021_2109_weblogic_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-2109/web_cve_2021_2109_weblogic_rce_exploit.yml
index 07307428a61..f418142bf3e 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-2109/web_cve_2021_2109_weblogic_rce_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-2109/web_cve_2021_2109_weblogic_rce_exploit.yml
@@ -6,13 +6,13 @@ references:
 - https://twitter.com/pyn3rd/status/1351696768065409026
 - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
 author: Bhabesh Raj
-date: 2021/01/20
-modified: 2023/01/02
+date: 2021-01-20
+modified: 2023-01-02
 tags:
 - attack.t1190
- - attack.initial_access
- - cve.2021.2109
- - detection.emerging_threats
+ - attack.initial-access
+ - cve.2021-2109
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
index 2d26b9c5223..9bf9b01ee8f 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
@@ -7,13 +7,13 @@ references:
 - https://f5.pm/go-59627.html
 - https://swarm.ptsecurity.com/unauth-rce-vmware
 author: Bhabesh Raj
-date: 2021/02/24
-modified: 2023/01/02
+date: 2021-02-24
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.21972
- - detection.emerging_threats
+ - cve.2021-21972
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml
index b98bf2ccb91..f2c25cdbd09 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml
@@ -6,13 +6,13 @@ references:
 - https://twitter.com/wugeej/status/1369476795255320580
 - https://paper.seebug.org/1495/
 author: Bhabesh Raj
-date: 2020/03/10
-modified: 2023/01/02
+date: 2020-03-10
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.21978
- - detection.emerging_threats
+ - cve.2021-21978
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-22005/web_cve_2021_22005_vmware_file_upload.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-22005/web_cve_2021_22005_vmware_file_upload.yml
index 15ab5f0d55a..0c7f2e6f373 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-22005/web_cve_2021_22005_vmware_file_upload.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-22005/web_cve_2021_22005_vmware_file_upload.yml
@@ -6,13 +6,13 @@ references:
 - https://kb.vmware.com/s/article/85717
 - https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server
 author: Sittikorn S
-date: 2021/09/24
-modified: 2023/01/02
+date: 2021-09-24
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.22005
- - detection.emerging_threats
+ - cve.2021-22005
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-22123/web_cve_2021_22123_fortinet_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-22123/web_cve_2021_22123_fortinet_exploit.yml
index d107b16fe65..f60a69b1a92 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-22123/web_cve_2021_22123_fortinet_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-22123/web_cve_2021_22123_fortinet_exploit.yml
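Review bot: `date: 2020-03-10` on the new side of `web_cve_2021_21978_vmware_view_planner_exploit.yml` places the rule's creation a year before the CVE-2021 identifier it tags, and the reformat carried that value over unchanged from `2020/03/10`. Since `date` is meant to be the creation date, this looks like a pre-existing typo for `date: 2021-03-10`; worth confirming against the file's history before changing it, as the format migration is otherwise mechanical.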
@@ -5,13 +5,13 @@ description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
 references:
 - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
 author: Bhabesh Raj, Florian Roth
-date: 2021/08/19
-modified: 2023/01/02
+date: 2021-08-19
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.22123
- - detection.emerging_threats
+ - cve.2021-22123
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-22893/web_cve_2021_22893_pulse_secure_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-22893/web_cve_2021_22893_pulse_secure_rce_exploit.yml
index 53596e987dd..6c7eac62f44 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-22893/web_cve_2021_22893_pulse_secure_rce_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-22893/web_cve_2021_22893_pulse_secure_rce_exploit.yml
@@ -6,13 +6,13 @@ references:
 - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
 - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
 author: Sittikorn S
-date: 2021/06/29
-modified: 2023/01/02
+date: 2021-06-29
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.22893
- - detection.emerging_threats
+ - cve.2021-22893
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
index be9db9507e2..71253eea598 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
@@ -7,15 +7,15 @@ references:
 - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
 - https://github.com/h3v0x/CVE-2021-26084_Confluence
 author: Bhabesh Raj
-date: 2021/09/08
-modified: 2023/02/13
+date: 2021-09-08
+modified: 2023-02-13
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.execution
 - attack.t1190
 - attack.t1059
- - cve.2021.26084
- - detection.emerging_threats
+ - cve.2021-26084
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml
index 38e74f8dca5..11b367f60f0 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -8,13 +8,13 @@ references:
 - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
 - https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/
 author: Sittikorn S, Nuttakorn T
-date: 2022/12/13
-modified: 2023/03/24
+date: 2022-12-13
+modified: 2023-03-24
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.26084
- - detection.emerging_threats
+ - cve.2021-26084
+ - detection.emerging-threats
 logsource:
 category: webserver
 definition: 'Requirements: The POST request body data must be collected in order to make use of certain parts of this detection'
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26814/web_cve_2021_26814_wzuh_rce.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26814/web_cve_2021_26814_wzuh_rce.yml
index 7fb0e85edfd..5b6579897b0 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26814/web_cve_2021_26814_wzuh_rce.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26814/web_cve_2021_26814_wzuh_rce.yml
@@ -5,14 +5,14 @@ description: Detects the exploitation of the Wazuh RCE vulnerability described i
 references:
 - https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py
 author: Florian Roth (Nextron Systems)
-date: 2021/05/22
-modified: 2023/01/02
+date: 2021-05-22
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.21978
- - cve.2021.26814
- - detection.emerging_threats
+ - cve.2021-21978
+ - cve.2021-26814
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
index 2814b27485e..0e58b8333ac 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
@@ -5,13 +5,13 @@ description: Detects possible successful exploitation for vulnerability describe
 references:
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 author: Bhabesh Raj
-date: 2021/03/03
-modified: 2023/02/07
+date: 2021-03-03
+modified: 2023-02-07
 tags:
 - attack.t1203
 - attack.execution
- - cve.2021.26857
- - detection.emerging_threats
+ - cve.2021-26857
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
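Review bot: The tag list of `web_cve_2021_26814_wzuh_rce.yml` still carries `cve.2021-21978`, which elsewhere in this commit is the tag of the VMware View Planner rule (`web_cve_2021_21978_vmware_view_planner_exploit.yml`); for a rule whose only reference is the CVE-2021-26814 PoC this reads like a copy-paste leftover that the rename preserved rather than cleaned up. Unless the rule intentionally covers both vulnerabilities, drop the `- cve.2021-21978` line so the CVE tag does not mis-route triage of the alert.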
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml
index fb306ec5e9b..89f8abfb7ac 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml
@@ -8,13 +8,13 @@ description: |
 references:
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 author: Bhabesh Raj
-date: 2021/03/03
-modified: 2022/10/09
+date: 2021-03-03
+modified: 2022-10-09
 tags:
 - attack.t1203
 - attack.execution
- - cve.2021.26858
- - detection.emerging_threats
+ - cve.2021-26858
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
index d71abd00859..2c303cdb6e5 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
@@ -5,12 +5,12 @@ description: When exploiting this vulnerability with CVE-2021-26858, an SSRF att
 references:
 - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
 author: frack113
-date: 2021/08/10
-modified: 2023/05/08
+date: 2021-08-10
+modified: 2023-05-08
 tags:
- - cve.2021.26858
- - detection.emerging_threats
- - attack.initial_access
+ - cve.2021-26858
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: webserver
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml
index 137cb1afc0b..a543dbf50bf 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml
@@ -9,13 +9,13 @@ references:
 - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
 - https://github.com/murataydemir/CVE-2021-27905
 author: '@gott_cyber'
-date: 2022/12/11
-modified: 2023/03/24
+date: 2022-12-11
+modified: 2023-03-24
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.27905
- - detection.emerging_threats
+ - cve.2021-27905
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml
index f0fa5faaf8b..71352079024 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml
@@ -5,13 +5,13 @@ description: Detects successful exploitation of Exchange vulnerability as report
 references:
 - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
 author: Florian Roth (Nextron Systems)
-date: 2021/05/14
-modified: 2023/01/02
+date: 2021-05-14
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.28480
- - detection.emerging_threats
+ - cve.2021-28480
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml
index 9412e771010..bfb33e8837c 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml
@@ -5,13 +5,13 @@ description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerabi
 references:
 - https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
 author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2023/01/02
+date: 2021-08-30
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.33766
- - detection.emerging_threats
+ - cve.2021-33766
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
index ae86571a4b8..d7170608132 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
@@ -5,13 +5,13 @@ description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-3521
 references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth (Nextron Systems)
-date: 2021/07/14
-modified: 2022/12/18
+date: 2021-07-14
+modified: 2022-12-18
 tags:
 - attack.persistence
 - attack.t1136.001
- - cve.2021.35211
- - detection.emerging_threats
+ - cve.2021-35211
+ - detection.emerging-threats
 # - threat_group.DEV-0322
 logsource:
 category: process_creation
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
index 5a93cde8583..7c89888a30c 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
 - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
 author: Florian Roth (Nextron Systems), Sittikorn S
-date: 2021/09/10
-modified: 2023/06/22
+date: 2021-09-10
+modified: 2023-06-22
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
index 432db6d0f6b..b3aa1b846f4 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
@@ -7,13 +7,13 @@ references:
 - https://twitter.com/neonprimetime/status/1435584010202255375
 - https://www.joesandbox.com/analysis/476188/1/iochtml
 author: Florian Roth (Nextron Systems), @neonprimetime
-date: 2021/09/08
-modified: 2023/02/04
+date: 2021-09-08
+modified: 2023-02-04
 tags:
 - attack.execution
 - attack.t1059
- - cve.2021.40444
- - detection.emerging_threats
+ - cve.2021-40444
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
index 286d33c8301..557ba1d39fa 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
@@ -7,13 +7,13 @@ references:
 - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
 author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
-date: 2022/06/02
-modified: 2023/02/04
+date: 2022-06-02
+modified: 2023-02-04
 tags:
 - attack.execution
- - attack.defense_evasion
- - cve.2021.40444
- - detection.emerging_threats
+ - attack.defense-evasion
+ - cve.2021-40444
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml
index ced6e84b8a4..10bc4a142ce 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml
@@ -5,12 +5,12 @@ description: Detects suspicious access to URLs that was noticed in cases in whic
 references:
 - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
 author: Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems)
-date: 2021/09/20
-modified: 2023/01/02
+date: 2021-09-20
+modified: 2023-01-02
 tags:
- - cve.2021.40539
- - detection.emerging_threats
- - attack.initial_access
+ - cve.2021-40539
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: webserver
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
index 01de77c1e77..675291f8d77 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
@@ -7,15 +7,15 @@ references:
 - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
 - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
 author: Sittikorn S, Nuttakorn Tungpoonsup
-date: 2021/09/10
-modified: 2023/01/02
+date: 2021-09-10
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.persistence
 - attack.t1505.003
- - cve.2021.40539
- - detection.emerging_threats
+ - cve.2021-40539
+ - detection.emerging-threats
 logsource:
 category: webserver
 definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml
index 435a65dfaf1..516c52d50cb 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/klinix5/InstallerFileTakeOver
 - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
 author: Florian Roth (Nextron Systems)
-date: 2021/11/22
-modified: 2022/12/25
+date: 2021-11-22
+modified: 2022-12-25
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
index 7a0472f42cd..90b5fb8cbdb 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
@@ -8,13 +8,13 @@ references:
 - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
 - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
 author: Florian Roth (Nextron Systems)
-date: 2021/11/22
-modified: 2023/02/13
+date: 2021-11-22
+modified: 2023-02-13
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
- - cve.2021.41379
- - detection.emerging_threats
+ - cve.2021-41379
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
index 797de7af30c..1b208b43e5f 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
@@ -5,12 +5,12 @@ description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
 references:
 - https://github.com/klinix5/InstallerFileTakeOver
 author: Florian Roth (Nextron Systems)
-date: 2021/11/22
-modified: 2022/07/12
+date: 2021-11-22
+modified: 2022-07-12
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: application
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml
index b9bec4de812..0abef9538e2 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml
@@ -15,13 +15,13 @@ references:
 - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml
 - https://twitter.com/bl4sty/status/1445462677824761878
 author: daffainfo, Florian Roth
-date: 2021/10/05
-modified: 2023/01/02
+date: 2021-10-05
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.41773
- - detection.emerging_threats
+ - cve.2021-41773
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
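Review bot: `win_vul_cve_2021_41379.yml` describes a local privilege-escalation PoC (`description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379`) yet its new-side tags are `attack.initial-access` / `attack.t1190`, the "exploit public-facing application" pairing, while the two sibling CVE-2021-41379 rules in this commit use `attack.privilege-escalation` / `attack.t1068`; it also lacks the `cve.2021-41379` tag they carry. The rename preserved that mapping unchanged, but `- attack.privilege-escalation`, `- attack.t1068` and `- cve.2021-41379` look like the intended tags here — worth confirming with the rule author rather than fixing blind, since the ATT&CK tag drives how the alert is triaged.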
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-42237/web_cve_2021_42237_sitecore_report_ashx.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-42237/web_cve_2021_42237_sitecore_report_ashx.yml
index f0c139860da..3bc185978ce 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-42237/web_cve_2021_42237_sitecore_report_ashx.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-42237/web_cve_2021_42237_sitecore_report_ashx.yml
@@ -6,13 +6,13 @@ references:
 - https://blog.assetnote.io/2021/11/02/sitecore-rce/
 - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
 author: Florian Roth (Nextron Systems)
-date: 2021/11/17
-modified: 2023/01/02
+date: 2021-11-17
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.42237
- - detection.emerging_threats
+ - cve.2021-42237
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
index 13c9a2c6d8b..35cb6262bcd 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
@@ -11,13 +11,13 @@ description: |
 references:
 - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
 author: frack113
-date: 2021/12/15
-modified: 2023/04/14
+date: 2021-12-15
+modified: 2023-04-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558.003
- - cve.2021.42278
- - detection.emerging_threats
+ - cve.2021-42278
+ - detection.emerging-threats
 logsource:
 product: windows
 service: system
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
index 3e1920597c6..fb9a6778a28 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
@@ -5,12 +5,12 @@ description: Detects the renaming of an existing computer account to a account n
 references:
 - https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
 author: Florian Roth (Nextron Systems)
-date: 2021/12/22
-modified: 2022/12/25
+date: 2021-12-22
+modified: 2022-12-25
 tags:
- - cve.2021.42287
- - detection.emerging_threats
- - attack.defense_evasion
+ - cve.2021-42287
+ - detection.emerging-threats
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1036
 - attack.t1098
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-43798/web_cve_2021_43798_grafana.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-43798/web_cve_2021_43798_grafana.yml
index 7de10c0cc17..0aa78725964 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-43798/web_cve_2021_43798_grafana.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-43798/web_cve_2021_43798_grafana.yml
@@ -6,13 +6,13 @@ references:
 - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
 - https://github.com/search?q=CVE-2021-43798
 author: Florian Roth (Nextron Systems)
-date: 2021/12/08
-modified: 2023/01/02
+date: 2021-12-08
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.43798
- - detection.emerging_threats
+ - cve.2021-43798
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml
index 579b9f5fb5d..ff82a21b5bb 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml
@@ -6,11 +6,11 @@ references:
 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
 - https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/06
+date: 2022-06-06
 tags:
 - attack.execution
- - cve.2021.44077
- - detection.emerging_threats
+ - cve.2021-44077
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml
index 28a988627e8..4ca92e77352 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml
@@ -10,12 +10,12 @@ references:
 - https://github.com/YfryTchsGD/Log4jAttackSurface
 - https://twitter.com/shutingrz/status/1469255861394866177?s=21
 author: Florian Roth (Nextron Systems)
-date: 2021/12/10
-modified: 2022/02/06
+date: 2021-12-10
+modified: 2022-02-06
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
index 8707f74931c..f32e05d83c3 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
@@ -10,13 +10,13 @@ references:
 - https://github.com/YfryTchsGD/Log4jAttackSurface
 - https://twitter.com/shutingrz/status/1469255861394866177?s=21
 author: Florian Roth (Nextron Systems)
-date: 2021/12/10
-modified: 2023/01/02
+date: 2021-12-10
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.44228
- - detection.emerging_threats
+ - cve.2021-44228
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml
index b7ac162c2f2..d26e16850ea 100644
--- a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml
+++ b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml
@@ -7,12 +7,12 @@ references:
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 author: Florian Roth (Nextron Systems), Rich Warren
-date: 2021/08/07
-modified: 2023/01/02
+date: 2021-08-07
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell_successful.yml b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell_successful.yml
index b0389a2d1cf..380619555d5 100644
--- a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell_successful.yml
+++ b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell_successful.yml
@@ -7,11 +7,11 @@ references:
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 author: Florian Roth (Nextron Systems), Rich Warren
-date: 2021/08/09
-modified: 2023/01/02
+date: 2021-08-09
+modified: 2023-01-02
 tags:
- - attack.initial_access
- - detection.emerging_threats
+ - attack.initial-access
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
index 150db91d60c..e44c7aef98f 100644
--- a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
+++ b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/j0nh4t/status/1429049506021138437
 - https://streamable.com/q2dsji
 author: Florian Roth (Nextron Systems), Maxime Thiebaut
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1553
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml b/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml
index 3cec35fb5c5..823044399a7 100644
--- a/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml
+++ b/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml
@@ -5,12 +5,12 @@ description: Detects an exploitation attempt of SystemNightmare in order to obta
 references:
 - https://github.com/GossiTheDog/SystemNightmare
 author: Florian Roth (Nextron Systems)
-date: 2021/08/11
-modified: 2023/02/04
+date: 2021-08-11
+modified: 2023-02-04
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/web_sonicwall_jarrewrite_exploit.yml b/rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/web_sonicwall_jarrewrite_exploit.yml
index 58e4efd6d7b..a477851bd9c 100644
--- a/rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/web_sonicwall_jarrewrite_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/web_sonicwall_jarrewrite_exploit.yml
@@ -6,12 +6,12 @@ references:
 - https://web.archive.org/web/20210126045316/https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
 - https://github.com/darrenmartyn/VisualDoor
 author: Florian Roth (Nextron Systems)
-date: 2021/01/25
-modified: 2023/04/27
+date: 2021-01-25
+modified: 2023-04-27
 tags:
 - attack.t1190
- - attack.initial_access
- - detection.emerging_threats
+ - attack.initial-access
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml b/rules-emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
index f579a65b1ba..1fc3b0f0756 100644
--- a/rules-emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules-emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -6,15 +6,15 @@ references:
 - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
 author: Sittikorn S
-date: 2021/07/16
-modified: 2022/10/09
+date: 2021-07-16
+modified: 2022-10-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1566
 - attack.t1203
- - cve.2021.33771
- - cve.2021.31979
- - detection.emerging_threats
+ - cve.2021-33771
+ - cve.2021-31979
+ - detection.emerging-threats
 # - threat_group.Sourgum
 logsource:
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
index 5f241efdc07..16223daa0cd 100644
--- a/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
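Review bot: The commented-out context line `# - threat_group.Sourgum` keeps the underscore form while every live tag around it was moved to hyphens (`attack.credential-access`, `detection.emerging-threats`), so if it is ever uncommented it will not follow the new naming scheme. Either update it in the same sweep, if the `threat_group` namespace has a hyphenated form, or remove the dead line if that namespace is not used by the validators. The same commented tag appears in the registry_set rule whose hunk (`@@ -6,15 +6,15 @@`) immediately follows this one.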
@@ -6,15 +6,15 @@ references:
 - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
 author: Sittikorn S, frack113
-date: 2021/07/16
-modified: 2023/08/17
+date: 2021-07-16
+modified: 2023-08-17
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1566
 - attack.t1203
- - cve.2021.33771
- - cve.2021.31979
- - detection.emerging_threats
+ - cve.2021-33771
+ - cve.2021-31979
+ - detection.emerging-threats
 # - threat_group.Sourgum
 logsource:
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml b/rules-emerging-threats/2021/Exploits/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
index e60ac7f602d..5ededa21ae8 100644
--- a/rules-emerging-threats/2021/Exploits/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
@@ -7,14 +7,14 @@ references:
 - https://www.tenable.com/security/research/tra-2021-13
 - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
 author: Bhabesh Raj
-date: 2021/08/24
-modified: 2023/01/02
+date: 2021-08-24
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.20090
- - cve.2021.20091
- - detection.emerging_threats
+ - cve.2021-20090
+ - cve.2021-20091
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml b/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
index d9a60810995..de165f3e921 100644
--- a/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
+++ b/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
@@ -5,12 +5,12 @@ description: Detects log entries that appear in exploitation attempts against MS
 references:
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
 author: 'Florian Roth (Nextron Systems), @testanull'
-date: 2021/11/18
-modified: 2022/07/12
+date: 2021-11-18
+modified: 2022-07-12
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: msexchange-management
diff --git a/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml b/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
index 2ad066df41e..e5cf9ef8ab1 100644
--- a/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
+++ b/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
@@ -5,12 +5,12 @@ description: Detects command line patterns used by BlackByte ransomware in diffe
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
 author: Florian Roth (Nextron Systems)
-date: 2022/02/25
-modified: 2023/02/08
+date: 2022-02-25
+modified: 2023-02-08
 tags:
- - detection.emerging_threats
+ - detection.emerging-threats
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1485
 - attack.t1498
diff --git a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml
index 976f3b30286..5c8f564dcd2 100644
--- a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml
+++ b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
+date: 2021-08-09
 tags:
 - attack.t1587.001
- - attack.resource_development
- - detection.emerging_threats
+ - attack.resource-development
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml
index 2c2bf7a2055..db7fd1bbee7 100644
--- a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml
+++ b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
-modified: 2022/10/09
+date: 2021-08-09
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1560
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml
index 20e375e635b..787152827e7 100644
--- a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml
+++ b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml
@@ -6,13 +6,13 @@ references:
 - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
 - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
 author: frack113
-date: 2021/10/12
-modified: 2023/02/13
+date: 2021-10-12
+modified: 2023-02-13
 tags:
 - attack.impact
 - attack.s0575
 - attack.t1486
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
index f8dc2143157..442bd20391d 100644
--- a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
+++ b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
@@ -7,12 +7,12 @@ references:
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
 author: frack113
-date: 2021/08/16
-modified: 2023/05/04
+date: 2021-08-16
+modified: 2023-05-04
 tags:
 - attack.collection
 - attack.t1005
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml b/rules-emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml
index 57bf12bbe04..5950a1b1a0e 100644
--- a/rules-emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml
+++ b/rules-emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml
@@ -7,11 +7,11 @@ references:
 - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
 - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
 author: Florian Roth (Nextron Systems)
-date: 2021/05/14
+date: 2021-05-14
 tags:
 - attack.execution
 - attack.t1204
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
index 63368bd53f0..2608a626942 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
@@ -5,10 +5,10 @@ description: Detects the creation of ".xml" and ".txt" files in folders of the "
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
+date: 2023-05-15
 tags:
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
index b0c3624769e..d7c89048310 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
@@ -9,11 +9,11 @@ references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 - https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
 author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
-date: 2023/05/15
+date: 2023-05-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml
index a741e1530cf..9126575839e 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml
@@ -5,11 +5,11 @@ description: Detects potential C2 communication related to Devil Bait malware
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2023/08/23
+date: 2023-05-15
+modified: 2023-08-23
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml b/rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml
index 18c657f76d1..25f5f5fd5ca 100644
--- a/rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml
+++ b/rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml
@@ -5,12 +5,12 @@ description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb
 references:
 - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
 author: Florian Roth (Nextron Systems)
-date: 2021/09/27
-modified: 2022/12/09
+date: 2021-09-27
+modified: 2022-12-09
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: image_load
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
index a011d515529..65988e33261 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
@@ -5,11 +5,11 @@ description: Detects malicious indicators seen used by the Goofy Guineapig malwa
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/14
+date: 2023-05-14
 tags:
 - attack.execution
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
index 1b60f29cf72..73d6976a29f 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
@@ -5,10 +5,10 @@ description: Detects a specific broken command that was used by Goofy-Guineapig
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: X__Junior (Nextron Systems)
-date: 2023/05/14
+date: 2023-05-14
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
index b01465ca713..7cd983b2d59 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
@@ -5,10 +5,10 @@ description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
+date: 2023-05-15
 tags:
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml
index 56a12c8c75b..a41ba72d85f 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml
@@ -5,10 +5,10 @@ description: Detects potential C2 communication related to Goofy Guineapig backd
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/14
+date: 2023-05-14
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
index a4f6d9eef59..3775939eeb0 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
@@ -5,10 +5,10 @@ description: Detects service creation persistence used by the Goofy Guineapig ba
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
+date: 2023-05-15
 tags:
 - attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: system
diff --git a/rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml b/rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml
index 3a0a1f288af..861eee5430c 100644
--- a/rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml
+++ b/rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml
@@ -8,13 +8,13 @@ description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in
 references:
 - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
 author: Bhabesh Raj
-date: 2021/05/06
-modified: 2023/05/05
+date: 2021-05-06
+modified: 2023-05-05
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
index 743db3a5161..0abc66e0466 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
@@ -11,12 +11,12 @@ references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
 - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
 author: Bhabesh Raj
-date: 2021/05/05
-modified: 2023/02/17
+date: 2021-05-05
+modified: 2023-02-17
 tags:
 - attack.persistence
 - attack.t1574.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
index ad9a1165aa5..8c00d5ef04b 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
@@ -11,12 +11,12 @@ references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
 - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
 author: Bhabesh Raj
-date: 2021/05/05
-modified: 2023/02/17
+date: 2021-05-05
+modified: 2023-02-17
 tags:
 - attack.persistence
 - attack.t1574.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: image_load
diff --git a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
index f928d1f1cd6..0e132ce404d 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
@@ -11,12 +11,12 @@ references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
 - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
 author: Bhabesh Raj
-date: 2021/05/05
-modified: 2023/02/17
+date: 2021-05-05
+modified: 2023-02-17
 tags:
 - attack.persistence
 - attack.t1574.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
index 69b13e62a02..291cfbe4d06 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
@@ -5,11 +5,11 @@ description: Detects filename indicators that contain a specific typo seen used
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2023/05/19
+date: 2023-05-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
index ed55aa604bd..086615fd328 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
@@ -5,11 +5,11 @@ description: Detects specific command line argument being passed to a binary as
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/19
+date: 2023-05-19
 tags:
 - attack.persistence
 - attack.t1574.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
index 45e49e8d3ed..545a8be9807 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
@@ -5,10 +5,10 @@ description: Detects potential C2 communication related to Small Sieve malware
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/19
+date: 2023-05-19
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
index 43c0d8a9f61..7b64efe9664 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
@@ -5,11 +5,11 @@ description: Detects registry value with specific intentional typo and strings s
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/19
-modified: 2023/08/17
+date: 2023-05-19
+modified: 2023-08-17
 tags:
 - attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: registry_set
 product: windows
diff --git a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
index 64f9681128e..df22ca9ee5a 100644
--- a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
+++ b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
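Review bot: The Small Sieve proxy rule (`proxy_malware_small_sieve_telegram_communication.yml`) still points its only reference at the Goofy Guineapig report, `.../goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf`, although the description names Small Sieve malware; this is a context line the commit touches the neighbours of but does not fix, and it looks like a copy-paste from the Goofy Guineapig rules. The sibling Small Sieve rules in this same diff cite `- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf`, so that line should presumably replace the current reference here. Since the rename sweep already modifies this file, it is a cheap place to correct the analyst-facing source.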
@@ -9,14 +9,14 @@ references:
 - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
 - https://twitter.com/BleepinComputer/status/1372218235949617161
 author: Florian Roth (Nextron Systems)
-date: 2021/03/09
-modified: 2023/03/09
+date: 2021-03-09
+modified: 2023-03-09
 tags:
 - attack.persistence
 - attack.t1546
 - attack.t1053
 - attack.g0125
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml b/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml
index d09df9fad37..7fe447f135e 100644
--- a/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml
+++ b/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml
@@ -6,13 +6,13 @@ references:
 - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 author: Florian Roth (Nextron Systems)
-date: 2021/03/03
-modified: 2023/01/02
+date: 2021-03-03
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.g0125
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml b/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml
index d03b4361dc1..94bb8647c6c 100644
--- a/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml
+++ b/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml
@@ -9,13 +9,13 @@ references:
 - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
 - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
 author: Florian Roth (Nextron Systems)
-date: 2021/07/03
-modified: 2022/05/20
+date: 2021-07-03
+modified: 2022-05-20
 tags:
 - attack.execution
 - attack.t1059
 - attack.g0115
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml b/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml
index 445a5db8135..3e2f5523118 100644
--- a/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml
+++ b/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml
@@ -5,13 +5,13 @@ description: Detects an image load pattern as seen when a tool named PRIVATELOG
 references:
 - https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
 author: Florian Roth (Nextron Systems)
-date: 2021/09/07
-modified: 2022/10/09
+date: 2021-09-07
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: image_load
 product: windows
diff --git a/rules-emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml b/rules-emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml
index 23ce3055ebc..51aba798f31 100644
--- a/rules-emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml
+++ b/rules-emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml
@@ -7,14 +7,14 @@ references:
 - https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
 - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 author: MSTIC, FPT.EagleEye
-date: 2021/06/15
-modified: 2022/10/09
+date: 2021-06-15
+modified: 2022-10-09
 tags:
 - attack.t1546
 - attack.t1546.015
 - attack.persistence
- - attack.privilege_escalation
- - detection.emerging_threats
+ - attack.privilege-escalation
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2021/TA/UNC2546/web_unc2546_dewmode_php_webshell.yml b/rules-emerging-threats/2021/TA/UNC2546/web_unc2546_dewmode_php_webshell.yml
index 3dff842efb7..74cf3dfcb21 100644
--- a/rules-emerging-threats/2021/TA/UNC2546/web_unc2546_dewmode_php_webshell.yml
+++ b/rules-emerging-threats/2021/TA/UNC2546/web_unc2546_dewmode_php_webshell.yml
@@ -5,12 +5,12 @@ description: Detects access to DEWMODE webshell as described in FIREEYE report
 references:
 - https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion
 author: Florian Roth (Nextron Systems)
-date: 2021/02/22
-modified: 2023/01/02
+date: 2021-02-22
+modified: 2023-01-02
 tags:
 - attack.persistence
 - attack.t1505.003
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
index 30168bc4ff5..9111b00b07b 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
@@ -5,12 +5,12 @@ description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumpe
 references:
 - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/12
+date: 2023-04-12
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.execution
- - cve.2023.21554
- - detection.emerging_threats
+ - cve.2023-21554
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml
index c08e2900633..9deaf0c716b 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml
@@ -8,12 +8,12 @@ references:
 - https://github.com/hieuminhnv/CVE-2022-21587-POC
 - https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
 author: Isa Almannaei
-date: 2023/02/13
+date: 2023-02-13
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.21587
- - detection.emerging_threats
+ - cve.2022-21587
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
index a1034de7429..de600e03baa 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
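Review bot: In the QueueJumper hunk (first on this line) the renamed tag `cve.2023-21554` and the description both name CVE-2023-21554, yet the file sits under `rules-emerging-threats/2022/Exploits/CVE-2022-21554/`, so the directory disagrees with the rule's own metadata. The normalisation carries the identifier over as-is, which means one of the two is presumably a pre-existing typo that this pass is the natural moment to settle. If the description is right, moving the file under a `CVE-2023-21554` directory (and the 2023 year folder) is the fix; if the path is right, the tag and description need correcting instead.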
@@ -5,12 +5,12 @@ description: Detects files created during the local privilege exploitation of CV
 references:
 - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
 author: Florian Roth (Nextron Systems)
-date: 2022/04/13
+date: 2022-04-13
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1059.001
- - cve.2022.24527
- - detection.emerging_threats
+ - cve.2022-24527
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
index 5c46a52bbec..3d5ee19a1f8 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
@@ -8,15 +8,15 @@ references:
 - https://twitter.com/cyb3rops/status/1514217991034097664
 - https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
 author: Florian Roth (Nextron Systems)
-date: 2022/04/13
-modified: 2023/02/03
+date: 2022-04-13
+modified: 2023-02-03
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.execution
 - attack.t1569.002
- - cve.2022.26809
- - detection.emerging_threats
+ - cve.2022-26809
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml
index 8902fad19a0..fcd65df6e60 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml
@@ -7,13 +7,13 @@ references:
 - https://www.yang99.top/index.php/archives/82/
 - https://github.com/vnhacker1337/CVE-2022-27925-PoC
 author: '@gott_cyber'
-date: 2022/08/17
-modified: 2023/01/02
+date: 2022-08-17
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.27925
- - detection.emerging_threats
+ - cve.2022-27925
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
index 8cd0fe17492..dc5bd970f8f 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
@@ -9,12 +9,12 @@ references:
 - https://github.com/kagancapar/CVE-2022-29072
 - https://twitter.com/kagancapar/status/1515219358234161153
 author: frack113
-date: 2022/04/17
-modified: 2023/02/07
+date: 2022-04-17
+modified: 2023-02-07
 tags:
 - attack.execution
- - cve.2022.29072
- - detection.emerging_threats
+ - cve.2022-29072
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml
index debb9be8298..45b141547df 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml
@@ -6,10 +6,10 @@ references:
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
 - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
 author: Sittikorn S
-date: 2020/05/31
-modified: 2023/08/17
+date: 2020-05-31
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1221
 logsource:
 product: windows
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml
index 051ba454096..b7d3bc82d72 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml
@@ -8,13 +8,13 @@ description: |
 references:
 - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2023/01/02
+date: 2022-08-12
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.31656
- - detection.emerging_threats
+ - cve.2022-31656
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml
index 01ef72fc07d..02ddd4061e1 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml
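Review bot: In the Follina hunk (first on this line) `+date: 2020-05-31` is converted verbatim, yet the rule covers CVE-2022-30190 and its own second reference is dated 2022/05/30, so the year 2020 looks like a pre-existing typo that the format conversion preserves; `date: 2022-05-31` is the likely intended value, to be confirmed against the rule's history. The tag list here also lacks `detection.emerging-threats`, which every neighbouring emerging-threats rule in this diff carries; if that tag is what emerging-threats tooling keys on, add `    - detection.emerging-threats` after `attack.t1221`. A `cve.2022-30190` tag is likewise absent, unlike the other CVE rules in this set.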
@@ -5,13 +5,13 @@ description: Detects possible exploitation of VMware Workspace ONE Access Admin
 references:
 - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2023/01/02
+date: 2022-08-12
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.31659
- - detection.emerging_threats
+ - cve.2022-31659
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml
index ec4286e571c..cd7829b9239 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml
@@ -7,13 +7,13 @@ references:
 - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
 - https://github.com/apache/spark/pull/36315/files
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/19
-modified: 2023/01/02
+date: 2022-07-19
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.33891
- - detection.emerging_threats
+ - cve.2022-33891
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
index 161dd5a6a5c..5faef40266c 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
@@ -8,13 +8,13 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html
 - https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/29
-modified: 2023/01/02
+date: 2022-09-29
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.36804
- - detection.emerging_threats
+ - cve.2022-36804
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml
index 93a744cd75d..8fddcaa4268 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml
@@ -6,9 +6,9 @@ references:
 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/22
+date: 2022-12-22
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: proxy
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
index bbfdda302a3..23f5815f794 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
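Review bot: In the OWASSRF hunk (`proxy_cve_2022_36804_exchange_owassrf_exploitation.yml`, second on this line) the normalised tag list holds only `attack.initial-access` and `attack.t1190`: there is no `cve.2022-41082` tag even though the directory and both references are about CVE-2022-41080/41082, and no `detection.emerging-threats` tag although the rule lives in the emerging-threats tree. The same gaps apply to the three sibling OWASSRF rules that follow (`proxy_..._poc_exploitation.yml`, `web_..._exploitation.yml`, `web_..._poc_exploitation.yml`; the two web variants do carry `detection.emerging-threats`). Adding `    - cve.2022-41082` to all four, plus `    - detection.emerging-threats` to the two proxy rules, would bring them in line with the rest of this diff. Separately, all four filenames carry `36804`, the Bitbucket CVE of the preceding hunk, which looks like a copy-paste slip worth a rename.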
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
@@ -7,9 +7,9 @@ references:
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
 - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/22
+date: 2022-12-22
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: proxy
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.yml
index 89ef59b0358..7d7ee44df45 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.yml
@@ -6,12 +6,12 @@ references:
 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/22
-modified: 2023/01/02
+date: 2022-12-22
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
index af04159771c..ccae761baff 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
@@ -7,12 +7,12 @@ references:
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
 - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/22
-modified: 2023/01/02
+date: 2022-12-22
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
index 0b02f74d85f..f0cf1fe2ee6 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
@@ -7,13 +7,13 @@ references:
 - https://twitter.com/filip_dragovic/status/1590052248260055041
 - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
-date: 2022/11/10
-modified: 2023/10/23
+date: 2022-11-10
+modified: 2023-10-23
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
- - cve.2022.41120
- - detection.emerging_threats
+ - cve.2022-41120
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml
index 37f152df342..f483b6e47d1 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml
@@ -8,11 +8,11 @@ references:
 - https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
 - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
 author: Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75
-date: 2024/02/08
+date: 2024-02-08
 tags:
- - attack.initial_access
- - cve.2022.42475
- - detection.emerging_threats
+ - attack.initial-access
+ - cve.2022-42475
+ - detection.emerging-threats
 logsource:
 product: fortios
 service: sslvpnd
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
index 9c1ef9ed6b1..675ac8c9d0e 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
@@ -6,12 +6,12 @@ references:
 - https://seclists.org/fulldisclosure/2023/Jan/1
 - https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/20
+date: 2023-01-20
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.44877
- - detection.emerging_threats
+ - cve.2022-44877
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml
index 649685829f5..a057ec3e30d 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml
@@ -7,13 +7,13 @@ references:
 - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
 - https://github.com/rapid7/metasploit-framework/pull/17407
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/27
-modified: 2023/01/02
+date: 2022-12-27
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.46169
- - detection.emerging_threats
+ - cve.2022-46169
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml b/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
index e4c1f2d2600..ceb837f93a8 100644
--- a/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
+++ b/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
@@ -5,11 +5,11 @@ description: Detect access to files and shares with names and extensions used by
 references:
 - https://unit42.paloaltonetworks.com/bluesky-ransomware/
 author: j4son
-date: 2023/05/23
+date: 2023-05-23
 tags:
 - attack.impact
 - attack.t1486
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml b/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
index 0b71e049a6a..58e81dd9701 100644
--- a/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
+++ b/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
@@ -5,13 +5,13 @@ description: Detects remote thread injection events based on action seen used by
 references:
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/27
+date: 2022-09-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218.011
 - attack.t1059.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: create_remote_thread
diff --git a/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml b/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
index 7abb433b491..6e387929610 100644
--- a/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
+++ b/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
@@ -5,13 +5,13 @@ description: Detects process execution patterns found in intrusions related to t
 references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
 author: Florian Roth (Nextron Systems)
-date: 2022/02/25
-modified: 2022/09/09
+date: 2022-02-25
+modified: 2022-09-09
 tags:
 - attack.execution
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
index e8800536468..49395ce7dfe 100644
--- a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
+++ b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
@@ -5,11 +5,11 @@ description: Detects commandline containing reference to files ending with a "."
 author: Nasreddine Bencherchali (Nextron Systems)
 references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
-date: 2022/10/28
-modified: 2023/02/05
+date: 2022-10-28
+modified: 2023-02-05
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml b/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
index bbf92d0e55b..68638151073 100644
--- a/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
+++ b/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
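Review bot: In the Raspberry Robin hunk (second on this line) `author:` precedes `references:`, which is the reverse of every other rule in this diff, where the header order is `references:`, `author:`, `date:`, `modified:`, `tags:`; `win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml` further down has the same inversion with `date:`/`modified:` placed before `references:`. Key order carries no meaning to a YAML loader, so this is style only, but since the commit is already a mechanical pass over rule headers, moving `author:` below the reference list here (and `references:` above `date:` there) would make all the headers diff uniformly.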
@@ -5,12 +5,12 @@ description: This rule detects the execution of the extended storage procedure b
 references:
 - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
 author: Denis Szadkowski, DIRT / DCSO CyTec
-date: 2022/10/09
-modified: 2022/10/09
+date: 2022-10-09
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1546
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: application
diff --git a/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml b/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
index bd763eebf38..d8f9daa99c2 100644
--- a/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
+++ b/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
@@ -5,13 +5,13 @@ description: Detects specific process parameters as used by ACTINIUM scheduled t
 references:
 - https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
 author: Andreas Hunkeler (@Karneades)
-date: 2022/02/07
-modified: 2023/03/18
+date: 2022-02-07
+modified: 2023-03-18
 tags:
 - attack.persistence
 - attack.t1053
 - attack.t1053.005
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml b/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
index f2b09fcbdd2..6ba6df87dbf 100644
--- a/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
+++ b/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
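Review bot: In the Maggie hunk (first on this line) `+modified: 2022-10-09` is identical to `+date: 2022-10-09`, so the field records no change at all; `modified` exists to mark a revision later than the creation date, and a same-day value is either a copy-paste artefact or should simply be absent. Either drop the `modified:` line or, since this commit does touch the file, set it to the date of this change.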
@@ -5,13 +5,13 @@ description: Detects suspicious command line patterns seen being used by MERCURY
 references:
 - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
 author: Florian Roth (Nextron Systems)
-date: 2022/08/26
-modified: 2023/03/10
+date: 2022-08-26
+modified: 2023-03-10
 tags:
 - attack.execution
 - attack.t1059.001
 - attack.g0069
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml
index 914e5b02c97..8740d34657b 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml
@@ -8,12 +8,12 @@ references:
 - https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py
 - https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
 author: Nasreddine Bencherchali (Nextron Systems), Rohit Jain
-date: 2024/06/25
+date: 2024-06-25
 tags:
- - detection.emerging_threats
- - attack.initial_access
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
- - cve.2023.1389
+ - cve.2023-1389
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml
index 751e476b51d..435b685782f 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml
@@ -6,11 +6,11 @@ references:
 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
 - https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
 author: Lars B. P. Frydenskov (Trifork Security)
-date: 2023/10/20
+date: 2023-10-20
 tags:
- - attack.privilege_escalation
- - attack.initial_access
- - detection.emerging_threats
+ - attack.privilege-escalation
+ - attack.initial-access
+ - detection.emerging-threats
 logsource:
 product: cisco
 service: syslog
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml
index 244cb6ae49f..f8536343146 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml
@@ -11,14 +11,14 @@ references:
 - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
 - https://github.com/ForceFledgling/CVE-2023-22518
 author: Andreas Braathen (mnemonic.io)
-date: 2023/11/14
+date: 2023-11-14
 tags:
- - detection.emerging_threats
+ - detection.emerging-threats
 - attack.execution
 - attack.t1059
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2023.22518
+ - cve.2023-22518
 logsource:
 category: process_creation
 product: linux
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
index 0177ca6d902..c4644193a21 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
@@ -11,14 +11,14 @@ references:
 - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
 - https://github.com/ForceFledgling/CVE-2023-22518
 author: Andreas Braathen (mnemonic.io)
-date: 2023/11/14
+date: 2023-11-14
 tags:
- - detection.emerging_threats
+ - detection.emerging-threats
 - attack.execution
 - attack.t1059
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2023.22518
+ - cve.2023-22518
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml
index 7abb0ab2c76..195eddee17d 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml
@@ -11,12 +11,12 @@ references:
 - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
 - https://github.com/ForceFledgling/CVE-2023-22518
 author: Andreas Braathen (mnemonic.io)
-date: 2023/11/14
+date: 2023-11-14
 tags:
- - detection.emerging_threats
- - attack.initial_access
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
- - cve.2023.22518
+ - cve.2023-22518
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml
index 431dcd2e524..9d49404ce96 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml
@@ -11,12 +11,12 @@ references:
 - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
 - https://github.com/ForceFledgling/CVE-2023-22518
 author: Andreas Braathen (mnemonic.io)
-date: 2023/11/14
+date: 2023-11-14
 tags:
- - detection.emerging_threats
- - attack.initial_access
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
- - cve.2023.22518
+ - cve.2023-22518
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
index cc8c4871a88..b23322796e8 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
@@ -9,12 +9,12 @@ references: - https://www.blumira.com/cve-2023-2283/ - https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283 author: Florian Roth (Nextron Systems) -date: 2023/06/09 +date: 2023-06-09 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2023.2283 - - detection.emerging_threats + - cve.2023-2283 + - detection.emerging-threats logsource: product: linux service: sshd diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml index 0fa291b5da9..7692901a2f0 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml @@ -5,13 +5,13 @@ description: Detects changes to the registry values related to outlook that indi references: - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/04/05 -modified: 2023/08/17 +date: 2023-04-05 +modified: 2023-08-17 tags: - attack.persistence - attack.t1137 - - cve.2023.23397 - - detection.emerging_threats + - cve.2023-23397 + - detection.emerging-threats logsource: category: registry_set product: windows diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml index 339cf4adaa4..22d3d975120 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml @@ -3,15 +3,15 @@ id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c status: test description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation. author: Robert Lee @quantum_cookie -date: 2023/03/16 -modified: 2023/03/22 +date: 2023-03-16 +modified: 2023-03-22 references: - https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/ tags: - - attack.credential_access - - attack.initial_access - - cve.2023.23397 - - detection.emerging_threats + - attack.credential-access + - attack.initial-access + - cve.2023-23397 + - detection.emerging-threats logsource: service: security product: windows diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml index 06a5f7e2c34..3f53e26b3ed 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml @@ -5,12 +5,12 @@ description: Detects (failed) outbound connection attempts to internet facing SM references: - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/04/05 -modified: 2024/03/13 +date: 2023-04-05 +modified: 2024-03-13 tags: - attack.exfiltration - - cve.2023.23397 - - detection.emerging_threats + - cve.2023-23397 + - detection.emerging-threats logsource: product: windows service: smbclient-connectivity 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml index 013f7bf3384..d49863552be 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml @@ -6,12 +6,12 @@ references: - https://xz.aliyun.com/t/12175 - https://twitter.com/momika233/status/1626464189261942786 author: Bhabesh Raj -date: 2023/02/23 +date: 2023-02-23 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2023.23752 - - detection.emerging_threats + - cve.2023-23752 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml index f925b9797df..50c0b08df2a 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml @@ -7,11 +7,11 @@ references: - https://twitter.com/parzel2/status/1665726454489915395 - https://github.com/advisories/GHSA-7g5f-wrx8-5ccf author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/06/14 +date: 2023-06-14 tags: - - attack.initial_access - - cve.2023.25157 - - detection.emerging_threats + - attack.initial-access + - cve.2023-25157 + - detection.emerging-threats logsource: category: webserver detection: 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml index 511b3e0cdbf..f48bbfe343d 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml @@ -5,12 +5,12 @@ description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote references: - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/30 +date: 2023-05-30 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2023.25717 - - detection.emerging_threats + - cve.2023-25717 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml index 730fecf86da..72a6705ec73 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml @@ -7,12 +7,12 @@ references: - https://www.zerodayinitiative.com/advisories/ZDI-23-491/ - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/ author: Gregory -date: 2023/10/11 +date: 2023-10-11 tags: - attack.persistence - attack.t1505.001 - - cve.2023.27363 - - detection.emerging_threats + - cve.2023-27363 + - detection.emerging-threats logsource: product: windows category: file_event 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml index 2aea39b1520..043bf3705f4 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml @@ -10,12 +10,12 @@ references: - https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/ - https://labs.watchtowr.com/xortigate-or-cve-2023-27997/ author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems) -date: 2023/07/28 +date: 2023-07-28 tags: - - cve.2023.27997 - - attack.initial_access + - cve.2023-27997 + - attack.initial-access - attack.t1190 - - detection.emerging_threats + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml index d4a4760be1d..6836e626d87 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml 
@@ -8,13 +8,13 @@ references: - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/ - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2023/06/01 -modified: 2023/06/03 +date: 2023-06-01 +modified: 2023-06-03 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2023.34362 - - detection.emerging_threats + - cve.2023-34362 + - detection.emerging-threats logsource: category: file_event product: windows diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml index b445db95cee..5c4f047e579 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml @@ -6,11 +6,11 @@ references: - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/06/03 -modified: 2023/07/28 +date: 2023-06-03 +modified: 2023-07-28 tags: - - cve.2023.34362 - - detection.emerging_threats + - cve.2023-34362 + - detection.emerging-threats - attack.persistence - attack.t1505.003 logsource: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml index f965e14bb59..e961d5c116c 100644 
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml @@ -6,11 +6,11 @@ references: - https://github.com/Wh04m1001/CVE-2023-36874 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/08/23 +date: 2023-08-23 tags: - attack.execution - - cve.2023.36874 - - detection.emerging_threats + - cve.2023-36874 + - detection.emerging-threats logsource: category: file_event product: windows diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml index 74a0f7cc8d4..4cf28f65147 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml @@ -6,12 +6,12 @@ references: - https://github.com/Wh04m1001/CVE-2023-36874 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/08/23 -modified: 2023/10/08 +date: 2023-08-23 +modified: 2023-10-08 tags: - attack.execution - - cve.2023.36874 - - detection.emerging_threats + - cve.2023-36874 + - detection.emerging-threats logsource: category: file_event product: windows diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml index f1715309151..1fc4c9b19d8 100644 
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml @@ -6,11 +6,11 @@ references: - https://github.com/Wh04m1001/CVE-2023-36874 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/08/23 +date: 2023-08-23 tags: - attack.execution - - cve.2023.36874 - - detection.emerging_threats + - cve.2023-36874 + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml index 34a52fafcb9..f8d0f70beab 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml @@ -7,12 +7,12 @@ references: - https://twitter.com/wdormann/status/1679184475677130755 - https://twitter.com/r00tbsd/status/1679042071477338114/photo/1 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) -date: 2023/07/13 +date: 2023-07-13 tags: - attack.persistence - - attack.defense_evasion - - cve.2023.36884 - - detection.emerging_threats + - attack.defense-evasion + - cve.2023-36884 + - detection.emerging-threats logsource: category: file_event product: windows 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml index 50d2ed37735..30552f7eb8c 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml @@ -5,11 +5,11 @@ description: Detects a unique pattern seen being used by RomCom potentially expl references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior -date: 2023/07/12 +date: 2023-07-12 tags: - - attack.command_and_control - - cve.2023.36884 - - detection.emerging_threats + - attack.command-and-control + - cve.2023-36884 + - detection.emerging-threats logsource: category: proxy detection: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml index 302f27643e6..40618ff9cbe 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml 
@@ -5,11 +5,11 @@ description: Detects a specific URL pattern containing a specific extension and references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior -date: 2023/07/12 +date: 2023-07-12 tags: - - attack.command_and_control - - cve.2023.36884 - - detection.emerging_threats + - attack.command-and-control + - cve.2023-36884 + - detection.emerging-threats logsource: category: proxy detection: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml index 17582b026ad..44598677c2e 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml @@ -5,11 +5,11 @@ description: Detects files seen being requested by RomCom while potentially expl references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior -date: 2023/07/12 +date: 2023-07-12 tags: - - attack.command_and_control - - cve.2023.36884 - - detection.emerging_threats + - attack.command-and-control + - cve.2023-36884 + - detection.emerging-threats logsource: category: proxy detection: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml index a0423c78b6e..2c72bb5e206 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml @@ -5,11 +5,11 @@ description: Detects a unique URL marker seen being used by RomCom potentially e references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior -date: 2023/07/12 +date: 2023-07-12 tags: - - attack.command_and_control - - cve.2023.36884 - - detection.emerging_threats + - attack.command-and-control + - cve.2023-36884 + - detection.emerging-threats logsource: category: proxy detection: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml index ba5cc73c9c1..5a83f9fbb2b 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml @@ -5,11 +5,11 @@ description: Detects access to a file share with a naming schema seen being used references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/07/13 +date: 2023-07-13 tags: - - attack.command_and_control - - cve.2023.36884 - - detection.emerging_threats + - attack.command-and-control + - cve.2023-36884 + - detection.emerging-threats logsource: product: windows service: security 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml index 11f214495db..c2b3a4a44b0 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml @@ -9,11 +9,11 @@ references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/08/30 +date: 2023-08-30 tags: - attack.execution - - cve.2023.38331 - - detection.emerging_threats + - cve.2023-38331 + - detection.emerging-threats logsource: category: file_event product: windows diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml index 8a952a8f0d6..c097cace1af 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml 
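Review bot: The CVE tag rewritten in this hunk carries a digit transposition that the rename preserves: `cve.2023-38331` should read `cve.2023-38831`, matching the `CVE-2023-38831` directory and both references (the group-ib write-up and the knight0x07 repository), which all name CVE-2023-38831. A wrong CVE id in the tag silently breaks CVE-based searching and correlation for this WinRAR rule, and since the commit already touches this line it is the natural place to correct it. The following hunk for `proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml` has the same `cve.2023-38331` tag and needs the same fix; the `38331` in this file's own name is outside the change but looks like the same slip.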
@@ -9,13 +9,13 @@ references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io) -date: 2023/08/30 -modified: 2024/01/22 +date: 2023-08-30 +modified: 2024-01-22 tags: - - detection.emerging_threats + - detection.emerging-threats - attack.execution - attack.t1203 - - cve.2023.38331 + - cve.2023-38331 logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml index dc4e8d698c5..b17649a195f 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml @@ -7,11 +7,11 @@ references: - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC - https://www.rarlab.com/vuln_rev3_names.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/08/31 +date: 2023-08-31 tags: - attack.execution - - cve.2023.40477 - - detection.emerging_threats + - cve.2023-40477 + - detection.emerging-threats logsource: category: file_event product: windows diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml index 753faf9dd2a..f3935c39176 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml @@ -7,11 +7,11 @@ references: - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC - https://www.rarlab.com/vuln_rev3_names.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/08/31 +date: 2023-08-31 tags: - attack.execution - - cve.2023.40477 - - detection.emerging_threats + - cve.2023-40477 + - detection.emerging-threats logsource: product: windows service: application diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml index cf6ec6475c5..6c52dc6757f 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml @@ -12,13 +12,13 @@ references: - https://github.com/win3zz/CVE-2023-43261 - https://vulncheck.com/blog/real-world-cve-2023-43261 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo -date: 2023/10/20 -modified: 2023/10/30 +date: 2023-10-20 +modified: 2023-10-30 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2023.43621 - - detection.emerging_threats + - cve.2023-43621 + - detection.emerging-threats logsource: category: proxy detection: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml index bf74e77f8d4..159fc6365b5 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml 
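Review bot: `cve.2023-43621` in the proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml hunk is a transposed CVE id: the directory, the filename and both references (`win3zz/CVE-2023-43261`, `real-world-cve-2023-43261`) all refer to CVE-2023-43261, so the tag should be `cve.2023-43261`. The commit rewrites exactly this line, so correcting the digits here costs nothing and avoids the rule being missed by CVE-based tag searches. The same wrong tag is carried over in the web_exploit_cve_2023_43261_milesight_information_disclosure.yml hunk that follows.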
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml @@ -12,13 +12,13 @@ references: - https://github.com/win3zz/CVE-2023-43261 - https://vulncheck.com/blog/real-world-cve-2023-43261 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo -date: 2023/10/20 -modified: 2023/10/30 +date: 2023-10-20 +modified: 2023-10-30 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2023.43621 - - detection.emerging_threats + - cve.2023-43621 + - detection.emerging-threats logsource: category: webserver definition: 'Requirements: In order for this detection to trigger, access logs of the router must be collected.' diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml index 91662b74cfc..874de100c01 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml @@ -11,12 +11,12 @@ references: - https://blog.hrncirik.net/cve-2023-46214-analysis - https://advisory.splunk.com/advisories/SVD-2023-1104 author: Nasreddine Bencherchali (Nextron Systems), Bhavin Patel (STRT) -date: 2023/11/27 +date: 2023-11-27 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1210 - - cve.2023.46214 - - detection.emerging_threats + - cve.2023-46214 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml index d6836d181ff..afa5ecccf93 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml @@ -11,11 +11,11 @@ references: - https://blog.hrncirik.net/cve-2023-46214-analysis - https://advisory.splunk.com/advisories/SVD-2023-1104 author: Lars B. P. Frydenskov(Trifork Security) -date: 2023/11/27 +date: 2023-11-27 tags: - - cve.2023.46214 - - detection.emerging_threats - - attack.lateral_movement + - cve.2023-46214 + - detection.emerging-threats + - attack.lateral-movement - attack.t1210 logsource: category: webserver diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml index 2f0091f14c7..b41777dbd84 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml @@ -11,12 +11,12 @@ references: - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/11/08 +date: 2023-11-08 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - detection.emerging_threats - - cve.2023.46747 + - detection.emerging-threats + - cve.2023-46747 logsource: category: proxy definition: 'Requirements: The POST request body data must be collected in order to make use of this detection' diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml index e839e5e08dd..5877736d0b1 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml @@ -11,12 +11,12 @@ references: - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/11/08 +date: 2023-11-08 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - detection.emerging_threats - - cve.2023.46747 + - detection.emerging-threats + - cve.2023-46747 logsource: category: webserver definition: 'Requirements: The POST request body data must be collected in order to make use of this detection' diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml index d0be325218d..7631cdfa2d3 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml @@ -16,12 +16,12 @@ references: - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/11/28 +date: 2023-11-28 tags: - - detection.emerging_threats - - attack.initial_access + - detection.emerging-threats + - attack.initial-access - attack.t1190 - - cve.2023.4966 + - cve.2023-4966 logsource: category: proxy detection: 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml index 2c5ec469558..3112cb17a52 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml @@ -16,12 +16,12 @@ references: - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966 author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT) -date: 2023/11/28 +date: 2023-11-28 tags: - - detection.emerging_threats - - attack.initial_access + - detection.emerging-threats + - attack.initial-access - attack.t1190 - - cve.2023.4966 + - cve.2023-4966 logsource: category: proxy detection: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml index 9c2798d65ed..54c0337e717 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml 
@@ -16,12 +16,12 @@ references:
     - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
     - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
 author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)
-date: 2023/11/28
+date: 2023-11-28
 tags:
-    - detection.emerging_threats
-    - attack.initial_access
+    - detection.emerging-threats
+    - attack.initial-access
     - attack.t1190
-    - cve.2023.4966
+    - cve.2023-4966
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
index 45babdc0274..fa3d4a59ffa 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
@@ -16,12 +16,12 @@ references:
     - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
     - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/28
+date: 2023-11-28
 tags:
-    - detection.emerging_threats
-    - attack.initial_access
+    - detection.emerging-threats
+    - attack.initial-access
     - attack.t1190
-    - cve.2023.4966
+    - cve.2023-4966
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
index 2febe5e8b1a..52e4e0e6bdd 100644
--- a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
+++ b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/SigmaHQ/sigma/pull/3946
     - https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
-date: 2023/01/21
+date: 2023-01-21
 tags:
-    - detection.emerging_threats
-    - attack.initial_access
+    - detection.emerging-threats
+    - attack.initial-access
     - attack.t1190
 logsource:
     category: process_creation
diff --git a/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml b/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
index 43a2e2704ee..f5844d8b643 100644
--- a/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
+++ b/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
@@ -5,10 +5,10 @@ description: Detects corrupted packets sent to the MSMQ service. Could potential
 references:
     - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/21
+date: 2023-04-21
 tags:
     - attack.execution
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     service: application
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
index 41b37aa3756..354176b8cb0 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a file named "dllhost.exe" in the "C:\users
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/30
+date: 2023-04-30
 tags:
     - attack.persistence
-    - attack.defense_evasion
-    - detection.emerging_threats
+    - attack.defense-evasion
+    - detection.emerging-threats
 logsource:
     category: file_event
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
index f148f5f4254..a9297e71015 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a file in a specific location and with a sp
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: X__Junior (Nextron Systems)
-date: 2023/04/30
+date: 2023-04-30
 tags:
     - attack.persistence
-    - attack.defense_evasion
-    - detection.emerging_threats
+    - attack.defense-evasion
+    - detection.emerging-threats
 logsource:
     category: file_event
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
index de1b29d530e..2cc5fefcdaf 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
@@ -6,11 +6,11 @@ description: |
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/02
+date: 2023-05-02
 tags:
     - attack.persistence
-    - attack.defense_evasion
-    - detection.emerging_threats
+    - attack.defense-evasion
+    - detection.emerging-threats
 logsource:
     product: windows
     category: image_load
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
index ced5e608d53..a515c593106 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a process executing as user called "ANONYMO
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/30
+date: 2023-04-30
 tags:
     - attack.persistence
-    - attack.defense_evasion
-    - detection.emerging_threats
+    - attack.defense-evasion
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
index 904cd08149e..769328190a0 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a "rundll32" process from the ColdSteel per
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/30
+date: 2023-04-30
 tags:
     - attack.persistence
-    - attack.defense_evasion
-    - detection.emerging_threats
+    - attack.defense-evasion
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
index 3f68e1c21b0..26d3eb27bbb 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
@@ -5,11 +5,11 @@ description: Detects the creation of an "svchost" process with specific command
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: X__Junior (Nextron Systems)
-date: 2023/04/30
+date: 2023-04-30
 tags:
     - attack.persistence
-    - attack.defense_evasion
-    - detection.emerging_threats
+    - attack.defense-evasion
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
index 3a5ccd60164..c64fb7ca07c 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
@@ -5,11 +5,11 @@ description: Detects creation of a new user profile with a specific username, se
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/02
-modified: 2023/08/17
+date: 2023-05-02
+modified: 2023-08-17
 tags:
     - attack.persistence
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: registry_set
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
index 2b9ee8af61a..8e73e21373d 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
@@ -5,11 +5,11 @@ description: Detects the creation of new services potentially related to COLDSTE
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/02
+date: 2023-05-02
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.persistence
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     service: system
diff --git a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
index 47840068341..991c48dbd0d 100644
--- a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
+++ b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
@@ -11,13 +11,13 @@ references:
     - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
     - https://github.com/pr0xylife/DarkGate/tree/main
 author: Micah Babinski
-date: 2023/10/15
+date: 2023-10-15
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.execution
     - attack.t1105
     - attack.t1059
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: file_event
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
index efe050924bf..54553892cde 100644
--- a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
+++ b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
@@ -10,11 +10,11 @@ references:
     - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
     - https://github.com/pr0xylife/DarkGate/tree/main
 author: Micah Babinski
-date: 2023/10/15
+date: 2023-10-15
 tags:
     - attack.execution
     - attack.t1059
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
index 25677494056..bf34f3a418f 100644
--- a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
+++ b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
@@ -5,12 +5,12 @@ description: Detects creation of local users via the net.exe command with the na
 references:
     - Internal Research
 author: X__Junior (Nextron Systems)
-date: 2023/08/27
-modified: 2023/10/15
+date: 2023-08-27
+modified: 2023-10-15
 tags:
     - attack.persistence
     - attack.t1136.001
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml b/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
index 5704ee15534..4c7e7da940f 100644
--- a/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
+++ b/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
@@ -5,10 +5,10 @@ description: Detects process execution patterns related to Griffon malware as re
 references:
     - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/09
+date: 2023-03-09
 tags:
     - attack.execution
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
index 8e62c81b525..66474ffbbd7 100644
--- a/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
+++ b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
@@ -6,11 +6,11 @@ references:
     - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
     - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/31
+date: 2023-08-31
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.011
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
index 947b1c75024..ae214147a61 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
@@ -9,12 +9,12 @@ references:
     - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
     - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
 author: Andreas Braathen (mnemonic.io)
-date: 2023/10/27
-modified: 2024/01/26
+date: 2023-10-27
+modified: 2024-01-26
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1573
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     category: network_connection
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
index fec001ba329..b20001764f2 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
@@ -9,13 +9,13 @@ references:
     - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
     - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
 author: Alejandro Houspanossian ('@lekz86')
-date: 2024/01/02
+date: 2024-01-02
 tags:
     - attack.execution
     - attack.t1059.003
     - attack.t1105
     - attack.t1218
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml
index 44d235606c5..d9b56e2f14a 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml
@@ -8,14 +8,14 @@ references:
     - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
     - https://tria.ge/231023-lpw85she57/behavioral2
 author: Andreas Braathen (mnemonic.io)
-date: 2023/10/27
-modified: 2024/01/26
+date: 2023-10-27
+modified: 2024-01-26
 tags:
     - attack.discovery
     - attack.t1016
     - attack.t1049
     - attack.t1087
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
index 902fdf7ca5b..05bbad68d24 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
@@ -9,12 +9,12 @@ references:
     - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
     - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
 author: Andreas Braathen (mnemonic.io)
-date: 2023/10/27
-modified: 2024/01/26
+date: 2023-10-27
+modified: 2024-01-26
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1055.012
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml
index 9fe2c92419f..67a0f2aed3b 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml
@@ -9,10 +9,10 @@ references:
     - https://www.virustotal.com/gui/file/56db0c4842a63234ab7fe2dda6eeb63aa7bb68f9a456985b519122f74dea37e2/behavior
     - https://tria.ge/231212-r1bpgaefar/behavioral2
 author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/01/26
+date: 2024-01-26
 tags:
-    - detection.emerging_threats
-    - attack.defense_evasion
+    - detection.emerging-threats
+    - attack.defense-evasion
     - attack.execution
 logsource:
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
index 20e56a1c975..76bc58c80e4 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
@@ -5,12 +5,12 @@ description: Detects a specific command line of "regsvr32" where the "calc" keyw
 references:
     - https://github.com/pr0xylife/Qakbot/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/26
-modified: 2024/03/05
+date: 2023-05-26
+modified: 2024-03-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
index e5c57fe7b3e..99d65ad5b5c 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
@@ -5,11 +5,11 @@ description: Detects specific process tree behavior of a "rundll32" execution of
 references:
     - https://github.com/pr0xylife/Qakbot/
 author: X__Junior (Nextron Systems)
-date: 2023/05/24
+date: 2023-05-24
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
index 24689638426..181cee7774c 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
@@ -5,12 +5,12 @@ description: Detects specific process tree behavior of a "rundll32" execution wi
 references:
     - https://github.com/pr0xylife/Qakbot/
 author: X__Junior (Nextron Systems)
-date: 2023/05/24
-modified: 2023/05/30
+date: 2023-05-24
+modified: 2023-05-30
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
index 710a5c5b10c..68ab9c99807 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
@@ -5,11 +5,11 @@ description: Detects specific process tree behavior of a "rundll32" execution wh
 references:
     - https://github.com/pr0xylife/Qakbot/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/24
+date: 2023-05-24
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
index f5a066ee698..ae0ba2bc3a4 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
@@ -7,10 +7,10 @@ references:
     - https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community
     - https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
 author: Florian Roth (Nextron Systems)
-date: 2023/08/31
-modified: 2023/09/01
+date: 2023-08-31
+modified: 2023-09-01
 tags:
-    - detection.emerging_threats
+    - detection.emerging-threats
     - attack.execution
 logsource:
     category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml b/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
index 4ecc9b1098a..4ff2340751b 100644
--- a/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
+++ b/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
@@ -8,12 +8,12 @@ references:
     - https://www.joesandbox.com/analysis/790122/0/html
     - https://twitter.com/anfam17/status/1607477672057208835
 author: TropChaud
-date: 2023/01/26
-modified: 2023/02/05
+date: 2023-01-26
+modified: 2023-02-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.011
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
index a180ce93495..ad65e967c10 100644
--- a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
+++ b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
@@ -5,14 +5,14 @@ description: Detects Rorschach ransomware execution activity
 references:
     - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
 author: X__Junior (Nextron Systems)
-date: 2023/04/04
-modified: 2023/04/22
+date: 2023-04-04
+modified: 2023-04-22
 tags:
     - attack.execution
     - attack.t1059.003
     - attack.t1059.001
-    - attack.defense_evasion
-    - detection.emerging_threats
+    - attack.defense-evasion
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml
index d29e486f37f..c051e16a117 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml
@@ -5,10 +5,10 @@ description: Detects SNAKE malware kernel driver file indicator
 references:
     - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
+date: 2023-05-10
 tags:
     - attack.execution
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: file_event
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml
index 879097f9e42..91da1017b05 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml
@@ -5,10 +5,10 @@ description: Detects filename indicators associated with the SNAKE malware as re
 references:
     - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
+date: 2023-05-10
 tags:
     - attack.execution
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: file_event
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml
index 1c4baed9fa0..9cba0dfc38e 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a file named "WerFault.exe" in the WinSxS d
 references:
     - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
-modified: 2023/05/18
+date: 2023-05-10
+modified: 2023-05-18
 tags:
     - attack.execution
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: file_event
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
index 1983488b525..7690ec1d875 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
@@ -5,10 +5,10 @@ description: Detects a specific command line arguments sequence seen used by SNA
 references:
     - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
 tags:
     - attack.execution
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
index 0d8c2309408..c22c9e38fb4 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
@@ -5,10 +5,10 @@ description: Detects a specific binary name seen used by SNAKE malware during it
 references:
     - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
 tags:
     - attack.execution
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
index 6041bf8a868..5f0581111c9 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
@@ -5,10 +5,10 @@ description: Detects a specific child/parent process relationship indicative of
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml b/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
index ceb6ccb75d8..e79887aec69 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
@@ -5,10 +5,10 @@ description: Detects any registry event that targets the key 'SECURITY\Policy\Se
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/11
+date: 2023-05-11
tags:
- attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: registry_event
product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml b/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
index 6641eb5bcf3..8aed60de56a 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a registry value in the ".wav\OpenWithProgI
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
-modified: 2023/08/17
+date: 2023-05-10
+modified: 2023-08-17
tags:
- attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: registry_set
product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml b/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
index c6788a232ba..bb74ac415ef 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a service named "WerFaultSvc" which seems t
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
+date: 2023-05-10
tags:
- attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: system
diff --git a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
index b9df2c515a4..ae2fe2e10e0 100644
--- a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
+++ b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
@@ -7,11 +7,11 @@ references:
- https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations
- https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
author: Dusty Miller
-date: 2023/02/23
+date: 2023-02-23
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1219
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: dns_query
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml
index c2f3cf3d95c..ccbaa307c7e 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml
@@ -20,11 +20,11 @@ description: Detects potential beaconing activity to domains related to 3CX 3CXD
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
-modified: 2023/03/31
+date: 2023-03-29
+modified: 2023-03-31
tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
logsource:
category: dns_query
product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
index bc018e9a87b..05341bdc13f 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
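Review bot: Renaming `attack.command_and_control` to `attack.command-and-control` and `detection.emerging_threats` to `detection.emerging-threats` is a breaking change for any downstream consumer that filters, routes or scores rules on the literal old tag (SIEM pipelines, allowlists, dashboards), and nothing in the hunk keeps the old spelling as an alias. That is presumably the intent of a convention change, but it deserves an explicit changelog entry and, where the consuming pipeline supports it, a temporary mapping from the underscore form to the hyphen form so existing alert logic does not silently drop this rule. The point applies equally to the other renamed tactic tags in this commit; the rule's `detection` block is outside the hunk.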
@@ -20,10 +20,10 @@ description: Detects DLL load activity of known compromised DLLs used in by the
references:
- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/31
+date: 2023-03-31
tags:
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
logsource:
category: image_load
product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml
index bc4c7360b09..4e91a26420b 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml
@@ -20,11 +20,11 @@ description: Detects potential beaconing activity to domains related to 3CX 3CXD
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
-modified: 2023/03/31
+date: 2023-03-29
+modified: 2023-03-31
tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
logsource:
category: network_connection
product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
index 6c87274d4f7..187e04614a6 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
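Review bot: The only reference on this 3CX DLL-load rule is Microsoft's 2021 FoggyWeb/NOBELIUM post, which is not a 3CX source, and the description carried in the hunk header reads "used in by the"; since this commit is already rewriting the rule's metadata lines it is the natural place to fix both. Unless the FoggyWeb link is deliberate (technique overlap rather than campaign attribution), add one of the 3CX-specific references the sibling rules in this directory cite, for example `  - https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/`, and change the description to "used by the". The rule's `detection` block is outside the hunk.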
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
@@ -20,13 +20,13 @@ description: Detects execution of known compromised version of 3CXDesktopApp
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
-modified: 2023/03/31
+date: 2023-03-29
+modified: 2023-03-31
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
index 30679a9b6eb..f0967eb28b7 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
@@ -21,12 +21,12 @@ references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
+date: 2023-03-29
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.execution
- attack.t1218
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
index ea8e3ef0151..001f09e3250 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
@@ -21,12 +21,12 @@ references:
- https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
- https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
+date: 2023-03-29
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml
index 4e915b81f18..aa471628feb 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml
@@ -20,11 +20,11 @@ description: Detects potential beaconing activity to domains related to 3CX 3CXD
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
-modified: 2023/05/18
+date: 2023-03-29
+modified: 2023-05-18
tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
logsource:
category: proxy
detection:
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml
index 08f6fa5a93d..29b654f517c 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml
@@ -21,10 +21,10 @@ references:
- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
- https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/31
+date: 2023-03-31
tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
logsource:
category: proxy
detection:
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
index 6d466fe3e1f..228682aaf7c 100644
--- a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
@@ -5,9 +5,9 @@ description: Hunts known SVR-specific DLL names.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: CISA
-date: 2023/12/18
+date: 2023-12-18
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1574.002
logsource:
category: image_load
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
index 7bc11682ecb..e7fcf0f10d3 100644
--- a/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
@@ -8,7 +8,7 @@ description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
-date: 2023/12/18
+date: 2023-12-18
tags:
- attack.persistence
logsource:
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
index 0afd02e2418..19c8867bc35 100644
--- a/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
@@ -8,7 +8,7 @@ description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
-date: 2023/12/18
+date: 2023-12-18
tags:
- attack.persistence
logsource:
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml
index dd8eea66367..60363ca0947 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml
@@ -5,10 +5,10 @@ description: Detects DNS queries related to Diamond Sleet APT activity
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
logsource:
product: windows
category: dns_query
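Review bot: In `win_security_apt_cozy_bear_scheduled_tasks_name.yml` (and its `win_taskscheduler_*` twin in the following hunk) the tag list is only `attack.persistence`, while every other rule under `rules-emerging-threats/` in this diff carries `detection.emerging-threats`; this commit is the moment the tag lists are being normalised, so the omission is easy to close here. Adding `  - detection.emerging-threats` after `  - attack.persistence` would make these CISA-contributed rules filterable like the rest of the directory; confirm against the directory convention before applying. A minor style point in the same hunk: `author:` precedes `references:`, whereas the sibling rules put `references:` first.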
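Review bot: The Diamond Sleet DNS rule in this hunk lives in `dns_query_win_apt_diamond_steel_indicators.yml`, while its description, its directory and every sibling rule say "sleet"; the typo is in the path rather than in the changed lines, so the fix is a `git mv` to `dns_query_win_apt_diamond_sleet_indicators.yml`. A metadata-normalisation commit is a reasonable place to do it, since consumers presumably key on the rule's `id` (outside the hunk) rather than on the file name. The rule's `detection` block is also outside the hunk.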
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
index 6c3bc997cc8..11959b9cbdc 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
@@ -5,10 +5,10 @@ description: Detects file creation activity that is related to Diamond Sleet APT
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: file_event
product: windows
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
index feed15f302b..d4d0bac8baf 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
@@ -5,11 +5,11 @@ description: Detects DLL sideloading activity seen used by Diamond Sleet APT
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1574.002
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: image_load
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
index c1bbf8fb41f..5d98be1edc5 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
@@ -5,10 +5,10 @@ description: Detects process creation activity indicators related to Diamond Sle
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
index 583e61a8a76..1cb6ea199db 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
@@ -6,11 +6,11 @@ description: |
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: registry_event
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
index 7f9df765bd0..7a3d5065765 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
@@ -6,13 +6,13 @@ description: |
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.persistence
- attack.t1053.005
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: security
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
index d1df8163926..b30c5d55872 100644
--- a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
+++ b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
@@ -9,11 +9,11 @@ references:
- https://securelist.com/operation-triangulation/109842/
- https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
author: Florian Roth (Nextron Systems)
-date: 2023/06/01
+date: 2023-06-01
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.g0020
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: dns
detection:
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
index 9279b1cfdef..163b164cbbe 100644
--- a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
+++ b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
@@ -9,11 +9,11 @@ references:
- https://securelist.com/operation-triangulation/109842/
- https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
author: Florian Roth (Nextron Systems)
-date: 2023/06/01
+date: 2023-06-01
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.g0020
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: proxy
detection:
diff --git a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
index bd534689ce1..a8b110e331f 100644
--- a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
@@ -5,11 +5,11 @@ description: Detects PowerShell script file creation with specific name or suffi
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
tags:
- attack.execution
- attack.g0046
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: file_event
product: windows
diff --git a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
index dd4828d7aca..80482f9d987 100644
--- a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
@@ -5,12 +5,12 @@ description: Detects execution of the POWERHOLD script seen used by FIN7 as repo
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
tags:
- attack.execution
- attack.t1059.001
- attack.g0046
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: ps_script
diff --git a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
index 38519e2c8c2..295d4537e47 100644
--- a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
@@ -5,12 +5,12 @@ description: Detects potential execution of the PowerShell script POWERTRASH
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
tags:
- attack.execution
- attack.t1059.001
- attack.g0046
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: ps_script
diff --git a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
index 7e74903f581..75aea2f00fb 100644
--- a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
@@ -7,11 +7,11 @@ references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
tags:
- attack.execution
- attack.g0046
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml
index 3d2ac26c8d2..39229e476a7 100644
--- a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml
@@ -5,10 +5,10 @@ description: Detects PowerShell script file creation with specific names or suff
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
+date: 2023-11-09
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: file_event
product: windows
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
index 7a8a8ddfdc6..daaf4621f61 100644
--- a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
@@ -6,11 +6,11 @@ description: |
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
+date: 2023-11-09
tags:
- attack.execution
- attack.t1059.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: ps_script
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
index a8cb343ff01..1bbdcdf8a1b 100644
--- a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
@@ -6,11 +6,11 @@ description: |
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
+date: 2023-11-09
tags:
- attack.execution
- attack.t1059.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: ps_script
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
index c6e118e5ef8..2668b724493 100644
--- a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
@@ -5,10 +5,10 @@ description: Detects specific command line execution used by Lace Tempest to dow
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
+date: 2023-11-09
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
index 911078ce8fb..2f090535868 100644
--- a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
@@ -5,10 +5,10 @@ description: Detects execution of a specific binary based on filename and hash u
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
+date: 2023-11-09
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
index c9323758cf8..b9bbfecc6ef 100644
--- a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
+++ b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
@@ -6,14 +6,14 @@ references:
- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
- https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/18
+date: 2023-10-18
tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
- attack.t1574.001
- attack.t1574.002
- attack.g0032
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: image_load
diff --git a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
index 1763ac602e8..e5b7683d993 100644
--- a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
+++ b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
@@ -5,11 +5,11 @@ description: Detects suspicious execution from AsperaFaspex as seen used by Mint
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-date: 2023/04/20
-modified: 2023/04/25
+date: 2023-04-20
+modified: 2023-04-25
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml
index 9cee8be1793..d9b9c1b1cf8 100644
--- a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml
+++ b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml
@@ -5,11 +5,11 @@ description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-date: 2023/04/20
-modified: 2023/11/29
+date: 2023-04-20
+modified: 2023-11-29
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
index 06ca88def73..80939e29eec 100644
--- a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
+++ b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
@@ -5,11 +5,11 @@ description: Detects suspicious execution from ManageEngine as seen used by Mint
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
 author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-date: 2023/04/20
-modified: 2023/04/25
+date: 2023-04-20
+modified: 2023-04-25
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
index 57898277171..0c11ac921ff 100644
--- a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
@@ -5,11 +5,11 @@ description: Detects specific command line execution used by Mustang Panda in a
 references:
 - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
+date: 2023-05-15
 tags:
 - attack.execution
 - attack.g0129
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml b/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml
index b7fa0d1b57e..5db5d4e613a 100644
--- a/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml
+++ b/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml
@@ -5,13 +5,13 @@ description: |
 Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate username used in your environnement.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/10/25
+date: 2023-10-25
 references:
 - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
 - https://developer.okta.com/docs/reference/api/event-types/
 tags:
- - attack.credential_access
- - detection.emerging_threats
+ - attack.credential-access
+ - detection.emerging-threats
 logsource:
 service: okta
 product: okta
diff --git a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml
index 078b4e92ba2..953359270b3 100644
--- a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml
@@ -5,10 +5,10 @@ description: Detects file creation activity that is related to Onyx Sleet APT ac
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml b/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml
index c0e3e34bc7e..61e79ebaaa2 100644
--- a/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml
+++ b/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml
@@ -6,10 +6,10 @@ references:
 - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
 - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/25
+date: 2023-04-25
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml b/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml
index 1e99819736c..7d79e5bba31 100644
--- a/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml
+++ b/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml
@@ -6,11 +6,11 @@ references:
 - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
 - https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml
 author: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea)
-date: 2023/04/20
-modified: 2023/04/25
+date: 2023-04-20
+modified: 2023-04-25
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
index b1b7387747f..48d394c3a12 100644
--- a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/MsftSecIntel/status/1737895710169628824
 - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
 author: X__Junior (Nextron Systems)
-date: 2024/01/15
+date: 2024-01-15
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml
index 8c1f71408a3..3bcb089e9ba 100644
--- a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml
+++ b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/MsftSecIntel/status/1737895710169628824
 - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
 author: X__Junior (Nextron Systems)
-date: 2024/01/15
+date: 2024-01-15
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
index d9679eec399..23aae15e271 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
@@ -5,12 +5,12 @@ description: Detects filename pattern of email related data used by UNC4841 for
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
 - attack.execution
 - attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 product: linux
 category: file_event
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
index 03a3fc7e7b7..5de541d7870 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
@@ -5,12 +5,12 @@ description: Detects file indicators as seen used by UNC4841 during their Barrac
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
 - attack.execution
 - attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 product: linux
 category: file_event
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
index 8d310102575..d00c1ce2a33 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
@@ -5,11 +5,11 @@ description: Detects the execution of "openssl" to connect to an IP address. Thi
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: linux
 category: process_creation
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
index 797ffe90f9a..e5d4acd43f2 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
@@ -5,11 +5,11 @@ description: Detects execution of "wget" to download a ".zip" or ".rar" files fr
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: linux
 category: process_creation
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
index d66d14c1ef7..5bd1f1def1c 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
@@ -5,11 +5,11 @@ description: Detects execution of "wget" to download a "tar" from an IP address
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: linux
 category: process_creation
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml
index 26a0081f9f5..8ffcc201014 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml
@@ -5,10 +5,10 @@ description: Detects execution of specific named binaries which were used by UNC
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: linux
 category: process_creation
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml
index 58206c36b95..55bceb4ee5b 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
 - https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/03/20
+date: 2024-03-20
 tags:
- - attack.initial_access
- - cve.2024.1212
+ - attack.initial-access
+ - cve.2024-1212
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml
index 9650c830550..51d4f2d343f 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml
@@ -11,10 +11,10 @@ references:
 - https://www.cve.org/CVERecord?id=CVE-2024-1709
 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
 author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
-date: 2024/02/21
+date: 2024-02-21
 tags:
 - attack.persistence
- - cve.2024.1708
+ - cve.2024-1708
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml
index df61cf549b1..a5b7c079d12 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml
@@ -12,11 +12,11 @@ references:
 - https://www.cve.org/CVERecord?id=CVE-2024-1708
 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
 author: Matt Anderson, Caleb Stewart, Huntress
-date: 2024/02/20
+date: 2024-02-20
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - cve.2024.1708
+ - cve.2024-1708
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
index 928b3d6ac6f..651a9363f40 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
@@ -12,10 +12,10 @@ references:
 - https://www.cve.org/CVERecord?id=CVE-2024-1709
 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
 author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
-date: 2024/02/21
+date: 2024-02-21
 tags:
 - attack.persistence
- - cve.2024.1709
+ - cve.2024-1709
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml
index f3a15c5519a..4914ee493d8 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml
@@ -8,11 +8,11 @@ references:
 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
 - https://www.cve.org/CVERecord?id=CVE-2024-1709
 author: Matt Anderson, Huntress
-date: 2024/02/20
+date: 2024-02-20
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - cve.2024.1709
+ - cve.2024-1709
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
index 3e62f8f6011..f63b2547f00 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
@@ -13,10 +13,10 @@ references:
 - https://www.cve.org/CVERecord?id=CVE-2024-1709
 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
 author: Matt Anderson, Kris Luzadre, Andrew Schwartz, Huntress
-date: 2024/02/20
+date: 2024-02-20
 tags:
- - attack.defense_evasion
- - cve.2024.1709
+ - attack.defense-evasion
+ - cve.2024-1709
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
index 3b408e84614..cc851977685 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
@@ -6,11 +6,11 @@ description: |
 references:
 - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
 author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
-date: 2024/04/01
-modified: 2024/07/03
+date: 2024-04-01
+modified: 2024-07-03
 tags:
 - attack.execution
- - cve.2024.3094
+ - cve.2024-3094
 logsource:
 category: process_creation
 product: linux
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-3400/file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-3400/file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml
index 395c65bdc71..b8ecc548b07 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-3400/file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-3400/file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml
@@ -8,11 +8,11 @@ references:
 - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
 - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
 author: Andreas Braathen (mnemonic.io)
-date: 2024/04/25
+date: 2024-04-25
 tags:
 - attack.execution
- - cve.2024.3400
- - detection.emerging_threats
+ - cve.2024-3400
+ - detection.emerging-threats
 logsource:
 product: paloalto
 service: globalprotect
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml
index 8be57e3bb69..310b73120b2 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml
@@ -9,14 +9,14 @@ references:
 - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
 - https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/18
-modified: 2024/04/25
+date: 2024-04-18
+modified: 2024-04-25
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - cve.2024.3400
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - cve.2024-3400
 logsource:
 category: appliance
 product: paloalto
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml
index 2fb7fdbe5da..5837c6fd54a 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml
@@ -8,11 +8,11 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
 author: frack113
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.execution
- - cve.2024.37085
- - detection.emerging_threats
+ - cve.2024-37085
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml
index 34f6f3578e2..5523d8faff8 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml
@@ -8,11 +8,11 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/30
+date: 2024-07-30
 tags:
 - attack.execution
- - cve.2024.37085
- - detection.emerging_threats
+ - cve.2024-37085
+ - detection.emerging-threats
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
index fd3ed84cede..f4f11c950a4 100644
--- a/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
+++ b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
@@ -7,9 +7,9 @@ references:
 - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
 - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
 author: Luca Di Bartolomeo
-date: 2024/06/22
+date: 2024-06-22
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: image_load
diff --git a/rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml b/rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml
index 27ebc10bae4..20cbb7c4ed9 100644
--- a/rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml
+++ b/rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml
@@ -6,7 +6,7 @@ references:
 - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
 - https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
 author: Tomasz Dyduch, Josh Nickels
-date: 2024/05/31
+date: 2024-05-31
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml
index 426ca1fe832..fdedc59a001 100644
--- a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2024/03/22
+date: 2024-03-22
 tags:
 - attack.execution
 - attack.t1059
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
index 1d4b78007d3..2f7e2ac822a 100644
--- a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
@@ -8,10 +8,10 @@ references:
 - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
 - https://tria.ge/240123-rapteaahhr/behavioral1
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2024/03/22
+date: 2024-03-22
 tags:
 - attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
index 23b7ee21d9e..8db60f70e9c 100644
--- a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
@@ -6,11 +6,11 @@ description: |
 references:
 - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior
-date: 2024/03/22
+date: 2024-03-22
 tags:
 - attack.persistence
 - attack.t1547.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: registry_set
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
index 5bf32408bc7..62e73b4fd28 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
@@ -10,11 +10,11 @@ references:
 - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
 - https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/31
+date: 2024-07-31
 tags:
- - detection.emerging_threats
- - attack.defense_evasion
- - attack.privilege_escalation
+ - detection.emerging-threats
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
index a261d6924cd..24eb3cbda42 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
@@ -8,10 +8,10 @@ references:
 - https://tria.ge/240226-fhbe7sdc39/behavioral1
 - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
 author: Swachchhanda Shrawan Poudel
-date: 2024/03/07
+date: 2024-03-07
 tags:
- - detection.emerging_threats
- - attack.defense_evasion
+ - detection.emerging-threats
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218.011
 logsource:
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
index 15515594952..2128bcd2113 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
@@ -13,11 +13,11 @@ references:
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
 - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/31
+date: 2024-07-31
 tags:
- - detection.emerging_threats
+ - detection.emerging-threats
 - attack.t1112
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml b/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml
index c5b7d837afc..572df19c08a 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml
@@ -8,9 +8,9 @@ references:
 - https://labs.withsecure.com/publications/kapeka
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/03
+date: 2024-07-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml b/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml
index cccf6173d51..5bfcf91899e 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml
@@ -8,11 +8,11 @@ references:
 - https://labs.withsecure.com/publications/kapeka
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/03
+date: 2024-07-03
 tags:
 - attack.execution
 - attack.t1204.002
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: image_load
diff --git a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml
index 6b75fe377d9..72c97eb8060 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml
@@ -12,7 +12,7 @@ references:
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/03
+date: 2024-07-03
 tags:
 - attack.persistence
 - attack.t1053.005
diff --git a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml
index 6c70a28848f..26ae013395d 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://labs.withsecure.com/publications/kapeka
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/03
+date: 2024-07-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml
index 612cd9611ae..b51438407a5 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml
@@ -9,7 +9,7 @@ references:
 - https://labs.withsecure.com/publications/kapeka
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/03
+date: 2024-07-03
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml
index 75b4f0bb5ad..b5b3550af4a 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml
@@ -8,10 +8,10 @@ references:
 - https://labs.withsecure.com/publications/kapeka
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/03
+date: 2024-07-03
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.003
 logsource:
 category: registry_set
diff --git a/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml b/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml
index f620fe2ef04..ed29411f078 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml
@@ -11,10 +11,10 @@ references:
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/03
+date: 2024-07-03
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml b/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml
index 7e65cbc748a..e40426947ff 100644
--- a/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml
+++ b/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml
@@ -5,10 +5,10 @@ description: Detects DNS queries for C2 domains used by DPRK Threat actors.
 references:
 - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/20
+date: 2024-02-20
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 product: windows
 category: dns_query
diff --git a/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml b/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml
index c1ab0cd151a..d6820aac86e 100644
--- a/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml
+++ b/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
 author: Alex Walston (@4ayymm)
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
index 25f916ae77c..aa08309b718 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/23
-modified: 2024/07/11
+date: 2024-04-23
+modified: 2024-07-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: file_event
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
index 1e64dedad52..a7ff6dd5fc4 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/23
+date: 2024-04-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: file_event
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
index f3ed7fd446b..840901fde94 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/23
-modified: 2024/05/11
+date: 2024-04-23
+modified: 2024-05-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
index 07a673e6ac7..5c473b1cae9 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/23
+date: 2024-04-23
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml
index d1de35a7a38..d4c6b548fa8 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/23
+date: 2024-04-23
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
index 01dcb6a5c96..f4d21e4595a 100644
--- a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
+++ b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/23
+date: 2024-02-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml
index 72d0d3b1773..f0b367d0490 100644
--- a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml
+++ b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml
@@ -5,10 +5,10 @@ description: Detects accounts that are created or deleted by non-approved users.
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts
 author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
-date: 2022/08/11
-modified: 2023/12/15
+date: 2022-08-11
+modified: 2023-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
index 283feef536f..1705bafb17d 100644
--- a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
+++ b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
@@ -5,8 +5,8 @@ description: Detects user signs ins outside of normal business hours.
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
 author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
-date: 2022/08/11
-modified: 2023/12/15
+date: 2022-08-11
+modified: 2023-12-15
 tags:
 - attack.persistence
 - attack.t1078
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
index 1c27a3645ac..6a5c87b898d 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
@@ -5,11 +5,11 @@ description: Detects failed sign-in from a PAW or SAW device
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/11
-modified: 2023/12/15
+date: 2022-08-11
+modified: 2023-12-15
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
index 4171d33299e..a9e85a7862a 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
@@ -5,10 +5,10 @@ description: Detects failed sign-in due to user not meeting expected controls fo
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/11
-modified: 2023/12/15
+date: 2022-08-11
+modified: 2023-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
index 8845899de8f..86c1029e676 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
@@ -5,8 +5,8 @@ description: Detects account sign ins outside of normal hours or uncommon locati
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/11
-modified: 2023/12/15
+date: 2022-08-11
+modified: 2023-12-15
 tags:
 - attack.persistence
 - attack.t1078
diff --git a/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml b/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml
index e045b0a3f1f..a2e3a718001 100644
--- a/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml
@@ -7,12 +7,12 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964
 author: frack113
-date: 2022/10/14
-modified: 2023/12/14
+date: 2022-10-14
+modified: 2023-12-14
 tags:
- - attack.defense_evasion
- - attack.lateral_movement
- - attack.credential_access
+ - attack.defense-evasion
+ - attack.lateral-movement
+ - attack.credential-access
 - attack.t1558
 - attack.t1649
 - attack.t1550
diff --git a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
index 744f8f53154..4a34b31f900 100644
--- a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
@@ -6,12 +6,12 @@ references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
 - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
 author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
-date: 2020/10/15
-modified: 2023/12/15
+date: 2020-10-15
+modified: 2023-12-15
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
- - cve.2020.1472
+ - cve.2020-1472
 logsource:
 product: windows
 service: security
diff --git a/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
index b8d9399d598..b1bce3bb40a 100644
--- a/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
@@ -5,10 +5,10 @@ description: Detects the attack technique pass the hash which is used to move la
 references:
 - https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
-date: 2017/03/08
-modified: 2023/12/15
+date: 2017-03-08
+modified: 2023-12-15
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1550.002
 - car.2016-04-004
 logsource:
diff --git a/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
index 76f300a1120..a76fd16a654 100644
--- a/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
@@ -5,11 +5,11 @@ description: Remote registry management using REG utility from non-admin worksta
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2023/12/15
+date: 2019-10-22
+modified: 2023-12-15
 tags:
- - attack.credential_access
- - attack.defense_evasion
+ - attack.credential-access
+ - attack.defense-evasion
 - attack.discovery
 - attack.s0075
 - attack.t1012
diff --git a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
index 13a8d1c7a81..165e78f1d0f 100644
--- a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
@@ -5,10 +5,10 @@ description: Detects interactive console logons to Server Systems
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2017/03/17
-modified: 2023/12/15
+date: 2017-03-17
+modified: 2023-12-15
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1078
 logsource:
 product: windows
diff --git a/rules-placeholder/windows/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml b/rules-placeholder/windows/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml
index 20927bb4ac4..977b73b8d6d 100644
--- a/rules-placeholder/windows/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml
+++ b/rules-placeholder/windows/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml
@@ -5,9 +5,9 @@ description: Detects an RDP connection originating from a domain controller.
 references:
 - Internal Research
 author: Josh Nickels
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021
 logsource:
 product: windows
diff --git a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
index 54f3f4c898f..1457ba277af 100644
--- a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
+++ b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
@@ -6,8 +6,8 @@ references:
 - https://www.arxiv-vanity.com/papers/2008.04676/
 - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2023/02/09
-modified: 2024/08/01
+date: 2023-02-09
+modified: 2024-08-01
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
index 9f11571c9d3..0fb920cc85b 100644
--- a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
+++ b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
@@ -5,11 +5,11 @@ description: Detects email forwarding or redirecting acitivty in O365 Audit logs
 references:
 - https://redcanary.com/blog/email-forwarding-rules/
 author: RedCanary Team (idea), Harjot Singh @cyb3rjy0t
-date: 2023/10/11
+date: 2023-10-11
 tags:
 - attack.exfiltration
 - attack.t1020
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 service: audit
 product: m365
diff --git a/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml b/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml
index 66a7163e071..7adda976246 100644
--- a/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml
+++ b/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.credential_access
- - detection.threat_hunting
+ - attack.credential-access
+ - detection.threat-hunting
 logsource:
 service: okta
 product: okta
diff --git a/rules-threat-hunting/linux/file/file_event/file_event_lnx_python_path_configuration_files.yml b/rules-threat-hunting/linux/file/file_event/file_event_lnx_python_path_configuration_files.yml
index 7d95de42e64..7f4375995bc 100644
--- a/rules-threat-hunting/linux/file/file_event/file_event_lnx_python_path_configuration_files.yml
+++ b/rules-threat-hunting/linux/file/file_event/file_event_lnx_python_path_configuration_files.yml
@@ -15,11 +15,11 @@ references:
 - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
 - https://docs.python.org/3/library/site.html
 author: Andreas Braathen (mnemonic.io)
-date: 2024/04/25
+date: 2024-04-25
 tags:
 - attack.execution
 - attack.t1059.006
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: linux
 category: file_event
diff --git a/rules-threat-hunting/macos/file/file_event/file_event_macos_python_path_configuration_files.yml b/rules-threat-hunting/macos/file/file_event/file_event_macos_python_path_configuration_files.yml
index 911eb0d6940..bca41a94b95 100644
--- a/rules-threat-hunting/macos/file/file_event/file_event_macos_python_path_configuration_files.yml
+++ b/rules-threat-hunting/macos/file/file_event/file_event_macos_python_path_configuration_files.yml
@@ -15,11 +15,11 @@ references:
 - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
 - https://docs.python.org/3/library/site.html
 author: Andreas Braathen (mnemonic.io)
-date: 2024/04/25
+date: 2024-04-25
 tags:
 - attack.execution
 - attack.t1059.006
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: macos
 category: file_event
diff --git a/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml b/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
index 875b285279c..8e9e4a13f82 100644
--- a/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
+++ b/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
@@ -12,12 +12,12 @@ references:
 - https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
 - https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
 author: Daniel Cortez
-date: 2024/07/30
+date: 2024-07-30
 tags:
 - attack.collection
- - attack.credential_access
+ - attack.credential-access
 - attack.t1115
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: macos
 category: process_creation
diff --git a/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml b/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
index 9b912cc0280..42d0b02d1fc 100644
--- a/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
+++ b/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades)
-date: 2021/12/21
-modified: 2024/02/26
+date: 2021-12-21
+modified: 2024-02-26
 tags:
- - attack.initial_access
- - detection.threat_hunting
+ - attack.initial-access
+ - detection.threat-hunting
 logsource:
 category: proxy
 detection:
diff --git a/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
index be353c24051..f2c55c45ce8 100644
--- a/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
+++ b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
@@ -5,12 +5,12 @@ description: Detects when a rule has been modified in the Windows firewall excep
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
-date: 2022/02/19
-modified: 2024/01/22
+date: 2022-02-19
+modified: 2024-01-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
index 48dc06bc9e2..3c0619b8ba7 100644
--- a/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
+++ b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
@@ -6,14 +6,14 @@ references:
 - https://twitter.com/matthewdunwoody/status/1352356685982146562
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
 author: David Strassegger, Tim Shelton
-date: 2021/01/22
-modified: 2023/01/20
+date: 2021-01-22
+modified: 2023-01-20
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - car.2013-08-001
 - attack.t1053.005
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 service: security
diff --git a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
index 60bc3502b8d..da7b5d252fb 100644
--- a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
+++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
@@ -5,12 +5,12 @@ description: Detects potential use of CreateRemoteThread api and LoadLibrary fun
 references:
 - https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/11
-modified: 2024/01/22
+date: 2019-08-11
+modified: 2024-01-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: create_remote_thread
diff --git a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
index e147ca2d5ad..fa2e37e1e93 100644
--- a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
+++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
@@ -8,12 +8,12 @@ description: Detects the creation of a remote thread from a Powershell process t
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community
-date: 2020/10/06
-modified: 2023/11/10
+date: 2020-10-06
+modified: 2023-11-10
 tags:
 - attack.execution
 - attack.t1059.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: create_remote_thread
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml
index 87580e5f0a8..a6091aabc79 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - Internal Research
 author: X__Junior (Nextron Systems)
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.t1003
- - attack.credential_access
- - detection.threat_hunting
+ - attack.credential-access
+ - detection.threat-hunting
 logsource:
 category: file_access
 product: windows
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml
index 3774dd6163c..8172b8be016 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml
@@ -9,12 +9,12 @@ references:
 - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
 - https://github.com/lclevy/firepwd
 author: frack113, X__Junior (Nextron Systems)
-date: 2022/04/09
-modified: 2024/07/29
+date: 2022-04-09
+modified: 2024-07-29
 tags:
 - attack.t1003
- - attack.credential_access
- - detection.threat_hunting
+ - attack.credential-access
+ - detection.threat-hunting
 logsource:
 category: file_access
 product: windows
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
index 4372c24f694..c5c62f3a420 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
@@ -9,12 +9,12 @@ references: - https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2 - https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows author: frack113 -date: 2024/05/10 -modified: 2024/07/29 +date: 2024-05-10 +modified: 2024-07-29 tags: - attack.t1070.008 - - attack.defense_evasion - - detection.threat_hunting + - attack.defense-evasion + - detection.threat-hunting logsource: category: file_access product: windows diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml index 6397395d01a..316a0d08b08 100644 --- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml +++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml @@ -5,11 +5,11 @@ description: Detects file access requests to the Windows Sysvol Policies Share b references: - https://github.com/vletoux/pingcastle author: frack113 -date: 2023/12/21 +date: 2023-12-21 tags: - - attack.credential_access + - attack.credential-access - attack.t1552.006 - - detection.threat_hunting + - detection.threat-hunting logsource: category: file_access product: windows diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml index 8c33a42b71c..05bfeb77572 100644 --- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml +++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml 
@@ -5,12 +5,12 @@ description: Detects file access requests to files ending with either the ".hive references: - https://github.com/tccontre/Reg-Restore-Persistence-Mole author: frack113 -date: 2023/09/15 -modified: 2024/07/29 +date: 2023-09-15 +modified: 2024-07-29 tags: - attack.t1112 - - attack.defense_evasion - - detection.threat_hunting + - attack.defense-evasion + - detection.threat-hunting logsource: category: file_access product: windows diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml index 1233f841c1d..f59209aaed2 100644 --- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml +++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml @@ -7,11 +7,11 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md author: frack113 -date: 2024/07/22 +date: 2024-07-22 tags: - - attack.credential_access + - attack.credential-access - attack.t1552.001 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: file_access diff --git a/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml b/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml index b2a1b53419f..be652cdc842 100644 --- a/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml +++ b/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml 
@@ -8,11 +8,11 @@ description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can le references: - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/ author: frack113 -date: 2023/09/04 +date: 2023-09-04 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070.004 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: file_delete diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml index 79e5c0ffa2f..cb40910c2ea 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml @@ -5,10 +5,10 @@ description: Detects the creation of a file with the ".dmp"/".hdmp" extension. O references: - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/09/07 +date: 2023-09-07 tags: - - attack.defense_evasion - - detection.threat_hunting + - attack.defense-evasion + - detection.threat-hunting logsource: category: file_event product: windows diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml index b693a1cda35..b226767514b 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml 
@@ -15,11 +15,11 @@ references: - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac - https://docs.python.org/3/library/site.html author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems) -date: 2024/04/25 +date: 2024-04-25 tags: - attack.execution - attack.t1059.006 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: file_event diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml index 14cb6421963..8917061fcff 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml @@ -6,15 +6,15 @@ references: - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/ - https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5 author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team -date: 2023/09/27 +date: 2023-09-27 tags: - attack.execution - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1053.005 - attack.s0111 - car.2013-08-001 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: file_event diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml index 606322b7ee1..9ecf86a3d8b 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml 
@@ -5,12 +5,12 @@ description: Detects the creation of an executable by another executable. references: - Internal Research author: frack113 -date: 2022/03/09 -modified: 2023/11/06 +date: 2022-03-09 +modified: 2023-11-06 tags: - - attack.resource_development + - attack.resource-development - attack.t1587.001 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: file_event diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml index b535650171c..6eb4fcc37b4 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml @@ -7,10 +7,10 @@ references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/10/25 +date: 2023-10-25 tags: - - attack.command_and_control - - detection.threat_hunting + - attack.command-and-control + - detection.threat-hunting logsource: category: file_event product: windows diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml index 4f0a3c60c47..696765cc497 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml 
@@ -10,12 +10,12 @@ references: - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462 - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 author: Micah Babinski -date: 2023/08/21 +date: 2023-08-21 tags: - - attack.initial_access + - attack.initial-access - attack.t1584 - attack.t1566 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: file_event diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml index 1f663fc292c..6db891ec2f8 100644 --- a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml +++ b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml @@ -7,12 +7,12 @@ references: - https://twitter.com/ffforward/status/1481672378639912960 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location author: frack113 -date: 2022/02/19 -modified: 2023/11/11 +date: 2022-02-19 +modified: 2023-11-11 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1036.008 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: file_rename diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml b/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml index f407340e9ab..f2f7a0b5745 100644 --- a/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml +++ b/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml 
@@ -7,13 +7,13 @@ references: - https://github.com/TheD1rkMtr/AMSI_patch - https://github.com/surya-dev-singh/AmsiBypass-OpenSession author: frack113 -date: 2023/03/12 -modified: 2023/12/18 +date: 2023-03-12 +modified: 2023-12-18 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.impact - attack.t1490 - - detection.threat_hunting + - detection.threat-hunting logsource: category: image_load product: windows diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml b/rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml index aaa0a894725..545605a972b 100644 --- a/rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml +++ b/rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml @@ -14,12 +14,12 @@ references: - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 author: Perez Diego (@darkquassar), oscd.community, Ecco -date: 2019/10/27 -modified: 2024/03/01 +date: 2019-10-27 +modified: 2024-03-01 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 - - detection.threat_hunting + - detection.threat-hunting logsource: category: image_load product: windows diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml b/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml index a7988aaaacb..b8e96e32988 100644 --- a/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml +++ b/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml 
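Review bot: In the first hunk (image_load_dll_amsi_uncommon_process.yml) the rewritten tag list still carries `attack.impact` and `attack.t1490`; T1490 is Inhibit System Recovery, which does not fit a rule whose references are AMSI patching and bypass tooling (`AMSI_patch`, `AmsiBypass-OpenSession`). Since the commit is already touching these tag lines, this is the moment to replace them with the Impair Defenses mapping, e.g. `- attack.t1562.001` under the existing `- attack.defense-evasion`, and drop `- attack.impact` unless there is a reason for it that the hunk does not show. The detection block is outside the hunk, so I have not verified what the rule actually matches.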
@@ -6,12 +6,12 @@ references: - https://github.com/OTRF/detection-hackathon-apt29/issues/16 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/05/02 -modified: 2023/02/22 +date: 2020-05-02 +modified: 2023-02-22 tags: - attack.collection - attack.t1113 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: image_load diff --git a/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml b/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml index aeb45f6b292..37f47cd15a9 100644 --- a/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml +++ b/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml @@ -5,11 +5,11 @@ description: Detects Microsoft Excel loading an Add-In (.xll) file references: - https://www.mandiant.com/resources/blog/lnk-between-browsers author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/12 +date: 2023-05-12 tags: - attack.execution - attack.t1204.002 - - detection.threat_hunting + - detection.threat-hunting logsource: category: image_load product: windows diff --git a/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml b/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml index ca3d39063bc..83216e9d32e 100644 --- a/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml +++ b/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml 
@@ -7,11 +7,11 @@ references: - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence - https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file author: Steffen Rogge (dr0pd34d) -date: 2024/07/10 +date: 2024-07-10 tags: - attack.execution - attack.t1204.002 - - detection.threat_hunting + - detection.threat-hunting logsource: category: image_load product: windows diff --git a/rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml b/rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml index d8ff52fd177..5ee453754c4 100644 --- a/rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml +++ b/rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml @@ -5,12 +5,12 @@ description: Detects WMI modules being loaded by an uncommon process references: - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/10 -modified: 2023/12/11 +date: 2019-08-10 +modified: 2023-12-11 tags: - attack.execution - attack.t1047 - - detection.threat_hunting + - detection.threat-hunting logsource: category: image_load product: windows diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml index 81398e3364d..9ed2da51da6 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml 
@@ -5,12 +5,12 @@ description: Detects network connections from "dfsvc.exe" used to handled ClickO references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/06/12 -modified: 2024/03/12 +date: 2023-06-12 +modified: 2024-03-12 tags: - attack.execution - attack.t1203 - - detection.threat_hunting + - detection.threat-hunting logsource: category: network_connection product: windows diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml index f1c77fe1e04..8e4edf95401 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml @@ -5,8 +5,8 @@ description: Detects an initiated network connection over uncommon ports from "d references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/06/12 -modified: 2024/01/31 +date: 2023-06-12 +modified: 2024-01-31 tags: - attack.execution - attack.t1203 diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml index 844c7f35293..2c2ddb189d5 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml 
@@ -9,14 +9,14 @@ references: - https://redcanary.com/blog/child-processes/ - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 author: bartblaze -date: 2020/07/13 -modified: 2024/07/16 +date: 2020-07-13 +modified: 2024-07-16 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - attack.execution - attack.t1559.001 - - detection.threat_hunting + - detection.threat-hunting logsource: category: network_connection product: windows diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml index 0f7387bf59c..5bdef359f8f 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml @@ -10,11 +10,11 @@ references: - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/10/05 +date: 2022-10-05 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.001 - - detection.threat_hunting + - detection.threat-hunting logsource: category: network_connection product: windows diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml index 245440121c2..a3a3c54f74a 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml 
@@ -9,12 +9,12 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md author: frack113 -date: 2022/01/16 -modified: 2024/07/16 +date: 2022-01-16 +modified: 2024-07-16 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.007 - - detection.threat_hunting + - detection.threat-hunting logsource: category: network_connection product: windows diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml index ead5c6ac5f5..cfc045bbef7 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml @@ -8,12 +8,12 @@ description: | references: - https://www.youtube.com/watch?v=DLtJTxMWZ2o author: Florian Roth (Nextron Systems) -date: 2017/03/13 -modified: 2024/03/13 +date: 2017-03-13 +modified: 2024-03-13 tags: - attack.execution - attack.t1059.001 - - detection.threat_hunting + - detection.threat-hunting logsource: category: network_connection product: windows diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_susp_initaited_public_folder.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_susp_initaited_public_folder.yml index a92a8775c15..310c78f6cb1 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_susp_initaited_public_folder.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_susp_initaited_public_folder.yml 
@@ -11,11 +11,11 @@ description: | references: - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo author: Florian Roth (Nextron Systems) -date: 2024/05/31 +date: 2024-05-31 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 - - detection.threat_hunting + - detection.threat-hunting logsource: category: network_connection product: windows diff --git a/rules-threat-hunting/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml b/rules-threat-hunting/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml index f62db34d5dc..6e4e46fafb8 100644 --- a/rules-threat-hunting/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml +++ b/rules-threat-hunting/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml @@ -9,13 +9,13 @@ references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet author: Thomas Patzke -date: 2017/06/12 -modified: 2022/10/09 +date: 2017-06-12 +modified: 2022-10-09 tags: - attack.execution - attack.t1569.002 - attack.s0029 - - detection.threat_hunting + - detection.threat-hunting logsource: category: pipe_created product: windows diff --git a/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml index 5e3a69fe669..2dc975bf377 100644 --- a/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml +++ b/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml 
@@ -8,12 +8,12 @@ description: Detects alternate PowerShell hosts potentially bypassing detections references: - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/11 -modified: 2023/12/11 +date: 2019-08-11 +modified: 2023-12-11 tags: - attack.execution - attack.t1059.001 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: ps_classic_start diff --git a/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml index 26f140e6631..97ca3b61d96 100644 --- a/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml +++ b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml @@ -6,9 +6,9 @@ references: - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps - https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io -date: 2023/07/13 +date: 2023-07-13 tags: - - detection.threat_hunting + - detection.threat-hunting - attack.discovery - attack.t1518.001 - attack.t1016 diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml index cb5b748326e..8fa81f9354c 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml 
@@ -7,12 +7,12 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md author: Timur Zinniatullin, oscd.community -date: 2019/10/21 -modified: 2023/12/15 +date: 2019-10-21 +modified: 2023-12-15 tags: - attack.exfiltration - attack.t1560 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: ps_script diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml index 3ee22df0d29..3246a0de376 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml @@ -5,11 +5,11 @@ description: Detects PowerShell scripts that try to access the default Windows M references: - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md author: frack113 -date: 2023/07/08 +date: 2023-07-08 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070.008 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: ps_script diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml index 17227ee720a..bee60950fa0 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml 
@@ -11,11 +11,11 @@ references: - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170 - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ author: frack113 -date: 2024/05/10 +date: 2024-05-10 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.004 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: ps_script diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml index ffb78320303..c2e172a7e65 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml @@ -10,11 +10,11 @@ references: - https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2022-ps - https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/ author: frack113 -date: 2023/07/21 +date: 2023-07-21 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1570 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: ps_script diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml index e1c0d42dc99..98c60418a3e 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml 
@@ -8,12 +8,12 @@ description: Detects PowerShell scripts with potential registry reconnaissance c references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md author: frack113 -date: 2023/07/02 +date: 2023-07-02 tags: - attack.discovery - attack.t1012 - attack.t1007 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: ps_script diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml index 589b0c165b5..19dbde591bf 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml @@ -6,12 +6,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7 author: frack113 -date: 2022/01/15 -modified: 2022/03/17 +date: 2022-01-15 +modified: 2022-03-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070.004 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: ps_script diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml index 0c77e186ae1..a46eaaf1e77 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml 
@@ -12,12 +12,12 @@ description: Detects calls to WinAPI libraries from PowerShell scripts. Attacker references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems) -date: 2023/07/21 +date: 2023-07-21 tags: - attack.execution - attack.t1059.001 - attack.t1106 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: ps_script diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml index 1cda9898eff..0a7df5b9ca3 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml @@ -12,12 +12,12 @@ description: Detects calls to WinAPI functions from PowerShell scripts. Attacker references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems) -date: 2023/07/21 +date: 2023-07-21 tags: - attack.execution - attack.t1059.001 - attack.t1106 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: ps_script diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml index bbf75c211f7..203d037826a 100644 --- a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml +++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml 
@@ -2,7 +2,7 @@ title: Potential Credential Dumping Attempt Via PowerShell
 id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
 related:
 - id: 3f07b9d1-2082-4c56-9277-613a621983cc
- type: obsoletes
+ type: obsolete
 - id: fb656378-f909-47c1-8747-278bf09f4f4f
 type: similar
 status: test
@@ -10,12 +10,12 @@ description: Detects a PowerShell process requesting access to "lsass.exe", whic
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2023/11/28
+date: 2020-10-06
+modified: 2023-11-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: process_access
diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml
index 8176e25aee1..76ca3d3d8f1 100644
--- a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml
+++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml
@@ -9,10 +9,10 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
-date: 2021/11/27
-modified: 2023/12/06
+date: 2021-11-27
+modified: 2023-12-06
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
 logsource:
diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml
index a29743a9c21..e66a60230a0 100644
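Review bot: The `tags` list of proc_access_win_lsass_susp_source_process.yml (the last hunk here) ends at `attack.s0002` and carries no `detection.threat-hunting` tag, although the file sits under rules-threat-hunting and the sibling rules in this commit all get that tag renamed; the same gap is visible in proc_creation_win_boinc_execution.yml, proc_creation_win_conhost_headless_execution.yml and proc_creation_win_powershell_new_netfirewallrule_allow.yml, the last of which has no `tags` block between `date` and `logsource` at all. If that tag is what the repository's validators or downstream tooling use to classify threat-hunting rules, this tag-rename sweep is the natural place to add `    - detection.threat-hunting` to those four rules. If the tag is genuinely optional, a one-line comment in each rule saying why it is omitted would keep the next consistency pass from flagging them again.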
--- a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml
+++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml
@@ -2,7 +2,7 @@ title: Uncommon GrantedAccess Flags On LSASS
 id: 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
 related:
 - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
 references:
@@ -12,13 +12,13 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
-date: 2022/03/13
-modified: 2023/11/30
+date: 2022-03-13
+modified: 2023-11-30
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_access
 product: windows
diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml b/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml
index b7ec400670f..9d5f38714ba 100644
--- a/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml
+++ b/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml
@@ -5,13 +5,13 @@ description: Detects potential shellcode injection as seen used by tools such as
 references:
 - https://github.com/EmpireProject/PSInject
 author: Bhabesh Raj
-date: 2022/03/11
-modified: 2024/07/02
+date: 2022-03-11
+modified: 2024-07-02
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_access
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
index d09b0e94f04..4d594d4bcc6 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
@@ -5,12 +5,12 @@ description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to ex
 references:
 - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/10
-modified: 2024/07/16
+date: 2023-03-10
+modified: 2024-07-16
 tags:
 - attack.collection
 - attack.t1560.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
index 8bd8375afd3..91b43c38600 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
@@ -10,12 +10,12 @@ references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
 - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
 author: frack113
-date: 2022/02/04
-modified: 2023/03/14
+date: 2022-02-04
+modified: 2023-03-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
index b0a227f3759..b2778eabe94 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
@@ -8,10 +8,10 @@ references:
 - https://boinc.berkeley.edu/
 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
 author: Matt Anderson (Huntress)
-date: 2024/07/23
+date: 2024-07-23
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553
 logsource:
 category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml
index aa6c72620f7..55f6e988c49 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml
@@ -10,12 +10,12 @@ description: |
 references:
 - https://ss64.com/nt/syntax-redirection.html
 author: frack113
-date: 2022/01/22
-modified: 2024/03/19
+date: 2022-01-22
+modified: 2024-03-19
 tags:
 - attack.discovery
 - attack.t1082
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
index e3a10f28f4e..d87ce4179d1 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
@@ -10,9 +10,9 @@ description: |
 references:
 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/23
+date: 2024-07-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1059.001
 - attack.t1059.003
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml
index bfcd0d25495..68dd42702d0 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml
@@ -11,11 +11,11 @@ references:
 - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
 - https://twitter.com/gN3mes1s/status/1206874118282448897
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/02
+date: 2023-08-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.004
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml
index ae6d38c1586..11a02e00f0b 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml
@@ -10,12 +10,12 @@ description: Detects file download using curl.exe
 references:
 - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
 author: Florian Roth (Nextron Systems)
-date: 2022/07/05
-modified: 2023/02/21
+date: 2022-07-05
+modified: 2023-02-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_execution.yml
index 204c7c21985..5199f389052 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_execution.yml
@@ -8,12 +8,12 @@ description: Detects a curl process start on Windows, which could indicates a fi
 references:
 - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
 author: Florian Roth (Nextron Systems)
-date: 2022/07/05
-modified: 2023/02/21
+date: 2022-07-05
+modified: 2023-02-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
index 62673a95f60..98ad58c77a4 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
@@ -8,13 +8,13 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
 - https://curl.se/docs/manpage.html
 author: Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)
-date: 2020/07/03
-modified: 2023/05/02
+date: 2020-07-03
+modified: 2023-05-02
 tags:
 - attack.exfiltration
 - attack.t1567
 - attack.t1105
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_useragent.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_useragent.yml
index 0822c3f4dc9..639d1767eb0 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_useragent.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_useragent.yml
@@ -6,12 +6,12 @@ references:
 - https://curl.se/docs/manpage.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
 author: frack113
-date: 2022/01/23
-modified: 2023/02/21
+date: 2022-01-23
+modified: 2023-02-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml
index c9a79e1f3fd..8b60e8d805b 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml
@@ -5,11 +5,11 @@ description: Detects child processes of "dfsvc" which indicates a ClickOnce depl
 references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/12
+date: 2023-06-12
 tags:
 - attack.execution
- - attack.defense_evasion
- - detection.threat_hunting
+ - attack.defense-evasion
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml
index 1ab85af2c8a..153e3b3c4b4 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml
@@ -17,12 +17,12 @@ references:
 - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
 author: Harjot Singh @cyb3rjy0t
-date: 2023/09/15
+date: 2023-09-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.execution
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml
index a37c0af1407..baf4ce03af2 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml
@@ -18,13 +18,13 @@ references:
 - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
 author: Ivan Dyachkov, oscd.community
-date: 2020/10/07
-modified: 2024/03/13
+date: 2020-10-07
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.execution
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml
index f6c3175fafc..3d52b839a36 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml
@@ -10,12 +10,12 @@ references:
 - https://twitter.com/CyberRaiju/status/1273597319322058752
 - https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/
 author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
-date: 2020/10/05
-modified: 2024/06/21
+date: 2020-10-05
+modified: 2024-06-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml
index ad3536933bd..a35cec479a8 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml
@@ -6,11 +6,11 @@ references:
 - https://steflan-security.com/windows-privilege-escalation-credential-harvesting/
 - https://adsecurity.org/?p=2288
 author: Josh Nickels
-date: 2023/05/18
+date: 2023-05-18
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
index 2587e50c187..f8d49065d19 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
@@ -11,11 +11,11 @@ references:
 - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
 - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/02/05
+date: 2024-02-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml
index 3a74bf6392b..9857b40668f 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml
@@ -13,11 +13,11 @@ references:
 - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
 - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
 author: Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/01/19
+date: 2024-01-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml
index c365ccaeaa7..91204396735 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml
@@ -9,8 +9,8 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe
 author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
-date: 2019/01/16
-modified: 2022/07/11
+date: 2019-01-16
+modified: 2022-07-11
 tags:
 - attack.discovery
 - attack.t1007
@@ -22,10 +22,10 @@ tags:
 - attack.t1069.002
 - attack.t1087.001
 - attack.t1087.002
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.s0039
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml
index 3dc27858d88..3e4ecb4313d 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml
@@ -9,11 +9,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md
 - https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/
 author: frack113
-date: 2023/07/21
+date: 2023-07-21
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1570
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml
index dfc1a5c21ae..6846eb04ba7 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml
@@ -8,12 +8,12 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic
 - https://github.com/med0x2e/vba2clr
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/13
-modified: 2023/12/19
+date: 2022-10-13
+modified: 2023-12-19
 tags:
 - attack.execution
- - attack.defense_evasion
- - detection.threat_hunting
+ - attack.defense-evasion
+ - detection.threat-hunting
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml
index 15b6d4dcc4f..c6e7bd3f6f6 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml
@@ -5,12 +5,12 @@ description: Detects unusually long PowerShell command lines with a length of 10
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2023/04/14
+date: 2020-10-06
+modified: 2023-04-14
 tags:
 - attack.execution
 - attack.t1059.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
index 141304cc4dd..0c086f5f2b5 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
@@ -10,12 +10,12 @@ references:
 - https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
 - https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
 author: Andreas Braathen (mnemonic.io)
-date: 2023/12/01
+date: 2023-12-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1059.001
 - attack.t1027.010
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
index 2779d662318..d5881c60f7c 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
@@ -6,11 +6,11 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/09
-modified: 2023/12/01
+date: 2023-05-09
+modified: 2023-12-01
 tags:
 - attack.execution
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
index 26a029b1658..cdec6d92c52 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
@@ -11,7 +11,7 @@ references:
 - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
 - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
 author: frack113
-date: 2024/05/03
+date: 2024-05-03
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
index 36105803233..33c15cca9c8 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
@@ -7,12 +7,12 @@ description: |
 references:
 - https://twitter.com/ankit_anubhav/status/1518835408502620162
 author: Florian Roth (Nextron Systems), Tim Shelton
-date: 2022/04/26
-modified: 2024/07/16
+date: 2022-04-26
+modified: 2024-07-16
 tags:
 - attack.execution
 - attack.t1059.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
index 3acfdf49847..599882c5b24 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
@@ -13,11 +13,11 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
 - https://ss64.com/nt/regsvr32.html
 author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/17
+date: 2023-10-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml
index 957437465c7..432593f2bdd 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml
@@ -12,11 +12,11 @@ description: |
 references:
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/23
-modified: 2024/02/26
+date: 2024-02-23
+modified: 2024-02-26
 tags:
 - attack.execution
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
index bf4274cce00..2ad6fc2d477 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
@@ -8,12 +8,12 @@ references:
 - https://twitter.com/cyb3rops/status/1186631731543236608
 - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
 author: Florian Roth (Nextron Systems)
-date: 2019/10/22
-modified: 2024/07/16
+date: 2019-10-22
+modified: 2024-07-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
index f38872e0767..7fa3c27662c 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
@@ -11,11 +11,11 @@ references:
 - https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
 - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
 author: Andreas Braathen (mnemonic.io)
-date: 2023/10/17
+date: 2023-10-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml
index 39b21139e76..0e521cbb888 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml
@@ -5,12 +5,12 @@ description: Detects execution of "sc.exe" to query information about registered
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery
 author: frack113
-date: 2021/12/06
-modified: 2024/02/08
+date: 2021-12-06
+modified: 2024-02-08
 tags:
 - attack.discovery
 - attack.t1007
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
index fb27e0f1c2a..647f988983d 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
@@ -7,12 +7,12 @@ description: |
 references:
 - https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/
 author: Florian Roth (Nextron Systems)
-date: 2022/02/23
-modified: 2024/05/13
+date: 2022-02-23
+modified: 2024-05-13
 tags:
 - attack.execution
 - attack.t1053.005
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml
index 271528a27a9..17d10b745f7 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml
@@ -5,12 +5,12 @@ description: Detects potentially suspicious command line arguments of common dat
 references:
 - https://twitter.com/SBousseaden/status/1184067445612535811
 author: Florian Roth (Nextron Systems), Samir Bousseaden
-date: 2019/10/15
-modified: 2023/08/29
+date: 2019-10-15
+modified: 2023-08-29
 tags:
 - attack.collection
 - attack.t1560.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
index 1f7e0e41f74..90c97d973d5 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
@@ -9,13 +9,13 @@ description: |
 references:
 - https://github.com/Wh04m1001/SysmonEoP
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2023/11/23
+date: 2023-11-23
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml
index b6b6ca91c8a..7f5a1827a69 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml
@@ -12,12 +12,12 @@ references:
 - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/20
-modified: 2024/01/24
+date: 2023-11-20
+modified: 2024-01-24
 tags:
 - attack.t1552
- - attack.credential_access
- - detection.threat_hunting
+ - attack.credential-access
+ - detection.threat-hunting
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
index bd178338a5f..0aa29848166 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
@@ -7,12 +7,12 @@ description: |
 references:
 - https://twitter.com/Kostastsale/status/1565257924204986369
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/01
-modified: 2023/03/02
+date: 2022-09-01
+modified: 2023-03-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml
index a6069d00a68..e367284d8a6 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml
@@ -6,12 +6,12 @@ description: |
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2019/01/16
-modified: 2024/01/18
+date: 2019-01-16
+modified: 2024-01-18
 tags:
 - attack.persistence
 - attack.t1505.003
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml
index be399292008..d9bf88a93ab 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml
@@ -5,15 +5,15 @@ description: Detects the execution of well known tools that can be abused for da
 author: Daniil Yugoslavskiy, oscd.community
 references:
 - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
-date: 2019/10/24
-modified: 2024/01/18
+date: 2019-10-24
+modified: 2024-01-18
 tags:
 - attack.exfiltration
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1041
 - attack.t1572
 - attack.t1071.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
index 09435200619..b65cefdc208 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
@@ -7,12 +7,12 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
 - https://github.com/swagkarna/Defeat-Defender-V1.2.0
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/23
-modified: 2023/11/21
+date: 2019-10-23
+modified: 2023-11-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml
index 6a1d451ff79..cd49e96d9ea 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml
@@ -7,12 +7,12 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
 author: frack113
-date: 2021/12/26
-modified: 2023/11/06
+date: 2021-12-26
+modified: 2023-11-06
 tags:
 - attack.impact
 - attack.t1489
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml
index 03c3bcec0fc..3d64fc060e8 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml
@@ -5,12 +5,12 @@ description: Adversaries may attempt to get information about running processes
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist
 author: frack113
-date: 2021/12/11
-modified: 2022/12/25
+date: 2021-12-11
+modified: 2022-12-25
 tags:
 - attack.discovery
 - attack.t1057
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
index ebf0769598d..0821f2af420 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
@@ -16,12 +16,12 @@ references:
 - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
 - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/12/19
+date: 2023-12-19
 updated: 2024/01/15
 tags:
 - attack.discovery
 - attack.t1082
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
index d8f7b21ddfc..949c14dd827 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
@@ -2,7 +2,7 @@ title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
 id: 1e33157c-53b1-41ad-bbcc-780b80b58288
 related:
 - id: 23250293-eed5-4c39-b57a-841c8933a57d
- type: obsoletes
+ type: obsolete
 - id: cea72823-df4d-4567-950c-0b579eaf0846
 type: derived
 status: test
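Review bot: The context line `updated: 2024/01/15` in proc_creation_win_wmic_recon_system_info.yml survives the sweep untouched, so this rule now mixes the new ISO `date` with a slash-formatted value under a key (`updated`) that is not the Sigma field name for a modification timestamp (`modified` is used everywhere else in this diff). It should become `modified: 2024-01-15`, both so the date format is consistent within the file and so the modification date is visible to tooling that keys on `modified`. A quick grep for `^updated:` across the rule tree is probably worthwhile, since an automated date rewrite that only matched `date`/`modified` would miss any other occurrences the same way.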
@@ -11,13 +11,13 @@ references:
 - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
 - https://redcanary.com/blog/gootloader/
 author: Michael Haag
-date: 2019/01/16
-modified: 2023/05/15
+date: 2019-01-16
+modified: 2023-05-15
 tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml
index 9a73274ebc2..bafbd689edb 100644
--- a/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml
+++ b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml
@@ -6,15 +6,15 @@ references:
 - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
 - https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
 author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
-date: 2023/09/27
+date: 2023-09-27
 tags:
 - attack.execution
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.s0111
 - attack.t1053.005
 - car.2013-08-001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: registry_event
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
index aae279cb70e..3d0365a1218 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
@@ -8,12 +8,12 @@ description: Detects changes to the registry keys related to "Trusted Location"
 references:
 - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/21
-modified: 2023/08/17
+date: 2023-06-21
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: registry_set
 product: windows
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
index 843ab1db2fa..9dcd72d35a9 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -9,13 +9,13 @@ references:
 - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
 - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
 author: Andreas Braathen (mnemonic.io)
-date: 2023/12/01
+date: 2023-12-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1059.001
 - attack.t1027.010
 - attack.t1547.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: registry_set
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
index 57b81304175..3ec4f793b5b 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
@@ -2,7 +2,7 @@ title: Service Binary in User Controlled Folder
 id: 277dc340-0540-42e7-8efb-5ff460045e07
 related:
 - id: 277dc340-0540-42e7-8efb-5ff460045e07
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
@@ -12,12 +12,12 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/05/02
-modified: 2024/03/25
+date: 2022-05-02
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: registry_set
 product: windows
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml
index c563c2cfc20..138f44b31d7 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml
@@ -5,10 +5,10 @@ description: Detects changes to shell context menu commands. Use this rule to hu
 references:
 - https://mrd0x.com/sentinelone-persistence-via-menu-context/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/03/06
+date: 2024-03-06
 tags:
 - attack.persistence
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/application/django/appframework_django_exceptions.yml b/rules/application/django/appframework_django_exceptions.yml
index 8042c1fb8c4..6b6b08ca2c3 100644
--- a/rules/application/django/appframework_django_exceptions.yml
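Review bot: In the first hunk of registry_set_service_image_path_user_controlled_folder.yml the `related` entry carries `id: 277dc340-0540-42e7-8efb-5ff460045e07`, which is the rule's own `id` two lines above, so after the `obsoletes` -> `obsolete` rename the rule declares that it obsoletes itself. The related id should be the UUID of the rule this one actually replaced, or the `related` block should be removed if there is none; a self-reference will mislead any tooling that follows the obsolete chain to retire or deduplicate rules. It would be cheap to add a validator check that a `related[].id` never equals the enclosing rule's `id`, which would have caught this during the sweep.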
+++ b/rules/application/django/appframework_django_exceptions.yml
@@ -6,10 +6,10 @@ references:
 - https://docs.djangoproject.com/en/1.11/ref/exceptions/
 - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
 author: Thomas Patzke
-date: 2017/08/05
-modified: 2020/09/01
+date: 2017-08-05
+modified: 2020-09-01
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
index 7a2cc3b397e..27eed567755 100644
--- a/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
+++ b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
@@ -6,9 +6,9 @@ references:
 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 - https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/jvm/java_local_file_read.yml b/rules/application/jvm/java_local_file_read.yml
index c271a0fe2a2..ef1d8ae886b 100644
--- a/rules/application/jvm/java_local_file_read.yml
+++ b/rules/application/jvm/java_local_file_read.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml
index 9154fb000da..2e833a53c82 100644
--- a/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml
+++ b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml
@@ -8,12 +8,12 @@ description: |
 references:
 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2017.5638
- - cve.2022.26134
+ - cve.2017-5638
+ - cve.2022-26134
 logsource:
 category: application
 product: jvm
diff --git a/rules/application/jvm/java_rce_exploitation_attempt.yml b/rules/application/jvm/java_rce_exploitation_attempt.yml
index 3d122585c71..88de8c22b21 100644
--- a/rules/application/jvm/java_rce_exploitation_attempt.yml
+++ b/rules/application/jvm/java_rce_exploitation_attempt.yml
@@ -5,9 +5,9 @@ description: Detects process execution related exceptions in JVM based apps, oft
 references:
 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/jvm/java_xxe_exploitation_attempt.yml b/rules/application/jvm/java_xxe_exploitation_attempt.yml
index 95689d5aa3e..2049fdfd3b4 100644
--- a/rules/application/jvm/java_xxe_exploitation_attempt.yml
+++ b/rules/application/jvm/java_xxe_exploitation_attempt.yml
@@ -7,9 +7,9 @@ references:
 - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
index eaae8522036..49a30944206 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
@@ -10,11 +10,11 @@ references:
 - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
 - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
 author: kelnage
-date: 2024/07/11
+date: 2024-07-11
 tags:
 - attack.persistence
 - attack.t1078
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 - attack.t1552.007
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml b/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml
index b36ff1d3055..bba85418986 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml
@@ -12,10 +12,10 @@ references:
 - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
 - https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
 author: kelnage
-date: 2024/07/11
+date: 2024-07-11
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.execution
 logsource:
 product: kubernetes
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
index 09a4e75db4b..4663c8029aa 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.t1498
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml
index 0bf5fc60a9f..d7dafc6eb7a 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml
@@ -10,7 +10,7 @@ description: |
 references:
 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.t1070
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
index 1e4b37253a9..8c6ca815397 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
@@ -6,7 +6,7 @@ description: |
 references:
 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.t1609
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
index f4b074a18e2..fe9e05c30ef 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
@@ -9,7 +9,7 @@ references:
 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
 - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.t1611
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
index dc9877f1ed9..512c0e2fba8 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
@@ -9,7 +9,7 @@ description: |
 references:
 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.t1036.005
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
index ccdcff12f63..a9a04702bed 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
@@ -11,7 +11,7 @@ references:
 - https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
 - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.t1611
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
index 0e41fb7c2d9..cefd4c4b86c 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
@@ -9,7 +9,7 @@ description: |
 references:
 - https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.t1069.003
 - attack.t1087.004
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml b/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml
index 04d6a861ff8..d1f141b0c86 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml
@@ -10,9 +10,9 @@ references:
 - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
 - https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
 author: kelnage
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: kubernetes
 service: audit
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml
index 6dc529595c0..0dc2b66d1af 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml
@@ -8,7 +8,7 @@ description: Detects enumeration of Kubernetes secrets.
 references:
 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.t1552.007
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml
index 822e7ce27da..2dda1ef23b8 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml
@@ -10,9 +10,9 @@ references:
 - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
 - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
 author: kelnage
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: kubernetes
 service: audit
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml b/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml
index 7316b841069..6c41efac815 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml
@@ -9,7 +9,7 @@ description: |
 references:
 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.t1136
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml
index e2bdefd17e3..4ff32df2898 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml
@@ -10,7 +10,7 @@ references:
 - https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.t1609
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml b/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml
index da021782b3c..a564e870815 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml
@@ -8,9 +8,9 @@ references:
 - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
 - https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
 author: kelnage
-date: 2024/04/12
+date: 2024-04-12
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: kubernetes
 service: audit
diff --git a/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml
index 95f812860ac..f9956d91dd5 100644
--- a/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml
+++ b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml
@@ -5,9 +5,9 @@ description: Detects process execution related errors in NodeJS. If the exceptio
 references:
 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/opencanary/opencanary_ftp_login_attempt.yml b/rules/application/opencanary/opencanary_ftp_login_attempt.yml
index 5de2b206d2e..46632d2320b 100644
--- a/rules/application/opencanary/opencanary_ftp_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_ftp_login_attempt.yml
@@ -6,9 +6,9 @@ references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.exfiltration
 - attack.t1190
 - attack.t1021
diff --git a/rules/application/opencanary/opencanary_git_clone_request.yml b/rules/application/opencanary/opencanary_git_clone_request.yml
index f361cc86adb..cb928c35577 100644
--- a/rules/application/opencanary/opencanary_git_clone_request.yml
+++ b/rules/application/opencanary/opencanary_git_clone_request.yml
@@ -6,7 +6,7 @@ references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
 - attack.collection
 - attack.t1213
diff --git a/rules/application/opencanary/opencanary_http_get.yml b/rules/application/opencanary/opencanary_http_get.yml
index 11886a7e915..c65cc666337 100644
--- a/rules/application/opencanary/opencanary_http_get.yml
+++ b/rules/application/opencanary/opencanary_http_get.yml
@@ -6,9 +6,9 @@ references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/opencanary/opencanary_http_post_login_attempt.yml b/rules/application/opencanary/opencanary_http_post_login_attempt.yml
index bf5d4a219ba..1bc99bf01aa 100644
--- a/rules/application/opencanary/opencanary_http_post_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_http_post_login_attempt.yml
@@ -7,9 +7,9 @@ references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
index 93ee36d5990..20693573c29 100644
--- a/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
@@ -7,10 +7,10 @@ references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
- - attack.initial_access
- - attack.defense_evasion
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.t1090
 logsource:
 category: application
diff --git a/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml b/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml
index 045feea7a18..66e236c2620 100644
--- a/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml
+++ b/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml
@@ -7,9 +7,9 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
diff --git a/rules/application/opencanary/opencanary_mssql_login_winauth.yml b/rules/application/opencanary/opencanary_mssql_login_winauth.yml
index af3443b4153..a731303ab90 100644
--- a/rules/application/opencanary/opencanary_mssql_login_winauth.yml
+++ b/rules/application/opencanary/opencanary_mssql_login_winauth.yml
@@ -7,9 +7,9 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
diff --git a/rules/application/opencanary/opencanary_mysql_login_attempt.yml b/rules/application/opencanary/opencanary_mysql_login_attempt.yml
index 17185498044..405c03c8604 100644
--- a/rules/application/opencanary/opencanary_mysql_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_mysql_login_attempt.yml
@@ -6,9 +6,9 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
diff --git a/rules/application/opencanary/opencanary_ntp_monlist.yml b/rules/application/opencanary/opencanary_ntp_monlist.yml
index 403d4f58f76..e6ae4e0d9ba 100644
--- a/rules/application/opencanary/opencanary_ntp_monlist.yml
+++ b/rules/application/opencanary/opencanary_ntp_monlist.yml
@@ -6,7 +6,7 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- attack.impact
- attack.t1498
diff --git a/rules/application/opencanary/opencanary_redis_command.yml b/rules/application/opencanary/opencanary_redis_command.yml
index 8f72baca5d9..9a18bee4af8 100644
--- a/rules/application/opencanary/opencanary_redis_command.yml
+++ b/rules/application/opencanary/opencanary_redis_command.yml
@@ -6,9 +6,9 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
diff --git a/rules/application/opencanary/opencanary_sip_request.yml b/rules/application/opencanary/opencanary_sip_request.yml
index 12388c79be8..56f71242ab1 100644
--- a/rules/application/opencanary/opencanary_sip_request.yml
+++ b/rules/application/opencanary/opencanary_sip_request.yml
@@ -6,7 +6,7 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- attack.collection
- attack.t1123
diff --git a/rules/application/opencanary/opencanary_smb_file_open.yml b/rules/application/opencanary/opencanary_smb_file_open.yml
index 543a490d3e8..7c12e2563e2 100644
--- a/rules/application/opencanary/opencanary_smb_file_open.yml
+++ b/rules/application/opencanary/opencanary_smb_file_open.yml
@@ -6,9 +6,9 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.collection
- attack.t1021
- attack.t1005
diff --git a/rules/application/opencanary/opencanary_snmp_cmd.yml b/rules/application/opencanary/opencanary_snmp_cmd.yml
index 26a207ce5ff..deb9ee93584 100644
--- a/rules/application/opencanary/opencanary_snmp_cmd.yml
+++ b/rules/application/opencanary/opencanary_snmp_cmd.yml
@@ -6,10 +6,10 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- attack.discovery
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.t1016
- attack.t1021
logsource:
diff --git a/rules/application/opencanary/opencanary_ssh_login_attempt.yml b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
index 1e7a6691c5a..431b5fe18eb 100644
--- a/rules/application/opencanary/opencanary_ssh_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
@@ -6,10 +6,10 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- - attack.initial_access
- - attack.lateral_movement
+ - attack.initial-access
+ - attack.lateral-movement
- attack.persistence
- attack.t1133
- attack.t1021
diff --git a/rules/application/opencanary/opencanary_ssh_new_connection.yml b/rules/application/opencanary/opencanary_ssh_new_connection.yml
index eba6b2a9ede..223bcd0e1c5 100644
--- a/rules/application/opencanary/opencanary_ssh_new_connection.yml
+++ b/rules/application/opencanary/opencanary_ssh_new_connection.yml
@@ -6,10 +6,10 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- - attack.initial_access
- - attack.lateral_movement
+ - attack.initial-access
+ - attack.lateral-movement
- attack.persistence
- attack.t1133
- attack.t1021
diff --git a/rules/application/opencanary/opencanary_telnet_login_attempt.yml b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
index c3f853d7199..f3bb08fabd8 100644
--- a/rules/application/opencanary/opencanary_telnet_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
@@ -6,10 +6,10 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- - attack.initial_access
- - attack.command_and_control
+ - attack.initial-access
+ - attack.command-and-control
- attack.t1133
- attack.t1078
logsource:
diff --git a/rules/application/opencanary/opencanary_tftp_request.yml b/rules/application/opencanary/opencanary_tftp_request.yml
index 0d35635ed7c..dfd59599810 100644
--- a/rules/application/opencanary/opencanary_tftp_request.yml
+++ b/rules/application/opencanary/opencanary_tftp_request.yml
@@ -6,7 +6,7 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- attack.exfiltration
- attack.t1041
diff --git a/rules/application/opencanary/opencanary_vnc_connection_attempt.yml b/rules/application/opencanary/opencanary_vnc_connection_attempt.yml
index 03255b07398..b9b99a2e106 100644
--- a/rules/application/opencanary/opencanary_vnc_connection_attempt.yml
+++ b/rules/application/opencanary/opencanary_vnc_connection_attempt.yml
@@ -6,9 +6,9 @@ references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.t1021
logsource:
category: application
diff --git a/rules/application/python/app_python_sql_exceptions.yml b/rules/application/python/app_python_sql_exceptions.yml
index 2dcda667973..3747365940a 100644
--- a/rules/application/python/app_python_sql_exceptions.yml
+++ b/rules/application/python/app_python_sql_exceptions.yml
@@ -5,10 +5,10 @@ description: Generic rule for SQL exceptions in Python according to PEP 249
references:
- https://www.python.org/dev/peps/pep-0249/#exceptions
author: Thomas Patzke
-date: 2017/08/12
-modified: 2020/09/01
+date: 2017-08-12
+modified: 2020-09-01
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
logsource:
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
index 72daaa379c2..6ac53cc75e2 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.t1053
- attack.t1053.002
logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
index 02bbc17b410..a1ba2edcdee 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
@@ -8,8 +8,8 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- attack.discovery
logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
index eacca06307f..d9cc4500419 100644
--- a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
@@ -8,8 +8,8 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- attack.t1033
- attack.discovery
diff --git a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
index d201aed3de8..6dc013cb5f5 100644
--- a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
@@ -8,10 +8,10 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
index 34dba98f064..5e771c2258b 100644
--- a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
@@ -6,8 +6,8 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- attack.discovery
logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
index 4fc39008f49..23bc57ec4f4 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.t1053
- attack.t1053.002
logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
index da9c85a62d2..c9fc1fe4960 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
@@ -8,8 +8,8 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- attack.discovery
logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
index 7421bda6001..c1c333d017b 100644
--- a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
@@ -10,10 +10,10 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
index 7183cad1b6a..63f73572096 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
@@ -7,10 +7,10 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.t1021.003
- attack.t1047
logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
index da5006fabf0..ecc7d1d5fff 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.t1112
logsource:
product: rpc_firewall
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
index 2d759374551..bed30e219c6 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
@@ -8,8 +8,8 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- attack.discovery
logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
index b1d115149d3..035ec3c18b1 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
@@ -8,10 +8,10 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
index e081565981a..5c0fb86f55e 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.t1569.002
logsource:
product: rpc_firewall
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
index ce90a2426cb..8480cab760a 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.t1053
- attack.t1053.002
logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
index a9eb4ff1525..68bd6857196 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
@@ -8,8 +8,8 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/11/17
+date: 2022-01-01
+modified: 2022-11-17
tags:
- attack.discovery
logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
index 075d48fe4ce..82ee574386a 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
@@ -8,8 +8,8 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- attack.t1087
- attack.discovery
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
index 46dcb6b7097..b5de4dddaee 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
@@ -8,8 +8,8 @@ references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
tags:
- attack.t1033
logsource:
diff --git a/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
index 661780aff01..16ad53536bf 100644
--- a/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
+++ b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
@@ -8,10 +8,10 @@ references:
- https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
- https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
author: Thomas Patzke
-date: 2017/08/06
-modified: 2020/09/01
+date: 2017-08-06
+modified: 2020-09-01
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
logsource:
category: application
diff --git a/rules/application/spring/spring_application_exceptions.yml b/rules/application/spring/spring_application_exceptions.yml
index d6020c98ac5..69140660d7f 100644
--- a/rules/application/spring/spring_application_exceptions.yml
+++ b/rules/application/spring/spring_application_exceptions.yml
@@ -5,10 +5,10 @@ description: Detects suspicious Spring framework exceptions that could indicate
references:
- https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html
author: Thomas Patzke
-date: 2017/08/06
-modified: 2020/09/01
+date: 2017-08-06
+modified: 2020-09-01
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
logsource:
category: application
diff --git a/rules/application/spring/spring_spel_injection.yml b/rules/application/spring/spring_spel_injection.yml
index 4f021ab7e40..ac5414705e9 100644
--- a/rules/application/spring/spring_spel_injection.yml
+++ b/rules/application/spring/spring_spel_injection.yml
@@ -6,9 +6,9 @@ references:
- https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
logsource:
category: application
diff --git a/rules/application/sql/app_sqlinjection_errors.yml b/rules/application/sql/app_sqlinjection_errors.yml
index f7447aefb48..9f287245cec 100644
--- a/rules/application/sql/app_sqlinjection_errors.yml
+++ b/rules/application/sql/app_sqlinjection_errors.yml
@@ -5,10 +5,10 @@ description: Detects SQL error messages that indicate probing for an injection a
references:
- http://www.sqlinjection.net/errors
author: Bjoern Kimminich
-date: 2017/11/27
-modified: 2023/02/12
+date: 2017-11-27
+modified: 2023-02-12
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
logsource:
category: application
diff --git a/rules/application/velocity/velocity_ssti_injection.yml b/rules/application/velocity/velocity_ssti_injection.yml
index b8dbea1c7b8..f5c4674054f 100644
--- a/rules/application/velocity/velocity_ssti_injection.yml
+++ b/rules/application/velocity/velocity_ssti_injection.yml
@@ -6,9 +6,9 @@ references:
- https://antgarsil.github.io/posts/velocity/
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
logsource:
category: application
diff --git a/rules/category/antivirus/av_exploiting.yml b/rules/category/antivirus/av_exploiting.yml
index 78b08f72cc7..f5a4c1a949e 100644
--- a/rules/category/antivirus/av_exploiting.yml
+++ b/rules/category/antivirus/av_exploiting.yml
@@ -8,12 +8,12 @@ references:
- https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
- https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2018/09/09
-modified: 2024/07/17
+date: 2018-09-09
+modified: 2024-07-17
tags:
- attack.execution
- attack.t1203
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1219
logsource:
category: antivirus
diff --git a/rules/category/antivirus/av_hacktool.yml b/rules/category/antivirus/av_hacktool.yml
index a98e084ed92..154a63e98a8 100644
--- a/rules/category/antivirus/av_hacktool.yml
+++ b/rules/category/antivirus/av_hacktool.yml
@@ -6,8 +6,8 @@ references:
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2021/08/16
-modified: 2024/07/17
+date: 2021-08-16
+modified: 2024-07-17
tags:
- attack.execution
- attack.t1204
diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
index a8f289522bb..3e8454bdc0f 100644
--- a/rules/category/antivirus/av_password_dumper.yml
+++ b/rules/category/antivirus/av_password_dumper.yml
@@ -7,10 +7,10 @@ references:
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
- https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems)
-date: 2018/09/09
-modified: 2024/07/17
+date: 2018-09-09
+modified: 2024-07-17
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1003
- attack.t1558
- attack.t1003.001
diff --git a/rules/category/antivirus/av_ransomware.yml b/rules/category/antivirus/av_ransomware.yml
index f8c4ea8d51b..b4fa40e1a20 100644
--- a/rules/category/antivirus/av_ransomware.yml
+++ b/rules/category/antivirus/av_ransomware.yml
@@ -10,8 +10,8 @@ references:
- https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
- https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2022/05/12
-modified: 2023/02/03
+date: 2022-05-12
+modified: 2023-02-03
tags:
- attack.t1486
logsource:
diff --git a/rules/category/antivirus/av_relevant_files.yml b/rules/category/antivirus/av_relevant_files.yml
index da78ffe2371..eaa8530204b 100644
--- a/rules/category/antivirus/av_relevant_files.yml
+++ b/rules/category/antivirus/av_relevant_files.yml
@@ -5,10 +5,10 @@ description: Detects an Antivirus alert in a highly relevant file path or with a
references:
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2018/09/09
-modified: 2024/07/17
+date: 2018-09-09
+modified: 2024-07-17
tags:
- - attack.resource_development
+ - attack.resource-development
- attack.t1588
logsource:
category: antivirus
diff --git a/rules/category/antivirus/av_webshell.yml b/rules/category/antivirus/av_webshell.yml
index 3df9c71ed3a..bd756b6fa5c 100644
--- a/rules/category/antivirus/av_webshell.yml
+++ b/rules/category/antivirus/av_webshell.yml
@@ -16,8 +16,8 @@ references:
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
- https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2018/09/09
-modified: 2024/07/17
+date: 2018-09-09
+modified: 2024-07-17
tags:
- attack.persistence
- attack.t1505.003
diff --git a/rules/category/database/db_anomalous_query.yml b/rules/category/database/db_anomalous_query.yml
index 2810e8541a4..d0c416958a2 100644
--- a/rules/category/database/db_anomalous_query.yml
+++ b/rules/category/database/db_anomalous_query.yml
@@ -3,13 +3,13 @@ id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: test
description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
-date: 2022/12/27
+date: 2022-12-27
references:
- https://github.com/sqlmapproject/sqlmap
tags:
- attack.exfiltration
- - attack.initial_access
- - attack.privilege_escalation
+ - attack.initial-access
+ - attack.privilege-escalation
- attack.t1190
- attack.t1505.001
logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml
index 783dceb324e..2f6237ee89d 100644
--- a/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml
+++ b/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml
@@ -7,10 +7,10 @@ description: |
references:
- https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
author: Austin Songer
-date: 2021/09/23
-modified: 2022/10/09
+date: 2021-09-23
+modified: 2022-10-09
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
logsource:
product: aws
service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml
index eeae3dc7ac5..2d3a442468d 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml
@@ -5,10 +5,10 @@ description: Detects disabling, deleting and updating of a Trail
references:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
author: vitaliy0x1
-date: 2020/01/21
-modified: 2022/10/09
+date: 2020-01-21
+modified: 2022-10-09
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562.001
logsource:
product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
index c57c3fa03d0..9cd318eba44 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
@@ -9,10 +9,10 @@ references:
 - https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
 - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1078
 - attack.t1078.002
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml
index 73f3f9d2c36..0cf8446e3ee 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml
index c252e5a8ff7..fde37df276c 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml
index f82383259b9..def7e7acee9 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml
index 66697f617a8..e12ccff9cf8 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml
index a552c03badb..fee5d6d7a6b 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
index cefc201e17e..26a01f517d6 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1566
 - attack.t1566.002
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml b/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
index ea3d2e7b330..b35bff7e39b 100644
--- a/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
+++ b/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
@@ -5,10 +5,10 @@ description: Detects AWS Config Service disabling
 references:
 - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
 author: vitaliy0x1
-date: 2020/01/21
-modified: 2022/10/09
+date: 2020-01-21
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
index 8e70b1e852d..0cd347efae5 100644
--- a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
+++ b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
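Review bot: The renamed tactic `+ - attack.privilege-escalation` in aws_cloudtrail_ssm_malicious_usage.yml still does not match the techniques listed right under it: `attack.t1566` / `attack.t1566.002` (Phishing / Spearphishing Link) are Initial Access techniques in ATT&CK, and the Elastic rule this one cites is itself named `initial_access_via_system_manager`. As far as I can tell neither the rename nor the validators in this CI set check tactic/technique consistency, so the mismatch survives the migration silently. Since the tag block is already being rewritten, this is the moment to change the tactic line to `- attack.initial-access` (or to add the tactic the techniques actually belong to), so tactic-based filtering of this rule lands it in the right bucket.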
@@ -8,9 +8,9 @@ references:
 - https://github.com/NetSPI/aws_consoler
 - https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
 author: Chester Le Bron (@123Le_Bron)
-date: 2024/02/26
+date: 2024-02-26
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.007
 - attack.t1550.001
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
index c52d5975b10..b4109e543a9 100644
--- a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
@@ -5,10 +5,10 @@ description: Detects an instance of an SES identity being deleted via the "Delet
 references:
 - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
 author: Janantha Marasinghe
-date: 2022/12/13
-modified: 2022/12/28
+date: 2022-12-13
+modified: 2022-12-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml
index e3694277be0..ec6e805d955 100644
--- a/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml
+++ b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml
@@ -5,7 +5,7 @@ description: Detects when S3 bucket versioning is disabled. Threat actors use th
 references:
 - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
 author: Sean Johnstone | Unit 42
-date: 2023/10/28
+date: 2023-10-28
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml b/rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml
index ff2d9cd140e..a57f6d4d364 100644
--- a/rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
 author: Sittikorn S
-date: 2021/06/29
-modified: 2021/08/20
+date: 2021-06-29
+modified: 2021-08-20
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml b/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml
index 8a171545438..82996a92447 100644
--- a/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml
@@ -5,8 +5,8 @@ description: Detects changes to the EC2 instance startup script. The shell scrip
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
 author: faloker
-date: 2020/02/12
-modified: 2022/06/07
+date: 2020-02-12
+modified: 2022-06-07
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml
index 7b4a0e5da6c..5c216ee4c75 100644
--- a/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml
@@ -5,8 +5,8 @@ description: An attempt to export an AWS EC2 instance has been detected. A VM Ex
 references:
 - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
 author: Diogo Braz
-date: 2020/04/16
-modified: 2022/10/05
+date: 2020-04-16
+modified: 2022-10-05
 tags:
 - attack.collection
 - attack.t1005
diff --git a/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml b/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml
index 09eac93acd0..8e83279b5d7 100644
--- a/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml
@@ -9,8 +9,8 @@ references:
 - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
 - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
 author: Darin Smith
-date: 2022/06/07
-modified: 2023/04/24
+date: 2022-06-07
+modified: 2023-04-24
 tags:
 - attack.persistence
 - attack.t1525
diff --git a/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml
index d4df9c3cf24..cc63f74c68f 100644
--- a/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml
+++ b/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
 author: Austin Songer @austinsonger
-date: 2021/08/15
-modified: 2022/10/09
+date: 2021-08-15
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml
index da66ea29aac..989ecd5a689 100644
--- a/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml
+++ b/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Detects when a EFS Fileshare Mount is modified or deleted. An adver
 references:
 - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
 author: Austin Songer @austinsonger
-date: 2021/08/15
-modified: 2022/10/09
+date: 2021-08-15
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml
index 24183547577..4ddccd00256 100644
--- a/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml
+++ b/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when an EKS cluster is created or deleted.
 references:
 - https://any-api.com/amazonaws_com/eks/docs/API_Description
 author: Austin Songer
-date: 2021/08/16
-modified: 2022/10/09
+date: 2021-08-16
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml b/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml
index 415f69cb17b..84368ab44d8 100644
--- a/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml
+++ b/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml
@@ -5,8 +5,8 @@ description: Detects when an ElastiCache security group has been created.
 references:
 - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/10/09
+date: 2021-07-24
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1136
diff --git a/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml
index 8c162d317e8..a842e1da5a3 100644
--- a/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml
+++ b/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when an ElastiCache security group has been modified or
 references:
 - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/10/09
+date: 2021-07-24
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml b/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
index 4287c4a8c7a..237441fcd25 100644
--- a/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
+++ b/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
@@ -10,8 +10,8 @@ references:
 - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
 - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
 author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-date: 2023/01/06
-modified: 2024/07/10
+date: 2023-01-06
+modified: 2024-07-10
 tags:
 - attack.discovery
 - attack.t1580
diff --git a/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml b/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml
index b81f188c40b..cfa960aa093 100644
--- a/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml
@@ -5,10 +5,10 @@ description: Detects updates of the GuardDuty list of trusted IPs, perhaps to di
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
 author: faloker
-date: 2020/02/11
-modified: 2022/10/09
+date: 2020-02-11
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
index 085d768cfa1..e3734e6a985 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py
 author: faloker
-date: 2020/02/12
-modified: 2022/10/09
+date: 2020-02-12
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
index d21df2190e4..ca9d50ae7ac 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
@@ -5,7 +5,7 @@ description: Detects S3 Browser utility performing reconnaissance looking for ex
 references:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
 author: daniel.bohannon@permiso.io (@danielhbohannon)
-date: 2023/05/17
+date: 2023-05-17
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
index abb9586eabe..a31499f9715 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
@@ -5,8 +5,8 @@ description: Detects S3 browser utility creating Inline IAM policy containing de
 references:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
 author: daniel.bohannon@permiso.io (@danielhbohannon)
-date: 2023/05/17
-modified: 2023/05/17
+date: 2023-05-17
+modified: 2023-05-17
 tags:
 - attack.execution
 - attack.t1059.009
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
index 1fd5582964c..fd4bf7a39a3 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
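Review bot: In aws_iam_s3browser_templated_s3_bucket_policy_creation.yml the rewritten `+modified: 2023-05-17` is identical to `+date: 2023-05-17`, so the field records no change and only invites a reader to look for one. Everywhere else in this batch `modified` is either absent or later than `date`, and the two sibling s3browser rules on this same line carry no `modified` at all. Unless one of the validators in the CI set insists on the field being present, dropping the `modified:` line here makes the three sibling rules consistent; if it must stay, it should reflect an actual later edit.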
@@ -5,7 +5,7 @@ description: Detects S3 Browser utility creating IAM User or AccessKey.
 references:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
 author: daniel.bohannon@permiso.io (@danielhbohannon)
-date: 2023/05/17
+date: 2023-05-17
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
index f7b05b387ed..bf87bd659dd 100644
--- a/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
+++ b/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
@@ -6,10 +6,10 @@ references:
 - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
 - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
 author: Austin Songer @austinsonger
-date: 2021/10/03
-modified: 2022/12/18
+date: 2021-10-03
+modified: 2022-12-18
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml b/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml
index c3b990d9df2..db15a891261 100644
--- a/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml
+++ b/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml
@@ -5,8 +5,8 @@ description: Detects the change of database master password. It may be a part of
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
 author: faloker
-date: 2020/02/12
-modified: 2022/10/05
+date: 2020-02-12
+modified: 2022-10-05
 tags:
 - attack.exfiltration
 - attack.t1020
diff --git a/rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml b/rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml
index 597a66a6f06..56ad8e88e63 100644
--- a/rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml
+++ b/rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml
@@ -5,8 +5,8 @@ description: Detects the recovery of a new public database instance from a snaps
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
 author: faloker
-date: 2020/02/12
-modified: 2022/10/09
+date: 2020-02-12
+modified: 2022-10-09
 tags:
 - attack.exfiltration
 - attack.t1020
diff --git a/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml b/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
index 5470622d771..0127c7b60d7 100644
--- a/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
@@ -5,10 +5,10 @@ description: Detects AWS root account usage
 references:
 - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
 author: vitaliy0x1
-date: 2020/01/21
-modified: 2022/10/09
+date: 2020-01-21
+modified: 2022-10-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
index bf738eff0b3..4e809335422 100644
--- a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
+++ b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
@@ -7,11 +7,11 @@ references:
 - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
 - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
 author: Elastic, Austin Songer @austinsonger
-date: 2021/07/22
-modified: 2022/10/09
+date: 2021-07-22
+modified: 2022-10-09
 tags:
 - attack.persistence
- - attack.credential_access
+ - attack.credential-access
 - attack.t1098
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
index 599badbcdc6..9bfe871a868 100644
--- a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
+++ b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
@@ -5,11 +5,11 @@ description: Detects when a request has been made to transfer a Route 53 domain
 references:
 - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
 author: Elastic, Austin Songer @austinsonger
-date: 2021/07/22
-modified: 2022/10/09
+date: 2021-07-22
+modified: 2022-10-09
 tags:
 - attack.persistence
- - attack.credential_access
+ - attack.credential-access
 - attack.t1098
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml b/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml
index 393dbbc73b3..c99611b0752 100644
--- a/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml
+++ b/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml
@@ -11,8 +11,8 @@ references:
 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
 - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/10/09
+date: 2021-07-24
+modified: 2022-10-09
 tags:
 - attack.exfiltration
 - attack.t1537
diff --git a/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml b/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml
index a32ca648666..d92a071d8fb 100644
--- a/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml
+++ b/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml
@@ -5,9 +5,9 @@ description: Detects the modification of the findings on SecurityHub.
 references:
 - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
 author: Sittikorn S
-date: 2021/06/28
+date: 2021-06-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml
index ced4493a53f..eb714338491 100644
--- a/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml
+++ b/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml
@@ -5,8 +5,8 @@ description: Detects the modification of an EC2 snapshot's permissions to enable
 references:
 - https://www.justice.gov/file/1080281/download
 author: Darin Smith
-date: 2021/05/17
-modified: 2021/08/19
+date: 2021-05-17
+modified: 2021-08-19
 tags:
 - attack.exfiltration
 - attack.t1537
diff --git a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
index b9963f627b8..1bb277fc1eb 100644
--- a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
@@ -9,7 +9,7 @@ references:
 - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
 - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
 author: Michael McIntyre @wtfender
-date: 2023/09/27
+date: 2023-09-27
 tags:
 - attack.persistence
 - attack.t1556
diff --git a/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
index bc0615dcfc9..88ce08bd6d3 100644
--- a/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/elastic/detection-rules/pull/1214
 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/10/09
+date: 2021-07-24
+modified: 2022-10-09
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.t1548
 - attack.t1550
 - attack.t1550.001
diff --git a/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
index 817c97a064f..a0dece9ed56 100644
--- a/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/elastic/detection-rules/pull/1213
 - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/10/09
+date: 2021-07-24
+modified: 2022-10-09
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.t1548
 - attack.t1550
 - attack.t1550.001
diff --git a/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml b/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
index 531596e17d2..2d60672a72f 100644
--- a/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
@@ -6,14 +6,14 @@ references:
 - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
 author: Austin Songer
-date: 2021/09/22
-modified: 2022/12/18
+date: 2021-09-22
+modified: 2022-12-18
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1548
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1550
 - attack.t1550.001
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml b/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
index 7c7698b451d..7e9abb1baec 100644
--- a/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
+++ b/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
 author: toffeebr33k
-date: 2021/08/09
-modified: 2024/04/26
+date: 2021-08-09
+modified: 2024-04-26
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml
index 3305905355f..6decf5e45c4 100644
--- a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml
+++ b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://o365blog.com/post/hybridhealthagent/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/08/26
-modified: 2023/10/11
+date: 2021-08-26
+modified: 2023-10-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1578
 logsource:
 product: azure
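Review bot: The three tactic tags rewritten in aws_susp_saml_activity.yml (`+ - attack.initial-access`, `+ - attack.lateral-movement`, `+ - attack.privilege-escalation`) change the exact strings that downstream consumers key on, and nothing in the hunk keeps the old underscore spelling as an alias. Pipeline filters, SIEM rule-pack selectors and dashboards built on `attack.initial_access` and friends will simply match nothing after this lands, and any repository that mixes the two spellings during a partial migration splits one tactic across two buckets. A mapping of old→new tags in the PR description, plus a CI check that rejects the underscore form so the cut-over is complete rather than gradual, would make this visible to the people who have to update their selectors.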
diff --git a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml
index e3b8547b6bb..992e7deff3f 100644
--- a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml
+++ b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://o365blog.com/post/hybridhealthagent/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/08/26
-modified: 2023/10/11
+date: 2021-08-26
+modified: 2023-10-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1578.003
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
index cb49283056b..cbd52eb85d3 100644
--- a/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
+++ b/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
@@ -5,11 +5,11 @@ description: User Added to an Administrator's Azure AD Role
 references:
 - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
 author: Raphaël CALVET, @MetallicHack
-date: 2021/10/04
-modified: 2022/10/09
+date: 2021-10-04
+modified: 2022-10-09
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1098.003
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_app_credential_modification.yml b/rules/cloud/azure/activity_logs/azure_app_credential_modification.yml
index 4bc842cffc7..e38f45ef8f3 100644
--- a/rules/cloud/azure/activity_logs/azure_app_credential_modification.yml
+++ b/rules/cloud/azure/activity_logs/azure_app_credential_modification.yml
@@ -5,8 +5,8 @@ description: Identifies when a application credential is modified.
 references:
 - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
 author: Austin Songer @austinsonger
-date: 2021/09/02
-modified: 2022/10/09
+date: 2021-09-02
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_application_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_deleted.yml
index 13d25e102cd..40ca452bdd0 100644
--- a/rules/cloud/azure/activity_logs/azure_application_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_application_deleted.yml
@@ -5,10 +5,10 @@ description: Identifies when a application is deleted in Azure.
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 author: Austin Songer @austinsonger
-date: 2021/09/03
-modified: 2022/10/09
+date: 2021-09-03
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1489
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml
index be418b360ff..f99ed2b5f86 100644
--- a/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a application gateway is modified or deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml
index a4b509a239d..8e118979094 100644
--- a/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a application security group is modified or deleted
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml
index 34cd7abe561..ee1d5ea334f 100644
--- a/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
index e7363dca4b1..895337e6f62 100644
--- a/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
+++ b/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
@@ -5,8 +5,8 @@ description: Number of VM creations or deployment activities occur in Azure via
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
 author: sawwinnnaung
-date: 2020/05/07
-modified: 2023/10/11
+date: 2020-05-07
+modified: 2023-10-11
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml
index 52becf2010c..670cbb9dc03 100644
--- a/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml
+++ b/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml
@@ -5,8 +5,8 @@ description: Identifies when a device in azure is no longer managed or compliant
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
 author: Austin Songer @austinsonger
-date: 2021/09/03
-modified: 2022/10/09
+date: 2021-09-03
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml
index 4ffcf901f26..af364619f3d 100644
--- a/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a device or device configuration in azure is modifi
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
 author: Austin Songer @austinsonger
-date: 2021/09/03
-modified: 2022/10/09
+date: 2021-09-03
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml
index fcc37df0998..7b84ea6e554 100644
--- a/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when DNS zone is modified or deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 - attack.t1565.001
diff --git a/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml
index bd484ffe455..308a2ddf426 100644
--- a/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when a firewall is created, modified, or deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml
index 2f1f7eb4e53..aa4959357c5 100644
--- a/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when Rule Collections (Application, NAT, and Network) is
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml b/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
index 58cb33d52f5..db30c8f5810 100644
--- a/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
+++ b/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
@@ -5,8 +5,8 @@ description: Identifies IPs from which users grant access to other users on azur
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
 author: sawwinnnaung
-date: 2020/05/07
-modified: 2023/10/11
+date: 2020-05-07
+modified: 2023-10-11
 tags:
 - attack.persistence
 - attack.t1098.003
diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml
index c30cf660a40..1af0486fe0a 100644
--- a/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when a Keyvault Key is modified or deleted in Azure.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 - attack.t1552.001
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml
index 0d2a7fc7258..2adb90bfaf8 100644
--- a/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when a key vault is modified or deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 - attack.t1552.001
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml
index 1024e04c96e..7f60999b8b0 100644
--- a/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when secrets are modified or deleted in Azure.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 - attack.t1552.001
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
index 2693117bbe9..0576c63b9c0 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
@@ -12,12 +12,12 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 author: Austin Songer @austinsonger
-date: 2021/11/25
-modified: 2022/12/18
+date: 2021-11-25
+modified: 2022-12-18
 tags:
 - attack.persistence
 - attack.t1078
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 - attack.t1552.007
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml
index e0d9f688041..d32a1e46e1b 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml
index 98d46a71d93..c2a773f661a 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml
@@ -11,12 +11,12 @@ references:
 - https://kubernetes.io/docs/concepts/workloads/controllers/job/
 - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
 author: Austin Songer @austinsonger
-date: 2021/11/22
-modified: 2022/12/18
+date: 2021-11-22
+modified: 2022-12-18
 tags:
 - attack.persistence
 - attack.t1053.003
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.execution
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml
index 4b8f5a9ab48..d62ee0cd530 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/08/23
+date: 2021-07-24
+modified: 2022-08-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 - attack.t1562.001
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml
index 969204b0807..c17c51eef07 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml
@@ -9,11 +9,11 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml
index 51dc1ba1556..a23378299d9 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/08/23
+date: 2021-07-24
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml
index c6c2d6f0efe..0c45a88e088 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml
index 14603bdfcf7..d0a2f82fd63 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml
@@ -9,11 +9,11 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml
index d13ce24c0ef..b396303cd74 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml
index 31158d90953..da26074fbe8 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
index 2287dcb5956..09ffe08efc1 100644
--- a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
+++ b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
@@ -5,7 +5,7 @@ description: Detection for when multi factor authentication has been disabled, w
 references:
 - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
 author: '@ionsor'
-date: 2022/02/08
+date: 2022-02-08
 tags:
 - attack.persistence
 - attack.t1556
diff --git a/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml
index f9340d105a3..41b8038b32a 100644
--- a/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when a Firewall Policy is Modified or Deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/09/02
-modified: 2022/08/23
+date: 2021-09-02
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.007
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml
index 72af9a29df5..36d7c17311f 100644
--- a/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a Firewall Rule Configuration is Modified or Delete
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml
index 20895725c5d..2f9513e01e5 100644
--- a/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a Point-to-site VPN is Modified or Deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml
index 100be5dd1f8..d2a20104767 100644
--- a/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a network security configuration is modified or del
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml
index 41d8c4301dc..147b364d4f8 100644
--- a/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml b/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml
index 3f05939c959..9107020bc5d 100644
--- a/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml
+++ b/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml
@@ -5,8 +5,8 @@ description: Identifies when a new cloudshell is created inside of Azure portal.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer
-date: 2021/09/21
-modified: 2022/08/23
+date: 2021-09-21
+modified: 2022-08-23
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml
index 62c8df70e9e..7f2bf081c95 100644
--- a/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml
+++ b/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml
@@ -5,10 +5,10 @@ description: Identifies when a owner is was removed from a application or servic
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 author: Austin Songer @austinsonger
-date: 2021/09/03
-modified: 2022/10/09
+date: 2021-09-03
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_rare_operations.yml b/rules/cloud/azure/activity_logs/azure_rare_operations.yml
index f7776cf79ba..6572248daca 100644
--- a/rules/cloud/azure/activity_logs/azure_rare_operations.yml
+++ b/rules/cloud/azure/activity_logs/azure_rare_operations.yml
@@ -5,8 +5,8 @@ description: Identifies IPs from which users grant access to other users on azur
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
 author: sawwinnnaung
-date: 2020/05/07
-modified: 2023/10/11
+date: 2020-05-07
+modified: 2023-10-11
 tags:
 - attack.t1003
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_service_principal_created.yml b/rules/cloud/azure/activity_logs/azure_service_principal_created.yml
index 559276da933..a1827b78be4 100644
--- a/rules/cloud/azure/activity_logs/azure_service_principal_created.yml
+++ b/rules/cloud/azure/activity_logs/azure_service_principal_created.yml
@@ -5,10 +5,10 @@ description: Identifies when a service principal is created in Azure.
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 author: Austin Songer @austinsonger
-date: 2021/09/02
-modified: 2022/10/09
+date: 2021-09-02
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml b/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml
index f7e74e449a1..66b134d7ade 100644
--- a/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml
+++ b/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml
@@ -5,10 +5,10 @@ description: Identifies when a service principal was removed in Azure.
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 author: Austin Songer @austinsonger
-date: 2021/09/03
-modified: 2022/10/09
+date: 2021-09-03
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
index 6e22ea3190f..b646976e511 100644
--- a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
+++ b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
 author: Austin Songer @austinsonger
-date: 2021/11/26
-modified: 2022/08/23
+date: 2021-11-26
+modified: 2022-08-23
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml b/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml
index 6b232786868..b775471f5c2 100644
--- a/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml
+++ b/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml
@@ -5,8 +5,8 @@ description: Identifies when a suppression rule is created in Azure. Adversary's
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml
index ecc062e157a..91808642ad1 100644
--- a/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a Virtual Network is modified or deleted in Azure.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml
index 6357240331b..e5ba58eac4b 100644
--- a/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a VPN connection is modified or deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
index 3e51384d7e5..a7872f2d1c6 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
@@ -5,9 +5,9 @@ description: Monitor and alert on conditional access changes where non approved
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 author: Corissa Koopmans, '@corissalea'
-date: 2022/07/19
+date: 2022-07-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1548
 - attack.t1556
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
index 7abe79baa58..09903cbc1c9 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
@@ -5,10 +5,10 @@ description: Monitor and alert on conditional access changes. Is Initiated by (a
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 author: Corissa Koopmans, '@corissalea'
-date: 2022/07/19
-modified: 2024/05/28
+date: 2022-07-19
+modified: 2024-05-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1548
 - attack.t1556
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
index dda18e6ce72..6ad71d86ce8 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
@@ -5,9 +5,9 @@ description: Monitor and alert on conditional access changes.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
 author: Corissa Koopmans, '@corissalea'
-date: 2022/07/18
+date: 2022-07-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1548
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
index c4fc2281a9a..87506b737e8 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
@@ -5,10 +5,10 @@ description: Detects when an account was created and deleted in a short period o
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
 author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
-date: 2022/08/11
-modified: 2022/08/18
+date: 2022-08-11
+modified: 2022-08-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
index 33a2a6516b2..f6dddd75104 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
@@ -5,9 +5,9 @@ description: Monitor and alert for Bitlocker key retrieval.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
+date: 2022-06-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml b/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
index 257183afa30..109fbc699c0 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
@@ -6,10 +6,10 @@ references:
 - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
 - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
 author: Harjot Shah Singh, '@cyb3rjy0t'
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1556
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml b/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml
index 1c179fb9bed..a1b25eac8a6 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml
@@ -5,10 +5,10 @@ description: Monitor and alert for changes to the device registration policy.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
+date: 2022-06-28
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1484
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
index caf50500ba7..4191de418b6 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
@@ -5,9 +5,9 @@ description: Detects guest users being invited to tenant by non-approved inviter
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
 author: MikeDuddington, '@dudders1'
-date: 2022/07/28
+date: 2022-07-28
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml b/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
index f659142a4f3..e440d33a786 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
@@ -6,10 +6,10 @@ references:
 - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
 - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
 author: Harjot Shah Singh, '@cyb3rjy0t'
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1556
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
index ed7877ba335..6e78827ae02 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
@@ -5,10 +5,10 @@ description: Monitor and alert for users added to device admin roles.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
+date: 2022-06-28
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
index ee212875e3b..778913cd8d1 100644
--- a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
@@ -5,11 +5,11 @@ description: Detects when a configuration change is made to an applications AppI
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/06/02
+date: 2022-06-02
 tags:
 - attack.persistence
- - attack.credential_access
- - attack.privilege_escalation
+ - attack.credential-access
+ - attack.privilege-escalation
 - attack.t1552
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_app_credential_added.yml b/rules/cloud/azure/audit_logs/azure_app_credential_added.yml
index cbbc388db32..b9493d2d4b7 100644
--- a/rules/cloud/azure/audit_logs/azure_app_credential_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_credential_added.yml
@@ -5,7 +5,7 @@ description: Detects when a new credential is added to an existing application.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/05/26
+date: 2022-05-26
 tags:
 - attack.t1098.001
 - attack.persistence
diff --git a/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml b/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml
index dce9b89e0ef..ad000b060c0 100644
--- a/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml
@@ -5,9 +5,9 @@ description: Detects when highly privileged delegated permissions are granted on
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/28
+date: 2022-07-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml b/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml
index 1a9ec243fe5..17c03d79e69 100644
--- a/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml
@@ -5,9 +5,9 @@ description: Detects when an end user consents to an application
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/28
+date: 2022-07-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml b/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml
index 667f6ef72d9..3fe5ceeaecf 100644
--- a/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml
@@ -5,9 +5,9 @@ description: Detects when end user consent is blocked due to risk-based consent.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/10
+date: 2022-07-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_owner_added.yml b/rules/cloud/azure/audit_logs/azure_app_owner_added.yml
index a02e561928c..d539f840d87 100644
--- a/rules/cloud/azure/audit_logs/azure_app_owner_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_owner_added.yml
@@ -5,10 +5,10 @@ description: Detects when a new owner is added to an application. This gives tha
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/06/02
+date: 2022-06-02
 tags:
 - attack.t1552
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: auditlogs
diff --git a/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml b/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml
index f6522e4053d..3af593fc388 100644
--- a/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml
@@ -5,9 +5,9 @@ description: Detects when an application is granted delegated or app role permis
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/10
+date: 2022-07-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml b/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml
index c58eae3b78f..d1a4e8af499 100644
--- a/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml
@@ -2,17 +2,17 @@ title: App Granted Privileged Delegated Or App Permissions
 id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f
 related:
 - id: ba2a7c80-027b-460f-92e2-57d113897dbc
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/28
-modified: 2023/03/29
+date: 2022-07-28
+modified: 2023-03-29
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1098.003
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_role_added.yml b/rules/cloud/azure/audit_logs/azure_app_role_added.yml
index 6cf587b1eb1..acfa45c0fd6 100644
--- a/rules/cloud/azure/audit_logs/azure_app_role_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_role_added.yml
@@ -5,10 +5,10 @@ description: Detects when an app is assigned Azure AD roles, such as global admi
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/19
+date: 2022-07-19
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1098.003
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
index 957d11f6d99..1913528e04e 100644
--- a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
@@ -7,13 +7,13 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/06/02
+date: 2022-06-02
 tags:
 - attack.t1528
 - attack.t1078.004
 - attack.persistence
- - attack.credential_access
- - attack.privilege_escalation
+ - attack.credential-access
+ - attack.privilege-escalation
 logsource:
 product: azure
 service: auditlogs
diff --git a/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml b/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml
index d5e821568e6..f01c64bc323 100644
--- a/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml
+++ b/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml
@@ -7,7 +7,7 @@ references:
 - https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
 - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
 author: andrewdanis
-date: 2024/06/26
+date: 2024-06-26
 tags:
 - attack.t1098.005
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
index ede8166bdca..65c1be6c9b2 100644
--- a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
+++ b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
@@ -5,13 +5,13 @@ description: Change to authentication method could be an indicator of an attacke
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: AlertIQ
-date: 2021/10/10
-modified: 2022/12/25
+date: 2021-10-10
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1556
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1098
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_federation_modified.yml b/rules/cloud/azure/audit_logs/azure_federation_modified.yml
index 65b7e669e68..ce6330749a8 100644
--- a/rules/cloud/azure/audit_logs/azure_federation_modified.yml
+++ b/rules/cloud/azure/audit_logs/azure_federation_modified.yml
@@ -5,10 +5,10 @@ description: Identifies when an user or application modified the federation sett
 references:
 - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
 author: Austin Songer
-date: 2021/09/06
-modified: 2022/06/08
+date: 2021-09-06
+modified: 2022-06-08
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
index 398b777843f..89d51accc4b 100644
--- a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
+++ b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
@@ -5,9 +5,9 @@ description: Monitor and alert on group membership additions of groups that have
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
-date: 2022/08/04
+date: 2022-08-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1548
 - attack.t1556
diff --git a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
index 5b610b73b1f..8b8d5506875 100644
--- a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
+++ b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
@@ -5,9 +5,9 @@ description: Monitor and alert on group membership removal of groups that have C
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
-date: 2022/08/04
+date: 2022-08-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1548
 - attack.t1556
diff --git a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
index e6dc35bc102..5e9d2abde0b 100644
--- a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
+++ b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
@@ -5,10 +5,10 @@ description: Detects when a user that doesn't have permissions to invite a guest
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/10
+date: 2022-08-10
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
index dc5561d700f..63d4ca7c664 100644
--- a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
+++ b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
@@ -5,10 +5,10 @@ description: Detects the change of user type from "Guest" to "Member" for potent
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
 author: MikeDuddington, '@dudders1'
-date: 2022/06/30
+date: 2022-06-30
 tags:
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
index 790dbae1c68..3a55d20216e 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
@@ -5,9 +5,9 @@ description: Detects when a PIM elevation is approved or denied. Outside of norm
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/09
+date: 2022-08-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
index 8803800ae11..b12ef942497 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
@@ -5,10 +5,10 @@ description: Detects when PIM alerts are set to disabled.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/09
+date: 2022-08-09
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
index 0c70fec2b3e..1f3db29d25f 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
@@ -5,9 +5,9 @@ description: Detects when changes are made to PIM roles
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/09
+date: 2022-08-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
index 45826985cfc..31c4513202f 100644
--- a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
+++ b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
@@ -5,10 +5,10 @@ description: Detects when a user is added to a privileged role.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/06
+date: 2022-08-06
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml
index 9e01f26d04a..6ce06e8eece 100644
--- a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml
+++ b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml
@@ -5,7 +5,7 @@ description: Detects when a user is removed from a privileged role. Bulk changes
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/05
+date: 2022-08-05
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
index e216fc0d120..faf5fcfb0ae 100644
--- a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
+++ b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
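Review bot: Both `azure_priviledged_role_assignment_add.yml` and its sibling `azure_priviledged_role_assignment_bulk_change.yml` keep the misspelling `priviledged` in their paths while this commit normalizes every other header field; renaming them to `azure_privileged_role_assignment_*.yml` would match `azure_privileged_account_creation.yml` in the same directory, and it is consumer-safe because Sigma tooling keys on the rule `id`, not the path. The tag set is also worth a second look: a user being added to a privileged role is `attack.t1098.003` (Account Manipulation: Additional Cloud Roles), which is what `azure_app_role_added.yml` in this same diff uses for the service-principal variant, whereas the rule currently carries only `attack.t1078.004` plus `attack.defense-evasion`. Suggested tag lines: `- attack.t1098.003` alongside the existing `- attack.t1078.004`, keeping `attack.persistence`/`attack.privilege-escalation` as the tactics.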
@@ -5,11 +5,11 @@ description: Detects when a new admin is created.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton
-date: 2022/08/11
-modified: 2022/08/16
+date: 2022-08-11
+modified: 2022-08-16
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
index 2b89508d928..0f545eee16f 100644
--- a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
+++ b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
 author: Austin Songer @austinsonger
-date: 2021/11/26
-modified: 2022/12/25
+date: 2021-11-26
+modified: 2022-12-25
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_tap_added.yml b/rules/cloud/azure/audit_logs/azure_tap_added.yml
index a2c1c700e31..7bf89b16413 100644
--- a/rules/cloud/azure/audit_logs/azure_tap_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_tap_added.yml
@@ -5,7 +5,7 @@ description: Detects when a temporary access pass (TAP) is added to an account.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/10
+date: 2022-08-10
 tags:
 - attack.persistence
 - attack.t1078.004
diff --git a/rules/cloud/azure/audit_logs/azure_user_password_change.yml b/rules/cloud/azure/audit_logs/azure_user_password_change.yml
index 48e9c96e65c..6b51691ac37 100644
--- a/rules/cloud/azure/audit_logs/azure_user_password_change.yml
+++ b/rules/cloud/azure/audit_logs/azure_user_password_change.yml
@@ -5,10 +5,10 @@ description: Detect when a user has reset their password in Azure AD
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: YochanaHenderson, '@Yochana-H'
-date: 2022/08/03
+date: 2022-08-03
 tags:
 - attack.persistence
- - attack.credential_access
+ - attack.credential-access
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml
index b5e041b58f0..03b51c9574d 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow'
-date: 2023/08/07
+date: 2023-08-07
 tags:
 - attack.t1528
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
index 8cc25c64131..e20d60d2cb5 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
@@ -6,7 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1098
 - attack.persistence
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
index a8749edfb7f..e4e45b83f1c 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1078
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml
index 556bdc52cdf..baabd5b53c8 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
 author: Gloria Lee, '@gleeiamglo'
-date: 2023/08/22
+date: 2023-08-22
 tags:
 - attack.t1528
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
index 2c01f60d955..43a9039f344 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1078
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
index 31eec3df3d1..97ca81fa424 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1078
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml
index 7fb671c20b4..616f344b628 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1140
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
index d2e8b849d61..9969d55f7f4 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
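Review bot: In the `azure_identity_protection_inbox_forwarding_rule.yml` hunk the technique tag `attack.t1140` (Deobfuscate/Decode Files or Information) does not describe a suspicious inbox-forwarding rule, and the commit only renames the tactic next to it. The ATT&CK technique for this behaviour is `attack.t1114.003` (Email Collection: Email Forwarding Rule), whose tactic is `attack.collection`; suggested tag lines are `- attack.t1114.003` and `- attack.collection`, keeping `attack.defense-evasion` only if the rule is also meant to flag rules that hide the forwarded mail. The sibling `azure_identity_protection_inbox_manipulation.yml` carries the same `attack.t1140` mis-tag.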
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1140
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
index 34aa974f361..f1f25a93222 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
@@ -6,7 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1589
 - attack.reconnaissance
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml
index 7221d8ad3a0..bf5ad5d1168 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml
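Review bot: `attack.t1140` is Deobfuscate/Decode Files or Information and is unrelated to the suspicious-inbox-manipulation-rules risk this rule references; the commit leaves it in place while renaming only the tactic tag beneath it. The matching technique is `attack.t1564.008` (Hide Artifacts: Email Hiding Rules), which sits under the `attack.defense-evasion` tactic the hunk already keeps, so only the technique line needs to change: `- attack.t1564.008`. The detection block is outside the hunk, so I cannot tell whether the rule also matches forwarding rules; if it does, `attack.t1114.003` would be a second technique tag.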
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/07
+date: 2023-09-07
 tags:
 - attack.t1090
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml
index 064c2f24473..0b9b6ddc314 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/07
+date: 2023-09-07
 tags:
 - attack.t1090
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml
index 29c83729a89..f1fe92abf4d 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1090
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
index d2739ae6649..4e6c6bc87e6 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1078
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml
index dd01d4ffea9..0ecf9fbacea 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml
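Review bot: The first reference of `azure_identity_protection_malware_linked_ip.yml` points at the anchor `#malware-linked-ip-address-deprecated`, i.e. Microsoft lists this Identity Protection risk as deprecated, yet the hunk only normalizes the tactic spelling and date format. If the `riskEventType` this rule matches on (outside the hunk) is no longer emitted, the rule will silently never fire while still looking active; its `status` should be moved to `deprecated` under the Sigma rule lifecycle, or the rule should be re-pointed at the successor risk type if one exists. That check is worth doing in this commit rather than later, since every other header field of the file is already being rewritten here.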
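Review bot: The path `azure_identity_protection_new_coutry_region.yml` still drops the `n` in "country" while this hunk normalizes every header field inside it. Renaming the file to `azure_identity_protection_new_country_region.yml` is consumer-safe because Sigma tooling keys on the rule `id`, not the path, and this metadata sweep is the natural place to do it.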
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1110
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml
index 76e38687e4a..fa3110b0a1f 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/07
+date: 2023-09-07
 tags:
 - attack.t1528
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
index 1e437ccb62e..7f1ba0cb15c 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1078
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml
index 1180430554d..f8d49a138fd 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml
@@ -7,13 +7,13 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/07
+date: 2023-09-07
 tags:
 - attack.t1078
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml
index a1a71314321..9549ab00822 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1606
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
index dc27a47744c..d4f00afca9c 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1078
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
index 57ff7fd7d28..c6bf45cc8aa 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
@@ -5,11 +5,11 @@ description: Identifies when an account hasn't signed in during the past n numbe
 references:
 - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
 - attack.t1078
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: azure
 service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
index 46e06757aaa..dfcef1f54ff 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
@@ -5,11 +5,11 @@ description: Identifies when an organization doesn't have the proper license for
 references:
 - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
 - attack.t1078
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: azure
 service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
index 1563eda0694..33f0d647f8b 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
@@ -5,11 +5,11 @@ description: Identifies when a privilege role assignment has taken place outside
 references:
 - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
 - attack.t1078
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: azure
 service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
index 3064e61c8a9..ae57b20f480 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
@@ -5,11 +5,11 @@ description: Identifies when the same privilege role has multiple activations by
 references:
 - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
 - attack.t1078
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: azure
 service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
index 7bb31ea202e..eda10ef3b1d 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
@@ -5,11 +5,11 @@ description: Identifies when a privilege role can be activated without performin
 references:
 - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
 - attack.t1078
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: azure
 service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
index e0cfcc5b344..066bc8cc74f 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
@@ -5,11 +5,11 @@ description: Identifies when a user has been assigned a privilege role and are n
 references:
 - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
 - attack.t1078
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: azure
 service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
index 06e46b94262..4d783c3397f 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
@@ -5,11 +5,11 @@ description: Identifies an event where there are there are too many accounts ass
 references:
 - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
 - attack.t1078
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: azure
 service: pim
diff --git a/rules/cloud/azure/signin_logs/azure_account_lockout.yml b/rules/cloud/azure/signin_logs/azure_account_lockout.yml
index d5b0cda9b65..f1c58e59b67 100644
--- a/rules/cloud/azure/signin_logs/azure_account_lockout.yml
+++ b/rules/cloud/azure/signin_logs/azure_account_lockout.yml
@@ -5,10 +5,10 @@ description: Identifies user account which has been locked because the user trie
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: AlertIQ
-date: 2021/10/10
-modified: 2022/12/25
+date: 2021-10-10
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1110
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
index 1ea9bb1fa28..79f8cd90b97 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
@@ -5,9 +5,9 @@ description: Detects when sign-ins increased by 10% or greater.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
 author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
-date: 2022/08/11
+date: 2022-08-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
index 22453a187b2..3655641d13d 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
@@ -5,10 +5,10 @@ description: Detects when successful sign-ins increased by 10% or greater.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
 author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
-date: 2022/08/11
-modified: 2022/08/18
+date: 2022-08-11
+modified: 2022-08-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
index 7988b73e239..218170dec84 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
@@ -5,9 +5,9 @@ description: Detect when authentications to important application(s) only requir
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
 author: MikeDuddington, '@dudders1'
-date: 2022/07/28
+date: 2022-07-28
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
index 7cfc4496e72..3232199473c 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
@@ -5,10 +5,10 @@ description: Detect successful authentications from countries you do not operate
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
 author: MikeDuddington, '@dudders1'
-date: 2022/07/28
+date: 2022-07-28
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1078.004
 - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml b/rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml
index 0974584320d..75f55928e55 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml
@@ -5,7 +5,7 @@ description: Detects AzureHound (A BloodHound data collector for Microsoft Azure
 references:
 - https://github.com/BloodHoundAD/AzureHound
 author: Janantha Marasinghe
-date: 2022/11/27
+date: 2022-11-27
 tags:
 - attack.discovery
 - attack.t1087.004
diff --git a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
index 23b4c37e798..53ebb0788e3 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
@@ -5,9 +5,9 @@ description: Monitor and alert for device registration or join events where MFA
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
+date: 2022-06-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
index 50e3c2939f3..45ffc7ed427 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
@@ -5,10 +5,10 @@ description: Detect failed authentications from countries you do not operate out
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
 author: MikeDuddington, '@dudders1'
-date: 2022/07/28
+date: 2022-07-28
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1078.004
 - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
index 94f1d0dcc63..ef13cded4fe 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
@@ -5,10 +5,10 @@ description: Detect when users are authenticating without MFA being required.
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
 author: MikeDuddington, '@dudders1'
-date: 2022/07/27
+date: 2022-07-27
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1078.004
 - attack.t1556.006
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
index b170e8edc51..8acdaf59657 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
@@ -5,9 +5,9 @@ description: Detects risky authentication from a non AD registered device withou
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
 author: Harjot Singh, '@cyb3rjy0t'
-date: 2023/01/10
+date: 2023-01-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
index a1ae251b735..1d3d97c9ee3 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
@@ -5,9 +5,9 @@ description: Monitor and alert for sign-ins where the device was non-compliant.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
+date: 2022-06-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
index 661bbf4ae46..3b48259961e 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
@@ -5,10 +5,10 @@ description: Monitor and alert for Sign-ins by unknown devices from non-Trusted
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
-modified: 2022/10/05
+date: 2022-06-28
+modified: 2022-10-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
index a906a4fd304..f09a59aadee 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
@@ -6,10 +6,10 @@ references:
 - https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
 - https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
 author: Harjot Singh, '@cyb3rjy0t'
-date: 2023/03/20
+date: 2023-03-20
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1078.004
 - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml b/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml
index b8bbb76d5c6..7341517eb24 100644
--- a/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml
+++ b/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml
@@ -8,13 +8,13 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/06/01
+date: 2022-06-01
 tags:
 - attack.t1078
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: signinlogs
diff --git a/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml b/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml
index 46fb9933b0e..a7430a81f0e 100644
--- a/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml
+++ b/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml
@@ -7,13 +7,13 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/06/01
+date: 2022-06-01
 tags:
 - attack.t1078
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: signinlogs
diff --git a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
index 93840374755..d648bff0b6d 100644
--- a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
+++ b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
@@ -5,9 +5,9 @@ description: Detects when an account is disabled or blocked for sign in but trie
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
 author: Yochana Henderson, '@Yochana-H'
-date: 2022/06/17
+date: 2022-06-17
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
index bbe017c0899..5cb94a415b1 100644
--- a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
+++ b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
@@ -5,10 +5,10 @@ description: Define a baseline threshold for failed sign-ins due to Conditional
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
 author: Yochana Henderson, '@Yochana-H'
-date: 2022/06/01
+date: 2022-06-01
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1110
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
index d0b1d6fb4fe..271bcdb9896 100644
--- a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
+++ b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
@@ -5,10 +5,10 @@ description: Alert on when legacy authentication has been used on an account
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
 author: Yochana Henderson, '@Yochana-H'
-date: 2022/06/17
+date: 2022-06-17
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1078.004
 - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
index d62152f5f85..009484b495f 100644
--- a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
+++ b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
@@ -5,10 +5,10 @@ description: Detect failed attempts to sign in to disabled accounts.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: AlertIQ
-date: 2021/10/10
-modified: 2022/12/25
+date: 2021-10-10
+modified: 2022-12-25
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_mfa_denies.yml b/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
index 975236d4525..189524079f5 100644
--- a/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
+++ b/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
@@ -5,10 +5,10 @@ description: User has indicated they haven't instigated the MFA prompt and could
 references:
 - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
 author: AlertIQ
-date: 2022/03/24
+date: 2022-03-24
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1078.004
 - attack.t1110
 - attack.t1621
diff --git a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
index ddd625324e1..a4edd40a054 100644
--- a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
+++ b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
@@ -5,11 +5,11 @@ description: Identifies user login with multifactor authentication failures, whi
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: AlertIQ
-date: 2021/10/10
-modified: 2022/12/18
+date: 2021-10-10
+modified: 2022-12-18
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1078.004
 - attack.t1110
 - attack.t1621
diff --git a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
index fe9f718b3ff..586aa6bbbab 100644
--- a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
+++ b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
@@ -5,10 +5,10 @@ description: Detects when there is a interruption in the authentication process.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: Austin Songer @austinsonger
-date: 2021/11/26
-modified: 2022/12/18
+date: 2021-11-26
+modified: 2022-12-18
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
index 234607a0114..a2f503b2876 100644
--- a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
+++ b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: AlertIQ
-date: 2021/10/10
-modified: 2022/12/25
+date: 2021-10-10
+modified: 2022-12-25
 tags:
- - attack.credential_access
- - attack.initial_access
+ - attack.credential-access
+ - attack.initial-access
 - attack.t1110
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
index 33b337adf8d..88f9060785c 100644
--- a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
+++ b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
@@ -5,9 +5,9 @@ description: Detect when users in your Azure AD tenant are authenticating to oth
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
 author: MikeDuddington, '@dudders1'
-date: 2022/06/30
+date: 2022-06-30
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml
index 8face071a5c..ab30043f2fa 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml
@@ -6,7 +6,7 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
 - attack.collection
 - attack.t1213.003
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
index 8d6c3ed7658..2e920a4e307 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
@@ -6,10 +6,10 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1098
 logsource:
 product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
index 1adf39cac70..6e8bda2c16c 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
@@ -6,9 +6,9 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
index 9562f501a28..39179f0e763 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
@@ -6,10 +6,10 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.lateral_movement
- - attack.defense_evasion
+ - attack.lateral-movement
+ - attack.defense-evasion
 - attack.t1562.001
 - attack.t1021.004
 logsource:
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
index d974e932ce6..ce0a8b0aa98 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
@@ -5,9 +5,9 @@ description: Detects changes to the bitbucket audit log configuration.
 references:
 - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
index c5c9bc28c37..b1baeb37115 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
@@ -6,9 +6,9 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
index a0c1bca55f5..6019e448233 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
@@ -6,9 +6,9 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
index 2524ed63a41..5ef1c1901ed 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
@@ -6,9 +6,9 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
index 938e8ee634e..08ebde49a7c 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
@@ -5,9 +5,9 @@ description: Detects unauthorized access attempts to a resource.
 references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1586
 logsource:
 product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
index b48f50abcc9..ebb2f462150 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
@@ -6,10 +6,10 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
 - attack.collection
- - attack.resource_development
+ - attack.resource-development
 - attack.t1213.003
 - attack.t1586
 logsource:
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
index adeda03de9e..a0e96ebd384 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
@@ -6,7 +6,7 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
 - attack.collection
 - attack.reconnaissance
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
index f2662be83d6..7eed1a8403e 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.defense_evasion
- - attack.credential_access
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.t1078.004
 - attack.t1110
 logsource:
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
index 3a0016ff622..9e9a0cebde4 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
@@ -8,7 +8,7 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
 - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
 - attack.t1021.004
 - attack.t1110
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
index a60e8d47744..221d4a24fc9 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
@@ -6,7 +6,7 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
 - attack.reconnaissance
 - attack.t1213
diff --git a/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml b/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml
index 16887e301f0..1fc5764c2f9 100644
--- a/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml
+++ b/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml
@@ -8,11 +8,11 @@ references:
 - https://duo.com/docs/adminapi#logs
 - https://help.duo.com/s/article/6327?language=en_US
 author: Nikita Khalimonenkov
-date: 2024/04/17
+date: 2024-04-17
 tags:
- - attack.credential_access
- - attack.defense_evasion
- - attack.initial_access
+ - attack.credential-access
+ - attack.defense-evasion
+ - attack.initial-access
 logsource:
 product: cisco
 service: duo
diff --git a/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml b/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml
index 02359805cb0..68171169a64 100644
--- a/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml
@@ -9,10 +9,10 @@ references:
 - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
 - https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
 author: Bryan Lim
-date: 2024/01/12
+date: 2024-01-12
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1098
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
index 6b68e791ea2..ce1f5b63e04 100644
--- a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
+++ b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://cloud.google.com/binary-authorization
 author: Bryan Lim
-date: 2024/01/12
+date: 2024-01-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1548
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/audit/gcp_bucket_enumeration.yml b/rules/cloud/gcp/audit/gcp_bucket_enumeration.yml
index 35c71fe4c4c..77b916f3e62 100644
--- a/rules/cloud/gcp/audit/gcp_bucket_enumeration.yml
+++ b/rules/cloud/gcp/audit/gcp_bucket_enumeration.yml
@@ -5,8 +5,8 @@ description: Detects when storage bucket is enumerated in Google Cloud.
 references:
 - https://cloud.google.com/storage/docs/json_api/v1/buckets
 author: Austin Songer @austinsonger
-date: 2021/08/14
-modified: 2022/10/09
+date: 2021-08-14
+modified: 2022-10-09
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml
index ac0ecb40d7b..7af5b627651 100644
--- a/rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Detects when storage bucket is modified or deleted in Google Cloud.
 references:
 - https://cloud.google.com/storage/docs/json_api/v1/buckets
 author: Austin Songer @austinsonger
-date: 2021/08/14
-modified: 2022/10/09
+date: 2021-08-14
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml b/rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml
index 99e162b554a..4c1c0729314 100644
--- a/rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml
+++ b/rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml
@@ -5,8 +5,8 @@ description: Identifies when sensitive information is re-identified in google Cl
 references:
 - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
 author: Austin Songer @austinsonger
-date: 2021/08/15
-modified: 2022/10/09
+date: 2021-08-15
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1565
diff --git a/rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml
index 324e4982683..6e7fcb91b8d 100644
--- a/rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a DNS Zone is modified or deleted in Google Cloud.
 references:
 - https://cloud.google.com/dns/docs/reference/v1/managedZones
 author: Austin Songer @austinsonger
-date: 2021/08/15
-modified: 2022/10/09
+date: 2021-08-15
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml
index c9efa342b6a..67178b20f7e 100644
--- a/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml
@@ -6,10 +6,10 @@ references:
 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
 - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
 author: Austin Songer @austinsonger
-date: 2021/08/13
-modified: 2022/10/09
+date: 2021-08-13
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml b/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml
index ebd5bc62370..cce5f8a6adc 100644
--- a/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml
+++ b/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml
@@ -6,8 +6,8 @@ references:
 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
 - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
 author: Austin Songer @austinsonger
-date: 2021/08/13
-modified: 2022/10/09
+date: 2021-08-13
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1074
diff --git a/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
index 7e8288d79ae..09434b208af 100644
--- a/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
+++ b/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
@@ -11,12 +11,12 @@ description: |
 references:
 - https://cloud.google.com/kubernetes-engine/docs
 author: Austin Songer @austinsonger
-date: 2021/11/25
-modified: 2022/12/18
+date: 2021-11-25
+modified: 2022-12-18
 tags:
 - attack.persistence
 - attack.t1078
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 - attack.t1552.007
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml b/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml
index 42f21598b65..c4a14af460a 100644
--- a/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml
+++ b/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml
@@ -10,11 +10,11 @@ references:
 - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
 - https://kubernetes.io/docs/concepts/workloads/controllers/job/
 author: Austin Songer @austinsonger
-date: 2021/11/22
-modified: 2022/12/25
+date: 2021-11-22
+modified: 2022-12-25
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.execution
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml
index 384ce9060fe..688614980e4 100644
--- a/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml
+++ b/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml
@@ -9,10 +9,10 @@ references:
 - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
 author: Austin Songer @austinsonger
-date: 2021/08/09
-modified: 2022/10/09
+date: 2021-08-09
+modified: 2022-10-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: gcp
 service: gcp.audit
diff --git a/rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml
index 2ca21ae8f47..7035f54b627 100644
--- a/rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml
@@ -5,10 +5,10 @@ description: Identifies when the Secrets are Modified or Deleted.
 references:
 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
 author: Austin Songer @austinsonger
-date: 2021/08/09
-modified: 2022/10/09
+date: 2021-08-09
+modified: 2022-10-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: gcp
 service: gcp.audit
diff --git a/rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml b/rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml
index 687c5f03264..93ad5ff44f2 100644
--- a/rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a service account is disabled or deleted in Google
 references:
 - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
 author: Austin Songer @austinsonger
-date: 2021/08/14
-modified: 2022/10/09
+date: 2021-08-14
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/cloud/gcp/audit/gcp_service_account_modified.yml b/rules/cloud/gcp/audit/gcp_service_account_modified.yml
index 0962aef4068..ce71de60fbb 100644
--- a/rules/cloud/gcp/audit/gcp_service_account_modified.yml
+++ b/rules/cloud/gcp/audit/gcp_service_account_modified.yml
@@ -5,8 +5,8 @@ description: Identifies when a service account is modified in Google Cloud.
 references:
 - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
 author: Austin Songer @austinsonger
-date: 2021/08/14
-modified: 2022/10/09
+date: 2021-08-14
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml
index 725703e98e7..9b592112238 100644
--- a/rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Detect when a Cloud SQL DB has been modified or deleted.
 references:
 - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update
 author: Austin Songer @austinsonger
-date: 2021/10/15
-modified: 2022/12/25
+date: 2021-10-15
+modified: 2022-12-25
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml
index d22cd01f13b..042c3c699f8 100644
--- a/rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
 references:
 - https://any-api.com/googleapis_com/compute/docs/vpnTunnels
 author: Austin Songer @austinsonger
-date: 2021/08/16
-modified: 2022/10/09
+date: 2021-08-16
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml
index 9632a4d0b53..2e1ee57f77a 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml
@@ -9,10 +9,10 @@ references:
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
 - https://support.google.com/a/answer/9261439
 author: Bryan Lim
-date: 2024/01/12
+date: 2024-01-12
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1098.003
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml
index bd00afe3dba..6728c7c9275 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml
@@ -7,8 +7,8 @@ references:
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
 author: Austin Songer
-date: 2021/08/26
-modified: 2023/10/11
+date: 2021-08-26
+modified: 2023-10-11
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml
index 332ea09bfea..9bc68121ac2 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml
@@ -6,8 +6,8 @@ references:
 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
 author: Austin Songer
-date: 2021/08/23
-modified: 2023/10/11
+date: 2021-08-23
+modified: 2023-10-11
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml
index 14b5c94b154..cbe0d68010e 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml
@@ -7,8 +7,8 @@ references:
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
 author: Austin Songer
-date: 2021/08/26
-modified: 2023/10/11
+date: 2021-08-26
+modified: 2023-10-11
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml
index dd6fee807f8..06806f4ba97 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml
@@ -6,8 +6,8 @@ references:
 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
 author: Austin Songer
-date: 2021/08/24
-modified: 2023/10/11
+date: 2021-08-24
+modified: 2023-10-11
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml
index 6732d34b663..65d9bb869cb 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml
@@ -6,8 +6,8 @@ references:
 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
 author: Austin Songer
-date: 2021/08/24
-modified: 2023/10/11
+date: 2021-08-24
+modified: 2023-10-11
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml
index 321fa59ff97..ddb75111782 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml
@@ -6,8 +6,8 @@ references:
 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
 author: Austin Songer
-date: 2021/08/23
-modified: 2023/10/11
+date: 2021-08-23
+modified: 2023-10-11
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/cloud/github/github_delete_action_invoked.yml
index 15a7e5e9f3b..86ec50604ce 100644
--- a/rules/cloud/github/github_delete_action_invoked.yml
+++ b/rules/cloud/github/github_delete_action_invoked.yml
@@ -3,7 +3,7 @@ id: 16a71777-0b2e-4db7-9888-9d59cb75200b
 status: test
 description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/19
+date: 2023-01-19
 references:
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
 tags:
diff --git a/rules/cloud/github/github_disable_high_risk_configuration.yml b/rules/cloud/github/github_disable_high_risk_configuration.yml
index cc02a58540f..1e9081c2c68 100644
--- a/rules/cloud/github/github_disable_high_risk_configuration.yml
+++ b/rules/cloud/github/github_disable_high_risk_configuration.yml
@@ -8,11 +8,11 @@ references:
 - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
 - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/29
-modified: 2024/07/22
+date: 2023-01-29
+modified: 2024-07-22
 tags:
- - attack.credential_access
- - attack.defense_evasion
+ - attack.credential-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1556
 logsource:
diff --git a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
index a6ab69436e5..c0e6f1dd29b 100644
--- a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
+++ b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
@@ -5,12 +5,12 @@ description: |
 Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
 This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/27
+date: 2023-01-27
 references:
 - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1195.001
 logsource:
 product: github
diff --git a/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml b/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
index e4872ce95e5..0f4e0ceec16 100644
--- a/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
+++ b/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
@@ -6,7 +6,7 @@ description: |
 references:
 - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
 author: Romain Gaillard (@romain-gaillard)
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.persistence
 - attack.t1020
diff --git a/rules/cloud/github/github_new_org_member.yml b/rules/cloud/github/github_new_org_member.yml
index ac17b72bd35..8a15a998ac9 100644
--- a/rules/cloud/github/github_new_org_member.yml
+++ b/rules/cloud/github/github_new_org_member.yml
@@ -3,7 +3,7 @@ id: 3908d64a-3c06-4091-b503-b3a94424533b
 status: test
 description: Detects when a new member is added or invited to a github organization.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/29
+date: 2023-01-29
 references:
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
 tags:
diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml
index f5741c62025..5658c6e9590 100644
--- a/rules/cloud/github/github_new_secret_created.yml
+++ b/rules/cloud/github/github_new_secret_created.yml
@@ -3,14 +3,14 @@ id: f9405037-bc97-4eb7-baba-167dad399b83
 status: test
 description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/20
+date: 2023-01-20
 references:
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.t1078.004
 logsource:
 product: github
diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml
index 3fa79ec55b5..d9c35e5325a 100644
--- a/rules/cloud/github/github_outside_collaborator_detected.yml
+++ b/rules/cloud/github/github_outside_collaborator_detected.yml
@@ -4,7 +4,7 @@ status: test
 description: |
 Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/20
+date: 2023-01-20
 references:
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
diff --git a/rules/cloud/github/github_push_protection_bypass_detected.yml b/rules/cloud/github/github_push_protection_bypass_detected.yml
index 371e0b3307a..7e537f304b3 100644
--- a/rules/cloud/github/github_push_protection_bypass_detected.yml
+++ b/rules/cloud/github/github_push_protection_bypass_detected.yml
@@ -6,9 +6,9 @@ references:
 - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
 - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/03/07
+date: 2024-03-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: github
diff --git a/rules/cloud/github/github_push_protection_disabled.yml b/rules/cloud/github/github_push_protection_disabled.yml
index ed6cebfa4f9..dff55ef9118 100644
--- a/rules/cloud/github/github_push_protection_disabled.yml
+++ b/rules/cloud/github/github_push_protection_disabled.yml
@@ -6,9 +6,9 @@ references:
 - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
 - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/03/07
+date: 2024-03-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: github
diff --git a/rules/cloud/github/github_repo_or_org_transferred.yml b/rules/cloud/github/github_repo_or_org_transferred.yml
index ecbed9617c2..17bb54e727a 100644
--- a/rules/cloud/github/github_repo_or_org_transferred.yml
+++ b/rules/cloud/github/github_repo_or_org_transferred.yml
@@ -8,7 +8,7 @@ references:
     - https://docs.github.com/en/migrations
     - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
 author: Romain Gaillard (@romain-gaillard)
-date: 2024/07/29
+date: 2024-07-29
 tags:
     - attack.persistence
     - attack.t1020
diff --git a/rules/cloud/github/github_secret_scanning_feature_disabled.yml b/rules/cloud/github/github_secret_scanning_feature_disabled.yml
index ce8821fead9..a0a258a0dec 100644
--- a/rules/cloud/github/github_secret_scanning_feature_disabled.yml
+++ b/rules/cloud/github/github_secret_scanning_feature_disabled.yml
@@ -5,10 +5,10 @@ description: Detects if the secret scanning feature is disabled for an enterpris
 references:
     - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/03/07
-modified: 2024/07/19
+date: 2024-03-07
+modified: 2024-07-19
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: github
diff --git a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
index 1c5088f655a..581325863af 100644
--- a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
+++ b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
@@ -6,7 +6,7 @@ description: |
     This rule detects changes to self-hosted runners configurations in the environment.
     The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/27
+date: 2023-01-27
 references:
     - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
     - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
@@ -14,10 +14,10 @@ tags:
     - attack.impact
     - attack.discovery
     - attack.collection
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.persistence
-    - attack.privilege_escalation
-    - attack.initial_access
+    - attack.privilege-escalation
+    - attack.initial-access
     - attack.t1526
     - attack.t1213.003
     - attack.t1078.004
diff --git a/rules/cloud/github/github_ssh_certificate_config_changed.yml b/rules/cloud/github/github_ssh_certificate_config_changed.yml
index 6f53bba27cb..4cd9733ad57 100644
--- a/rules/cloud/github/github_ssh_certificate_config_changed.yml
+++ b/rules/cloud/github/github_ssh_certificate_config_changed.yml
@@ -6,10 +6,10 @@ references:
     - https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities
     - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
 author: Romain Gaillard (@romain-gaillard)
-date: 2024/07/29
+date: 2024-07-29
 tags:
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1078.004
 logsource:
     product: github
diff --git a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml
index f2c9c39d29e..e5212e691c7 100644
--- a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml
+++ b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml
@@ -5,7 +5,7 @@ description: Detects disabling of Multi Factor Authentication.
 references:
     - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
 author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
-date: 2023/09/18
+date: 2023-09-18
 tags:
     - attack.persistence
     - attack.t1556
diff --git a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml
index 15a46cb76df..957b04d3b5d 100644
--- a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml
+++ b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml
@@ -9,7 +9,7 @@ references:
     - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
     - https://o365blog.com/post/aadbackdoor/
 author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
-date: 2023/09/18
+date: 2023-09-18
 tags:
     - attack.persistence
     - attack.t1136.003
diff --git a/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml b/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml
index 12563859a1f..07400d11a6e 100644
--- a/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml
+++ b/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml
@@ -12,7 +12,7 @@ references:
     - https://www.sygnia.co/golden-saml-advisory
     - https://o365blog.com/post/aadbackdoor/
 author: Splunk Threat Research Team (original rule), '@ionsor (rule)'
-date: 2022/02/08
+date: 2022-02-08
 tags:
     - attack.persistence
     - attack.t1136.003
diff --git a/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml b/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml
index f9a91c0a6ad..4f75437643e 100644
--- a/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml
+++ b/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml
@@ -8,10 +8,10 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1573
 logsource:
     service: threat_detection
diff --git a/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml
index af6c28ab0e3..93b8e534dbf 100644
--- a/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml
@@ -8,8 +8,8 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
     - attack.impact
 logsource:
diff --git a/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml
index 5cbd3069e65..fee3b5f67f2 100644
--- a/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml
@@ -6,10 +6,10 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1573
 logsource:
     service: threat_management
diff --git a/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml
index 5a624c4236f..2019496b612 100644
--- a/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml
@@ -6,10 +6,10 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1573
 logsource:
     service: threat_management
diff --git a/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml
index ea287786921..2c39b190ae1 100644
--- a/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml
@@ -6,8 +6,8 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
     - attack.exfiltration
     - attack.t1537
diff --git a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
index 53b51031aa3..196109e677d 100644
--- a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
@@ -6,10 +6,10 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2020/07/06
-modified: 2021/11/27
+date: 2020-07-06
+modified: 2021-11-27
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1078
 logsource:
     service: threat_management
diff --git a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
index a875b60a924..776e8140b8c 100644
--- a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
@@ -6,10 +6,10 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1078
 logsource:
     service: threat_management
diff --git a/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml
index 822e7ccca56..7f7eedff190 100644
--- a/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml
@@ -6,8 +6,8 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: austinsonger
-date: 2021/08/19
-modified: 2022/10/09
+date: 2021-08-19
+modified: 2022-10-09
 tags:
     - attack.impact
     - attack.t1486
diff --git a/rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml b/rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml
index 0e05c502b3e..97c469db042 100644
--- a/rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml
@@ -8,8 +8,8 @@ description: Alert on when a user has performed an eDiscovery search or exported
 references:
     - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
 author: Sorina Ionescu
-date: 2022/02/08
-modified: 2022/11/17
+date: 2022-02-08
+modified: 2022-11-17
 tags:
     - attack.collection
     - attack.t1114
diff --git a/rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml b/rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
index 71405590f66..9b91ef0c331 100644
--- a/rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
@@ -8,7 +8,7 @@ description: Alert when a user has performed an export to a search using 'New-Co
 references:
     - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
 author: Nikita Khalimonenkov
-date: 2022/11/17
+date: 2022-11-17
 tags:
     - attack.collection
     - attack.t1114
diff --git a/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml b/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml
index 135ab543275..836f1862e25 100644
--- a/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml
@@ -6,8 +6,8 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/22
-modified: 2022/10/09
+date: 2021-08-22
+modified: 2022-10-09
 tags:
     - attack.exfiltration
     - attack.t1020
diff --git a/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml b/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml
index a5e1d9fca79..65ac5bccb31 100644
--- a/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml
@@ -6,8 +6,8 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
     - attack.exfiltration
 logsource:
diff --git a/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml
index 49f97ef05a6..2eb3cc9d991 100644
--- a/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml
@@ -6,8 +6,8 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: austinsonger
-date: 2021/08/19
-modified: 2022/10/09
+date: 2021-08-19
+modified: 2022-10-09
 tags:
     - attack.impact
     - attack.t1485
diff --git a/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml
index 7620ba619ec..bdb895930cf 100644
--- a/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml
@@ -6,10 +6,10 @@ references:
     - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
     - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: austinsonger
-date: 2021/08/19
-modified: 2022/10/09
+date: 2021-08-19
+modified: 2022-10-09
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1199
 logsource:
     service: threat_management
diff --git a/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml b/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml
index dd6a9957a21..7b9cadb89f7 100644
--- a/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml
+++ b/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml
@@ -7,9 +7,9 @@ references:
     - https://dataconomy.com/2023/10/23/okta-data-breach/
     - https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
 author: Muhammad Faisal @faisalusuf
-date: 2023/10/25
+date: 2023-10-25
 tags:
-    - attack.credential_access
+    - attack.credential-access
 logsource:
     service: okta
     product: okta
diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
index 5a03726691b..4a2e0abf3a4 100644
--- a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
+++ b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
@@ -6,8 +6,8 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
     - attack.persistence
     - attack.t1098.003
diff --git a/rules/cloud/okta/okta_admin_role_assignment_created.yml b/rules/cloud/okta/okta_admin_role_assignment_created.yml
index e16a60c69f6..615706388bf 100644
--- a/rules/cloud/okta/okta_admin_role_assignment_created.yml
+++ b/rules/cloud/okta/okta_admin_role_assignment_created.yml
@@ -6,7 +6,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Nikita Khalimonenkov
-date: 2023/01/19
+date: 2023-01-19
 tags:
     - attack.persistence
 logsource:
diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml
index b2e259f85a9..4545592dbf3 100644
--- a/rules/cloud/okta/okta_api_token_created.yml
+++ b/rules/cloud/okta/okta_api_token_created.yml
@@ -6,8 +6,8 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
     - attack.persistence
 logsource:
diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/cloud/okta/okta_api_token_revoked.yml
index e57121bfaec..404b072bcd4 100644
--- a/rules/cloud/okta/okta_api_token_revoked.yml
+++ b/rules/cloud/okta/okta_api_token_revoked.yml
@@ -6,8 +6,8 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
     - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml
index 800cb86988b..21e31cb6313 100644
--- a/rules/cloud/okta/okta_application_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml
@@ -6,8 +6,8 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
     - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
index 8d77d6eb59b..7c7d86ee991 100644
--- a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
@@ -6,8 +6,8 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
     - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_fastpass_phishing_detection.yml b/rules/cloud/okta/okta_fastpass_phishing_detection.yml
index 1928185e8eb..baabd6db43b 100644
--- a/rules/cloud/okta/okta_fastpass_phishing_detection.yml
+++ b/rules/cloud/okta/okta_fastpass_phishing_detection.yml
@@ -7,9 +7,9 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2023/05/07
+date: 2023-05-07
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1566
 logsource:
     product: okta
diff --git a/rules/cloud/okta/okta_identity_provider_created.yml b/rules/cloud/okta/okta_identity_provider_created.yml
index 03bb1d9257e..9cdb42b5df3 100644
--- a/rules/cloud/okta/okta_identity_provider_created.yml
+++ b/rules/cloud/okta/okta_identity_provider_created.yml
@@ -6,7 +6,7 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 author: kelnage
-date: 2023/09/07
+date: 2023-09-07
 tags:
     - attack.persistence
     - attack.t1098.001
diff --git a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
index 2ffd5a7cf57..ebb382786ad 100644
--- a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
+++ b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
@@ -6,12 +6,12 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/21
-modified: 2022/10/09
+date: 2021-09-21
+modified: 2022-10-09
 tags:
     - attack.persistence
-    - attack.credential_access
-    - attack.defense_evasion
+    - attack.credential-access
+    - attack.defense-evasion
     - attack.t1556.006
 logsource:
     product: okta
diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
index 5e348ee53b6..bc3ef31cf11 100644
--- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
+++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
@@ -6,8 +6,8 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
     - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_new_behaviours_admin_console.yml b/rules/cloud/okta/okta_new_behaviours_admin_console.yml
index ae5728da746..f84a4e1756f 100644
--- a/rules/cloud/okta/okta_new_behaviours_admin_console.yml
+++ b/rules/cloud/okta/okta_new_behaviours_admin_console.yml
@@ -6,10 +6,10 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 author: kelnage
-date: 2023/09/07
-modified: 2024/06/26
+date: 2023-09-07
+modified: 2024-06-26
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1078.004
 logsource:
     product: okta
diff --git a/rules/cloud/okta/okta_password_in_alternateid_field.yml b/rules/cloud/okta/okta_password_in_alternateid_field.yml
index 6328e5e3ea4..30daec17d92 100644
--- a/rules/cloud/okta/okta_password_in_alternateid_field.yml
+++ b/rules/cloud/okta/okta_password_in_alternateid_field.yml
@@ -9,10 +9,10 @@ references:
     - https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data
     - https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm
 author: kelnage
-date: 2023/04/03
-modified: 2023/10/25
+date: 2023-04-03
+modified: 2023-10-25
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1552
 logsource:
     product: okta
diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
index 547fcadcd6a..536b76f3251 100644
--- a/rules/cloud/okta/okta_policy_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
@@ -6,8 +6,8 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
     - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
index 958e131d33d..76e02fd5682 100644
--- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
@@ -6,8 +6,8 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
     - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml
index c060324cadf..cae93bca42e 100644
--- a/rules/cloud/okta/okta_security_threat_detected.yml
+++ b/rules/cloud/okta/okta_security_threat_detected.yml
@@ -7,10 +7,10 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
 logsource:
     product: okta
     service: okta
diff --git a/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml b/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml
index 75e09e6a91b..a0f40fa35cc 100644
--- a/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml
+++ b/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml
@@ -6,9 +6,9 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md
 author: kelnage
-date: 2023/09/07
+date: 2023-09-07
 tags:
-    - attack.resource_development
+    - attack.resource-development
     - attack.t1586.003
 logsource:
     product: okta
diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
index 0206a7b963a..07d397a67cd 100644
--- a/rules/cloud/okta/okta_unauthorized_access_to_app.yml
+++ b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
@@ -6,8 +6,8 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
     - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_user_account_locked_out.yml b/rules/cloud/okta/okta_user_account_locked_out.yml
index 6a55d16e373..0c5949c2ae9 100644
--- a/rules/cloud/okta/okta_user_account_locked_out.yml
+++ b/rules/cloud/okta/okta_user_account_locked_out.yml
@@ -6,8 +6,8 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
     - attack.impact
     - attack.t1531
diff --git a/rules/cloud/okta/okta_user_created.yml b/rules/cloud/okta/okta_user_created.yml
index 7f29524c2f2..43a0a2b18bf 100644
--- a/rules/cloud/okta/okta_user_created.yml
+++ b/rules/cloud/okta/okta_user_created.yml
@@ -3,11 +3,11 @@ id: b6c718dd-8f53-4b9f-98d8-93fdca966969
 status: experimental
 description: Detects new user account creation
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/25
+date: 2023-10-25
 references:
     - https://developer.okta.com/docs/reference/api/event-types/
 tags:
-    - attack.credential_access
+    - attack.credential-access
 logsource:
     service: okta
     product: okta
diff --git a/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml b/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml
index 37cb9e1045f..30bd4efb98d 100644
--- a/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml
+++ b/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml
@@ -6,9 +6,9 @@ references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 author: kelnage
-date: 2023/09/07
+date: 2023-09-07
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.006
 logsource:
     product: okta
diff --git a/rules/cloud/onelogin/onelogin_assumed_another_user.yml b/rules/cloud/onelogin/onelogin_assumed_another_user.yml
index 642afaaac0a..a9d86ad2470 100644
--- a/rules/cloud/onelogin/onelogin_assumed_another_user.yml
+++ b/rules/cloud/onelogin/onelogin_assumed_another_user.yml
@@ -5,8 +5,8 @@ description: Detects when an user assumed another user account.
 references:
     - https://developers.onelogin.com/api-docs/1/events/event-resource
 author: Austin Songer @austinsonger
-date: 2021/10/12
-modified: 2022/12/25
+date: 2021-10-12
+modified: 2022-12-25
 tags:
     - attack.impact
 logsource:
diff --git a/rules/cloud/onelogin/onelogin_user_account_locked.yml b/rules/cloud/onelogin/onelogin_user_account_locked.yml
index 5ee7ed79755..90139c2f214 100644
--- a/rules/cloud/onelogin/onelogin_user_account_locked.yml
+++ b/rules/cloud/onelogin/onelogin_user_account_locked.yml
@@ -5,8 +5,8 @@ description: Detects when an user account is locked or suspended.
 references:
     - https://developers.onelogin.com/api-docs/1/events/event-resource/
 author: Austin Songer @austinsonger
-date: 2021/10/12
-modified: 2022/12/25
+date: 2021-10-12
+modified: 2022-12-25
 tags:
     - attack.impact
 logsource:
diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml
index f17099bb5ae..f4fdad7254b 100644
--- a/rules/compliance/default_credentials_usage.yml
+++ b/rules/compliance/default_credentials_usage.yml
@@ -10,9 +10,9 @@ references:
     - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
     - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
 author: Alexandr Yampolskyi, SOC Prime
-date: 2019/03/26
+date: 2019-03-26
 tags:
-    - attack.initial_access
+    - attack.initial-access
     # - CSC4
     # - CSC4.2
     # - NIST CSF 1.1 PR.AC-4
diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml
index 4db3823ddc0..1677b7eccab 100644
--- a/rules/compliance/host_without_firewall.yml
+++ b/rules/compliance/host_without_firewall.yml
@@ -7,8 +7,8 @@ references:
     - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
     - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 author: Alexandr Yampolskyi, SOC Prime
-date: 2019/03/19
-modified: 2022/10/05
+date: 2019-03-19
+modified: 2022-10-05
 # tags:
 # - CSC9
 # - CSC9.4
diff --git a/rules/compliance/netflow_cleartext_protocols.yml b/rules/compliance/netflow_cleartext_protocols.yml
index cbcda8ea153..eb72f0f058c 100644
--- a/rules/compliance/netflow_cleartext_protocols.yml
+++ b/rules/compliance/netflow_cleartext_protocols.yml
@@ -10,10 +10,10 @@ references:
     - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
     - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 author: Alexandr Yampolskyi, SOC Prime
-date: 2019/03/26
-modified: 2022/11/18
+date: 2019-03-26
+modified: 2022-11-18
 tags:
-    - attack.credential_access
+    - attack.credential-access
     # - CSC4
     # - CSC4.5
     # - CSC14
diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml
index 50f45bc6e11..0151e8182ed 100644
--- a/rules/linux/auditd/lnx_auditd_audio_capture.yml
+++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml
@@ -6,8 +6,8 @@ references:
     - https://linux.die.net/man/1/arecord
     - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
 author: 'Pawel Mazur'
-date: 2021/09/04
-modified: 2022/10/09
+date: 2021-09-04
+modified: 2022-10-09
 tags:
     - attack.collection
     - attack.t1123
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
index 8b6e756b387..05f4975db74 100644
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/Neo23x0/auditd/blob/master/audit.rules
 - Self Experience
 author: Mikhail Larin, oscd.community
-date: 2019/10/25
-modified: 2021/11/27
+date: 2019-10-25
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_binary_padding.yml b/rules/linux/auditd/lnx_auditd_binary_padding.yml
index 968099af1da..a625c742319 100644
--- a/rules/linux/auditd/lnx_auditd_binary_padding.yml
+++ b/rules/linux/auditd/lnx_auditd_binary_padding.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
 author: Igor Fits, oscd.community
-date: 2020/10/13
-modified: 2023/05/03
+date: 2020-10-13
+modified: 2023-05-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.001
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
index 87da3bbb5ef..8b2d48a6112 100644
--- a/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
+++ b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
@@ -6,7 +6,7 @@ references:
 - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
 - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
 author: Rafal Piasecki
-date: 2022/08/10
+date: 2022-08-10
 tags:
 - attack.execution
 - attack.t1106
diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
index 4ea35cbb860..20d3adf0b83 100644
--- a/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
+++ b/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
@@ -8,9 +8,9 @@ references:
 - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
 - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
 author: Rafal Piasecki
-date: 2022/08/10
+date: 2022-08-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
index 0efda4f22ba..1102264f1d9 100644
--- a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
@@ -8,11 +8,11 @@ references:
 - https://mn3m.info/posts/suid-vs-capabilities/
 - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
 author: 'Pawel Mazur'
-date: 2021/11/28
-modified: 2022/12/25
+date: 2021-11-28
+modified: 2022-12-25
 tags:
 - attack.collection
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1123
 - attack.t1548
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
index b86345eac68..48fdc5bd09c 100644
--- a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
+++ b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
@@ -5,10 +5,10 @@ description: Detect file time attribute change to hide new or changes to existin
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
-modified: 2022/11/28
+date: 2020-10-15
+modified: 2022-11-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml b/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml
index 50d720de36b..5121bf17c38 100644
--- a/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml
+++ b/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml
@@ -5,10 +5,10 @@ description: Detects removing immutable file attribute.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
 author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
-modified: 2022/11/26
+date: 2019-09-23
+modified: 2022-11-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
index d7f6633ff3b..5a9df631442 100644
--- a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
+++ b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
@@ -9,8 +9,8 @@ references:
 - https://linux.die.net/man/1/xclip
 - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
 author: 'Pawel Mazur'
-date: 2021/09/24
-modified: 2022/11/26
+date: 2021-09-24
+modified: 2022-11-26
 tags:
 - attack.collection
 - attack.t1115
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
index 0064fb44335..006ea96d06e 100644
--- a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
+++ b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://linux.die.net/man/1/xclip
 author: 'Pawel Mazur'
-date: 2021/10/01
-modified: 2022/10/09
+date: 2021-10-01
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1115
diff --git a/rules/linux/auditd/lnx_auditd_coinminer.yml b/rules/linux/auditd/lnx_auditd_coinminer.yml
index fd45113d6b7..f1b8ee148f2 100644
--- a/rules/linux/auditd/lnx_auditd_coinminer.yml
+++ b/rules/linux/auditd/lnx_auditd_coinminer.yml
@@ -5,10 +5,10 @@ description: Detects command line parameter very often used with coin miners
 references:
 - https://xmrig.com/docs/miner/command-line-options
 author: Florian Roth (Nextron Systems)
-date: 2021/10/09
-modified: 2022/12/25
+date: 2021-10-09
+modified: 2022-12-25
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index 71a21f5b26d..6ada819f2c5 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -7,8 +7,8 @@ references:
 - https://access.redhat.com/articles/4409591#audit-record-types-2
 - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
 author: Marie Euler, Pawel Mazur
-date: 2020/05/18
-modified: 2022/12/20
+date: 2020-05-18
+modified: 2022-12-20
 tags:
 - attack.t1136.001
 - attack.persistence
diff --git a/rules/linux/auditd/lnx_auditd_data_compressed.yml b/rules/linux/auditd/lnx_auditd_data_compressed.yml
index 480b03092ff..1a54bfcf4c2 100644
--- a/rules/linux/auditd/lnx_auditd_data_compressed.yml
+++ b/rules/linux/auditd/lnx_auditd_data_compressed.yml
@@ -5,8 +5,8 @@ description: An adversary may compress data (e.g., sensitive documents) that is
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2023/07/28
+date: 2019-10-21
+modified: 2023-07-28
 tags:
 - attack.exfiltration
 - attack.t1560.001
diff --git a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
index 1beb9d63caa..314f2ed7391 100644
--- a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
+++ b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
@@ -8,8 +8,8 @@ references:
 - https://linux.die.net/man/1/wget
 - https://gtfobins.github.io/gtfobins/wget/
 author: 'Pawel Mazur'
-date: 2021/11/18
-modified: 2022/12/25
+date: 2021-11-18
+modified: 2022-12-25
 tags:
 - attack.exfiltration
 - attack.t1048.003
diff --git a/rules/linux/auditd/lnx_auditd_dd_delete_file.yml b/rules/linux/auditd/lnx_auditd_dd_delete_file.yml
index 3cb8f77c61f..6fa3ffb31e7 100644
--- a/rules/linux/auditd/lnx_auditd_dd_delete_file.yml
+++ b/rules/linux/auditd/lnx_auditd_dd_delete_file.yml
@@ -5,7 +5,7 @@ description: Detects overwriting (effectively wiping/deleting) of a file.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
 author: Jakob Weinzettl, oscd.community
-date: 2019/10/23
+date: 2019-10-23
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
index f25bf12f5f7..85f985e3045 100644
--- a/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
+++ b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
 - https://firewalld.org/documentation/man-pages/firewall-cmd.html
 author: 'Pawel Mazur'
-date: 2022/01/22
+date: 2022-01-22
 tags:
 - attack.t1562.004
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml b/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml
index 9ba7d2e7346..b6a6f107c17 100644
--- a/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml
+++ b/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml
@@ -5,10 +5,10 @@ description: Detects file and folder permission changes.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
 author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
-modified: 2021/11/27
+date: 2019-09-23
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
index 67ac87b8d13..4838d797d7a 100644
--- a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
+++ b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
@@ -5,10 +5,10 @@ description: 'Detecting attempts to extract passwords with grep'
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
-modified: 2023/04/30
+date: 2020-10-15
+modified: 2023-04-30
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
index ea5f53b8d00..d0ae6033ece 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
@@ -8,9 +8,9 @@ description: Detects calls to hidden files or files located in hidden directorie
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
 author: David Burkett, @signalblur
-date: 2022/12/30
+date: 2022-12-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.001
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
index b7fa135205b..afd7da3fc1d 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
@@ -5,10 +5,10 @@ description: Detects adversary creating hidden file or directory, by detecting d
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
 author: 'Pawel Mazur'
-date: 2021/09/06
-modified: 2022/10/09
+date: 2021-09-06
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
index 584fbe36389..54699ee356b 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
@@ -5,10 +5,10 @@ description: Detects appending of zip file to image
 references:
 - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
 author: 'Pawel Mazur'
-date: 2021/09/09
-modified: 2022/10/09
+date: 2021-09-09
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
index fdf65128103..0e74a32ccf8 100644
--- a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
+++ b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
@@ -8,10 +8,10 @@ references:
 - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
 - https://access.redhat.com/articles/4409591#audit-record-types-2
 author: 'Pawel Mazur'
-date: 2021/05/24
-modified: 2022/12/18
+date: 2021-05-24
+modified: 2022-12-18
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 - attack.t1056.001
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
index 742164d4909..63b46b9de6b 100644
--- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
+++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md
 - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
 author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2021/11/27
+date: 2019-10-24
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_load_module_insmod.yml b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
index 108f57e50d8..1aa091c82ff 100644
--- a/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
+++ b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
@@ -10,11 +10,11 @@ references:
 - https://linux.die.net/man/8/insmod
 - https://man7.org/linux/man-pages/man8/kmod.8.html
 author: 'Pawel Mazur'
-date: 2021/11/02
-modified: 2022/12/25
+date: 2021-11-02
+modified: 2022-12-25
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1547.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
index db00c3f2221..92ff9509c84 100644
--- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -5,10 +5,10 @@ description: Detect changes of syslog daemons configuration files
 references:
 - self experience
 author: Mikhail Larin, oscd.community
-date: 2019/10/25
-modified: 2021/11/27
+date: 2019-10-25
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index 253fa5aa571..2f3378f77df 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2023/08/22
+date: 2019-10-21
+modified: 2023-08-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml b/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
index 3a042511c1d..5c8561fe79d 100644
--- a/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
+++ b/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
@@ -11,10 +11,10 @@ references:
 - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
 - https://blog.aquasec.com/container-security-tnt-container-attack
 author: IAI
-date: 2023/03/06
+date: 2023-03-06
 tags:
 - attack.t1562.004
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/lnx_auditd_network_service_scanning.yml b/rules/linux/auditd/lnx_auditd_network_service_scanning.yml
index 9606fc5ae44..498333b0a10 100644
--- a/rules/linux/auditd/lnx_auditd_network_service_scanning.yml
+++ b/rules/linux/auditd/lnx_auditd_network_service_scanning.yml
@@ -8,8 +8,8 @@ description: Detects enumeration of local or remote network services.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
-modified: 2023/09/26
+date: 2020-10-21
+modified: 2023-09-26
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/linux/auditd/lnx_auditd_network_sniffing.yml b/rules/linux/auditd/lnx_auditd_network_sniffing.yml
index f0b51e62987..0a41e4b26e7 100644
--- a/rules/linux/auditd/lnx_auditd_network_sniffing.yml
+++ b/rules/linux/auditd/lnx_auditd_network_sniffing.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2022/12/18
+date: 2019-10-21
+modified: 2022-12-18
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.discovery
 - attack.t1040
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
index c899ed623ba..9c1282641a2 100644
--- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
+++ b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
@@ -9,11 +9,11 @@ references:
 - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
 - https://github.com/Azure/Azure-Sentinel/pull/3059
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/09/17
-modified: 2022/11/26
+date: 2021-09-17
+modified: 2022-11-26
 tags:
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.execution
 - attack.t1068
 - attack.t1190
diff --git a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
index a167a859dc8..1b99271476e 100644
--- a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
@@ -8,8 +8,8 @@ references:
 - https://man7.org/linux/man-pages/man1/passwd.1.html
 - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
 author: Ömer Günal, oscd.community, Pawel Mazur
-date: 2020/10/08
-modified: 2022/12/18
+date: 2020-10-08
+modified: 2022-12-18
 tags:
 - attack.discovery
 - attack.t1201
diff --git a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml
index 1dbbda8d870..4542567b73f 100644
--- a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml
+++ b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml
@@ -5,8 +5,8 @@ description: Detects a reload or a start of a service.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
 author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
-modified: 2021/11/27
+date: 2019-09-23
+modified: 2021-11-27
 tags:
 - attack.persistence
 - attack.t1543.002
diff --git a/rules/linux/auditd/lnx_auditd_screencapture_import.yml b/rules/linux/auditd/lnx_auditd_screencapture_import.yml
index 083ec68bbf0..2192ebadc58 100644
--- a/rules/linux/auditd/lnx_auditd_screencapture_import.yml
+++ b/rules/linux/auditd/lnx_auditd_screencapture_import.yml
@@ -10,8 +10,8 @@ references:
 - https://linux.die.net/man/1/import
 - https://imagemagick.org/
 author: 'Pawel Mazur'
-date: 2021/09/21
-modified: 2022/10/09
+date: 2021-09-21
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
index 86ecd900b4f..409f8b1ea5b 100644
--- a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
+++ b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
 - https://linux.die.net/man/1/xwd
 author: 'Pawel Mazur'
-date: 2021/09/13
-modified: 2022/12/18
+date: 2021-09-13
+modified: 2022-12-18
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml b/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
index 0878a35b3f1..96c850cde1b 100644
--- a/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
+++ b/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
@@ -5,8 +5,8 @@ description: 'Detection use of the command "split" to split files into parts and
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
-modified: 2022/11/28
+date: 2020-10-15
+modified: 2022-11-28
 tags:
 - attack.exfiltration
 - attack.t1030
diff --git a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
index 6408e58e783..ff5ed5d240d 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
@@ -5,10 +5,10 @@ description: Detects embedding of files with usage of steghide binary, the adver
 references:
 - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
 author: 'Pawel Mazur'
-date: 2021/09/11
-modified: 2022/10/09
+date: 2021-09-11
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
index 269f1c388dd..e9d6cf6d2f2 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
@@ -5,10 +5,10 @@ description: Detects extraction of files with usage of steghide binary, the adve
 references:
 - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
 author: 'Pawel Mazur'
-date: 2021/09/11
-modified: 2022/10/09
+date: 2021-09-11
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
index 47b0228101d..62161920caf 100644
--- a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/Neo23x0/auditd
 author: Marie Euler
-date: 2020/05/18
-modified: 2021/11/27
+date: 2020-05-18
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index 2845a12e1b3..1791136a65a 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -5,8 +5,8 @@ description: Detects relevant commands often related to malware or hacking activ
 references:
 - Internal Research - mostly derived from exploit code including code in MSF
 author: Florian Roth (Nextron Systems)
-date: 2017/12/12
-modified: 2022/10/05
+date: 2017-12-12
+modified: 2022-10-05
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
index 86b4ea4f8a2..cf0bdf53dcb 100644
--- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
@@ -5,12 +5,12 @@ description: Detects program executions in suspicious non-program folders relate
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2018/01/23
-modified: 2021/11/27
+date: 2018-01-23
+modified: 2021-11-27
 tags:
 - attack.t1587
 - attack.t1584
- - attack.resource_development
+ - attack.resource-development
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
index 63c13cebcd5..79eecb0421f 100644
--- a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
@@ -5,10 +5,10 @@ description: 'Detects commandline operations on shell history files'
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
 author: 'Mikhail Larin, oscd.community'
-date: 2020/10/17
-modified: 2022/11/28
+date: 2020-10-17
+modified: 2022-11-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
index 40eb3f94a0d..24a2ee31f5b 100644
--- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
@@ -5,8 +5,8 @@ description: Detects System Information Discovery commands
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md
 author: Pawel Mazur
-date: 2021/09/03
-modified: 2023/03/06
+date: 2021-09-03
+modified: 2023-03-06
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml
index 637b70e2c21..09289371e7e 100644
--- a/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml
+++ b/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml
@@ -8,8 +8,8 @@ description: Detects system information discovery commands
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware
 author: Ömer Günal, oscd.community
-date: 2020/10/08
-modified: 2022/11/26
+date: 2020-10-08
+modified: 2022-11-26
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
index 8910fea3922..e5770d53dff 100644
--- a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
+++ b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
@@ -5,8 +5,8 @@ description: Adversaries may shutdown/reboot systems to interrupt access to, or
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
-modified: 2022/11/26
+date: 2020-10-15
+modified: 2022-11-26
 tags:
 - attack.impact
 - attack.t1529
diff --git a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml
index e856859f392..528056f660b 100644
--- a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml
+++ b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml
@@ -5,8 +5,8 @@ description: Detects a creation of systemd services which could be used by adver
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
 author: 'Pawel Mazur'
-date: 2022/02/03
-modified: 2022/02/06
+date: 2022-02-03
+modified: 2022-02-06
 tags:
 - attack.persistence
 - attack.t1543.002
diff --git a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
index 125006950c0..541b7fce57b 100644
--- a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
+++ b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
@@ -2,7 +2,7 @@ title: Unix Shell Configuration Modification
 id: a94cdd87-6c54-4678-a6cc-2814ffe5a13d
 related:
 - id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
- type: obsoletes
+ type: obsolete
 status: test
 description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
 references:
@@ -10,8 +10,8 @@ references:
 - https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
 - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
 author: Peter Matkovski, IAI
-date: 2023/03/06
-modified: 2023/03/15
+date: 2023-03-06
+modified: 2023-03-15
 tags:
 - attack.persistence
 - attack.t1546.004
diff --git a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
index 6509ff29d77..2f053b55adb 100644
--- a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
@@ -5,10 +5,10 @@ description: Detects extracting of zip file from image file
 references:
 - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
 author: 'Pawel Mazur'
-date: 2021/09/09
-modified: 2022/10/09
+date: 2021-09-09
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml
index 2468ebdf083..0bfbbf39799 100644
--- a/rules/linux/auditd/lnx_auditd_user_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml
@@ -5,8 +5,8 @@ description: Adversaries may use the information from System Owner/User Discover
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2021/11/27
+date: 2019-10-21
+modified: 2021-11-27
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml
index 047a72c2040..e81fdc90f9c 100644
--- a/rules/linux/auditd/lnx_auditd_web_rce.yml
+++ b/rules/linux/auditd/lnx_auditd_web_rce.yml
@@ -5,8 +5,8 @@ description: Detects possible command execution by web application/web shell
 references:
 - Personal Experience of the Author
 author: Ilyas Ochkov, Beyu Denis, oscd.community
-date: 2019/10/12
-modified: 2022/12/25
+date: 2019-10-12
+modified: 2022-12-25
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
index 27829b53931..7e671643998 100644
--- a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
+++ b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
@@ -5,10 +5,10 @@ description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
 references:
 - https://twitter.com/wdormann/status/1486161836961579020
 author: Sreeman
-date: 2022/01/26
-modified: 2023/01/23
+date: 2022-01-26
+modified: 2023-01-23
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548.001
 logsource:
 product: linux
diff --git a/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml b/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml
index 43da1ba42ce..7f35fd59897 100644
--- a/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml
+++ b/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml
@@ -5,9 +5,9 @@ description: Detects relevant ClamAV messages
 references:
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
 author: Florian Roth (Nextron Systems)
-date: 2017/03/01
+date: 2017-03-01
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.001
 logsource:
 product: linux
diff --git a/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml b/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml
index fc07550d22e..480ae81f646 100644
--- a/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml
+++ b/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml
@@ -5,7 +5,7 @@ description: Detects suspicious modification of crontab file.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
 author: Pawel Mazur
-date: 2022/04/16
+date: 2022-04-16
 tags:
 - attack.persistence
 - attack.t1053.003
diff --git a/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml b/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml
index 616740cba0e..c16c3615776 100644
--- a/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml
+++ b/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml
@@ -5,10 +5,10 @@ description: Detects suspicious session with two users present
 references:
 - https://research.checkpoint.com/2020/apache-guacamole-rce/
 author: Florian Roth (Nextron Systems)
-date: 2020/07/03
-modified: 2021/11/27
+date: 2020-07-03
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1212
 logsource:
 product: linux
diff --git a/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
index 3022534da16..e922a0dfc94 100755
--- a/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
+++ b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
@@ -5,8 +5,8 @@ description: Detects suspicious shell commands used in various Equation Group sc
 references:
 - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
 author: Florian Roth (Nextron Systems)
-date: 2017/04/09
-modified: 2021/11/27
+date: 2017-04-09
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.g0020
diff --git a/rules/linux/builtin/lnx_buffer_overflows.yml b/rules/linux/builtin/lnx_buffer_overflows.yml
index 17bb8612fd5..32d428ffa1d 100644
--- a/rules/linux/builtin/lnx_buffer_overflows.yml
+++ b/rules/linux/builtin/lnx_buffer_overflows.yml
@@ -5,10 +5,10 @@ description: Detects buffer overflow attempts in Unix system log files
 references:
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml
 author: Florian Roth (Nextron Systems)
-date: 2017/03/01
+date: 2017-03-01
 tags:
 - attack.t1068
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: linux
 detection:
diff --git a/rules/linux/builtin/lnx_clear_syslog.yml b/rules/linux/builtin/lnx_clear_syslog.yml
index af04269f549..079fdfc8e5d 100644
--- a/rules/linux/builtin/lnx_clear_syslog.yml
+++ b/rules/linux/builtin/lnx_clear_syslog.yml
@@ -5,8 +5,8 @@ description: Detects specific commands commonly used to remove or empty the sysl
 references:
 - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
 author: Max Altgelt (Nextron Systems)
-date: 2021/09/10
-modified: 2022/11/26
+date: 2021-09-10
+modified: 2022-11-26
 tags:
 - attack.impact
 - attack.t1565.001
diff --git a/rules/linux/builtin/lnx_file_copy.yml b/rules/linux/builtin/lnx_file_copy.yml
index 1bb1facc868..223fcda0ff2 100644
--- a/rules/linux/builtin/lnx_file_copy.yml
+++ b/rules/linux/builtin/lnx_file_copy.yml
@@ -5,10 +5,10 @@ description: Detects the use of tools that copy files from or to remote systems
 references:
 - https://attack.mitre.org/techniques/T1105/
 author: Ömer Günal
-date: 2020/06/18
+date: 2020-06-18
 tags:
- - attack.command_and_control
- - attack.lateral_movement
+ - attack.command-and-control
+ - attack.lateral-movement
 - attack.t1105
 logsource:
 product: linux
diff --git a/rules/linux/builtin/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml
index fe3b96902d9..6f3bddb5380 100644
--- a/rules/linux/builtin/lnx_ldso_preload_injection.yml
+++ b/rules/linux/builtin/lnx_ldso_preload_injection.yml
@@ -5,11 +5,11 @@ description: Detects the ld.so preload persistence file. See `man ld.so` for mor
 references:
 - https://man7.org/linux/man-pages/man8/ld.so.8.html
 author: Christian Burkard (Nextron Systems)
-date: 2021/05/05
-modified: 2022/10/09
+date: 2021-05-05
+modified: 2022-10-09
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.006
 logsource:
 product: linux
diff --git a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
index 91ef302ee22..75e939f0681 100644
--- a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
+++ b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
@@ -6,10 +6,10 @@ references:
 - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
 - https://github.com/Immersive-Labs-Sec/nimbuspwn
 author: Bhabesh Raj
-date: 2022/05/04
-modified: 2023/01/23
+date: 2022-05-04
+modified: 2023-01-23
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 logsource:
 product: linux
diff --git a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
index 624efdca8ca..00fa9e19acf 100644
--- a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
+++ b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
@@ -6,10 +6,10 @@ references:
 - https://redcanary.com/blog/ebpf-malware/
 - https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
 author: Red Canary (idea), Nasreddine Bencherchali
-date: 2023/01/25
+date: 2023-01-25
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: linux
 detection:
diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml
index 1882648793b..44d9931fdb5 100644
--- a/rules/linux/builtin/lnx_privileged_user_creation.yml
+++ b/rules/linux/builtin/lnx_privileged_user_creation.yml
@@ -7,7 +7,7 @@ references:
 - https://linux.die.net/man/8/useradd
 - https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
 author: Pawel Mazur
-date: 2022/12/21
+date: 2022-12-21
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/linux/builtin/lnx_shell_clear_cmd_history.yml b/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
index 58e06994857..72009ad1439 100644
--- a/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
+++ b/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
@@ -9,10 +9,10 @@ references:
 - https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics
 - https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
 author: Patrick Bareiss
-date: 2019/03/24
-modified: 2024/04/17
+date: 2019-03-24
+modified: 2024-04-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.003
 # Example config for this one (place it in .bash_profile):
 # (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) &
diff --git a/rules/linux/builtin/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml
index dc901ee3b54..78ba2b5cf66 100644
--- a/rules/linux/builtin/lnx_shell_susp_commands.yml
+++ b/rules/linux/builtin/lnx_shell_susp_commands.yml
@@ -8,8 +8,8 @@ references:
 - http://pastebin.com/FtygZ1cg
 - https://artkond.com/2017/03/23/pivoting-guide/
 author: Florian Roth (Nextron Systems)
-date: 2017/08/21
-modified: 2021/11/27
+date: 2017-08-21
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/builtin/lnx_shell_susp_log_entries.yml b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
index caa3385bade..35d0e403725 100644
--- a/rules/linux/builtin/lnx_shell_susp_log_entries.yml
+++ b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
@@ -5,8 +5,8 @@ description: Detects suspicious log entries in Linux log files
 references:
 - https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
 author: Florian Roth (Nextron Systems)
-date: 2017/03/25
-modified: 2021/11/27
+date: 2017-03-25
+modified: 2021-11-27
 tags:
 - attack.impact
 logsource:
diff --git a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
index 58d50b2a24f..ea5e843107a 100644
--- a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
+++ b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
@@ -5,8 +5,8 @@ description: Detects suspicious shell commands or program code that may be execu
 references:
 - https://alamot.github.io/reverse_shells/
 author: Florian Roth (Nextron Systems)
-date: 2019/04/02
-modified: 2021/11/27
+date: 2019-04-02
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/builtin/lnx_shellshock.yml b/rules/linux/builtin/lnx_shellshock.yml
index 8e9b5d2f417..dc1d28a91ef 100644
--- a/rules/linux/builtin/lnx_shellshock.yml
+++ b/rules/linux/builtin/lnx_shellshock.yml
@@ -5,8 +5,8 @@ description: Detects shellshock expressions in log files
 references:
 - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
 author: Florian Roth (Nextron Systems)
-date: 2017/03/14
-modified: 2022/10/09
+date: 2017-03-14
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/linux/builtin/lnx_space_after_filename_.yml b/rules/linux/builtin/lnx_space_after_filename_.yml
index 722dd1e6758..0a58e45b1e0 100644
--- a/rules/linux/builtin/lnx_space_after_filename_.yml
+++ b/rules/linux/builtin/lnx_space_after_filename_.yml
@@ -5,8 +5,8 @@ description: Detects space after filename
 references:
 - https://attack.mitre.org/techniques/T1064
 author: Ömer Günal
-date: 2020/06/17
-modified: 2021/11/27
+date: 2020-06-17
+modified: 2021-11-27
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/builtin/lnx_susp_dev_tcp.yml b/rules/linux/builtin/lnx_susp_dev_tcp.yml
index d8f68a34fc6..5b0fe6b0286 100644
--- a/rules/linux/builtin/lnx_susp_dev_tcp.yml
+++ b/rules/linux/builtin/lnx_susp_dev_tcp.yml
@@ -7,8 +7,8 @@ references:
 - https://book.hacktricks.xyz/shells/shells/linux
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan
 author: frack113
-date: 2021/12/10
-modified: 2023/01/06
+date: 2021-12-10
+modified: 2023-01-06
 tags:
 - attack.reconnaissance
 logsource:
diff --git a/rules/linux/builtin/lnx_susp_jexboss.yml b/rules/linux/builtin/lnx_susp_jexboss.yml
index eceedcdb6e2..1fea76f4f89 100644
--- a/rules/linux/builtin/lnx_susp_jexboss.yml
+++ b/rules/linux/builtin/lnx_susp_jexboss.yml
@@ -5,8 +5,8 @@ description: Detects suspicious command sequence that JexBoss
 references:
 - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
 author: Florian Roth (Nextron Systems)
-date: 2017/08/24
-modified: 2022/07/07
+date: 2017-08-24
+modified: 2022-07-07
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/builtin/lnx_symlink_etc_passwd.yml b/rules/linux/builtin/lnx_symlink_etc_passwd.yml
index 75393a3b996..fa126b32f3d 100644
--- a/rules/linux/builtin/lnx_symlink_etc_passwd.yml
+++ b/rules/linux/builtin/lnx_symlink_etc_passwd.yml
@@ -5,8 +5,8 @@ description: Detects suspicious command lines that look as if they would create
 references:
 - https://www.qualys.com/2021/05/04/21nails/21nails.txt
 author: Florian Roth (Nextron Systems)
-date: 2019/04/05
-modified: 2021/11/27
+date: 2019-04-05
+modified: 2021-11-27
 tags:
 - attack.t1204.001
 - attack.execution
diff --git a/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml b/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
index f9c561aaa5e..3975548b9b3 100644
--- a/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
+++ b/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
@@ -5,8 +5,8 @@ description: Detects exploitation attempt using public exploit code for CVE-2018
 references:
 - https://github.com/Rhynorater/CVE-2018-15473-Exploit
 author: Florian Roth (Nextron Systems)
-date: 2017/08/24
-modified: 2021/11/27
+date: 2017-08-24
+modified: 2021-11-27
 tags:
 - attack.reconnaissance
 - attack.t1589
diff --git a/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml b/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
index 8584d39b6dc..d89bcc20e35 100644
--- a/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
+++ b/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
 author: Florian Roth (Nextron Systems)
-date: 2017/06/30
-modified: 2021/11/27
+date: 2017-06-30
+modified: 2021-11-27
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: linux
diff --git a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
index 20808e855f9..d2df0e0e8dd 100644
--- a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
+++ b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
@@ -10,13 +10,13 @@ references:
 - https://access.redhat.com/security/cve/cve-2019-14287
 - https://twitter.com/matthieugarin/status/1183970598210412546
 author: Florian Roth (Nextron Systems)
-date: 2019/10/15
-modified: 2022/11/26
+date: 2019-10-15
+modified: 2022-11-26
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 - attack.t1548.003
- - cve.2019.14287
+ - cve.2019-14287
 logsource:
 product: linux
 service: sudo
diff --git a/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml b/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
index 0ae57f85439..76ec9b5b57e 100644
--- a/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
+++ b/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
@@ -8,10 +8,10 @@ description: Detects disabling security tools
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/06/17
-modified: 2022/11/26
+date: 2020-06-17
+modified: 2022-11-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: linux
diff --git a/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml b/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
index 86afe19fd25..34cbba11747 100644
--- a/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
+++ b/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
@@ -5,10 +5,10 @@ description: Detects suspicious DNS error messages that indicate a fatal or susp
 references:
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
 author: Florian Roth (Nextron Systems)
-date: 2018/02/20
-modified: 2022/10/05
+date: 2018-02-20
+modified: 2022-10-05
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: linux
diff --git a/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml b/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
index bbdfe379f53..d91978ed380 100644
--- a/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
+++ b/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
@@ -5,10 +5,10 @@ description: Detects suspicious VSFTPD error messages that indicate a fatal or s
 references:
 - https://github.com/dagwieers/vsftpd/
 author: Florian Roth (Nextron Systems)
-date: 2017/07/05
-modified: 2021/11/27
+date: 2017-07-05
+modified: 2021-11-27
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: linux
diff --git a/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml b/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
index be5bdee6f68..f92735f301d 100644
--- a/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
+++ b/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
@@ -6,10 +6,10 @@ references:
 - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
 - https://www.makeuseof.com/how-to-install-and-use-doas/
 author: Sittikorn S, Teoderick Contreras
-date: 2022/01/20
-modified: 2022/12/31
+date: 2022-01-20
+modified: 2022-12-31
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548
 logsource:
 product: linux
diff --git a/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml b/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
index cd9e431c878..e02b5abf5fb 100644
--- a/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
+++ b/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
@@ -5,8 +5,8 @@ description: Detects creation of cron file or files in Cron directories which co
 references:
 - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/12/31
+date: 2021-10-15
+modified: 2022-12-31
 tags:
 - attack.persistence
 - attack.t1053.003
diff --git a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
index 1ba00ab8ec1..27dca4e9c42 100644
--- a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
+++ b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
@@ -5,8 +5,8 @@ description: Detects creation of sudoers file or files in "sudoers.d" directory
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/05
-modified: 2022/12/31
+date: 2022-07-05
+modified: 2022-12-31
 tags:
 - attack.persistence
 - attack.t1053.003
diff --git a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
index 02764040e45..c3043b6c577 100644
--- a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
+++ b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
@@ -8,7 +8,7 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
index 4c56cf49f65..426c2a1f010 100644
--- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
+++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
@@ -5,10 +5,10 @@ description: Detects the creation of the file "rootlog" which is used by the Tri
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/05
-modified: 2022/12/31
+date: 2022-07-05
+modified: 2022-12-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: linux
 category: file_event
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
index 81fc28ec889..317ebc444e8 100644
--- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
+++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
@@ -5,11 +5,11 @@ description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "
 references:
 - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/05
-modified: 2022/12/31
+date: 2022-07-05
+modified: 2022-12-31
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1053.003
 logsource:
diff --git a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
index 14d61ef7f1a..54b932957f4 100644
--- a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
+++ b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
@@ -8,9 +8,9 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 product: linux
diff --git a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
index e6337afbc0b..888515b0d23 100644
--- a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
+++ b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
@@ -5,8 +5,8 @@ description: Detects a bash contecting to a remote IP address (often found when
 references:
 - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
 author: Florian Roth (Nextron Systems)
-date: 2021/10/16
-modified: 2022/12/25
+date: 2021-10-16
+modified: 2022-12-25
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml b/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
index 4bb860662d0..4d21a10a891 100644
--- a/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
+++ b/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
@@ -5,7 +5,7 @@ description: Detects process connections to a Monero crypto mining pool
 references:
 - https://www.poolwatch.io/coin/monero
 author: Florian Roth (Nextron Systems)
-date: 2021/10/26
+date: 2021-10-26
 tags:
 - attack.impact
 - attack.t1496
diff --git a/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml b/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml
index b9ffc29a693..3332ea6e263 100644
--- a/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml
+++ b/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml
@@ -9,9 +9,9 @@ references:
 - https://localtonet.com/documents/supported-tunnels
 - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
 author: Andreas Braathen (mnemonic.io)
-date: 2024/06/17
+date: 2024-06-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
 - attack.t1090
 - attack.t1102
diff --git a/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml b/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
index 4496a3c0158..9d5d9fdf14e 100644
--- a/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
+++ b/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/hakluke/status/1587733971814977537/photo/1
 - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
 author: Florian Roth (Nextron Systems)
-date: 2022/11/03
+date: 2022-11-03
 tags:
 - attack.exfiltration
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1567
 - attack.t1568.002
 - attack.t1572
diff --git a/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml b/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml
index 3864d356d6d..9d7cc8a1a10 100644
--- a/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml
+++ b/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml
@@ -13,10 +13,10 @@ references:
 - https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
 - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
 author: hasselj
-date: 2024/05/10
+date: 2024-05-10
 tags:
 - attack.persistence
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1571
 logsource:
 category: network_connection
diff --git a/rules/linux/process_creation/proc_creation_lnx_at_command.yml b/rules/linux/process_creation/proc_creation_lnx_at_command.yml
index 8ba08536c1a..d2126c9e0c8 100644
--- a/rules/linux/process_creation/proc_creation_lnx_at_command.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_at_command.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
 author: Ömer Günal, oscd.community
-date: 2020/10/06
-modified: 2022/07/07
+date: 2020-10-06
+modified: 2022-07-07
 tags:
 - attack.persistence
 - attack.t1053.002
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
index f73fc3efe0a..11b1943f67a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
@@ -5,10 +5,10 @@ description: Detects usage of base64 utility to decode arbitrary base64-encoded
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2021/11/27
+date: 2020-10-19
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
index c3ea5de42ad..71af7da3ba3 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/arget13/DDexec
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: pH-T (Nextron Systems)
-date: 2022/07/26
-modified: 2023/06/16
+date: 2022-07-26
+modified: 2023-06-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
index b5017a42ecc..35be59a78c0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
@@ -6,9 +6,9 @@ references:
 - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
 - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml b/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml
index 5867934c307..739fda4b357 100644
--- a/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml
@@ -7,7 +7,7 @@ references:
 - https://www.revshells.com/
 - https://linux.die.net/man/1/bash
 author: '@d4ns4n_'
-date: 2023/04/07
+date: 2023-04-07
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
index eb6839b7bfe..8c1535caf0c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
@@ -7,10 +7,10 @@ references:
 - https://bpftrace.org/
 - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/25
+date: 2023-01-25
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml
index 8ffc0608f65..31f65a21904 100644
--- a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml
@@ -6,7 +6,7 @@ references:
 - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
 - https://bpftrace.org/
 author: Andreas Hunkeler (@Karneades)
-date: 2022/02/11
+date: 2022-02-11
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
index ff14daba38f..87811e044d4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
@@ -7,8 +7,8 @@ references:
 - https://github.com/carlospolop/PEASS-ng
 - https://github.com/diego-treitos/linux-smart-enumeration
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/28
-modified: 2024/03/05
+date: 2022-12-28
+modified: 2024-03-05
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
index 68763fafd90..f1dde2f9bc1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
@@ -5,8 +5,8 @@ description: Detects the execution of a cat /etc/sudoers to list all users that
 references:
 - https://github.com/sleventyeleven/linuxprivchecker/
 author: Florian Roth (Nextron Systems)
-date: 2022/06/20
-modified: 2022/09/15
+date: 2022-06-20
+modified: 2022-09-15
 tags:
 - attack.reconnaissance
 - attack.t1592.004
diff --git a/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
index 3d3a589c9df..41186cae01f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
@@ -8,9 +8,9 @@ description: Detects usage of the 'chattr' utility to remove immutable file attr
 references:
 - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
index 37aee1399f2..202156876d6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
@@ -5,10 +5,10 @@ description: Detects attempts to clear logs on the system. Adversaries may clear
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: Ömer Günal, oscd.community
-date: 2020/10/07
-modified: 2022/09/15
+date: 2020-10-07
+modified: 2022-09-15
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1070.002
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
index ff5820eb550..fc1ec32b09f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
@@ -5,10 +5,10 @@ description: Detects specific commands commonly used to remove or empty the sysl
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/09/15
+date: 2021-10-15
+modified: 2022-09-15
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1070.002
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml
index bf691a47d37..65df521210d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml
@@ -7,8 +7,8 @@ description: |
references:
- https://www.packetlabs.net/posts/clipboard-data-security/
author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/09/15
+date: 2021-10-15
+modified: 2022-09-15
tags:
- attack.collection
- attack.t1115
diff --git a/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml b/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
index 585d63236b1..97b01638eaf 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
@@ -6,9 +6,9 @@ references:
- https://blogs.blackberry.com/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/01/31
+date: 2023-01-31
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1552.001
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
index f92b908ab73..7966a068cd3 100644
--- a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
@@ -8,7 +8,7 @@ references:
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
tags:
- attack.discovery
- attack.t1007
diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
index 419d47d549c..1b9559e5095 100644
--- a/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
@@ -7,9 +7,9 @@ description: |
references:
- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
logsource:
category: process_creation
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
index 3d998d06cd3..f0457cf0ee0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
@@ -5,8 +5,8 @@ description: Detects command line parameters or strings often used by crypto min
references:
- https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
-date: 2021/10/26
-modified: 2022/12/25
+date: 2021-10-26
+modified: 2022-12-25
tags:
- attack.impact
- attack.t1496
diff --git a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml
index 1e80ebbf8fd..2799dbbc50c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml
@@ -5,9 +5,9 @@ description: Detects a curl process start on linux, which indicates a file downl
references:
- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1105
logsource:
category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml b/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
index fa251f6e97f..cb7decc2bea 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
@@ -8,13 +8,13 @@ description: Detects spawning of suspicious child processes by Atlassian Conflue
references:
- https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/03
+date: 2022-06-03
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.execution
- attack.t1190
- attack.t1059
- - cve.2022.26134
+ - cve.2022-26134
logsource:
category: process_creation
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml b/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
index aef001baf61..a92e6acfa0f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
@@ -7,11 +7,11 @@ references:
- https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
- https://github.com/apache/spark/pull/36315/files
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/20
+date: 2022-07-20
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
- - cve.2022.33891
+ - cve.2022-33891
logsource:
product: linux
category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml b/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml
index 71ffcad28cd..73e15abcbe9 100644
--- a/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml
@@ -5,8 +5,8 @@ description: Detects potential overwriting and deletion of a file using DD.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/07/07
+date: 2021-10-15
+modified: 2022-07-07
tags:
- attack.impact
- attack.t1485
diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
index 4d7d8fbbb32..468b38d9650 100644
--- a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
@@ -6,9 +6,9 @@ references:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
- https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
author: Joseph Kamau
-date: 2023/12/01
+date: 2023-12-01
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1055.009
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
index f99cf647cbd..8cf9eb0f232 100644
--- a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
@@ -6,9 +6,9 @@ references:
- https://blogs.blackberry.com/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/01/18
+date: 2023-01-18
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562.004
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
index 564c37a36b4..900d56296e6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
@@ -6,9 +6,9 @@ references:
- https://research.splunk.com/endpoint/linux_doas_tool_execution/
- https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
-date: 2022/01/20
+date: 2022-01-20
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1548
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
index c41dc38f2e9..01f9f2a1e7d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
@@ -6,7 +6,7 @@ references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html
author: Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
index dfc63fc1cf2..e0d84eb4083 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
@@ -5,7 +5,7 @@ description: Detects execution of the "esxcli" command with the "system" and "pe
references:
- https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/04
+date: 2023-09-04
tags:
- attack.execution
logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
index af6e9829d22..112773edc9b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
@@ -7,7 +7,7 @@ references:
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
- https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
index 845319727e7..7a9aaa4022f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
@@ -6,9 +6,9 @@ references:
- https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
- https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
author: Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562.001
- attack.t1562.003
logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
index eee3487fc8b..b3e56ea01d9 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
@@ -6,7 +6,7 @@ references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
author: Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
index 0b5069ed56b..fa7319486c7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
@@ -5,7 +5,7 @@ description: Detects user account creation on ESXi system via esxcli
references:
- https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
author: Cedric Maurugeon
-date: 2023/08/22
+date: 2023-08-22
tags:
- attack.persistence
- attack.t1136
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
index b93f97ad0d4..503618cb215 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
@@ -8,7 +8,7 @@ references:
- https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
index 42df2b18703..9afeb12b41f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
@@ -8,7 +8,7 @@ references:
- https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
tags:
- attack.execution
logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
index 2eede884801..844503adc2c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
@@ -7,7 +7,7 @@ references:
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
- https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
index a7c0e3ce83c..1238daa1a9f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities to discover files and directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/11/25
+date: 2020-10-19
+modified: 2022-11-25
tags:
- attack.discovery
- attack.t1083
diff --git a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
index 47adf83de28..6f3a01262e5 100644
--- a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
@@ -5,10 +5,10 @@ description: Detects file deletion using "rm", "shred" or "unlink" commands whic
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: Ömer Günal, oscd.community
-date: 2020/10/07
-modified: 2022/09/15
+date: 2020-10-07
+modified: 2022-09-15
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1070.004
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
index ea1e5b0c9ec..fff00b0951b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
@@ -9,7 +9,7 @@ references:
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
tags:
- attack.discovery
- attack.t1082
diff --git a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
index 6d10e5a4f6b..26fd46ff229 100644
--- a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
@@ -8,7 +8,7 @@ references:
- https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
- https://linux.die.net/man/8/groupdel
author: Tuan Le (NCSGroup)
-date: 2022/12/26
+date: 2022-12-26
tags:
- attack.impact
- attack.t1531
diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
index 2ef7e1b58d2..c5f75e71dc0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
@@ -6,7 +6,7 @@ references:
- https://gtfobins.github.io/gtfobins/apt/
- https://gtfobins.github.io/gtfobins/apt-get/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/28
+date: 2022-12-28
tags:
- attack.discovery
- attack.t1083
diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
index de4f854c365..0228c228358 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
@@ -7,7 +7,7 @@ references:
- https://gtfobins.github.io/gtfobins/rvim/
- https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/28
+date: 2022-12-28
tags:
- attack.discovery
- attack.t1083
diff --git a/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml b/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
index ea8e6b830b1..8e7bdba0b3e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
@@ -5,10 +5,10 @@ description: Detects installation of new certificate on the system which attacke
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: Ömer Günal, oscd.community
-date: 2020/10/05
-modified: 2022/07/07
+date: 2020-10-05
+modified: 2022-07-07
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1553.004
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
index 48712c358db..723a99b5e8e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
@@ -5,9 +5,9 @@ description: Detects installation of suspicious packages using system installati
references:
- https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/03
+date: 2023-01-03
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1553.004
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
index 7c13288f271..d4524534f95 100644
--- a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
@@ -7,9 +7,9 @@ references:
- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/01/18
+date: 2023-01-18
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562.004
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
index 1ebfc0e5c98..0dd9466797b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
@@ -6,9 +6,9 @@ references:
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
author: Tuan Le (NCSGroup)
-date: 2023/03/16
+date: 2023-03-16
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml
index 8bd382f44e2..35b1422283e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local systeam accounts. This information can
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
author: Alejandro Ortuno, oscd.community
-date: 2020/10/08
-modified: 2022/11/27
+date: 2020-10-08
+modified: 2022-11-27
tags:
- attack.discovery
- attack.t1087.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
index 3cfe8edcd08..3cd4f9b6f51 100644
--- a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local system groups. Adversaries may attempt
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/10/11
-modified: 2022/11/27
+date: 2020-10-11
+modified: 2022-11-27
tags:
- attack.discovery
- attack.t1069.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
index eabb5c08beb..1508c6c0ced 100644
--- a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
@@ -7,7 +7,7 @@ references:
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
tags:
- attack.discovery
- attack.t1082
diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
index 737e41af771..9f7174fcfa3 100644
--- a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
@@ -6,7 +6,7 @@ references:
- https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
tags:
- attack.execution
logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
index 250cba342db..f24488fd89d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
@@ -9,7 +9,7 @@ references:
- https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
tags:
- attack.execution
logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
index 2629345c566..28715cccf69 100644
--- a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
@@ -7,9 +7,9 @@ references:
- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/01/12
+date: 2023-01-12
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1564
logsource:
product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
index 2e43b72af9f..d1c9106c6d2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
@@ -9,7 +9,7 @@ references:
- https://www.infosecademy.com/netcat-reverse-shells/
- https://man7.org/linux/man-pages/man1/ncat.1.html
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
-date: 2023/04/07
+date: 2023-04-07
tags:
- attack.execution
- attack.t1059
diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup.yml b/rules/linux/process_creation/proc_creation_lnx_nohup.yml
index dedce2fb1bf..d3ddc5983ee 100644
--- a/rules/linux/process_creation/proc_creation_lnx_nohup.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_nohup.yml
@@ -7,7 +7,7 @@ references:
- https://en.wikipedia.org/wiki/Nohup
- https://www.computerhope.com/unix/unohup.htm
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2022/06/06
+date: 2022-06-06
tags:
- attack.execution
- attack.t1059.004
diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
index 03af205e6fb..9bd6a20b566 100644
--- a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
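Review bot: In the mount_hidepid hunk the renamed tactic tag `attack.credential-access` sits next to `attack.t1564`, and T1564 (Hide Artifacts) is catalogued under Defense Evasion, so the tactic/technique pair looks inconsistent after this rename. The rename itself is mechanical and does not introduce the mismatch, but since the line is being touched it is a cheap moment to confirm the intended tactic against the rule's detection logic, which is outside the hunk; if hiding processes is what the rule targets, `- attack.defense-evasion` would be the matching tag. Left as is, ATT&CK coverage maps built from these tags will attribute this rule to the wrong tactic.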
@@ -11,7 +11,7 @@ references:
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
tags:
- attack.execution
logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
index 7711f5db5ec..6e568c3093a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
@@ -11,11 +11,11 @@ references:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/10/05
+date: 2021-10-15
+modified: 2022-10-05
tags:
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
- attack.execution
- attack.t1068
- attack.t1190
diff --git a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
index 5dbd85298ab..b985e82b4b8 100644
--- a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
@@ -9,11 +9,11 @@ references:
 - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
 - https://github.com/Azure/Azure-Sentinel/pull/3059
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/10/05
+date: 2021-10-15
+modified: 2022-10-05
 tags:
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.execution
 - attack.t1068
 - attack.t1190
diff --git a/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
index 54d39c73038..4cec24ad152 100644
--- a/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
@@ -6,7 +6,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
-date: 2023/04/07
+date: 2023-04-07
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml
index 4dc456108d2..b2958fe5647 100644
--- a/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml
@@ -8,7 +8,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: '@d4ns4n_'
-date: 2023/04/07
+date: 2023-04-07
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml b/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml
index 5424c0eb861..ef24826f143 100644
--- a/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml @@ -5,7 +5,7 @@ description: | Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT author: David Burkett (@signalblur) -date: 2024/04/16 +date: 2024-04-16 references: - https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf diff --git a/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml index f61dbffc925..ccb7e71601b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml @@ -7,8 +7,8 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md author: Ömer Günal, oscd.community -date: 2020/10/06 -modified: 2022/07/07 +date: 2020-10-06 +modified: 2022-07-07 tags: - attack.discovery - attack.t1057 diff --git a/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml b/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml index 7670709865e..7ff8d5f5a44 100644 --- a/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml 
@@ -5,10 +5,10 @@ description: Detects setting proxy configuration
 references:
 - https://attack.mitre.org/techniques/T1090/
 author: Ömer Günal
-date: 2020/06/17
-modified: 2022/10/05
+date: 2020-06-17
+modified: 2022-10-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1090
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
index d42e55c0a72..a75bd0cbd09 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
@@ -8,8 +8,8 @@ description: Detects python spawning a pretty tty which could be indicative of p
 references:
 - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
 author: Nextron Systems
-date: 2022/06/03
-modified: 2023/06/16
+date: 2022-06-03
+modified: 2023-06-16
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
index b138ebc9e0f..218f8e6e99c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
@@ -9,7 +9,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
-date: 2023/04/24
+date: 2023-04-24
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
index 27c08b20dfa..0ddc7f59fb2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
@@ -12,9 +12,9 @@ description: |
 references:
 - Internal Research
 author: Josh Nickels, Qi Nan
-date: 2024/03/11
+date: 2024-03-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1133
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
index 9faab9fe433..23052b47d8b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
@@ -5,8 +5,8 @@ description: Detects the enumeration of other remote systems.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/22
-modified: 2021/11/27
+date: 2020-10-22
+modified: 2021-11-27
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/linux/process_creation/proc_creation_lnx_remove_package.yml b/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
index 06346824c76..5dd05a15716 100644
--- a/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
@@ -8,9 +8,9 @@ references:
 - https://linuxhint.com/uninstall_yum_package/
 - https://linuxhint.com/uninstall-debian-packages/
 author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/09
+date: 2023-03-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
index 6bacb829c38..d82b70d9f53 100644
--- a/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
@@ -6,7 +6,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: '@d4ns4n_'
-date: 2023/04/07
+date: 2023-04-07
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml b/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
index b9f627587c3..fbaa7c54a1e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
@@ -5,12 +5,12 @@ description: Detects abuse of the cron utility to perform task scheduling for in
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
-modified: 2022/11/27
+date: 2020-10-06
+modified: 2022-11-27
 tags:
 - attack.execution
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1053.003
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
index 5101c2e7565..bf3d1b3bde6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities (only grep and egrep for now) to
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/11/27
+date: 2020-10-19
+modified: 2022-11-27
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
index fa83e7f3899..8e553910065 100644
--- a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
@@ -5,10 +5,10 @@ description: Detects disabling security tools
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/06/17
-modified: 2022/10/09
+date: 2020-06-17
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
index 4cd16414042..4d559978134 100644
--- a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
@@ -5,9 +5,9 @@ description: Detects the usage of utilities such as 'systemctl', 'service'...etc
 references:
 - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
index f807d3c6010..3df87f2ff55 100644
--- a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
 - https://attack.mitre.org/techniques/T1548/001/
 author: Ömer Günal
-date: 2020/06/16
-modified: 2022/10/05
+date: 2020-06-16
+modified: 2022-10-05
 tags:
 - attack.persistence
 - attack.t1548.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
index b50cf0f0822..3f24ef84158 100644
--- a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
@@ -7,9 +7,9 @@ references:
 - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
 - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
 author: Muhammad Faisal
-date: 2023/08/03
+date: 2023-08-03
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.persistence
 - attack.t1219
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
index 3226bafe730..5cf978a1d1b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
@@ -7,13 +7,13 @@ references:
 - https://access.redhat.com/security/cve/cve-2019-14287
 - https://twitter.com/matthieugarin/status/1183970598210412546
 author: Florian Roth (Nextron Systems)
-date: 2019/10/15
-modified: 2022/10/05
+date: 2019-10-15
+modified: 2022-10-05
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 - attack.t1548.003
- - cve.2019.14287
+ - cve.2019-14287
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml b/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
index e570ccd0daf..b24b41b5b97 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
@@ -6,9 +6,9 @@ references:
 - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2022/06/03
+date: 2022-06-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml
index fa82f89141f..4403c74abce 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml
@@ -9,7 +9,7 @@ tags:
 - attack.discovery
 - attack.t1082
 author: Seth Hanford
-date: 2023/08/23
+date: 2023-08-23
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
index 13629815405..3a5ebc00b6a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
@@ -12,8 +12,8 @@ references:
 - https://curl.se/docs/manpage.html
 - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
 author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
-date: 2022/09/15
-modified: 2023/05/02
+date: 2022-09-15
+modified: 2023-05-02
 tags:
 - attack.exfiltration
 - attack.t1567
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
index 33e5eb9871e..81717c6850a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
@@ -8,9 +8,9 @@ description: Detects a suspicious curl process start on linux with set useragent
 references:
 - https://curl.se/docs/manpage.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml
index 2e4c41830bc..f0729ae0ee0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml
@@ -9,7 +9,7 @@ tags:
 - attack.discovery
 - attack.t1082
 author: Seth Hanford
-date: 2023/08/23
+date: 2023-08-23
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
index 98d0b807449..aa8b8c6146f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
@@ -8,9 +8,9 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
index 7c15f0efb51..9c301f67240 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
@@ -8,7 +8,7 @@ description: Detects usage of "find" binary in a suspicious manner to perform di
 references:
 - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/28
+date: 2022-12-28
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
index 8abc41bc303..52a4ba438d4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
@@ -5,8 +5,8 @@ description: Detects execution of "git" in order to clone a remote repository th
 references:
 - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/03
-modified: 2023/01/05
+date: 2023-01-03
+modified: 2023-01-05
 tags:
 - attack.reconnaissance
 - attack.t1593.003
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
index f520d0b930c..a886e3f95e8 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/sleventyeleven/linuxprivchecker/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
 author: Florian Roth (Nextron Systems)
-date: 2022/06/20
-modified: 2022/09/15
+date: 2022-06-20
+modified: 2022-09-15
 tags:
 - attack.impact
 - attack.t1565.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
index 74f8b622958..f67989cb00f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/sleventyeleven/linuxprivchecker/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
 author: Florian Roth (Nextron Systems)
-date: 2022/06/20
-modified: 2022/09/15
+date: 2022-06-20
+modified: 2022-09-15
 tags:
 - attack.reconnaissance
 - attack.t1592.004
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml
index 32f9da31bd3..4b41010ac4e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml
@@ -13,11 +13,11 @@ references:
 - https://github.com/Ne0nd0g/merlin
 - https://github.com/Pennyw0rth/NetExec/
 author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
-date: 2023/01/03
-modified: 2023/10/25
+date: 2023-01-03
+modified: 2023-10-25
 tags:
 - attack.execution
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml b/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml
index 9e052d5454c..057cbb35df9 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml
@@ -9,7 +9,7 @@ tags:
 - attack.discovery
 - attack.t1082
 author: Seth Hanford
-date: 2023/08/23
+date: 2023-08-23
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
index f4d1b909489..f7314d15cf7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
@@ -5,10 +5,10 @@ description: Detects suspicious interactive bash as a parent to rather uncommon
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2022/03/14
+date: 2022-03-14
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1059.004
 - attack.t1036
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml b/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
index 4e910659634..322cd563e32 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
@@ -5,7 +5,7 @@ description: Detects java process spawning suspicious children
 references:
 - https://www.tecmint.com/different-types-of-linux-shells/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/03
+date: 2022-06-03
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml
index 8111a5334b1..9dd224d6b9f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml
@@ -7,8 +7,8 @@ references:
 - https://github.com/projectdiscovery/naabu
 - https://github.com/Tib3rius/AutoRecon
 author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
-date: 2020/10/21
-modified: 2023/10/25
+date: 2020-10-21
+modified: 2023-10-25
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
index ea7c51a21ba..558728a330f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
@@ -5,10 +5,10 @@ description: Detects suspicious process command line that starts with a shell th
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2022/03/14
-modified: 2022/07/26
+date: 2022-03-14
+modified: 2022-07-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml b/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
index d2581b08100..23ace9edfd4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
@@ -5,11 +5,11 @@ description: Detects events with patterns found in commands used for reconnaissa
 references:
 - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
 author: Florian Roth (Nextron Systems)
-date: 2022/06/20
+date: 2022-06-20
 tags:
 - attack.reconnaissance
 - attack.t1592.004
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
index a7353a4ff92..d56ff8274da 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
@@ -5,7 +5,7 @@ description: Detects changes of sensitive and critical files. Monitors files tha
 references:
 - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
 author: '@d4ns4n_ (Wuerth-Phoenix)'
-date: 2023/05/30
+date: 2023-05-30
 tags:
 - attack.impact
 - attack.t1565.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
index 600a994ff1b..a38d2322d8f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
@@ -8,7 +8,7 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
index 514239ba619..8819b59ec4f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
@@ -8,7 +8,7 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
index f45de992bbb..ec5d3f4a7e7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
@@ -5,8 +5,8 @@ description: Detects system information discovery commands
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
 author: Ömer Günal, oscd.community
-date: 2020/10/08
-modified: 2021/09/14
+date: 2020-10-08
+modified: 2021-09-14
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
index 0b2ca2e7a92..7beb43031ba 100644
--- a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities to discover system network connec
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2023/01/17
+date: 2020-10-19
+modified: 2023-01-17
 tags:
 - attack.discovery
 - attack.t1049
diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml
index 69a1c879999..647835e76ba 100644
--- a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local network configuration
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
 author: Ömer Günal and remotephone, oscd.community
-date: 2020/10/06
-modified: 2022/09/15
+date: 2020-10-06
+modified: 2022-09-15
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
index ac6b07c9c02..b3ed4dc1b1c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
@@ -6,9 +6,9 @@ references:
 - https://blogs.blackberry.com/
 - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.006
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
index 31d219dc919..cbf35716893 100644
--- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
@@ -5,10 +5,10 @@ description: Detects execution of a the file "execve_hijack" which is used by th
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/05
+date: 2022-07-05
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
index f7d1534ee36..40b2fc6dc37 100644
--- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
@@ -5,9 +5,9 @@ description: Detects default install commands of the Triple Cross eBPF rootkit b
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/05
+date: 2022-07-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1014
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_userdel.yml b/rules/linux/process_creation/proc_creation_lnx_userdel.yml
index eed85d3c1d3..e31b7ce3af1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_userdel.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_userdel.yml
@@ -8,7 +8,7 @@ references:
 - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
 - https://linux.die.net/man/8/userdel
 author: Tuan Le (NCSGroup)
-date: 2022/12/26
+date: 2022-12-26
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml
index 15e18c81605..739ac09ec00 100644
--- a/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml
@@ -6,9 +6,9 @@ references:
 - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
 - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
 author: TuanLe (GTSC)
-date: 2022/12/21
+date: 2022-12-21
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
index 8cf0416cf31..11140a97aed 100644
--- a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
@@ -6,8 +6,8 @@ references:
 - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
 - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/10/15
-modified: 2022/12/28
+date: 2021-10-15
+modified: 2022-12-28
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
index 1b4668243bd..736add1f2a1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
@@ -8,9 +8,9 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml
index 85a089c1188..1a05768ddc4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml
@@ -6,7 +6,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: '@d4ns4n_'
-date: 2023/04/24
+date: 2023-04-24
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml b/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml
index 5307aa8a63a..d7997433959 100644
--- a/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml
+++ b/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md
 - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/23
-modified: 2021/11/27
+date: 2020-10-23
+modified: 2021-11-27
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.014
 logsource:
 category: file_event
diff --git a/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml b/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml
index 263f13b5a48..9a9e0ec58ea 100644
--- a/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml
+++ b/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml
@@ -9,11 +9,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md
 - https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/14
-modified: 2024/08/11
+date: 2020-10-14
+modified: 2024-08-11
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1037.005
 logsource:
 category: file_event
diff --git a/rules/macos/process_creation/proc_creation_macos_applescript.yml b/rules/macos/process_creation/proc_creation_macos_applescript.yml
index a12eeeaa6a1..200543bcfe1 100644
--- a/rules/macos/process_creation/proc_creation_macos_applescript.yml
+++ b/rules/macos/process_creation/proc_creation_macos_applescript.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md
 - https://redcanary.com/blog/applescript/
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
-modified: 2023/02/01
+date: 2020-10-21
+modified: 2023-02-01
 tags:
 - attack.execution
 - attack.t1059.002
diff --git a/rules/macos/process_creation/proc_creation_macos_base64_decode.yml b/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
index 89667d96eea..7c0cd7b35a6 100644
--- a/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
+++ b/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
@@ -5,10 +5,10 @@ description: Detects usage of base64 utility to decode arbitrary base64-encoded
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/11/26
+date: 2020-10-19
+modified: 2022-11-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
index 55dd6c029e3..6e3aa15f961 100644
--- a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
+++ b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
@@ -7,10 +7,10 @@ references:
 - https://linux.die.net/man/1/truncate
 - https://linux.die.net/man/1/dd
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
-modified: 2023/02/17
+date: 2020-10-19
+modified: 2023-02-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.001
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml b/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
index ae85c6f8532..ceb3df825f9 100644
--- a/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
+++ b/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
@@ -5,10 +5,10 @@ description: Detect file time attribute change to hide new or changes to existin
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
 author: Igor Fits, Mikhail Larin, oscd.community
-date: 2020/10/19
-modified: 2022/01/12
+date: 2020-10-19
+modified: 2022-01-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.006
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml
index 0b81ac8b06e..121e3a8f913 100644
--- a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml
+++ b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml
@@ -5,10 +5,10 @@ description: Detects deletion of local audit logs
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
 author: remotephone, oscd.community
-date: 2020/10/11
-modified: 2022/09/16
+date: 2020-10-11
+modified: 2022-09-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.002
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml b/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
index 4e7ef66d7a8..ef92da21431 100644
--- a/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
+++ b/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
@@ -8,7 +8,7 @@ description: Detects possible collection of data from the clipboard via executio
 references:
 - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
 author: Sohan G (D4rkCiph3r)
-date: 2023/01/31
+date: 2023-01-31
 tags:
 - attack.collection
 - attack.execution
diff --git a/rules/macos/process_creation/proc_creation_macos_create_account.yml b/rules/macos/process_creation/proc_creation_macos_create_account.yml
index f8028065a1c..b6c287a97d2 100644
--- a/rules/macos/process_creation/proc_creation_macos_create_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_create_account.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
 - https://ss64.com/osx/sysadminctl.html
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
-modified: 2023/02/18
+date: 2020-10-06
+modified: 2023-02-18
 tags:
 - attack.t1136.001
 - attack.persistence
diff --git a/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml b/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml
index 99775193998..1b87357e68a 100644
--- a/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml
@@ -5,10 +5,10 @@ description: Detects creation of a hidden user account on macOS (UserID < 500) o
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/10
-modified: 2021/11/27
+date: 2020-10-10
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.002
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml b/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml
index 6ca0e5c269f..c97cc545b43 100644
--- a/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml
+++ b/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
 - https://gist.github.com/Capybara/6228955
 author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
-date: 2020/10/19
-modified: 2021/11/27
+date: 2020-10-19
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.001
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml b/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml
index 15570945f0e..69c47afe7fb 100644
--- a/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml
+++ b/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml
@@ -9,7 +9,7 @@ references:
 - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
 - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/01/02
+date: 2024-01-02
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml b/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml
index 82dd7b5e87a..1790b6dcb14 100644
--- a/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml
+++ b/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml
@@ -9,7 +9,7 @@ references:
 - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
 - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/01/02
+date: 2024-01-02
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml b/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml
index edde80cf917..651aaac827d 100644
--- a/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml
+++ b/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml
@@ -5,10 +5,10 @@ description: Detects disabling security tools
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2021/11/27
+date: 2020-10-19
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
index b847f32c748..b07a2082ea6 100644
--- a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
@@ -2,17 +2,17 @@ title: User Added To Admin Group Via Dscl
 id: b743623c-2776-40e0-87b1-682b975d0ca5
 related:
 - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects attempts to create and add an account to the admin group via "dscl"
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
 - https://ss64.com/osx/dscl.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/03/19
+date: 2023-03-19
 tags:
- - attack.initial_access
- - attack.privilege_escalation
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1078.003
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
index 1835065729a..7750a439aa5 100644
--- a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos
 - https://ss64.com/osx/dseditgroup.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/08/22
+date: 2023-08-22
 tags:
- - attack.initial_access
- - attack.privilege_escalation
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1078.003
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
index 6329028d797..8c65fef061e 100644
--- a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
@@ -7,12 +7,12 @@ references:
 - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
 - https://ss64.com/osx/dsenableroot.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/08/22
+date: 2023-08-22
 tags:
 - attack.t1078
 - attack.t1078.001
 - attack.t1078.003
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml b/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml
index 4aca758c0e2..0594770a536 100644
--- a/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities to discover files and directories
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/11/25
+date: 2020-10-19
+modified: 2022-11-25
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml b/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml
index 099c35e679a..d6dab1a8777 100644
--- a/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml
+++ b/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml
@@ -5,10 +5,10 @@ description: Detecting attempts to extract passwords with grep and laZagne
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
-modified: 2021/11/27
+date: 2020-10-19
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml
index 59f5616cd86..dd931957b18 100644
--- a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml
+++ b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
 - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
 author: remotephone, oscd.community
-date: 2020/10/13
-modified: 2022/12/25
+date: 2020-10-13
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1056.002
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml b/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml
index 7e6ec47bf93..b5e119db81c 100644
--- a/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml
+++ b/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml
@@ -7,7 +7,7 @@ references:
 - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
 - https://ss64.com/mac/hdiutil.html
 author: Omar Khaled (@beacon_exe)
-date: 2024/08/10
+date: 2024-08-10
 tags:
 - attack.exfiltration
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml b/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
index ee3ae233f60..5463640d8ce 100644
--- a/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
+++ b/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
@@ -7,9 +7,9 @@ references:
 - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
 - https://ss64.com/mac/hdiutil.html
 author: Omar Khaled (@beacon_exe)
-date: 2024/08/10
+date: 2024-08-10
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 - attack.t1560.001
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml b/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml
index c0104c9ec61..4329d11b7f5 100644
--- a/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml
+++ b/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml
@@ -6,14 +6,14 @@ references:
 - https://redcanary.com/blog/clipping-silver-sparrows-wings/
 - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
 author: Sohan G (D4rkCiph3r)
-date: 2023/02/18
+date: 2023-02-18
 tags:
 - attack.t1059
 - attack.t1059.007
 - attack.t1071
 - attack.t1071.001
 - attack.execution
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml b/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml
index 3a042212c04..79956ea7dae 100644
--- a/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml
@@ -11,8 +11,8 @@ references:
 - https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
 - https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/12/20
-modified: 2024/01/02
+date: 2023-12-20
+modified: 2024-01-02
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml b/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml
index 9d326c3a9e0..28f3c5337f4 100644
--- a/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml
@@ -7,7 +7,7 @@ references:
 - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
 - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/22
+date: 2023-08-22
 tags:
 - attack.execution
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml b/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml
index 414ef823603..6f407c9e7e8 100644
--- a/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml
@@ -8,7 +8,7 @@ references:
 - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
 - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
 author: Jay Pandit
-date: 2023/08/22
+date: 2023-08-22
 tags:
 - attack.execution
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
index d17fb3ffd98..731fbda274a 100644
--- a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
@@ -8,7 +8,7 @@ description: Detects possible malicious execution of JXA in-memory via OSAScript
 references:
 - https://redcanary.com/blog/applescript/
 author: Sohan G (D4rkCiph3r)
-date: 2023/01/31
+date: 2023-01-31
 tags:
 - attack.t1059.002
 - attack.t1059.007
diff --git a/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml b/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
index ce721a9c8e3..aabc461339d 100644
--- a/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
@@ -9,7 +9,7 @@ references:
 - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
 - https://www.loobins.io/binaries/launchctl/
 author: Pratinav Chandra
-date: 2024/05/13
+date: 2024-05-13
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/macos/process_creation/proc_creation_macos_local_account.yml b/rules/macos/process_creation/proc_creation_macos_local_account.yml
index 51871afe38b..f3f0ad86624 100644
--- a/rules/macos/process_creation/proc_creation_macos_local_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_local_account.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local systeam accounts on MacOS
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/08
-modified: 2022/11/27
+date: 2020-10-08
+modified: 2022-11-27
 tags:
 - attack.discovery
 - attack.t1087.001
diff --git a/rules/macos/process_creation/proc_creation_macos_local_groups.yml b/rules/macos/process_creation/proc_creation_macos_local_groups.yml
index 43c241a02a6..a25fadffc44 100644
--- a/rules/macos/process_creation/proc_creation_macos_local_groups.yml
+++ b/rules/macos/process_creation/proc_creation_macos_local_groups.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local system groups
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/10/11
-modified: 2022/11/27
+date: 2020-10-11
+modified: 2022-11-27
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml b/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml
index 55f66033961..7a0c704e8f8 100644
--- a/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml
+++ b/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local or remote network services.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
-modified: 2021/11/27
+date: 2020-10-21
+modified: 2021-11-27
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml b/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml
index 325859b70b3..c4b0eccc68b 100644
--- a/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml
+++ b/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/14
-modified: 2022/11/26
+date: 2020-10-14
+modified: 2022-11-26
 tags:
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.t1040
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml b/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml
index cab90630b93..69ec424a0bf 100644
--- a/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml
+++ b/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml
@@ -7,10 +7,10 @@ references:
 - https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
 - https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
 author: Daniel Cortez
-date: 2024/06/04
+date: 2024-06-04
 tags:
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml b/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
index 84af621ca79..98655b4d96a 100644
--- a/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
+++ b/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
@@ -6,8 +6,8 @@ references:
 - https://redcanary.com/blog/applescript/
 - https://objective-see.org/blog/blog_0x4B.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/01/31
-modified: 2023/02/04
+date: 2023-01-31
+modified: 2023-02-04
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml b/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
index ed9df6e6a6c..182e656dc3f 100644
--- a/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://redcanary.com/blog/applescript/
 - https://ss64.com/osx/osacompile.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/01/31
+date: 2023-01-31
 tags:
 - attack.t1059.002
 - attack.execution
diff --git a/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml b/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml
index 1d1cbbc2d32..87eda5e0b02 100644
--- a/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml
+++ b/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml
@@ -5,13 +5,13 @@ description: Detects when a built-in utility is used to decode and decrypt a pay
 references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
 author: Tim Rauch (rule), Elastic (idea)
-date: 2022/10/17
+date: 2022-10-17
 tags:
 - attack.t1059
 - attack.t1204
 - attack.execution
 - attack.t1140
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.s0482
 - attack.s0402
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
index 9ea30486925..b69e77d7b68 100644
--- a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
+++ b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
@@ -6,7 +6,7 @@ references:
 - https://redcanary.com/blog/clipping-silver-sparrows-wings/
 - https://www.manpagez.com/man/8/PlistBuddy/
 author: Sohan G (D4rkCiph3r)
-date: 2023/02/18
+date: 2023-02-18
 tags:
 - attack.persistence
 - attack.t1543.001
diff --git a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml
index 510078c7069..3ccdd9b1251 100644
--- a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml
+++ b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml
@@ -12,9 +12,9 @@ description: |
 references:
 - Internal Research
 author: Josh Nickels, Qi Nan
-date: 2024/03/11
+date: 2024-03-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1133
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml
index 40d2eed7e15..19f8bf9e9cf 100644
--- a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml
@@ -5,8 +5,8 @@ description: Detects the enumeration of other remote systems.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/22
-modified: 2021/11/27
+date: 2020-10-22
+modified: 2021-11-27
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml b/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml
index 08aebeaecda..00950715f13 100644
--- a/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml
+++ b/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml
@@ -5,12 +5,12 @@ description: Detects abuse of the cron utility to perform task scheduling for in
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
-modified: 2022/11/27
+date: 2020-10-06
+modified: 2022-11-27
 tags:
 - attack.execution
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1053.003
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_screencapture.yml b/rules/macos/process_creation/proc_creation_macos_screencapture.yml
index 865a81a202f..572ad6d4ad5 100644
--- a/rules/macos/process_creation/proc_creation_macos_screencapture.yml
+++ b/rules/macos/process_creation/proc_creation_macos_screencapture.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
 - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
 author: remotephone, oscd.community
-date: 2020/10/13
-modified: 2021/11/27
+date: 2020-10-13
+modified: 2021-11-27
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml b/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml
index c07596097c0..88ed5f7b8bf 100644
--- a/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities (only grep for now) to discover s
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/11/27
+date: 2020-10-19
+modified: 2022-11-27
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml b/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
index 4570e106d75..781e0f0ac96 100644
--- a/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
+++ b/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
@@ -5,10 +5,10 @@ description: Detects attempts to masquerade as legitimate files by adding a spac
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md
 author: remotephone
-date: 2021/11/20
-modified: 2023/01/04
+date: 2021-11-20
+modified: 2023-01-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.006
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml b/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml
index 0c7efb3d50e..feec9c3f46e 100644
--- a/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml
+++ b/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml
@@ -5,8 +5,8 @@ description: Detection use of the command "split" to split files into parts and
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/15
-modified: 2021/11/27
+date: 2020-10-15
+modified: 2021-11-27
 tags:
 - attack.exfiltration
 - attack.t1030
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml b/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
index 20424bbdc65..701f098564a 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
@@ -6,9 +6,9 @@ references:
 - https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang
 - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
 author: Sohan G (D4rkCiph3r)
-date: 2023/04/05
+date: 2023-04-05
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.execution
 - attack.t1189
 - attack.t1203
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
index 9590d7a9226..5f031bcb9f1 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
@@ -6,15 +6,15 @@ author: Tim Rauch (rule), Elastic (idea)
 references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
 - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
-date: 2022/10/21
-modified: 2022/12/28
+date: 2022-10-21
+modified: 2022-12-28
 logsource:
 category: process_creation
 product: macos
 tags:
 - attack.t1566
 - attack.t1566.002
- - attack.initial_access
+ - attack.initial-access
 - attack.t1059
 - attack.t1059.002
 - attack.t1204
@@ -22,7 +22,7 @@ tags:
 - attack.execution
 - attack.persistence
 - attack.t1553
- - attack.defense_evasion
+ - attack.defense-evasion
 detection:
 selection_parent:
 ParentImage|endswith: '/Script Editor'
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
index 9aebe117cfa..862cfc10a9e 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
@@ -8,7 +8,7 @@ description: Detects usage of "find" binary in a suspicious manner to perform di
 references:
 - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/28
+date: 2022-12-28
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml b/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml
index 48557ffb62d..e191add1b9f 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml
@@ -5,10 +5,10 @@ description: Detects commandline operations on shell history files
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
 author: 'Mikhail Larin, oscd.community'
-date: 2020/10/17
-modified: 2021/11/27
+date: 2020-10-17
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.003
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml b/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml
index 30e7de4628b..ba21295677b 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml
@@ -5,9 +5,9 @@ description: Detects potential in-memory downloading and compiling of applets us
 references:
 - https://redcanary.com/blog/mac-application-bundles/
 author: Sohan G (D4rkCiph3r), Red Canary (idea)
-date: 2023/08/22
+date: 2023-08-22
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
 - attack.t1059.007
 - attack.t1105
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml b/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml
index cf04547cd4e..b245c5f0e8a 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml
@@ -7,8 +7,8 @@ references:
 - https://www.manpagez.com/man/8/firmwarepasswd/
 - https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web
 author: Austin Songer @austinsonger
-date: 2021/09/30
-modified: 2022/10/09
+date: 2021-09-30
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
index 38e8911a2a8..099e0f3f25d 100644
--- a/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
+++ b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
@@ -5,7 +5,7 @@ description: Detects potential suspicious applet or osascript executing "osacomp
 references:
 - https://redcanary.com/blog/mac-application-bundles/
 author: Sohan G (D4rkCiph3r), Red Canary (Idea)
-date: 2023/04/03
+date: 2023-04-03
 tags:
 - attack.execution
 - attack.t1059.002
diff --git a/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml b/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml
index 8ff85e62f46..e98c15627b3 100644
--- a/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml
@@ -7,7 +7,7 @@ references:
 - https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
 - https://ss64.com/osx/sw_vers.html
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/12/20
+date: 2023-12-20
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
index c44d3ee8491..17b0026dc1a 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
@@ -2,17 +2,17 @@ title: User Added To Admin Group Via Sysadminctl
 id: 652c098d-dc11-4ba6-8566-c20e89042f2b
 related:
 - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects attempts to create and add an account to the admin group via "sysadminctl"
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
 - https://ss64.com/osx/sysadminctl.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/03/19
+date: 2023-03-19
 tags:
- - attack.initial_access
- - attack.privilege_escalation
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1078.003
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
index a9bfa4c0890..354dcb77b5a 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
@@ -5,9 +5,9 @@ description: Detects attempts to enable the guest account using the sysadminctl
 references:
 - https://ss64.com/osx/sysadminctl.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/02/18
+date: 2023-02-18
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 - attack.t1078.001
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml b/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
index 06113ec554c..db1a2af4493 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
@@ -13,9 +13,9 @@ references:
 - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
 - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
 author: Pratinav Chandra
-date: 2024/05/27
+date: 2024-05-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1497.001
 - attack.discovery
 - attack.t1082
diff --git a/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml b/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml
index de11916adaf..f5de845711c 100644
--- a/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities to discover system network connec
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/12/28
+date: 2020-10-19
+modified: 2022-12-28
 tags:
 - attack.discovery
 - attack.t1049
diff --git a/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml b/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml
index 32242df97cc..690993b3b3b 100644
--- a/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local network configuration
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
 author: remotephone, oscd.community
-date: 2020/10/06
-modified: 2022/12/28
+date: 2020-10-06
+modified: 2022-12-28
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml b/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml
index ca2c895bd3d..2035384e5e8 100644
--- a/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml
@@ -12,10 +12,10 @@ references:
 - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
 - https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
 author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
-date: 2024/01/02
+date: 2024-01-02
 tags:
 - attack.discovery
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1082
 - attack.t1497.001
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml b/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml
index cf4abd528aa..407bdd4e19f 100644
--- a/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml
+++ b/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml
@@ -5,8 +5,8 @@ description: Adversaries may shutdown/reboot systems to interrupt access to, or
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
-modified: 2022/11/26
+date: 2020-10-19
+modified: 2022-11-26
 tags:
 - attack.impact
 - attack.t1529
diff --git a/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml b/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml
index 2ea720557f9..6d5e3933ad6 100644
--- a/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml
+++ b/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml
@@ -7,9 +7,9 @@ references:
 - https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
 - https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/12/20
+date: 2023-12-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml b/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml
index 1f4dd23ac94..c35b0f18de5 100644
--- a/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml
+++ b/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
 - https://www.loobins.io/binaries/tmutil/
 author: Pratinav Chandra
-date: 2024/05/29
+date: 2024-05-29
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml b/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml
index 42fc5013de8..abeed71c433 100644
--- a/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml
+++ b/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
 - https://www.loobins.io/binaries/tmutil/
 author: Pratinav Chandra
-date: 2024/05/29
+date: 2024-05-29
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml b/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml
index d02100cd7db..04a1e2e1c47 100644
--- a/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml
+++ b/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
 - https://www.loobins.io/binaries/tmutil/
 author: Pratinav Chandra
-date: 2024/05/29
+date: 2024-05-29
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml b/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml
index a93bd9b958a..693066ec9d1 100644
--- a/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml
+++ b/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml
@@ -7,9 +7,9 @@ references:
 - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
 - https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
 author: Tim Rauch (rule), Elastic (idea)
-date: 2022/10/17
+date: 2022-10-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml b/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml
index 6a3aed53834..1525ff58c1f 100644
--- a/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml
+++ b/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md
 - https://www.loobins.io/binaries/xattr/
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2024/04/18
+date: 2020-10-19
+modified: 2024-04-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.001
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml b/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml
index 91529f371b1..2064fed936d 100644
--- a/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml
+++ b/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08
 - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
 author: Tim Rauch (rule), Elastic (idea)
-date: 2022/10/17
+date: 2022-10-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
index e32eba875c4..543be076f71 100644
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@@ -6,10 +6,10 @@ references:
 - https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html
 - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/05/26
+date: 2019-08-12
+modified: 2023-05-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.003
 logsource:
 product: cisco
diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
index a735063db82..dafb8093281 100644
--- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
@@ -7,11 +7,11 @@ references:
 - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
 - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
 author: Austin Clark
-date: 2019/08/11
-modified: 2023/01/04
+date: 2019-08-11
+modified: 2023-01-04
 tags:
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.collection
 - attack.t1087.001
 - attack.t1552.001
diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
index 3485e200ea1..6656c54dffc 100644
--- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
+++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
@@ -5,11 +5,11 @@ description: Show when private keys are being exported from the device, or when
 references:
 - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
- - attack.credential_access
- - attack.defense_evasion
+ - attack.credential-access
+ - attack.defense-evasion
 - attack.t1553.004
 - attack.t1552.004
 logsource:
diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
index 06711af2975..6eea7252689 100644
--- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
+++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@@ -5,10 +5,10 @@ description: Turn off logging locally or remote
 references:
 - https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
 author: Austin Clark
-date: 2019/08/11
-modified: 2023/01/04
+date: 2019-08-11
+modified: 2023-01-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: cisco
diff --git a/rules/network/cisco/aaa/cisco_cli_discovery.yml b/rules/network/cisco/aaa/cisco_cli_discovery.yml
index 5d657406737..6a66a8d8fd5 100644
--- a/rules/network/cisco/aaa/cisco_cli_discovery.yml
+++ b/rules/network/cisco/aaa/cisco_cli_discovery.yml
@@ -5,8 +5,8 @@ description: Find information about network devices that is not stored in config
 references:
 - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/network/cisco/aaa/cisco_cli_dos.yml b/rules/network/cisco/aaa/cisco_cli_dos.yml
index e2455a3bc96..b1279b6db7e 100644
--- a/rules/network/cisco/aaa/cisco_cli_dos.yml
+++ b/rules/network/cisco/aaa/cisco_cli_dos.yml
@@ -3,8 +3,8 @@ id: d94a35f0-7a29-45f6-90a0-80df6159967c
 status: test
 description: Detect a system being shutdown or put into different boot mode
 author: Austin Clark
-date: 2019/08/15
-modified: 2023/01/04
+date: 2019-08-15
+modified: 2023-01-04
 tags:
 - attack.impact
 - attack.t1495
diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
index beedf97933d..917a540896b 100644
--- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
@@ -3,10 +3,10 @@ id: 71d65515-c436-43c0-841b-236b1f32c21e
 status: test
 description: See what files are being deleted from flash file systems
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1070.004
 - attack.t1561.001
diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
index ccd20f84a59..55b4622e6b4 100644
--- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml
+++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
@@ -3,10 +3,10 @@ id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
 status: test
 description: See what commands are being input into the device by other people, full credentials can be in the history
 author: Austin Clark
-date: 2019/08/11
-modified: 2023/01/04
+date: 2019-08-11
+modified: 2023-01-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.003
 logsource:
 product: cisco
diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
index 6787735651b..e1d47c0bcfc 100644
--- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
+++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
@@ -3,8 +3,8 @@ id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
 status: test
 description: Find local accounts being created or modified as well as remote authentication configurations
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
index 699678c942c..70c52e3a416 100644
--- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml
+++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
@@ -3,8 +3,8 @@ id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
 status: test
 description: Modifications to a config that will serve an adversary's impacts or persistence
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
 - attack.persistence
 - attack.impact
diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
index a5068ab1def..2b8196ca573 100644
--- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
@@ -3,12 +3,12 @@ id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
 status: test
 description: Various protocols maybe used to put data on the device for exfil or infil
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
 - attack.collection
- - attack.lateral_movement
- - attack.command_and_control
+ - attack.lateral-movement
+ - attack.command-and-control
 - attack.exfiltration
 - attack.t1074
 - attack.t1105
diff --git a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
index e5063d4dcf6..c55cd087c92 100644
--- a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
+++ b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
@@ -3,10 +3,10 @@ id: b9e1f193-d236-4451-aaae-2f3d2102120d
 status: test
 description: Show when a monitor or a span/rspan is setup or modified
 author: Austin Clark
-date: 2019/08/11
-modified: 2023/01/04
+date: 2019-08-11
+modified: 2023-01-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.discovery
 - attack.t1040
 logsource:
diff --git a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
index c7161576533..1ce546fcfde 100644
--- a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
+++ b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
@@ -5,14 +5,14 @@ description: Detects BGP failures which may be indicative of brute force attacks
 references:
 - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
 author: Tim Brown
-date: 2023/01/09
-modified: 2023/01/23
+date: 2023-01-09
+modified: 2023-01-23
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.collection
 - attack.t1078
 - attack.t1110
diff --git a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
index 10800ba25f8..d8827cb7afe 100644
--- a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
+++ b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
@@ -5,13 +5,13 @@ description: Detects LDP failures which may be indicative of brute force attacks
 references:
 - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
 author: Tim Brown
-date: 2023/01/09
+date: 2023-01-09
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.collection
 - attack.t1078
 - attack.t1110
diff --git a/rules/network/dns/net_dns_external_service_interaction_domains.yml b/rules/network/dns/net_dns_external_service_interaction_domains.yml
index a0cc8cdd08f..c5844d93205 100644
--- a/rules/network/dns/net_dns_external_service_interaction_domains.yml
+++ b/rules/network/dns/net_dns_external_service_interaction_domains.yml
@@ -5,9 +5,9 @@ description: Detects suspicious DNS queries to external service interaction doma
 references:
 - https://twitter.com/breakersall/status/1533493587828260866
 author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
-date: 2022/06/07
+date: 2022-06-07
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.reconnaissance
 - attack.t1595.002
diff --git a/rules/network/dns/net_dns_mal_cobaltstrike.yml b/rules/network/dns/net_dns_mal_cobaltstrike.yml
index e88298a07b4..b09887d679e 100644
--- a/rules/network/dns/net_dns_mal_cobaltstrike.yml
+++ b/rules/network/dns/net_dns_mal_cobaltstrike.yml
@@ -6,10 +6,10 @@ references:
 - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 author: Florian Roth (Nextron Systems)
-date: 2018/05/10
-modified: 2022/10/09
+date: 2018-05-10
+modified: 2022-10-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.004
 logsource:
 category: dns
diff --git a/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml b/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
index 97e90addca5..d980f568948 100644
--- a/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
+++ b/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
@@ -5,7 +5,7 @@ description: Detects suspicious DNS queries to Monero mining pools
 references:
 - https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
 author: Florian Roth (Nextron Systems)
-date: 2021/10/24
+date: 2021-10-24
 tags:
 - attack.impact
 - attack.t1496
diff --git a/rules/network/dns/net_dns_susp_b64_queries.yml b/rules/network/dns/net_dns_susp_b64_queries.yml
index 3ef23ee855e..fa5084bc596 100644
--- a/rules/network/dns/net_dns_susp_b64_queries.yml
+++ b/rules/network/dns/net_dns_susp_b64_queries.yml
@@ -5,12 +5,12 @@ description: Detects suspicious DNS queries using base64 encoding
 references:
 - https://github.com/krmaxwell/dns-exfiltration
 author: Florian Roth (Nextron Systems)
-date: 2018/05/10
-modified: 2022/10/09
+date: 2018-05-10
+modified: 2022-10-09
 tags:
 - attack.exfiltration
 - attack.t1048.003
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.004
 logsource:
 category: dns
diff --git a/rules/network/dns/net_dns_susp_telegram_api.yml b/rules/network/dns/net_dns_susp_telegram_api.yml
index fa940cc9297..56a3929bae7 100644
--- a/rules/network/dns/net_dns_susp_telegram_api.yml
+++ b/rules/network/dns/net_dns_susp_telegram_api.yml
@@ -8,10 +8,10 @@ references:
 - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
 - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
 author: Florian Roth (Nextron Systems)
-date: 2018/06/05
-modified: 2022/10/09
+date: 2018-06-05
+modified: 2022-10-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102.002
 logsource:
 category: dns
diff --git a/rules/network/dns/net_dns_susp_txt_exec_strings.yml b/rules/network/dns/net_dns_susp_txt_exec_strings.yml
index 76dcb90121c..ea44dfd0b4b 100644
--- a/rules/network/dns/net_dns_susp_txt_exec_strings.yml
+++ b/rules/network/dns/net_dns_susp_txt_exec_strings.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/stvemillertime/status/1024707932447854592
 - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
 author: Markus Neis
-date: 2018/08/08
-modified: 2021/11/27
+date: 2018-08-08
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.004
 logsource:
 category: dns
diff --git a/rules/network/dns/net_dns_wannacry_killswitch_domain.yml b/rules/network/dns/net_dns_wannacry_killswitch_domain.yml
index dbf91f08b6a..85bc230241d 100644
--- a/rules/network/dns/net_dns_wannacry_killswitch_domain.yml
+++ b/rules/network/dns/net_dns_wannacry_killswitch_domain.yml
@@ -5,10 +5,10 @@ description: Detects wannacry killswitch domain dns queries
 references:
 - https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign
 author: Mike Wade
-date: 2020/09/16
-modified: 2022/03/24
+date: 2020-09-16
+modified: 2022-03-24
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: dns
diff --git a/rules/network/firewall/net_firewall_cleartext_protocols.yml b/rules/network/firewall/net_firewall_cleartext_protocols.yml
index 6bc0432ed35..4e8935c7f58 100644
--- a/rules/network/firewall/net_firewall_cleartext_protocols.yml
+++ b/rules/network/firewall/net_firewall_cleartext_protocols.yml
@@ -9,10 +9,10 @@ references:
 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 author: Alexandr Yampolskyi, SOC Prime, Tim Shelton
-date: 2019/03/26
-modified: 2022/10/10
+date: 2019-03-26
+modified: 2022-10-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 # - CSC4
 # - CSC4.5
 # - CSC14
diff --git a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
index 5021d7aed6c..4843bcbe6a8 100644
--- a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
+++ b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
@@ -5,14 +5,14 @@ description: Detects BGP failures which may be indicative of brute force attacks
 references:
 - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
 author: Tim Brown
-date: 2023/01/09
-modified: 2023/01/23
+date: 2023-01-09
+modified: 2023-01-23
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.collection
 - attack.t1078
 - attack.t1110
diff --git a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
index 1982086a117..78cb752e322 100644
--- a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
+++ b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
@@ -5,14 +5,14 @@ description: Detects juniper BGP missing MD5 digest. Which may be indicative of
 references:
 - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
 author: Tim Brown
-date: 2023/01/09
-modified: 2023/01/23
+date: 2023-01-09
+modified: 2023-01-23
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.collection
 - attack.t1078
 - attack.t1110
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
index ec3b2988a7a..0df94623804 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
@@ -5,8 +5,8 @@ description: 'Windows DCE-RPC functions which indicate an execution techniques o
 references:
 - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
 author: '@neu5ron, SOC Prime'
-date: 2020/03/19
-modified: 2021/11/27
+date: 2020-03-19
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
index a5bbc4c1ac5..31fa8d65f26 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -5,8 +5,8 @@ description: 'Windows DCE-RPC functions which indicate a persistence techniques
 references:
 - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
 author: '@neu5ron, SOC Prime'
-date: 2020/03/19
-modified: 2021/11/27
+date: 2020-03-19
+modified: 2021-11-27
 tags:
 - attack.persistence
 - attack.t1547.004
diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
index 3ff369979ae..bb632c13a84 100644
--- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
@@ -12,8 +12,8 @@ references:
 - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
 - https://threatpost.com/microsoft-petitpotam-poc/168163/
 author: '@neu5ron, @Antonlovesdnb, Mike Remen'
-date: 2021/08/17
-modified: 2022/11/28
+date: 2021-08-17
+modified: 2022-11-28
 tags:
 - attack.t1557.001
 - attack.t1187
diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
index 4a188b5e948..41d9d2aa516 100644
--- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
+++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
@@ -16,13 +16,13 @@ references:
 - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
 author: '@neu5ron (Nate Guagenti)'
-date: 2021/08/23
-modified: 2022/07/07
+date: 2021-08-23
+modified: 2022-07-07
 tags:
 - attack.execution
- - cve.2021.1678
- - cve.2021.1675
- - cve.2021.34527
+ - cve.2021-1678
+ - cve.2021-1675
+ - cve.2021-34527
 logsource:
 product: zeek
 service: dce_rpc
diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
index 3e3c14fb143..645e5b4e371 100644
--- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -7,10 +7,10 @@ references:
 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
 - https://twitter.com/_dirkjan/status/1309214379003588608
 author: OTR (Open Threat Research), @neu5ron
-date: 2018/11/28
-modified: 2022/10/09
+date: 2018-11-28
+modified: 2022-10-09
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: zeek
diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
index ff65bc439b8..9d8ed45fd89 100644
--- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
+++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
@@ -5,10 +5,10 @@ description: Detects the presence of default Cobalt Strike certificate in the HT
 references:
 - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
 author: Bhabesh Raj
-date: 2021/06/23
-modified: 2022/10/09
+date: 2021-06-23
+modified: 2022-10-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.s0154
 logsource:
 product: zeek
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index a715f2934e5..4439d628a1f 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -5,8 +5,8 @@ description: Identifies clients that may be performing DNS lookups associated wi
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml
 author: Saw Winn Naung, Azure-Sentinel, @neu5ron
-date: 2021/08/19
-modified: 2022/07/07
+date: 2021-08-19
+modified: 2022-07-07
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/network/zeek/zeek_dns_nkn.yml b/rules/network/zeek/zeek_dns_nkn.yml
index 6e96c4e49a8..c91edb615b0 100644
--- a/rules/network/zeek/zeek_dns_nkn.yml
+++ b/rules/network/zeek/zeek_dns_nkn.yml
@@ -7,9 +7,9 @@ references:
 - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
 - https://github.com/Maka8ka/NGLite
 author: Michael Portera (@mportatoes)
-date: 2022/04/21
+date: 2022-04-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: zeek
 service: dns
diff --git a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
index 6f948522582..1e95fddf50f 100644
--- a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
@@ -13,12 +13,12 @@ references:
 - https://tools.ietf.org/html/rfc2929#section-2.1
 - https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS
 author: '@neu5ron, SOC Prime Team, Corelight'
-date: 2021/05/04
-modified: 2022/11/29
+date: 2021-05-04
+modified: 2022-11-29
 tags:
 - attack.t1095
 - attack.t1571
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: zeek
 service: dns
diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml
index 82e7d3aba7c..1cfa8e426e0 100644
--- a/rules/network/zeek/zeek_dns_torproxy.yml
+++ b/rules/network/zeek/zeek_dns_torproxy.yml
@@ -5,8 +5,8 @@ description: Identifies IPs performing DNS lookups associated with common Tor pr
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
 author: Saw Winn Naung , Azure-Sentinel
-date: 2021/08/15
-modified: 2022/10/09
+date: 2021-08-15
+modified: 2022-10-09
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
index 40639e815fb..4f9c5036118 100644
--- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
+++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
@@ -6,10 +6,10 @@ references:
 - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
 - https://github.com/OTRF/detection-hackathon-apt29
 author: 'SOC Prime, Adam Swan'
-date: 2020/05/01
-modified: 2021/11/27
+date: 2020-05-01
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 product: zeek
diff --git a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
index 58a2c26ec33..2d77cb85d4b 100644
--- a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
+++ b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
@@ -9,13 +9,13 @@ references:
 - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
 - https://twitter.com/neu5ron/status/1438987292971053057?s=20
 author: Nate Guagenti (neu5ron)
-date: 2021/09/20
-modified: 2019/09/20
+date: 2021-09-20
+modified: 2019-09-20
 tags:
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.execution
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1068
 - attack.t1190
 - attack.t1203
diff --git a/rules/network/zeek/zeek_http_webdav_put_request.yml b/rules/network/zeek/zeek_http_webdav_put_request.yml
index 32f66aed3e1..c0a987f2e83 100644
--- a/rules/network/zeek/zeek_http_webdav_put_request.yml
+++ b/rules/network/zeek/zeek_http_webdav_put_request.yml
@@ -5,8 +5,8 @@ description: A General detection for WebDav user-agent being used to PUT files o
 references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/17
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2024/03/13
+date: 2020-05-02
+modified: 2024-03-13
 tags:
 - attack.exfiltration
 - attack.t1048.003
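Review bot: In the zeek_http_omigod_no_auth_rce.yml hunk the converted `modified: 2019-09-20` still predates `date: 2021-09-20`; the reformat carries the inconsistency over unchanged, and a last-modified date two years before the creation date is almost certainly a typo (the OMIGOD advisories the rule references are from 2021). Since the patch rewrites both lines anyway, this is the natural point to correct `modified` to the rule's actual last-change date, which I cannot determine from the diff (the file's history would), or to drop the key if the rule has not changed since creation. Some Sigma validators check that `modified` is not earlier than `date`, so leaving it may also surface as a lint failure.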
diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
index 1d142837bb7..a6c34b190b8 100644
--- a/rules/network/zeek/zeek_rdp_public_listener.yml
+++ b/rules/network/zeek/zeek_rdp_public_listener.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://attack.mitre.org/techniques/T1021/001/
 author: Josh Brower @DefensiveDepth
-date: 2020/08/22
-modified: 2024/03/13
+date: 2020-08-22
+modified: 2024-03-13
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
 logsource:
 product: zeek
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
index 54b3ac4afc9..65c68a83198 100644
--- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -8,10 +8,10 @@ description: Detects remote task creation via at.exe or API interacting with ATS
 references:
 - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
 author: 'Samir Bousseaden, @neu5rn'
-date: 2020/04/03
-modified: 2022/12/27
+date: 2020-04-03
+modified: 2022-12-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.persistence
 - car.2013-05-004
 - car.2015-04-001
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
index 4b2fa257341..bc0ebc1bf1e 100644
--- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
@@ -5,10 +5,10 @@ description: 'Detect AD credential dumping using impacket secretdump HKTL. Based
 references:
 - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
 author: 'Samir Bousseaden, @neu5ron'
-date: 2020/03/19
-modified: 2021/11/27
+date: 2020-03-19
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.003
diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
index 4f4173fc2ae..4fdf10b4eda 100644
--- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
@@ -8,10 +8,10 @@ description: This detection excludes known namped pipes accessible remotely and
 references:
 - https://twitter.com/menasec1/status/1104489274387451904
 author: Samir Bousseaden, @neu5ron, Tim Shelton
-date: 2020/04/02
-modified: 2022/12/27
+date: 2020-04-02
+modified: 2022-12-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: zeek
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
index c1940bef359..8a1d13566bf 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -8,10 +8,10 @@ description: detects execution of psexec or paexec with renamed service name, th
 references:
 - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
 author: Samir Bousseaden, @neu5ron, Tim Shelton
-date: 2020/04/02
-modified: 2022/12/27
+date: 2020-04-02
+modified: 2022-12-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: zeek
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
index 63b86335244..32096ef4636 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
@@ -8,8 +8,8 @@ description: Detects known sensitive file extensions via Zeek
 references:
 - Internal Research
 author: Samir Bousseaden, @neu5ron
-date: 2020/04/02
-modified: 2021/11/27
+date: 2020-04-02
+modified: 2021-11-27
 tags:
 - attack.collection
 logsource:
diff --git a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
index 80e974747e2..979a113bf67 100644
--- a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
@@ -8,10 +8,10 @@ description: Transferring files with well-known filenames (sensitive files with
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: '@neu5ron, Teymur Kheirkhabarov, oscd.community'
-date: 2020/04/02
-modified: 2021/11/27
+date: 2020-04-02
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 - attack.t1003.001
 - attack.t1003.003
diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
index 5cc7d95f889..70e230989ce 100644
--- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml
+++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
@@ -5,10 +5,10 @@ description: Detects kerberos TGS request using RC4 encryption which may be indi
 references:
 - https://adsecurity.org/?p=3458
 author: sigma
-date: 2020/02/12
-modified: 2021/11/27
+date: 2020-02-12
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558.003
 logsource:
 product: zeek
diff --git a/rules/web/product/apache/web_apache_segfault.yml b/rules/web/product/apache/web_apache_segfault.yml
index cc262e02a8d..b09a2ee1ea0 100644
--- a/rules/web/product/apache/web_apache_segfault.yml
+++ b/rules/web/product/apache/web_apache_segfault.yml
@@ -5,8 +5,8 @@ description: Detects a segmentation fault error message caused by a crashing apa
 references:
 - http://www.securityfocus.com/infocus/1633
 author: Florian Roth (Nextron Systems)
-date: 2017/02/28
-modified: 2021/11/27
+date: 2017-02-28
+modified: 2021-11-27
 tags:
 - attack.impact
 - attack.t1499.004
diff --git a/rules/web/product/apache/web_apache_threading_error.yml b/rules/web/product/apache/web_apache_threading_error.yml
index 3fe9c383f5b..b103bf99b3c 100644
--- a/rules/web/product/apache/web_apache_threading_error.yml
+++ b/rules/web/product/apache/web_apache_threading_error.yml
@@ -5,11 +5,11 @@ description: Detects an issue in apache logs that reports threading related erro
 references:
 - https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md
 author: Florian Roth (Nextron Systems)
-date: 2019/01/22
-modified: 2021/11/27
+date: 2019-01-22
+modified: 2021-11-27
 tags:
- - attack.initial_access
- - attack.lateral_movement
+ - attack.initial-access
+ - attack.lateral-movement
 - attack.t1190
 - attack.t1210
 logsource:
diff --git a/rules/web/product/nginx/web_nginx_core_dump.yml b/rules/web/product/nginx/web_nginx_core_dump.yml
index 3450d965e90..02924b209c2 100644
--- a/rules/web/product/nginx/web_nginx_core_dump.yml
+++ b/rules/web/product/nginx/web_nginx_core_dump.yml
@@ -6,8 +6,8 @@ references:
 - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
 - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
 author: Florian Roth (Nextron Systems)
-date: 2021/05/31
-modified: 2023/05/08
+date: 2021-05-31
+modified: 2023-05-08
 tags:
 - attack.impact
 - attack.t1499.004
diff --git a/rules/web/proxy_generic/proxy_download_susp_dyndns.yml b/rules/web/proxy_generic/proxy_download_susp_dyndns.yml
index e5153abd1c7..7203074075f 100644
--- a/rules/web/proxy_generic/proxy_download_susp_dyndns.yml
+++ b/rules/web/proxy_generic/proxy_download_susp_dyndns.yml
@@ -5,11 +5,11 @@ description: Detects download of certain file types from hosts with dynamic DNS
 references:
 - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth (Nextron Systems)
-date: 2017/11/08
-modified: 2023/05/18
+date: 2017-11-08
+modified: 2023-05-18
 tags:
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1105
 - attack.t1568
 logsource:
diff --git a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml
index 36f89f5aeb6..8e667f1624c 100644
--- a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml
@@ -11,10 +11,10 @@ references:
 - https://www.spamhaus.org/statistics/tlds/
 - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth (Nextron Systems)
-date: 2017/11/07
-modified: 2023/05/18
+date: 2017-11-07
+modified: 2023-05-18
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566
 - attack.execution
 - attack.t1203
diff --git a/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml b/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml
index e405b04f6d3..b041d6b3986 100644
--- a/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml
+++ b/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml
@@ -8,10 +8,10 @@ description: Detects executable downloads from suspicious remote systems
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2017/03/13
-modified: 2023/05/18
+date: 2017-03-13
+modified: 2023-05-18
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566
 - attack.execution
 - attack.t1203
diff --git a/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml b/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml
index 11340a82f18..0491d6dd36c 100644
--- a/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml
+++ b/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml
@@ -5,10 +5,10 @@ description: Detects WebDav DownloadCradle
 references:
 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth (Nextron Systems)
-date: 2018/04/06
-modified: 2021/11/27
+date: 2018-04-06
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml b/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml
index ade684022fd..6a2f8c07bd8 100644
--- a/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml
+++ b/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml
@@ -10,9 +10,9 @@ references:
 - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
 - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
-date: 2023/11/08
+date: 2023-11-08
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml b/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml
index 517e51994ff..9007be2d216 100644
--- a/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml
+++ b/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml
@@ -5,10 +5,10 @@ description: Detects Baby Shark C2 Framework default communication patterns
 references:
 - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
 author: Florian Roth (Nextron Systems)
-date: 2021/06/09
-modified: 2024/02/15
+date: 2021-06-09
+modified: 2024-02-15
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml b/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml
index 6eaa03271f2..e758a828134 100644
--- a/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml
+++ b/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml
@@ -2,13 +2,13 @@ title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
 id: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac
 related:
 - id: 953b895e-5cc9-454b-b183-7f3db555452e
- type: obsoletes
+ type: obsolete
 - id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
- type: obsoletes
+ type: obsolete
 - id: 37325383-740a-403d-b1a2-b2b4ab7992e7
- type: obsoletes
+ type: obsolete
 - id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
 references:
@@ -18,10 +18,10 @@ references:
 - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
 - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
 author: Markus Neis, Florian Roth (Nextron Systems)
-date: 2024/02/15
+date: 2024-02-15
 tags:
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml b/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml
index f7236717142..8e91d7e6173 100644
--- a/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml
+++ b/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml
@@ -5,11 +5,11 @@ description: Detects user agent and URI paths used by empire agents
 references:
 - https://github.com/BC-SECURITY/Empire
 author: Florian Roth (Nextron Systems)
-date: 2020/07/13
-modified: 2024/02/26
+date: 2020-07-13
+modified: 2024-02-26
 tags:
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml b/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml
index b89fcf8d719..ef41f25b4b1 100644
--- a/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml
+++ b/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml
@@ -6,8 +6,8 @@ references:
 - https://www.advanced-ip-scanner.com/
 - https://www.advanced-port-scanner.com/
 author: Axel Olsson
-date: 2022/08/14
-modified: 2024/02/15
+date: 2022-08-14
+modified: 2024-02-15
 tags:
 - attack.discovery
 - attack.t1590
diff --git a/rules/web/proxy_generic/proxy_pwndrop.yml b/rules/web/proxy_generic/proxy_pwndrop.yml
index f7959832dfe..271b9cf238e 100644
--- a/rules/web/proxy_generic/proxy_pwndrop.yml
+++ b/rules/web/proxy_generic/proxy_pwndrop.yml
@@ -5,10 +5,10 @@ description: Detects downloads from PwnDrp web servers developed for red team te
 references:
 - https://breakdev.org/pwndrop/
 author: Florian Roth (Nextron Systems)
-date: 2020/04/15
-modified: 2021/11/27
+date: 2020-04-15
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 - attack.t1102.001
 - attack.t1102.003
diff --git a/rules/web/proxy_generic/proxy_raw_paste_service_access.yml b/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
index 5a3d53fc412..c0443c5ffc0 100644
--- a/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
+++ b/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
@@ -5,14 +5,14 @@ description: Detects direct access to raw pastes in different paste services oft
 references:
 - https://www.virustotal.com/gui/domain/paste.ee/relations
 author: Florian Roth (Nextron Systems)
-date: 2019/12/05
-modified: 2023/01/19
+date: 2019-12-05
+modified: 2023-01-19
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 - attack.t1102.001
 - attack.t1102.003
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: proxy
 detection:
diff --git a/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml b/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml
index 5d3e43ddd59..5a49114b99c 100644
--- a/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml
+++ b/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml
@@ -5,14 +5,14 @@ description: Detects a flashplayer update from an unofficial location
 references:
 - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth (Nextron Systems)
-date: 2017/10/25
-modified: 2022/08/08
+date: 2017-10-25
+modified: 2022-08-08
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1189
 - attack.execution
 - attack.t1204.002
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
index d776a2950a3..36f7535dc62 100644
--- a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
+++ b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
@@ -7,9 +7,9 @@ references:
 - https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11
 - https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638
 author: Gavin Knapp
-date: 2023/03/16
+date: 2023-03-16
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1056
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_telegram_api.yml b/rules/web/proxy_generic/proxy_telegram_api.yml
index 37f5d744ba1..b09d4a7d98b 100644
--- a/rules/web/proxy_generic/proxy_telegram_api.yml
+++ b/rules/web/proxy_generic/proxy_telegram_api.yml
@@ -7,11 +7,11 @@ references:
 - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
 - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
 author: Florian Roth (Nextron Systems)
-date: 2018/06/05
-modified: 2023/05/18
+date: 2018-06-05
+modified: 2023-05-18
 tags:
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1071.001
 - attack.t1102.002
 logsource:
diff --git a/rules/web/proxy_generic/proxy_ua_apt.yml b/rules/web/proxy_generic/proxy_ua_apt.yml
index f8d276185a0..830baffd50d 100644
--- a/rules/web/proxy_generic/proxy_ua_apt.yml
+++ b/rules/web/proxy_generic/proxy_ua_apt.yml
@@ -5,10 +5,10 @@ description: Detects suspicious user agent strings used in APT malware in proxy
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems), Markus Neis
-date: 2019/11/12
-modified: 2024/02/15
+date: 2019-11-12
+modified: 2024-02-15
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_ua_base64_encoded.yml b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml
index 124a11a1873..9c0d77d1c73 100644
--- a/rules/web/proxy_generic/proxy_ua_base64_encoded.yml
+++ b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml
@@ -8,9 +8,9 @@ description: Detects suspicious encoded User-Agent strings, as seen used by some
 references:
 - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
index 043b61f6284..e7d0cb2f8ef 100644
--- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
+++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
@@ -5,12 +5,12 @@ description: Detects Bitsadmin connections to IP addresses instead of FQDN names references: - https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 author: Florian Roth (Nextron Systems) -date: 2022/06/10 -modified: 2022/08/24 +date: 2022-06-10 +modified: 2022-08-24 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - attack.t1197 - attack.s0190 diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml index 8f541a58a25..86957937370 100644 --- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml @@ -6,12 +6,12 @@ references: - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ author: Florian Roth (Nextron Systems), Tim Shelton -date: 2019/03/07 -modified: 2023/05/17 +date: 2019-03-07 +modified: 2023-05-17 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - attack.t1197 - attack.s0190 diff --git a/rules/web/proxy_generic/proxy_ua_cryptominer.yml b/rules/web/proxy_generic/proxy_ua_cryptominer.yml index 04e5d7eba55..ca947fb1c80 100644 --- a/rules/web/proxy_generic/proxy_ua_cryptominer.yml +++ b/rules/web/proxy_generic/proxy_ua_cryptominer.yml 
@@ -6,10 +6,10 @@ references: - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65 - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h author: Florian Roth (Nextron Systems) -date: 2019/10/21 -modified: 2021/11/27 +date: 2019-10-21 +modified: 2021-11-27 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_ua_empty.yml b/rules/web/proxy_generic/proxy_ua_empty.yml index d588f58c533..70b50e0d7a4 100644 --- a/rules/web/proxy_generic/proxy_ua_empty.yml +++ b/rules/web/proxy_generic/proxy_ua_empty.yml @@ -7,11 +7,11 @@ description: | references: - https://twitter.com/Carlos_Perez/status/883455096645931008 author: Florian Roth (Nextron Systems) -date: 2017/07/08 -modified: 2021/11/27 +date: 2017-07-08 +modified: 2021-11-27 tags: - - attack.defense_evasion - - attack.command_and_control + - attack.defense-evasion + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_ua_frameworks.yml b/rules/web/proxy_generic/proxy_ua_frameworks.yml index 15c5d660adc..c6b89bc3f61 100644 --- a/rules/web/proxy_generic/proxy_ua_frameworks.yml +++ b/rules/web/proxy_generic/proxy_ua_frameworks.yml @@ -5,10 +5,10 @@ description: Detects suspicious user agent strings used by exploit / pentest fra references: - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/ author: Florian Roth (Nextron Systems) -date: 2017/07/08 -modified: 2021/11/27 +date: 2017-07-08 +modified: 2021-11-27 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_ua_hacktool.yml b/rules/web/proxy_generic/proxy_ua_hacktool.yml index e2878229843..b3a803ef553 100644 --- a/rules/web/proxy_generic/proxy_ua_hacktool.yml 
+++ b/rules/web/proxy_generic/proxy_ua_hacktool.yml @@ -6,12 +6,12 @@ references: - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules author: Florian Roth (Nextron Systems) -date: 2017/07/08 -modified: 2022/07/07 +date: 2017-07-08 +modified: 2022-07-07 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - attack.credential_access + - attack.credential-access - attack.t1110 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_ua_malware.yml b/rules/web/proxy_generic/proxy_ua_malware.yml index 9b8246bd930..3705b7a2082 100644 --- a/rules/web/proxy_generic/proxy_ua_malware.yml +++ b/rules/web/proxy_generic/proxy_ua_malware.yml @@ -12,10 +12,10 @@ references: - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large - https://twitter.com/crep1x/status/1635034100213112833 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2017/07/08 -modified: 2024/04/14 +date: 2017-07-08 +modified: 2024-04-14 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_ua_powershell.yml b/rules/web/proxy_generic/proxy_ua_powershell.yml index 16357dd5fc2..59e9ab91c49 100644 --- a/rules/web/proxy_generic/proxy_ua_powershell.yml +++ b/rules/web/proxy_generic/proxy_ua_powershell.yml 
@@ -5,11 +5,11 @@ description: Detects Windows PowerShell Web Access references: - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest author: Florian Roth (Nextron Systems) -date: 2017/03/13 -modified: 2021/11/27 +date: 2017-03-13 +modified: 2021-11-27 tags: - - attack.defense_evasion - - attack.command_and_control + - attack.defense-evasion + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_ua_rclone.yml b/rules/web/proxy_generic/proxy_ua_rclone.yml index d1dfdfd91f0..711fe14e8bc 100644 --- a/rules/web/proxy_generic/proxy_ua_rclone.yml +++ b/rules/web/proxy_generic/proxy_ua_rclone.yml @@ -6,7 +6,7 @@ references: - https://rclone.org/ - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone author: Janantha Marasinghe -date: 2022/10/18 +date: 2022-10-18 tags: - attack.exfiltration - attack.t1567.002 diff --git a/rules/web/proxy_generic/proxy_ua_susp.yml b/rules/web/proxy_generic/proxy_ua_susp.yml index f88ff970292..fa1f1b2a5c1 100644 --- a/rules/web/proxy_generic/proxy_ua_susp.yml +++ b/rules/web/proxy_generic/proxy_ua_susp.yml @@ -5,10 +5,10 @@ description: Detects suspicious malformed user agent strings in proxy logs references: - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb author: Florian Roth (Nextron Systems) -date: 2017/07/08 -modified: 2022/10/31 +date: 2017-07-08 +modified: 2022-10-31 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_ua_susp_base64.yml b/rules/web/proxy_generic/proxy_ua_susp_base64.yml index 7b26ed5b152..8e5ceab6c59 100644 --- a/rules/web/proxy_generic/proxy_ua_susp_base64.yml +++ b/rules/web/proxy_generic/proxy_ua_susp_base64.yml 
@@ -9,10 +9,10 @@ references: - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop author: Florian Roth (Nextron Systems), Brian Ingram (update) -date: 2022/07/08 -modified: 2023/05/04 +date: 2022-07-08 +modified: 2023-05-04 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_webdav_external_execution.yml b/rules/web/proxy_generic/proxy_webdav_external_execution.yml index 162e07b85d5..c7e646534ee 100644 --- a/rules/web/proxy_generic/proxy_webdav_external_execution.yml +++ b/rules/web/proxy_generic/proxy_webdav_external_execution.yml @@ -12,9 +12,9 @@ references: - https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html author: Ahmed Farouk -date: 2024/05/10 +date: 2024-05-10 tags: - - attack.initial_access + - attack.initial-access - attack.t1584 - attack.t1566 logsource: diff --git a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml index 17e3291c6d0..e57e2c6ea64 100644 --- a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml +++ b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml @@ -10,7 +10,7 @@ references: - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo -date: 2023/11/08 +date: 2023-11-08 tags: - attack.execution - attack.t1190 diff --git a/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml b/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml index 5ae2c3ea656..73496d03328 100644 
--- a/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml +++ b/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml @@ -7,10 +7,10 @@ references: - https://www.exploit-db.com/exploits/19525 - https://github.com/lijiejie/IIS_shortname_Scanner author: frack113 -date: 2021/10/06 -modified: 2023/01/02 +date: 2021-10-06 +modified: 2023-01-02 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 logsource: category: webserver diff --git a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml index 4de443dd8d9..4d3fb2da78a 100644 --- a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml +++ b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml @@ -9,12 +9,12 @@ references: - https://twitter.com/httpvoid0x2f/status/1532924261035384832 - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035 author: frack113, Harjot Singh, "@cyb3rjy0t" (update) -date: 2022/06/04 -modified: 2023/01/19 +date: 2022-06-04 +modified: 2023-01-19 tags: - - cve.2022.26134 - - cve.2021.26084 - - attack.initial_access + - cve.2022-26134 + - cve.2021-26084 + - attack.initial-access - attack.t1190 logsource: category: webserver diff --git a/rules/web/webserver_generic/web_jndi_exploit.yml b/rules/web/webserver_generic/web_jndi_exploit.yml index 538c64f0b22..02b5c26a0ca 100644 --- a/rules/web/webserver_generic/web_jndi_exploit.yml +++ b/rules/web/webserver_generic/web_jndi_exploit.yml @@ -6,10 +6,10 @@ references: - https://github.com/pimps/JNDI-Exploit-Kit - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit author: Florian Roth (Nextron Systems) -date: 2021/12/12 -modified: 2022/12/25 +date: 2021-12-12 +modified: 2022-12-25 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 logsource: category: webserver 
diff --git a/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml b/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml index a791a130fb1..3fba9d8e8e0 100644 --- a/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml +++ b/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml @@ -6,10 +6,10 @@ references: - https://github.com/projectdiscovery/nuclei-templates - https://book.hacktricks.xyz/pentesting-web/file-inclusion author: Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems) -date: 2021/09/25 -modified: 2023/08/31 +date: 2021-09-25 +modified: 2023-08-31 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 logsource: category: webserver diff --git a/rules/web/webserver_generic/web_source_code_enumeration.yml b/rules/web/webserver_generic/web_source_code_enumeration.yml index 6ecfd798470..9f17c3de267 100644 --- a/rules/web/webserver_generic/web_source_code_enumeration.yml +++ b/rules/web/webserver_generic/web_source_code_enumeration.yml @@ -6,8 +6,8 @@ references: - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1 author: James Ahearn -date: 2019/06/08 -modified: 2022/10/05 +date: 2019-06-08 +modified: 2022-10-05 tags: - attack.discovery - attack.t1083 diff --git a/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml b/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml index 3d7daf35834..8de0913631f 100644 --- a/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml +++ b/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml 
@@ -9,10 +9,10 @@ references: - https://github.com/payloadbox/sql-injection-payload-list - https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank) -date: 2020/02/22 -modified: 2023/09/04 +date: 2020-02-22 +modified: 2023-09-04 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 logsource: category: webserver diff --git a/rules/web/webserver_generic/web_ssti_in_access_logs.yml b/rules/web/webserver_generic/web_ssti_in_access_logs.yml index 1540ec405e2..ae334e32eb2 100644 --- a/rules/web/webserver_generic/web_ssti_in_access_logs.yml +++ b/rules/web/webserver_generic/web_ssti_in_access_logs.yml @@ -6,9 +6,9 @@ references: - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection - https://github.com/payloadbox/ssti-payloads author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/14 +date: 2022-06-14 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1221 logsource: category: webserver diff --git a/rules/web/webserver_generic/web_susp_useragents.yml b/rules/web/webserver_generic/web_susp_useragents.yml index 189ba702e13..aa9c3b512c2 100644 --- a/rules/web/webserver_generic/web_susp_useragents.yml +++ b/rules/web/webserver_generic/web_susp_useragents.yml @@ -7,10 +7,10 @@ references: - https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92 author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton -date: 2022/07/19 -modified: 2023/01/02 +date: 2022-07-19 +modified: 2023-01-02 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 logsource: category: webserver 
diff --git a/rules/web/webserver_generic/web_susp_windows_path_uri.yml b/rules/web/webserver_generic/web_susp_windows_path_uri.yml index f38d7742f9d..dcdfdbc7482 100644 --- a/rules/web/webserver_generic/web_susp_windows_path_uri.yml +++ b/rules/web/webserver_generic/web_susp_windows_path_uri.yml @@ -5,8 +5,8 @@ description: Detects suspicious Windows strings in URI which could indicate poss references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/06 -modified: 2023/01/02 +date: 2022-06-06 +modified: 2023-01-02 tags: - attack.persistence - attack.exfiltration diff --git a/rules/web/webserver_generic/web_webshell_regeorg.yml b/rules/web/webserver_generic/web_webshell_regeorg.yml index c5653e0a8aa..6e8f5100025 100644 --- a/rules/web/webserver_generic/web_webshell_regeorg.yml +++ b/rules/web/webserver_generic/web_webshell_regeorg.yml @@ -6,8 +6,8 @@ references: - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3 - https://github.com/sensepost/reGeorg author: Cian Heasley -date: 2020/08/04 -modified: 2023/01/02 +date: 2020-08-04 +modified: 2023-01-02 tags: - attack.persistence - attack.t1505.003 diff --git a/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml b/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml index 3d4bc3a9c4c..cf1becfe64b 100644 --- a/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml +++ b/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml @@ -6,8 +6,8 @@ references: - https://bad-jubies.github.io/RCE-NOW-WHAT/ - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2017/02/19 -modified: 2022/11/18 +date: 2017-02-19 +modified: 2022-11-18 tags: - attack.persistence - attack.t1505.003 
diff --git a/rules/web/webserver_generic/web_xss_in_access_logs.yml b/rules/web/webserver_generic/web_xss_in_access_logs.yml index 693863859ae..99ba9d73342 100644 --- a/rules/web/webserver_generic/web_xss_in_access_logs.yml +++ b/rules/web/webserver_generic/web_xss_in_access_logs.yml @@ -6,10 +6,10 @@ references: - https://github.com/payloadbox/xss-payload-list - https://portswigger.net/web-security/cross-site-scripting/contexts author: Saw Win Naung, Nasreddine Bencherchali -date: 2021/08/15 -modified: 2022/06/14 +date: 2021-08-15 +modified: 2022-06-14 tags: - - attack.initial_access + - attack.initial-access - attack.t1189 logsource: category: webserver diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml index 478f50e8c49..ec8c6bb71f5 100644 --- a/rules/windows/builtin/application/Other/win_av_relevant_match.yml +++ b/rules/windows/builtin/application/Other/win_av_relevant_match.yml @@ -9,10 +9,10 @@ references: - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01 - https://www.nextron-systems.com/?s=antivirus author: Florian Roth (Nextron Systems), Arnim Rupp -date: 2017/02/19 -modified: 2024/07/17 +date: 2017-02-19 +modified: 2024-07-17 tags: - - attack.resource_development + - attack.resource-development - attack.t1588 logsource: product: windows diff --git a/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml b/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml index 66006fdf0e3..fd5c9af50a3 100644 --- a/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml +++ b/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml 
@@ -9,10 +9,10 @@ references: - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 - https://technet.microsoft.com/en-us/library/security/4022344 author: Florian Roth (Nextron Systems) -date: 2017/05/09 -modified: 2023/04/14 +date: 2017-05-09 +modified: 2023-04-14 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1211 - attack.t1562.001 logsource: diff --git a/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml b/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml index 354310fcbc5..bc259ba1bf6 100644 --- a/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml +++ b/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml @@ -7,9 +7,9 @@ references: - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/12/07 +date: 2022-12-07 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 logsource: product: windows diff --git a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml index b6b20076a64..52b236c43ec 100644 --- a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml +++ b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml 
@@ -6,9 +6,9 @@ references: - https://twitter.com/mgreen27/status/1558223256704122882 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/14 +date: 2022-08-14 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.003 logsource: product: windows diff --git a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml index d7e97fa0578..fe91750165f 100644 --- a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml +++ b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml @@ -6,8 +6,8 @@ references: - https://twitter.com/mgreen27/status/1558223256704122882 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/14 -modified: 2023/10/23 +date: 2022-08-14 +modified: 2023-10-23 tags: - attack.execution logsource: diff --git a/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml b/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml index 1667f6cd703..590805da375 100644 --- a/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml +++ b/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml 
@@ -12,18 +12,18 @@ references: - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed. - https://nullsec.us/windows-event-log-audit-cve/ author: Florian Roth (Nextron Systems), Zach Mathis -date: 2020/01/15 -modified: 2022/10/22 +date: 2020-01-15 +modified: 2022-10-22 tags: - attack.execution - attack.t1203 - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1068 - - attack.defense_evasion + - attack.defense-evasion - attack.t1211 - - attack.credential_access + - attack.credential-access - attack.t1212 - - attack.lateral_movement + - attack.lateral-movement - attack.t1210 - attack.impact - attack.t1499.004 diff --git a/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml b/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml index 871ca2a814d..72dad5d0fe2 100644 --- a/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml +++ b/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml @@ -6,10 +6,10 @@ references: - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection) -date: 2017/05/12 -modified: 2022/12/25 +date: 2017-05-12 +modified: 2022-12-25 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070.004 logsource: product: windows diff --git a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml index d88d265645f..0df2c011dd6 100644 
--- a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml +++ b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml @@ -6,9 +6,9 @@ references: - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv author: frack113 -date: 2023/01/12 +date: 2023-01-12 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1072 logsource: product: windows diff --git a/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml b/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml index 4f6bd8c47c0..ebfe282d258 100644 --- a/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml +++ b/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml @@ -6,8 +6,8 @@ references: - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml - https://learn.microsoft.com/en-us/windows/win32/msi/event-logging author: frack113 -date: 2022/01/28 -modified: 2022/09/17 +date: 2022-01-28 +modified: 2022-09-17 tags: - attack.impact - attack.t1489 diff --git a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml index 85b1848faa6..06d5a78221c 100644 --- a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml 
+++ b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
@@ -5,8 +5,8 @@ description: Detects MSI package installation from suspicious locations
 references:
 - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/31
-modified: 2023/10/23
+date: 2022-08-31
+modified: 2023-10-23
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
index c6bd3ad8e9f..4e9d41ad790 100644
--- a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
+++ b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
@@ -5,10 +5,10 @@ description: Detects installation of a remote msi file from web.
 references:
 - https://twitter.com/_st0pp3r_/status/1583922009842802689
 author: Stamatis Chatzimangou
-date: 2022/10/23
-modified: 2022/10/23
+date: 2022-10-23
+modified: 2022-10-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1218.007
 logsource:
diff --git a/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml b/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
index 6fdb563ffef..9b4557c63f3 100644
--- a/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
+++ b/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
@@ -5,8 +5,8 @@ description: Detects successful installation of Atera Remote Monitoring & Manage
 references:
 - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
 author: Bhabesh Raj
-date: 2021/09/01
-modified: 2022/12/25
+date: 2021-09-01
+modified: 2022-12-25
 tags:
 - attack.t1219
 logsource:
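Review bot: In the win_msi_install_from_web.yml hunk the rewritten `modified: 2022-10-23` is identical to `date: 2022-10-23`, so the field carries no information after the reformat and may trip a same-day-modification check in the SigmaHQ validators. Since this commit already touches both lines, dropping the `+modified: 2022-10-23` line (keeping the `-modified: 2022/10/23` removal) would leave the rule cleaner with no change in meaning. The tag rename to `attack.defense-evasion` in the same hunk is fine; the rule's detection block is outside the hunk.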
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml index 4b0abb91b14..c6fa02f6fc8 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml @@ -5,8 +5,8 @@ description: Detects when an attacker tries to backdoor the MSSQL server by addi references: - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/13 -modified: 2024/06/26 +date: 2022-07-13 +modified: 2024-06-26 tags: - attack.persistence logsource: diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml index fef5c0328b3..ded6786fd3e 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml @@ -7,10 +7,10 @@ references: - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 - https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/13 -modified: 2024/06/26 +date: 2022-07-13 +modified: 2024-06-26 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: product: windows service: application diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml index 106195511a4..43e71d81701 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml 
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml @@ -9,10 +9,10 @@ references: - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/ - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html author: Nasreddine Bencherchali (Nextron Systems), j4son -date: 2023/10/11 -modified: 2024/06/26 +date: 2023-10-11 +modified: 2024-06-26 tags: - - attack.credential_access + - attack.credential-access - attack.t1110 logsource: product: windows diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml index 8ef4e47cfcd..1e1ed8cb292 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml @@ -9,10 +9,10 @@ references: - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/ - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html author: j4son -date: 2023/10/11 -modified: 2024/06/26 +date: 2023-10-11 +modified: 2024-06-26 tags: - - attack.credential_access + - attack.credential-access - attack.t1110 logsource: product: windows diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml index f00dcd98506..fd665d9ebe9 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml 
@@ -6,8 +6,8 @@ references: - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/ - https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/13 -modified: 2024/06/26 +date: 2022-07-13 +modified: 2024-06-26 tags: - attack.persistence logsource: diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml index 377bfa323a1..a1dc1641fd0 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml @@ -6,8 +6,8 @@ references: - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/12 -modified: 2024/06/26 +date: 2022-07-12 +modified: 2024-06-26 tags: - attack.execution logsource: diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml index c9f63d11d38..d552ec61a12 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml 
@@ -7,8 +7,8 @@ references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
-modified: 2024/06/26
+date: 2022-07-12
+modified: 2024-06-26
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
index 7ff83280ebe..3f457d197ae 100644
--- a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
+++ b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
@@ -9,7 +9,7 @@ references:
 - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
 - https://github.com/SigmaHQ/sigma/pull/4467
 author: Ali Alwashali
-date: 2023/10/10
+date: 2023-10-10
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
index e7d582b5ee3..2cbd3dc6bea 100644
--- a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
+++ b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
@@ -9,7 +9,7 @@ references:
 - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
 - https://github.com/SigmaHQ/sigma/pull/4467
 author: Ali Alwashali
-date: 2023/10/10
+date: 2023-10-10
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
index 2a1822b34c1..5e5ca6ee100 100644
--- a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
+++ b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
@@ -6,10 +6,10 @@ references:
 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
 - https://technet.microsoft.com/en-us/library/security/4022344
 author: Florian Roth (Nextron Systems)
-date: 2017/05/09
-modified: 2023/04/14
+date: 2017-05-09
+modified: 2023-04-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1211
 - attack.t1562.001
 logsource:
diff --git a/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
index 3cd264830da..09d71429850 100644
--- a/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
+++ b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
@@ -7,8 +7,8 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
 - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
 author: Pushkarev Dmitry
-date: 2020/06/28
-modified: 2021/11/27
+date: 2020-06-28
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
index e7145460a01..ae6b708d206 100644
--- a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
+++ b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
@@ -5,10 +5,10 @@ description: Detects execution of Sysinternals tools via an AppX package. Attack
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
-modified: 2023/09/12
+date: 2023-01-16
+modified: 2023-09-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 product: windows
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
index 89a606da371..7dd5202187b 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
 author: frack113
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
index 3f25523bf3b..ead0d07f936 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
@@ -7,10 +7,10 @@ references:
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-modified: 2023/01/12
+date: 2023-01-11
+modified: 2023-01-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
index 67f5cdd7928..61911603c47 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
 author: frack113
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
index e6e7a0a2a00..0def9b02204 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
@@ -8,9 +8,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
index 34f841c4008..4609d8dc0f5 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
@@ -8,10 +8,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-modified: 2024/02/09
+date: 2023-01-11
+modified: 2024-02-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
index 050c81c624e..cd524159b00 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
@@ -8,9 +8,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
index 76767c6bdd6..7e54e98286c 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
@@ -8,9 +8,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
index 065666b0553..c5bf6d39fd1 100644
--- a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
+++ b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
@@ -6,9 +6,9 @@ references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
+date: 2023-01-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 product: windows
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
index 027a7c8b533..7ab2c352948 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a new bits job by Bitsadmin
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 author: frack113
-date: 2022/03/01
-modified: 2023/03/27
+date: 2022-03-01
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
index 9e2463ed36e..b5becafe0e1 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a new bits job by PowerShell
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 author: frack113
-date: 2022/03/01
-modified: 2023/03/27
+date: 2022-03-01
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
index aefbf76cd99..493d667abc2 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
@@ -5,10 +5,10 @@ description: Detects new BITS transfer job saving local files with potential sus
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 author: frack113
-date: 2022/03/01
-modified: 2023/03/27
+date: 2022-03-01
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
index 7291d4f8594..41986fcf02c 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
@@ -8,10 +8,10 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
-date: 2022/06/28
-modified: 2024/02/09
+date: 2022-06-28
+modified: 2024-02-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
index 240d923a445..9bcdf087d7c 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
@@ -11,10 +11,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-modified: 2023/03/27
+date: 2023-01-11
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
index 6af8db014f4..5f5fc4dce4f 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 - https://twitter.com/malmoeb/status/1535142803075960832
 author: Florian Roth (Nextron Systems)
-date: 2022/06/10
-modified: 2023/03/27
+date: 2022-06-10
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml b/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
index 17c7032ad77..1aedba92c0b 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
@@ -5,10 +5,10 @@ description: Detects new BITS transfer job where the LocalName/Saved file is sto
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 author: Florian Roth (Nextron Systems)
-date: 2022/06/28
-modified: 2023/03/27
+date: 2022-06-28
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml b/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
index 2bb76c3f1f8..dd8a5d9abc9 100644
--- a/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
+++ b/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
@@ -5,9 +5,9 @@ description: Detects when an application acquires a certificate private key
 references:
 - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
 author: Zach Mathis
-date: 2023/05/13
+date: 2023-05-13
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1649
 logsource:
 product: windows
diff --git a/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml b/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
index 72a7cee6090..4b53504b49b 100644
--- a/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
+++ b/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
@@ -5,9 +5,9 @@ description: Detects when an application exports a certificate (and potentially
 references:
 - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
 author: Zach Mathis
-date: 2023/05/13
+date: 2023-05-13
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1649
 logsource:
 product: windows
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index 0c178bde098..f09c8ed6ca5 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/20
-modified: 2023/11/15
+date: 2022-01-20
+modified: 2023-11-15
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
index 8b489aeeda1..806153fcc9b 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
index 88f5cd8472a..4b31e41651a 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/10
-modified: 2023/06/07
+date: 2022-11-10
+modified: 2023-06-07
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 product: windows
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
index 263a7748778..c85104a1cae 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 product: windows
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
index 5857197ab3b..a67becafc4f 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
index fa131873f6f..639299a5ac2 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
index 168ce438b64..7d530423ce5 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
index cfde6fdbd9b..10251e574f0 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
index 80107107604..2a922e6608c 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml
index 1ff2d7fbddd..8132420bd57 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml
@@ -7,10 +7,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
-modified: 2023/06/14
+date: 2023-06-06
+modified: 2023-06-14
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
index c5031c255ec..eb3ec37e67d 100644
--- a/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
+++ b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/nas_bench/status/1539679555908141061
 - https://twitter.com/j00sean/status/1537750439701225472
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
+date: 2022-08-14
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
index 0bd1e22121a..5ea279d46e7 100644
--- a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
@@ -9,9 +9,9 @@ references:
 - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
+date: 2023-01-16
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
index 6b34ee5bc6e..3dec408da8a 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
@@ -8,7 +8,7 @@ description: Detects DNS queries for anonfiles.com, which is an anonymous file u
 references:
 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
+date: 2023-01-16
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml
index 482d0af52de..c26c1601c62 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml
@@ -8,7 +8,7 @@ description: Detects DNS queries for subdomains related to MEGA sharing website
 references:
 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
+date: 2023-01-16
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml
index d1fd8d13a45..6285befe47c 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml
@@ -8,9 +8,9 @@ description: Detects DNS resolution of an .onion address related to Tor routing
 references:
 - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/20
+date: 2022-02-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
index e5622c0cdf6..5665769bd8a 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
@@ -8,8 +8,8 @@ description: Detects DNS queries to "ufile.io", which was seen abused by malware
 references:
 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
-modified: 2023/09/18
+date: 2023-01-16
+modified: 2023-09-18
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml b/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
index 6461916383c..f45594d4bb1 100644
--- a/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
+++ b/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
@@ -5,7 +5,7 @@ description: Detects when a DNS zone transfer failed.
 references:
 - https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
 author: Zach Mathis
-date: 2023/05/24
+date: 2023-05-24
 tags:
 - attack.reconnaissance
 - attack.t1590.002
diff --git a/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml b/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
index c54cc0c0e8a..3809a504b42 100644
--- a/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
+++ b/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
@@ -12,10 +12,10 @@ references:
 - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
 - https://twitter.com/gentilkiwi/status/861641945944391680
 author: Florian Roth (Nextron Systems)
-date: 2017/05/08
-modified: 2023/02/05
+date: 2017-05-08
+modified: 2023-02-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
index 4fe4f122b18..d49dd6119bd 100644
--- a/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
+++ b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
@@ -6,10 +6,10 @@ references:
 - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
 - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
 author: Florian Roth (Nextron Systems)
-date: 2017/11/09
-modified: 2021/11/30
+date: 2017-11-09
+modified: 2021-11-30
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1200
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
index 287e59bcc1c..b6c1d02021d 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
@@ -5,10 +5,10 @@ description: Detects when a rule has been added to the Windows Firewall exceptio
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
-date: 2022/02/19
-modified: 2024/05/10
+date: 2022-02-19
+modified: 2024-05-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
index 35c316fe790..b031231fa7a 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
@@ -9,10 +9,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
 author: frack113
-date: 2023/02/26
-modified: 2024/05/10
+date: 2023-02-26
+modified: 2024-05-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
index 74479a8ce2c..293aab409d7 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
@@ -9,9 +9,9 @@ references:
 - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
 - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
index 1974b5ec6a6..c19cf42826b 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
@@ -5,10 +5,10 @@ description: Detects when a all the rules have been deleted from the Windows Def
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/17
-modified: 2024/01/22
+date: 2023-01-17
+modified: 2024-01-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
index 38278e2d2a3..82539c5b44d 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
@@ -5,10 +5,10 @@ description: Detects when a single rules or all of the rules have been deleted f
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
-date: 2022/02/19
-modified: 2023/06/12
+date: 2022-02-19
+modified: 2023-06-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
index 3735d8bae49..208954b53b4 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
@@ -5,10 +5,10 @@ description: Detects activity when The Windows Defender Firewall service failed
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
-date: 2022/02/19
-modified: 2023/01/17
+date: 2022-02-19
+modified: 2023-01-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
index 0893e06cbec..7ee0b2918ff 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
@@ -5,10 +5,10 @@ description: Detects activity when Windows Defender Firewall has been reset to i
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
-date: 2022/02/19
-modified: 2023/04/21
+date: 2022-02-19
+modified: 2023-04-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
index 3b1f60be741..fd8ed1f8b06 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
@@ -5,10 +5,10 @@ description: Detects activity when the settings of the Windows firewall have bee
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/19
-modified: 2023/04/21
+date: 2022-02-19
+modified: 2023-04-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
index 202f234d8ae..a9687d3bdfd 100644
--- a/rules/windows/builtin/ldap/win_ldap_recon.yml
+++ b/rules/windows/builtin/ldap/win_ldap_recon.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
 - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
 author: Adeem Mawani
-date: 2021/06/22
-modified: 2023/11/03
+date: 2021-06-22
+modified: 2023-11-03
 tags:
 - attack.discovery
 - attack.t1069.002
diff --git a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
index cdc61fb3965..aed77195c35 100644
--- a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
+++ b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
@@ -7,11 +7,11 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
 author: frack113
-date: 2023/01/13
-modified: 2023/05/05
+date: 2023-01-13
+modified: 2023-05-05
 tags:
- - attack.credential_access
- - attack.privilege_escalation
+ - attack.credential-access
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: lsa-server
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
index dbe4af2d6ed..24e905b04df 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
@@ -5,11 +5,11 @@ description: Detects specific patterns found after a successful ProxyLogon explo
 references:
 - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
 author: Florian Roth (Nextron Systems)
-date: 2021/08/09
-modified: 2023/01/23
+date: 2021-08-09
+modified: 2023-01-23
 tags:
 - attack.t1587.001
- - attack.resource_development
+ - attack.resource-development
 logsource:
 product: windows
 service: msexchange-management
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
index 2de17e7a155..2c6ddf4dbe4 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
@@ -5,8 +5,8 @@ description: Detects a write of an Exchange CSR to an untypical directory or wit
 references:
 - https://twitter.com/GossiTheDog/status/1429175908905127938
 author: Max Altgelt (Nextron Systems)
-date: 2021/08/23
-modified: 2023/01/23
+date: 2021-08-23
+modified: 2023-01-23
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
index 77d53ea104b..99984a876ce 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
@@ -5,8 +5,8 @@ description: Detects a successful export of an Exchange mailbox to untypical dir
 references:
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
-date: 2021/08/09
-modified: 2023/04/30
+date: 2021-08-09
+modified: 2023-04-30
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
index db7cb0a5469..a7ad1d02224 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
@@ -5,10 +5,10 @@ description: Detects removal of an exported Exchange mailbox which could be to c
 references:
 - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/27
-modified: 2023/01/23
+date: 2021-08-27
+modified: 2023-01-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 service: msexchange-management
diff --git a/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
index 56824366bdd..7694a34aad3 100644
--- a/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
@@ -5,8 +5,8 @@ description: Rule to detect an adversary setting OabVirtualDirectory External UR
 references:
 - https://twitter.com/OTR_Community/status/1371053369071132675
 author: Jose Rodriguez @Cyb3rPandaH
-date: 2021/03/15
-modified: 2023/01/23
+date: 2021-03-15
+modified: 2023-01-23
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/builtin/msexchange/win_exchange_transportagent.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
index 049794fa033..14d05c3b8e4 100644
--- a/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
@@ -8,8 +8,8 @@ description: Detects the Installation of a Exchange Transport Agent
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
 author: Tobias Michalski (Nextron Systems)
-date: 2021/06/08
-modified: 2022/11/27
+date: 2021-06-08
+modified: 2022-11-27
 tags:
 - attack.persistence
 - attack.t1505.002
diff --git a/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
index 376b5d0884b..d1d173bd706 100644
--- a/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
@@ -5,8 +5,8 @@ description: Detects a failed installation of a Exchange Transport Agent
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
 author: Tobias Michalski (Nextron Systems)
-date: 2021/06/08
-modified: 2022/07/12
+date: 2021-06-08
+modified: 2022-07-12
 tags:
 - attack.persistence
 - attack.t1505.002
diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
index 92a842704ab..856952d4e05 100644
--- a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
@@ -5,10 +5,10 @@ description: Detects logons using NTLM, which could be caused by a legacy source
 references:
 - https://twitter.com/JohnLaTwC/status/1004895028995477505
 author: Florian Roth (Nextron Systems)
-date: 2018/06/08
-modified: 2024/07/22
+date: 2018-06-08
+modified: 2024-07-22
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1550.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml
index 5a54cb841a2..07f321d3669 100644
--- a/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml
@@ -5,9 +5,9 @@ description: Detects common NTLM brute force device names
 references:
 - https://www.varonis.com/blog/investigate-ntlm-brute-force
 author: Jerry Shockley '@jsh0x'
-date: 2022/02/02
+date: 2022-02-02
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1110
 logsource:
 product: windows
diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
index 9ddc74de3cd..9fa708b59d8 100644
--- a/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
@@ -5,10 +5,10 @@ description: Detects logons using NTLM to hosts that are potentially not part of
 references:
 - n/a
 author: James Pemberton
-date: 2020/05/22
-modified: 2021/11/27
+date: 2020-05-22
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml b/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml
index 3c7fabeeefd..c347b70ce68 100644
--- a/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml
+++ b/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml
@@ -9,9 +9,9 @@ references:
 - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: mdecrevoisier
-date: 2022/10/25
+date: 2022-10-25
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
index ad2d8a9d9fd..9d9da74b022 100644
--- a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
+++ b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
@@ -6,11 +6,11 @@ references:
 - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
 - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
 author: Michaela Adams, Zach Mathis
-date: 2022/11/06
-modified: 2023/04/26
+date: 2022-11-06
+modified: 2023-04-26
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1134.001
 - stp.4u
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
index 64fdb30e213..6d5cdb1daa2 100644
--- a/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
@@ -5,10 +5,10 @@ description: Detect remote login by Administrator user (depending on internal pa
 references:
 - https://car.mitre.org/wiki/CAR-2016-04-005
 author: juju4
-date: 2017/10/29
-modified: 2022/10/09
+date: 2017-10-29
+modified: 2022-10-09
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1078.001
 - attack.t1078.002
 - attack.t1078.003
diff --git a/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml b/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml
index bd555e9f2c6..f82648724f0 100644
--- a/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml
+++ b/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml
@@ -5,9 +5,9 @@ description: Detects the default "UserName" used by the DiagTrackEoP POC
 references:
 - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/03
+date: 2022-08-03
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml b/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
index 8f2c34367e2..49ab072e347 100644
--- a/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
+++ b/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
@@ -2,7 +2,7 @@ title: A Member Was Added to a Security-Enabled Global Group
 id: c43c26be-2e87-46c7-8661-284588c5a53e
 related:
 - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
- type: obsoletes
+ type: obsolete
 status: stable
 description: Detects activity when a member is added to a security-enabled global group
 references:
@@ -12,7 +12,7 @@ references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
 author: Alexandr Yampolskyi, SOC Prime
-date: 2023/04/26
+date: 2023-04-26
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml b/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
index f6a26ca420a..b19f83a08fc 100644
--- a/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
+++ b/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
@@ -2,7 +2,7 @@ title: A Member Was Removed From a Security-Enabled Global Group
 id: 02c39d30-02b5-45d2-b435-8aebfe5a8629
 related:
 - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
- type: obsoletes
+ type: obsolete
 status: stable
 description: Detects activity when a member is removed from a security-enabled global group
 references:
@@ -12,7 +12,7 @@ references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
 author: Alexandr Yampolskyi, SOC Prime
-date: 2023/04/26
+date: 2023-04-26
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml b/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
index cce89e4f344..1983e0316d1 100644
--- a/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
+++ b/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
@@ -5,10 +5,10 @@ description: Detects successful logon with logon type 9 (NewCredentials) which m
 references:
 - https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html
 author: Roberto Rodriguez (source), Dominik Schaudel (rule)
-date: 2018/02/12
-modified: 2021/11/27
+date: 2018-02-12
+modified: 2021-11-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.s0002
 - attack.t1550.002
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
index df700d51dae..9a011cfe146 100644
--- a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
+++ b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
@@ -7,10 +7,10 @@ references:
 - https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
 - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
 author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
-date: 2019/06/14
-modified: 2022/10/05
+date: 2019-06-14
+modified: 2022-10-05
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1550.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml
index 9bb8fc0c5a3..ce57e274c58 100644
--- a/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml
+++ b/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/AdamTheAnalyst/status/1134394070045003776
 - https://github.com/zerosum0x0/CVE-2019-0708
 author: Florian Roth (Nextron Systems), Adam Bradbury (idea)
-date: 2019/06/02
-modified: 2022/12/25
+date: 2019-06-02
+modified: 2022-12-25
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
 - car.2013-07-002
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml b/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml
index e70a0a8166c..f3fd14ef94b 100644
--- a/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml
@@ -5,10 +5,10 @@ description: RDP login with localhost source address may be a tunnelled login
 references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 author: Thomas Patzke
-date: 2019/01/28
-modified: 2022/10/09
+date: 2019-01-28
+modified: 2022-10-09
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - car.2013-07-002
 - attack.t1021.001
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml b/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml
index 5a81b4aae36..0cbb18bb51a 100644
--- a/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml
+++ b/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml
@@ -5,11 +5,11 @@ description: Detect potential adversaries leveraging WMI ActiveScriptEventConsum
 references:
 - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/09/02
-modified: 2021/11/27
+date: 2020-09-02
+modified: 2021-11-27
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.003
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml b/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
index 6cdded1b32e..99720325b99 100644
--- a/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
+++ b/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
@@ -2,7 +2,7 @@ title: A Security-Enabled Global Group Was Deleted
 id: b237c54b-0f15-4612-a819-44b735e0de27
 related:
 - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
- type: obsoletes
+ type: obsolete
 status: stable
 description: Detects activity when a security-enabled global group is deleted
 references:
@@ -12,7 +12,7 @@ references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
 author: Alexandr Yampolskyi, SOC Prime
-date: 2023/04/26
+date: 2023-04-26
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
index 23e7bac365c..b55315b33b3 100644
--- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
@@ -9,11 +9,11 @@ references:
 - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
 - https://twitter.com/Purp1eW0lf/status/1616144561965002752
 author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
-date: 2023/01/19
-modified: 2024/03/11
+date: 2023-01-19
+modified: 2024-03-11
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1133
 - attack.t1078
 - attack.t1110
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
index 1221fd8ecdf..9457318f6d9 100644
--- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
@@ -9,11 +9,11 @@ references:
 - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
 - https://twitter.com/Purp1eW0lf/status/1616144561965002752
 author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
-date: 2023/01/19
-modified: 2024/03/11
+date: 2023-01-19
+modified: 2024-03-11
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1133
 - attack.t1078
 - attack.t1110
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
index fa7e68301d2..25409436cab 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
@@ -5,10 +5,10 @@ description: Detects a failed logon attempt from a public IP. A login from a pub
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
 author: NVISO
-date: 2020/05/06
-modified: 2024/03/11
+date: 2020-05-06
+modified: 2024-03-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
 - attack.t1078
 - attack.t1190
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml b/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
index 8f33d701164..4a95af66df3 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
@@ -5,10 +5,10 @@ description: Detects logon events that specify new credentials
 references:
 - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
 author: Max Altgelt (Nextron Systems)
-date: 2022/04/06
+date: 2022-04-06
 tags:
- - attack.defense_evasion
- - attack.lateral_movement
+ - attack.defense-evasion
+ - attack.lateral-movement
 - attack.t1550
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
index b8b3a0b4ba3..b40b4902dac 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
@@ -8,11 +8,11 @@ references:
 - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
 - https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
 author: Elastic, @SBousseaden
-date: 2022/04/27
-modified: 2024/07/02
+date: 2022-04-27
+modified: 2024-07-02
 tags:
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.t1548
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml b/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml
index 69a5295e1b4..e53c6f5fcae 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml
@@ -5,11 +5,11 @@ description: Detects logon events that have characteristics of events generated
 references:
 - https://twitter.com/SBousseaden/status/1195284233729777665
 author: '@SBousseaden, Florian Roth'
-date: 2019/11/15
-modified: 2022/12/22
+date: 2019-11-15
+modified: 2022-12-22
 tags:
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.t1557.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml b/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml
index d96c2bc0751..8d42dd8fe54 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml
@@ -5,8 +5,8 @@ description: Detects successful logon attempts performed with WMI
 references:
 - Internal Research
 author: Thomas Patzke
-date: 2019/12/04
-modified: 2024/01/17
+date: 2019-12-04
+modified: 2024-01-17
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml b/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml
index 4b285c08125..14b6344a2a2 100644
--- a/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml
+++ b/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml
@@ -9,9 +9,9 @@ references:
 - https://github.com/amjcyber/EDRNoiseMaker
 - https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
 author: '@gott_cyber'
-date: 2024/01/08
+date: 2024-01-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml b/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml
index 87c0b6e68dd..364703d638e 100644
--- a/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml
+++ b/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml
@@ -8,8 +8,8 @@ references:
 - https://o365blog.com/post/hybridhealthagent/
 - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/08/26
-modified: 2022/10/09
+date: 2021-08-26
+modified: 2022-10-09
 tags:
 - attack.discovery
 - attack.t1012
diff --git a/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml b/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml
index 9ab2a239c01..244a01243d6 100644
--- a/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml
+++ b/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml
@@ -10,8 +10,8 @@ references:
 - https://o365blog.com/post/hybridhealthagent/
 - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/08/26
-modified: 2022/10/09
+date: 2021-08-26
+modified: 2022-10-09
 tags:
 - attack.discovery
 - attack.t1012
diff --git a/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
index ea8e3a2ded6..09362d1ba9e 100644
--- a/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
+++ b/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/menasec1/status/1111556090137903104
 - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
 author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat
-date: 2019/04/03
-modified: 2022/08/16
+date: 2019-04-03
+modified: 2022-08-16
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/win_security_account_discovery.yml b/rules/windows/builtin/security/win_security_account_discovery.yml
index da3c979636e..af11cfd8b49 100644
--- a/rules/windows/builtin/security/win_security_account_discovery.yml
+++ b/rules/windows/builtin/security/win_security_account_discovery.yml
@@ -5,8 +5,8 @@ description: Detect priv users or groups recon based on 4661 eventid and known p
 references:
 - https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2022/07/13
+date: 2019-04-03
+modified: 2022-07-13
 tags:
 - attack.discovery
 - attack.t1087.002
diff --git a/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml b/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml
index 80d06363faa..ed8afb06366 100644
--- a/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml
@@ -7,10 +7,10 @@ references:
 - https://threathunterplaybook.com/library/windows/active_directory_replication.html
 - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-modified: 2021/11/27
+date: 2019-09-12
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml b/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml
index e8a492702e2..afe44408f50 100644
--- a/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml
@@ -7,10 +7,10 @@ references:
 - https://threathunterplaybook.com/library/windows/active_directory_replication.html
 - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/07/26
-modified: 2021/11/27
+date: 2019-07-26
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.006
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_ad_user_enumeration.yml b/rules/windows/builtin/security/win_security_ad_user_enumeration.yml
index 02d0d51d1b0..9345f98344f 100644
--- a/rules/windows/builtin/security/win_security_ad_user_enumeration.yml
+++ b/rules/windows/builtin/security/win_security_ad_user_enumeration.yml
@@ -8,8 +8,8 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
 author: Maxime Thiebaut (@0xThiebaut)
-date: 2020/03/30
-modified: 2022/11/08
+date: 2020-03-30
+modified: 2022-11-08
 tags:
 - attack.discovery
 - attack.t1087.002
diff --git a/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml b/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml
index 1a981c5ef16..0c0eebd08e5 100644
--- a/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml
+++ b/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml
@@ -5,11 +5,11 @@ description: Detects certificate creation with template allowing risk permission
 references:
 - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
 author: Orlinum , BlueDefenZer
-date: 2021/11/17
-modified: 2022/12/25
+date: 2021-11-17
+modified: 2022-12-25
 tags:
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml b/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml
index 145e665788e..5ed1de3cd44 100644
--- a/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml
+++ b/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml
@@ -5,11 +5,11 @@ description: Detects certificate creation with template allowing risk permission
 references:
 - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
 author: Orlinum , BlueDefenZer
-date: 2021/11/17
-modified: 2022/12/25
+date: 2021-11-17
+modified: 2022-12-25
 tags:
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_add_remove_computer.yml b/rules/windows/builtin/security/win_security_add_remove_computer.yml
index 26021daf2a0..41dce43e694 100644
--- a/rules/windows/builtin/security/win_security_add_remove_computer.yml
+++ b/rules/windows/builtin/security/win_security_add_remove_computer.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
 author: frack113
-date: 2022/10/14
+date: 2022-10-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1207
 logsource:
 service: security
diff --git a/rules/windows/builtin/security/win_security_admin_share_access.yml b/rules/windows/builtin/security/win_security_admin_share_access.yml
index 43c6b024a29..a9031cc89ba 100644
--- a/rules/windows/builtin/security/win_security_admin_share_access.yml
+++ b/rules/windows/builtin/security/win_security_admin_share_access.yml
@@ -5,10 +5,10 @@ description: Detects access to ADMIN$ network share
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140
 author: Florian Roth (Nextron Systems)
-date: 2017/03/04
-modified: 2024/01/16
+date: 2017-03-04
+modified: 2024-01-16
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml b/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml
index 208cfbfb4a4..1e3cb336565 100644
--- a/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml
@@ -5,8 +5,8 @@ description: Detects scenario where if a user is assigned the SeEnableDelegation
 references:
 - https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
-date: 2017/07/30
-modified: 2021/12/02
+date: 2017-07-30
+modified: 2021-12-02
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml b/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
index adadace58ad..fb9a78d5f0c 100644
--- a/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
@@ -7,8 +7,8 @@ references:
 - https://adsecurity.org/?p=3466
 - https://blog.harmj0y.net/redteaming/another-word-on-delegation/
 author: '@neu5ron'
-date: 2017/04/13
-modified: 2024/02/26
+date: 2017-04-13
+modified: 2024-02-26
 tags:
 - attack.t1098
 - attack.persistence
diff --git a/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml b/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml
index 98a8035d94e..1716d8ae95d 100644
--- a/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml
@@ -6,10 +6,10 @@ references:
 - https://adsecurity.org/?p=2053
 - https://blog.harmj0y.net/redteaming/another-word-on-delegation/
 author: '@neu5ron'
-date: 2017/07/30
-modified: 2021/11/27
+date: 2017-07-30
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_alert_ruler.yml b/rules/windows/builtin/security/win_security_alert_ruler.yml
index 3565ff5a1cd..3c3ce3c84ed 100644
--- a/rules/windows/builtin/security/win_security_alert_ruler.yml
+++ b/rules/windows/builtin/security/win_security_alert_ruler.yml
@@ -9,8 +9,8 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
 author: Florian Roth (Nextron Systems)
-date: 2017/05/31
-modified: 2022/10/09
+date: 2017-05-31
+modified: 2022-10-09
 tags:
 - attack.discovery
 - attack.execution
diff --git a/rules/windows/builtin/security/win_security_atsvc_task.yml b/rules/windows/builtin/security/win_security_atsvc_task.yml
index 42b2bf7d604..4aaa0440edc 100644
--- a/rules/windows/builtin/security/win_security_atsvc_task.yml
+++ b/rules/windows/builtin/security/win_security_atsvc_task.yml
@@ -5,10 +5,10 @@ description: Detects remote task creation via at.exe or API interacting with ATS
 references:
 - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2024/08/01
+date: 2019-04-03
+modified: 2024-08-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.persistence
 - car.2013-05-004
 - car.2015-04-001
diff --git a/rules/windows/builtin/security/win_security_audit_log_cleared.yml b/rules/windows/builtin/security/win_security_audit_log_cleared.yml
index 402d2394cdf..4847955f7c8 100644
--- a/rules/windows/builtin/security/win_security_audit_log_cleared.yml
+++ b/rules/windows/builtin/security/win_security_audit_log_cleared.yml
@@ -2,9 +2,9 @@ title: Security Eventlog Cleared
 id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
 related:
 - id: f2f01843-e7b8-4f95-a35a-d23584476423
- type: obsoletes
+ type: obsolete
 - id: a122ac13-daf8-4175-83a2-72c387be339d
- type: obsoletes
+ type: obsolete
 status: test
 description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
 references:
@@ -12,10 +12,10 @@ references:
 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
 author: Florian Roth (Nextron Systems)
-date: 2017/01/10
-modified: 2022/02/24
+date: 2017-01-10
+modified: 2022-02-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.001
 - car.2016-04-002
 logsource:
diff --git a/rules/windows/builtin/security/win_security_camera_microphone_access.yml b/rules/windows/builtin/security/win_security_camera_microphone_access.yml
index 735dd4dae68..cb774ef9415 100644
--- a/rules/windows/builtin/security/win_security_camera_microphone_access.yml
+++ b/rules/windows/builtin/security/win_security_camera_microphone_access.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/duzvik/status/1269671601852813320
 - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/07
-modified: 2021/11/27
+date: 2020-06-07
+modified: 2021-11-27
 tags:
 - attack.collection
 - attack.t1123
diff --git a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
index 51617ab1ac6..9efcab107bc 100644
--- a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
@@ -10,12 +10,12 @@ references:
 - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 author: Florian Roth (Nextron Systems), Wojciech Lesicki
-date: 2021/05/26
-modified: 2022/11/27
+date: 2021-05-26
+modified: 2022-11-27
 tags:
 - attack.execution
- - attack.privilege_escalation
- - attack.lateral_movement
+ - attack.privilege-escalation
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1543.003
 - attack.t1569.002
diff --git a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
index 8149598ef2e..3d6e2e99d70 100644
--- a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
@@ -7,10 +7,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281
 author: Thomas Patzke
-date: 2019/12/03
-modified: 2023/12/13
+date: 2019-12-03
+modified: 2023-12-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml
index c53e821f915..f00f6343cbb 100644
--- a/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml
@@ -7,10 +7,10 @@ references:
 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
 - https://twitter.com/_dirkjan/status/1309214379003588608
 author: OTR (Open Threat Research)
-date: 2018/11/28
-modified: 2022/08/11
+date: 2018-11-28
+modified: 2022-08-11
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml b/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml
index c04e22fc86b..a3e5886949b 100644
--- a/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml
+++ b/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml
@@ -5,10 +5,10 @@ description: Detects a threat actor creating a file named `iertutil.dll` in the
 references:
 - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
-date: 2020/10/12
-modified: 2022/11/26
+date: 2020-10-12
+modified: 2022-11-26
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1021.003
 logsource:
diff --git a/rules/windows/builtin/security/win_security_dcsync.yml b/rules/windows/builtin/security/win_security_dcsync.yml
index cffb472eaa3..2bff892a9f0 100644
--- a/rules/windows/builtin/security/win_security_dcsync.yml
+++ b/rules/windows/builtin/security/win_security_dcsync.yml
@@ -8,10 +8,10 @@ references:
 - https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
 author: Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu
-date: 2018/06/03
-modified: 2022/04/26
+date: 2018-06-03
+modified: 2022-04-26
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.s0002
 - attack.t1003.006
 logsource:
diff --git a/rules/windows/builtin/security/win_security_device_installation_blocked.yml b/rules/windows/builtin/security/win_security_device_installation_blocked.yml
index 67132d91b2f..843b8c433a1 100644
--- a/rules/windows/builtin/security/win_security_device_installation_blocked.yml
+++ b/rules/windows/builtin/security/win_security_device_installation_blocked.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
 author: frack113
-date: 2022/10/14
+date: 2022-10-14
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1200
 logsource:
 service: security
diff --git a/rules/windows/builtin/security/win_security_disable_event_auditing.yml b/rules/windows/builtin/security/win_security_disable_event_auditing.yml
index b24436b4637..037f2e5f49b 100644
--- a/rules/windows/builtin/security/win_security_disable_event_auditing.yml
+++ b/rules/windows/builtin/security/win_security_disable_event_auditing.yml
@@ -12,10 +12,10 @@ description: |
 references:
 - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
 author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'
-date: 2017/11/19
-modified: 2023/11/15
+date: 2017-11-19
+modified: 2023-11-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml b/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
index 9b12184d2c9..9c33fe35d8a 100644
--- a/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
+++ b/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
@@ -9,10 +9,10 @@ references:
 - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
 - https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/20
-modified: 2023/11/17
+date: 2023-06-20
+modified: 2023-11-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
index 8787ac6c4e8..5de777d3d31 100644
--- a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
+++ b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
@@ -17,10 +17,10 @@ references:
 - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
 - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/05
-modified: 2022/12/20
+date: 2020-06-05
+modified: 2022-12-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 - attack.t1562
 logsource:
diff --git a/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml
index 7589b9ba207..d63ac03c9d7 100644
--- a/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml
+++ b/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml
@@ -5,10 +5,10 @@ description: Detects tools extracting LSA secret DPAPI domain backup key from Do
 references:
 - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/06/20
-modified: 2022/02/24
+date: 2019-06-20
+modified: 2022-02-24
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml
index faf167c2f39..99e40eb3ced 100644
--- a/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml
@@ -5,10 +5,10 @@ description: Detects anyone attempting a backup for the DPAPI Master Key. This e
 references:
 - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-modified: 2023/03/15
+date: 2019-08-10
+modified: 2023-03-15
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_external_device.yml b/rules/windows/builtin/security/win_security_external_device.yml
index efb26ace039..b05dc01ab05 100644
--- a/rules/windows/builtin/security/win_security_external_device.yml
+++ b/rules/windows/builtin/security/win_security_external_device.yml
@@ -5,13 +5,13 @@ description: Detects external disk drives or plugged-in USB devices.
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416
 author: Keith Wright
-date: 2019/11/20
-modified: 2024/02/09
+date: 2019-11-20
+modified: 2024-02-09
 tags:
 - attack.t1091
 - attack.t1200
- - attack.lateral_movement
- - attack.initial_access
+ - attack.lateral-movement
+ - attack.initial-access
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
index 612b78bced6..799759ea8b4 100644
--- a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/menasec1/status/1106899890377052160
 - https://www.secureworks.com/blog/ransomware-as-a-distraction
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2024/08/01
+date: 2019-04-03
+modified: 2024-08-01
 tags:
 - attack.persistence
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1053.005
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_hidden_user_creation.yml b/rules/windows/builtin/security/win_security_hidden_user_creation.yml
index 227f3f32e08..27034718944 100644
--- a/rules/windows/builtin/security/win_security_hidden_user_creation.yml
+++ b/rules/windows/builtin/security/win_security_hidden_user_creation.yml
@@ -5,8 +5,8 @@ description: Detects the creation of a local hidden user account which should no
 references:
 - https://twitter.com/SBousseaden/status/1387743867663958021
 author: Christian Burkard (Nextron Systems)
-date: 2021/05/03
-modified: 2024/01/16
+date: 2021-05-03
+modified: 2024-01-16
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml b/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml
index 8acae880d5c..b05e65f769a 100644
--- a/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml
+++ b/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://github.com/netero1010/EDRSilencer
 author: Thodoris Polyzos (@SmoothDeploy)
-date: 2024/01/29
-modified: 2024/01/30
+date: 2024-01-29
+modified: 2024-01-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_hktl_nofilter.yml b/rules/windows/builtin/security/win_security_hktl_nofilter.yml
index 1e8bd099bad..b36699cc42c 100644
--- a/rules/windows/builtin/security/win_security_hktl_nofilter.yml
+++ b/rules/windows/builtin/security/win_security_hktl_nofilter.yml
@@ -9,9 +9,9 @@ references:
 - https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
 - https://x.com/_st0pp3r_/status/1742203752361128162?s=20
 author: Stamatis Chatzimangou (st0pp3r)
-date: 2024/01/05
+date: 2024-01-05
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1134
 - attack.t1134.001
 logsource:
diff --git a/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml
index b13d7677bc2..eec43ba867e 100644
--- a/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml
+++ b/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml
@@ -5,8 +5,8 @@ description: Rule to detect the Hybrid Connection Manager service installation.
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/04/12
-modified: 2022/10/09
+date: 2021-04-12
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1554
diff --git a/rules/windows/builtin/security/win_security_impacket_psexec.yml b/rules/windows/builtin/security/win_security_impacket_psexec.yml
index 2916fea761a..955c6cc3774 100644
--- a/rules/windows/builtin/security/win_security_impacket_psexec.yml
+++ b/rules/windows/builtin/security/win_security_impacket_psexec.yml
@@ -5,10 +5,10 @@ description: Detects execution of Impacket's psexec.py.
 references:
 - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
 author: Bhabesh Raj
-date: 2020/12/14
-modified: 2022/09/22
+date: 2020-12-14
+modified: 2022-09-22
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_impacket_secretdump.yml b/rules/windows/builtin/security/win_security_impacket_secretdump.yml
index 87bfc42cb64..c1f9be9e954 100644
--- a/rules/windows/builtin/security/win_security_impacket_secretdump.yml
+++ b/rules/windows/builtin/security/win_security_impacket_secretdump.yml
@@ -5,10 +5,10 @@ description: Detect AD credential dumping using impacket secretdump HKTL
 references:
 - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
 author: Samir Bousseaden, wagga
-date: 2019/04/03
-modified: 2022/08/11
+date: 2019-04-03
+modified: 2022-08-11
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.003
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml
index 2286217e906..46458e5de4e 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-modified: 2022/11/27
+date: 2020-10-13
+modified: 2022-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
index 6df46a8012f..9b525d71548 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
@@ -8,10 +8,10 @@ description: Detects all variations of obfuscated powershell IEX invocation code
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-date: 2019/11/08
-modified: 2022/11/27
+date: 2019-11-08
+modified: 2022-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
index 53a723781a8..4af12b8efe6 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2022/11/29
+date: 2020-10-15
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
index 98c8fd885fa..60440bf5fde 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2022/11/29
+date: 2020-10-15
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
index 9e563fe6bb2..ec98587c5e8 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
index 2a4d21b38da..c06c13a9ac2 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
index 5141c4d910d..9be90685610 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-modified: 2022/11/29
+date: 2020-10-12
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
index 25c235df63a..2458ab037f6 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
index 2353469ecd6..e9422f5bdc8 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
index 0b1742b9a14..fcbdcf8334e 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
index d9b7e017751..f1b060d275f 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-modified: 2022/11/29
+date: 2020-10-13
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_iso_mount.yml b/rules/windows/builtin/security/win_security_iso_mount.yml
index 488a5ebcf6d..cedb6c41813 100644
--- a/rules/windows/builtin/security/win_security_iso_mount.yml
+++ b/rules/windows/builtin/security/win_security_iso_mount.yml
@@ -8,10 +8,10 @@ references:
 - https://twitter.com/MsftSecIntel/status/1257324139515269121
 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
 author: Syed Hasan (@syedhasan009)
-date: 2021/05/29
-modified: 2023/11/09
+date: 2021-05-29
+modified: 2023-11-09
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_lm_namedpipe.yml b/rules/windows/builtin/security/win_security_lm_namedpipe.yml
index 373ba4c499f..e8bf899b0c3 100644
--- a/rules/windows/builtin/security/win_security_lm_namedpipe.yml
+++ b/rules/windows/builtin/security/win_security_lm_namedpipe.yml
@@ -5,10 +5,10 @@ description: This detection excludes known namped pipes accessible remotely and
 references:
 - https://twitter.com/menasec1/status/1104489274387451904
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2023/03/14
+date: 2019-04-03
+modified: 2023-03-14
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml b/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml
index 6902384e35c..8d2d48cb7c0 100644
--- a/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml
+++ b/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml
@@ -5,10 +5,10 @@ description: Detects potential mimikatz-like tools accessing LSASS from non syst
 references:
 - https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/06/20
-modified: 2023/12/11
+date: 2019-06-20
+modified: 2023-12-11
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml
index f5e9ec665e3..b582b697f91 100644
--- a/rules/windows/builtin/security/win_security_mal_creddumper.yml
+++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml
@@ -8,10 +8,10 @@ description: Detects well-known credential dumping tools execution via service e
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2017/03/05
-modified: 2022/11/29
+date: 2017-03-05
+modified: 2022-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.execution
 - attack.t1003.001
 - attack.t1003.002
diff --git a/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml b/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml
index 35be952048b..eafca054913 100644
--- a/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml
@@ -6,10 +6,10 @@ references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
-date: 2017/06/14
-modified: 2021/11/27
+date: 2017-06-14
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 - attack.s0005
 logsource:
diff --git a/rules/windows/builtin/security/win_security_metasploit_authentication.yml b/rules/windows/builtin/security/win_security_metasploit_authentication.yml
index 77fc9441327..856f7ab6c8c 100644
--- a/rules/windows/builtin/security/win_security_metasploit_authentication.yml
+++ b/rules/windows/builtin/security/win_security_metasploit_authentication.yml
@@ -5,10 +5,10 @@ description: Alerts on Metasploit host's authentications on the domain.
 references:
 - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
-date: 2020/05/06
-modified: 2024/01/25
+date: 2020-05-06
+modified: 2024-01-25
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
index ddb7ac87512..d7a490fa6ba 100644
--- a/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
+++ b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -8,10 +8,10 @@ description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec)
 references:
 - https://bczyz1.github.io/2021/01/30/psexec.html
 author: Bartlomiej Czyz, Relativity
-date: 2021/01/21
-modified: 2022/10/05
+date: 2021-01-21
+modified: 2022-10-05
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1570
 - attack.execution
diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
index 9b245807d51..6611647728a 100644
--- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
+++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -9,10 +9,10 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
-date: 2019/10/26
-modified: 2023/11/15
+date: 2019-10-26
+modified: 2023-11-15
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
index 47567df26b5..8f89ffb5c8e 100644
--- a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
@@ -8,10 +8,10 @@ description: Detects NetNTLM downgrade attack
 references:
 - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 author: Florian Roth (Nextron Systems), wagga
-date: 2018/03/20
-modified: 2022/10/09
+date: 2018-03-20
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 - attack.t1112
 # Windows Security Eventlog: Process Creation with Full Command Line
diff --git a/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml b/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml
index bb4ae39f9b4..5d72c067ad3 100755
--- a/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml
+++ b/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml
@@ -5,8 +5,8 @@ description: Detects unusual processes accessing desktop.ini remotely over netwo
 references:
 - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
 author: Tim Shelton (HAWK.IO)
-date: 2021/12/06
-modified: 2022/01/16
+date: 2021-12-06
+modified: 2022-01-16
 tags:
 - attack.persistence
 - attack.t1547.009
diff --git a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
index aea6eff2f1f..1b985f45202 100644
--- a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
+++ b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://twitter.com/SBousseaden/status/1387743867663958021
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-modified: 2024/01/16
+date: 2019-10-25
+modified: 2024-01-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml b/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml
index c7ff113fca3..ef4dbe90bf0 100644
--- a/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml
+++ b/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
 author: Pushkarev Dmitry
-date: 2020/06/27
-modified: 2021/11/27
+date: 2020-06-27
+modified: 2021-11-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml
index 637684bca04..012d086c180 100644
--- a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml
+++ b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml
@@ -6,7 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661
 - https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951
 author: Zach Mathis
-date: 2023/05/19
+date: 2023-05-19
 tags:
 - attack.discovery
 - attack.t1201
diff --git a/rules/windows/builtin/security/win_security_pcap_drivers.yml b/rules/windows/builtin/security/win_security_pcap_drivers.yml
index 3d0cd3caed6..b3af39b5645 100644
--- a/rules/windows/builtin/security/win_security_pcap_drivers.yml
+++ b/rules/windows/builtin/security/win_security_pcap_drivers.yml
@@ -5,11 +5,11 @@ description: Detects Windows Pcap driver installation based on a list of associa
 references:
 - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
 author: Cian Heasley
-date: 2020/06/10
-modified: 2023/04/14
+date: 2020-06-10
+modified: 2023-04-14
 tags:
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.t1040
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_petitpotam_network_share.yml b/rules/windows/builtin/security/win_security_petitpotam_network_share.yml
index 05372aa15e2..f40d555be23 100644
--- a/rules/windows/builtin/security/win_security_petitpotam_network_share.yml
+++ b/rules/windows/builtin/security/win_security_petitpotam_network_share.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/topotam/PetitPotam
 - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
 author: Mauricio Velazco, Michael Haag
-date: 2021/09/02
-modified: 2022/08/11
+date: 2021-09-02
+modified: 2022-08-11
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1187
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml
index ff7ff7288c2..82b42e1fc8d 100644
--- a/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml
+++ b/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml
@@ -12,10 +12,10 @@ references:
 - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
 - https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
 author: Mauricio Velazco, Michael Haag
-date: 2021/09/02
-modified: 2022/10/05
+date: 2021-09-02
+modified: 2022-10-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1187
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_possible_dc_shadow.yml b/rules/windows/builtin/security/win_security_possible_dc_shadow.yml
index 4e8e58d8440..fe739546f1e 100644
--- a/rules/windows/builtin/security/win_security_possible_dc_shadow.yml
+++ b/rules/windows/builtin/security/win_security_possible_dc_shadow.yml
@@ -10,10 +10,10 @@ references:
 - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
 - https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
 author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
-date: 2019/10/25
-modified: 2022/10/17
+date: 2019-10-25
+modified: 2022-10-17
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1207
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
index fd4ec339fd4..bd8261a759b 100644
--- a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
+++ b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
@@ -8,8 +8,8 @@ description: Detects powershell script installed as a Service
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2022/11/29
+date: 2020-10-06
+modified: 2022-11-29
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/security/win_security_protected_storage_service_access.yml b/rules/windows/builtin/security/win_security_protected_storage_service_access.yml
index 633f721e8d7..0a738aabd3a 100644
--- a/rules/windows/builtin/security/win_security_protected_storage_service_access.yml
+++ b/rules/windows/builtin/security/win_security_protected_storage_service_access.yml
@@ -5,10 +5,10 @@ description: Detects access to a protected_storage service over the network. Pot
 references:
 - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-modified: 2021/11/27
+date: 2019-08-10
+modified: 2021-11-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml
index 0b39686b59d..9e00ce5c946 100644
--- a/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/SBousseaden/status/1096148422984384514
 - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
 author: Samir Bousseaden
-date: 2019/02/16
-modified: 2022/09/02
+date: 2019-02-16
+modified: 2022-09-02
 tags:
- - attack.defense_evasion
- - attack.command_and_control
- - attack.lateral_movement
+ - attack.defense-evasion
+ - attack.command-and-control
+ - attack.lateral-movement
 - attack.t1090.001
 - attack.t1090.002
 - attack.t1021.001
diff --git a/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml
index fe018796a61..12b6abebf09 100644
--- a/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml
+++ b/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml
@@ -5,11 +5,11 @@ description: Detects potential use of Rubeus via registered new trusted logon pr
 references:
 - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
-date: 2019/10/24
-modified: 2022/10/09
+date: 2019-10-24
+modified: 2022-10-09
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.t1558.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml
index 4e74565af40..5c0f306c97b 100644
--- a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml
+++ b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml
@@ -9,11 +9,11 @@ references:
 - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
 author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
-date: 2023/09/28
+date: 2023-09-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.011
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_remote_powershell_session.yml b/rules/windows/builtin/security/win_security_remote_powershell_session.yml
index a3c06b2b154..00e84fcb322 100644
--- a/rules/windows/builtin/security/win_security_remote_powershell_session.yml
+++ b/rules/windows/builtin/security/win_security_remote_powershell_session.yml
@@ -5,8 +5,8 @@ description: Detects basic PowerShell Remoting (WinRM) by monitoring for network
 references:
 - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-modified: 2022/10/09
+date: 2019-09-12
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_replay_attack_detected.yml b/rules/windows/builtin/security/win_security_replay_attack_detected.yml
index 47d992d631a..79eef53d90b 100644
--- a/rules/windows/builtin/security/win_security_replay_attack_detected.yml
+++ b/rules/windows/builtin/security/win_security_replay_attack_detected.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649
 author: frack113
-date: 2022/10/14
+date: 2022-10-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558
 logsource:
 service: security
diff --git a/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml b/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml
index e0e039e56d6..b2b959289c3 100644
--- a/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml
+++ b/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml
@@ -5,12 +5,12 @@ description: Detects handles requested to SAM registry hive
 references:
 - https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/12
-modified: 2021/11/27
+date: 2019-08-12
+modified: 2021-11-27
 tags:
 - attack.discovery
 - attack.t1012
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml b/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml
index 32e1d3cce86..819798bf43b 100644
--- a/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml
+++ b/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml
@@ -5,8 +5,8 @@ description: Detects non-system users failing to get a handle of the SCM databas
 references:
 - https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/12
-modified: 2022/07/11
+date: 2019-08-12
+modified: 2022-07-11
 tags:
 - attack.discovery
 - attack.t1010
diff --git a/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
index 33caeee2092..4fe9c2da3f6 100644
--- a/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
+++ b/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
@@ -5,10 +5,10 @@ description: Detects non-system users performing privileged operation os the SCM
 references:
 - https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
-date: 2019/08/15
-modified: 2022/09/18
+date: 2019-08-15
+modified: 2022-09-18
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
index af624d7e78d..a67b53e1302 100644
--- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
+++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
@@ -8,8 +8,8 @@ description: Detects service installation of different remote access tools softw
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Connor Martin, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/23
-modified: 2023/11/15
+date: 2022-12-23
+modified: 2023-11-15
 tags:
 - attack.persistence
 - attack.t1543.003
diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
index e9b47576efe..6b7dcfc1cd8 100644
--- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
@@ -10,10 +10,10 @@ references:
 - https://www.x86matthew.com/view_post?id=create_svc_rpc
 - https://twitter.com/SBousseaden/status/1490608838701166596
 author: Tim Rauch (Nextron Systems), Elastic (idea)
-date: 2022/09/15
-modified: 2023/01/04
+date: 2022-09-15
+modified: 2023-01-04
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 service: security
diff --git a/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml b/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml
index 7dcc955bc0e..014709cebb2 100644
--- a/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml
+++ b/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
 - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
 author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
-date: 2020/08/06
-modified: 2021/11/27
+date: 2020-08-06
+modified: 2021-11-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml
index 089b5483d29..4f5388a2a84 100644
--- a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml
+++ b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml
@@ -5,8 +5,8 @@ description: Addition of domains is seldom and should be verified for legitimacy
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706
 author: Thomas Patzke
-date: 2019/12/03
-modified: 2024/01/16
+date: 2019-12-03
+modified: 2024-01-16
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/win_security_susp_add_sid_history.yml b/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
index 60d809e4426..9019ef076b7 100644
--- a/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
+++ b/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
@@ -5,10 +5,10 @@ description: An attacker can use the SID history attribute to gain additional pr
 references:
 - https://adsecurity.org/?p=1772
 author: Thomas Patzke, @atc_project (improvements)
-date: 2017/02/19
+date: 2017-02-19
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1134.005
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_computer_name.yml b/rules/windows/builtin/security/win_security_susp_computer_name.yml
index dd3ff20708c..70a0ecc6b20 100644
--- a/rules/windows/builtin/security/win_security_susp_computer_name.yml
+++ b/rules/windows/builtin/security/win_security_susp_computer_name.yml
@@ -7,13 +7,13 @@ references:
 - https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py
 - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
 author: elhoim
-date: 2022/09/09
-modified: 2023/01/04
+date: 2022-09-09
+modified: 2023-01-04
 tags:
- - cve.2021.42278
- - cve.2021.42287
+ - cve.2021-42278
+ - cve.2021-42287
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078
 logsource:
 service: security
diff --git a/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml b/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml
index 1ee5e8e68be..6875253228c 100644
--- a/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml
+++ b/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml
@@ -12,8 +12,8 @@ references:
 - https://adsecurity.org/?p=1714
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
 author: Thomas Patzke
-date: 2017/02/19
-modified: 2020/08/23
+date: 2017-02-19
+modified: 2020-08-23
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
index db443a59835..00a5c062d41 100644
--- a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
 - https://twitter.com/SBousseaden/status/1101431884540710913
 author: Florian Roth (Nextron Systems)
-date: 2017/02/19
-modified: 2022/06/29
+date: 2017-02-19
+modified: 2022-06-29
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml
index b82c1100f83..8f8e1307007 100644
--- a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml
+++ b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml
@@ -5,10 +5,10 @@ description: Detects failed Kerberos TGT issue operation. This can be a sign of
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
 author: Florian Roth (Nextron Systems)
-date: 2017/02/10
-modified: 2024/01/16
+date: 2017-02-10
+modified: 2024-01-16
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1212
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml b/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml
index e4fc27fb3d6..68e73db122f 100644
--- a/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml
+++ b/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml
@@ -7,11 +7,11 @@ references:
 - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
 - https://github.com/fox-it/LDAPFragger
 author: xknow @xknow_infosec
-date: 2019/03/24
-modified: 2022/10/05
+date: 2019-03-24
+modified: 2022-10-05
 tags:
 - attack.t1001.003
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml b/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml
index a94bacbefe8..51f5630e50c 100644
--- a/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml
+++ b/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml
@@ -5,8 +5,8 @@ description: Detects the creation of suspicious accounts similar to ANONYMOUS LO
 references:
 - https://twitter.com/SBousseaden/status/1189469425482829824
 author: James Pemberton / @4A616D6573
-date: 2019/10/31
-modified: 2022/10/09
+date: 2019-10-31
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml b/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
index a4ba750adb2..5e6a3c0dcfa 100644
--- a/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
+++ b/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
@@ -5,11 +5,11 @@ description: Detects suspicious processes logging on with explicit credentials
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton
-date: 2020/10/05
-modified: 2022/08/03
+date: 2020-10-05
+modified: 2022-08-03
 tags:
 - attack.t1078
- - attack.lateral_movement
+ - attack.lateral-movement
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump.yml
index c83f32e84c1..8591c8ad22d 100644
--- a/rules/windows/builtin/security/win_security_susp_lsass_dump.yml
+++ b/rules/windows/builtin/security/win_security_susp_lsass_dump.yml
@@ -5,10 +5,10 @@ description: Detects process handle on LSASS process with certain access mask an
 references:
 - https://twitter.com/jackcr/status/807385668833968128
 author: sigma
-date: 2017/02/12
-modified: 2022/10/09
+date: 2017-02-12
+modified: 2022-10-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
index f7d6edc4a9b..d612b07cbba 100644
--- a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
@@ -6,10 +6,10 @@ references:
 - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
-date: 2019/11/01
-modified: 2023/12/19
+date: 2019-11-01
+modified: 2023-12-19
 tags:
- - attack.credential_access
+ - attack.credential-access
 - car.2019-04-004
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml b/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml
index 76d15c0f741..019d428a534 100644
--- a/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml
@@ -5,8 +5,8 @@ description: Detects activity as "net user administrator /domain" and "net group
 references:
 - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
-date: 2017/03/07
-modified: 2022/08/22
+date: 2017-03-07
+modified: 2022-08-22
 tags:
 - attack.discovery
 - attack.t1087.002
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
index a5e567bac8a..721a836380c 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
@@ -5,9 +5,9 @@ description: Detects the extraction of password protected ZIP archives. See the
 references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
 author: Florian Roth (Nextron Systems)
-date: 2022/05/09
+date: 2022-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
index 7695bc707df..03c9c7ef69e 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
@@ -5,10 +5,10 @@ description: Detects the extraction of password protected ZIP archives with susp
 references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
 author: Florian Roth (Nextron Systems)
-date: 2022/05/09
+date: 2022-05-09
 tags:
- - attack.command_and_control
- - attack.defense_evasion
+ - attack.command-and-control
+ - attack.defense-evasion
 - attack.t1027
 - attack.t1105
 - attack.t1036
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
index a56d17fbee7..e6b90b3f541 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
@@ -5,10 +5,10 @@ description: Detects the extraction of password protected ZIP archives. See the
 references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
 author: Florian Roth (Nextron Systems)
-date: 2022/05/09
+date: 2022-05-09
 tags:
- - attack.defense_evasion
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.initial-access
 - attack.t1027
 - attack.t1566.001
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
index 86e24c91880..b3f6f6f01d8 100644
--- a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
@@ -9,10 +9,10 @@ description: |
 references:
 - https://github.com/GhostPack/Rubeus
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/24
-modified: 2024/03/15
+date: 2019-10-24
+modified: 2024-03-15
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1558.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
index e53c65d65c9..fe014d71341 100644
--- a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
+++ b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
@@ -7,9 +7,9 @@ references:
 - https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
 - https://twitter.com/SBousseaden/status/1581300963650187264?
 author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
-date: 2022/10/17
+date: 2022-10-17
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1556
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_psexec.yml b/rules/windows/builtin/security/win_security_susp_psexec.yml
index a2ccfd7ae2e..30a0a7717e4 100644
--- a/rules/windows/builtin/security/win_security_susp_psexec.yml
+++ b/rules/windows/builtin/security/win_security_susp_psexec.yml
@@ -5,10 +5,10 @@ description: detects execution of psexec or paexec with renamed service name, th
 references:
 - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2022/08/11
+date: 2019-04-03
+modified: 2022-08-11
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml
index 4d1fad92a16..c5df4fceba7 100644
--- a/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml
+++ b/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml
@@ -8,8 +8,8 @@ description: Detects known sensitive file extensions accessed on a network share
 references:
 - Internal Research
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2022/10/09
+date: 2019-04-03
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1039
diff --git a/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml b/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml
index edac915ee6d..c9f7b1201d6 100644
--- a/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml
@@ -6,10 +6,10 @@ references:
 - https://adsecurity.org/?p=3458
 - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
 author: Florian Roth (Nextron Systems)
-date: 2017/02/06
-modified: 2022/06/19
+date: 2017-02-06
+modified: 2022-06-19
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
index 74a1d121b32..e9baa258663 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
@@ -5,11 +5,11 @@ description: Detects suspicious scheduled task creation events. Based on attribu
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/05
-modified: 2022/12/07
+date: 2022-12-05
+modified: 2022-12-07
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
index ef2b2741681..852c3c3561d 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
@@ -13,11 +13,11 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/05
-modified: 2023/03/13
+date: 2022-12-05
+modified: 2023-03-13
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
index f4bfb19da79..7c02f0e1298 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
@@ -8,10 +8,10 @@ description: Detects update to a scheduled task event that contain suspicious ke
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/05
+date: 2022-12-05
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_sdelete.yml b/rules/windows/builtin/security/win_security_susp_sdelete.yml
index 59e7648d973..4700f531631 100644
--- a/rules/windows/builtin/security/win_security_susp_sdelete.yml
+++ b/rules/windows/builtin/security/win_security_susp_sdelete.yml
@@ -7,11 +7,11 @@ references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
 author: Thomas Patzke
-date: 2017/06/14
-modified: 2021/11/27
+date: 2017-06-14
+modified: 2021-11-27
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 - attack.t1027.005
 - attack.t1485
diff --git a/rules/windows/builtin/security/win_security_susp_time_modification.yml b/rules/windows/builtin/security/win_security_susp_time_modification.yml
index aad7c7ab9d6..c166fde2d42 100644
--- a/rules/windows/builtin/security/win_security_susp_time_modification.yml
+++ b/rules/windows/builtin/security/win_security_susp_time_modification.yml
@@ -7,10 +7,10 @@ references:
 - Live environment caused by malware
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
 author: '@neu5ron'
-date: 2019/02/05
-modified: 2022/08/03
+date: 2019-02-05
+modified: 2022-08-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.006
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_svcctl_remote_service.yml b/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
index 7b980ffe534..218d5801568 100644
--- a/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
+++ b/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
@@ -5,10 +5,10 @@ description: Detects remote service activity via remote access to the svcctl nam
 references:
 - https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2024/08/01
+date: 2019-04-03
+modified: 2024-08-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.persistence
 - attack.t1021.002
 logsource:
diff --git a/rules/windows/builtin/security/win_security_syskey_registry_access.yml b/rules/windows/builtin/security/win_security_syskey_registry_access.yml
index d8f4129d4d7..470e9e0837d 100644
--- a/rules/windows/builtin/security/win_security_syskey_registry_access.yml
+++ b/rules/windows/builtin/security/win_security_syskey_registry_access.yml
@@ -5,8 +5,8 @@ description: Detects handle requests and access operations to specific registry
 references:
 - https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/12
-modified: 2021/11/27
+date: 2019-08-12
+modified: 2021-11-27
 tags:
 - attack.discovery
 - attack.t1012
diff --git a/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
index b47d83f3fdf..a1b3ecb9765 100644
--- a/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
+++ b/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
@@ -8,10 +8,10 @@ references:
 - https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
 - https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/07/14
-modified: 2022/10/05
+date: 2020-07-14
+modified: 2022-10-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_tap_driver_installation.yml b/rules/windows/builtin/security/win_security_tap_driver_installation.yml
index ff65a76a6c1..8fcc028fd86 100644
--- a/rules/windows/builtin/security/win_security_tap_driver_installation.yml
+++ b/rules/windows/builtin/security/win_security_tap_driver_installation.yml
@@ -9,8 +9,8 @@ description: |
 references:
 - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-date: 2019/10/24
-modified: 2022/11/29
+date: 2019-10-24
+modified: 2022-11-29
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml b/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml
index e4f35cbe9a6..5fda47dedc8 100644
--- a/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml
+++ b/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml
@@ -6,9 +6,9 @@ references:
 - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
 - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
 author: '@SerkinValery'
-date: 2022/09/16
+date: 2022-09-16
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml b/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml
index 764c26f347c..a29d47668c6 100644
--- a/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml
+++ b/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml
@@ -8,10 +8,10 @@ description: Transferring files with well-known filenames (sensitive files with
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2021/11/30
+date: 2019-10-22
+modified: 2021-11-30
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 - attack.t1003.001
 - attack.t1003.003
diff --git a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
index b0a7a7c6e9d..d570c0c0345 100644
--- a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
 - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
 author: Florian Roth (Nextron Systems)
-date: 2017/03/14
-modified: 2021/01/17
+date: 2017-03-14
+modified: 2021-01-17
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
index f94c8925333..922817af3b7 100644
--- a/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
+++ b/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
@@ -5,11 +5,11 @@ description: The 'LsaRegisterLogonProcess' function verifies that the applicatio
 references:
 - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
-date: 2019/10/24
-modified: 2022/12/25
+date: 2019-10-24
+modified: 2022-12-25
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.t1558.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_user_creation.yml b/rules/windows/builtin/security/win_security_user_creation.yml
index 78d7ba34d5e..9e88f7cc078 100644
--- a/rules/windows/builtin/security/win_security_user_creation.yml
+++ b/rules/windows/builtin/security/win_security_user_creation.yml
@@ -6,8 +6,8 @@ description: |
 references:
 - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
 author: Patrick Bareiss
-date: 2019/04/18
-modified: 2021/01/17
+date: 2019-04-18
+modified: 2021-01-17
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
index 4da100b23b5..b136b45deac 100644
--- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml
+++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
@@ -11,10 +11,10 @@ references:
 - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
-date: 2019/04/08
-modified: 2023/01/20
+date: 2019-04-08
+modified: 2023-01-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_user_logoff.yml b/rules/windows/builtin/security/win_security_user_logoff.yml
index 26b2506d593..d4a82efaa74 100644
--- a/rules/windows/builtin/security/win_security_user_logoff.yml
+++ b/rules/windows/builtin/security/win_security_user_logoff.yml
@@ -7,7 +7,7 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647
 author: frack113
-date: 2022/10/14
+date: 2022-10-14
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml b/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml
index aa7ac6d0922..0782981c61e 100644
--- a/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml
+++ b/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml
@@ -5,10 +5,10 @@ description: Detects the registration of the security event source VSSAudit. It
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
-date: 2020/10/20
-modified: 2022/04/28
+date: 2020-10-20
+modified: 2022-04-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
index 7d4de724c2e..0ab0d4de076 100644
--- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
+++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
@@ -11,10 +11,10 @@ description: |
references:
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
author: '@BarryShooshooga'
-date: 2019/10/26
-modified: 2023/11/11
+date: 2019-10-26
+modified: 2023-11-11
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562.001
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
index b7dfbafedf0..b6f0cf9e63e 100644
--- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
+++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
@@ -11,10 +11,10 @@ description: |
references:
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)'
-date: 2019/10/26
-modified: 2023/11/11
+date: 2019-10-26
+modified: 2023-11-11
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562.001
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml
index b207c81b499..8eb1730c244 100644
--- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml
+++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml
@@ -11,10 +11,10 @@ description: |
references:
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
author: '@BarryShooshooga'
-date: 2019/10/26
-modified: 2023/11/11
+date: 2019-10-26
+modified: 2023-11-11
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562.001
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml
index 6b22aa5111a..f62732b0e9e 100644
--- a/rules/windows/builtin/security/win_security_wmi_persistence.yml
+++ b/rules/windows/builtin/security/win_security_wmi_persistence.yml
@@ -9,11 +9,11 @@ references:
- https://twitter.com/mattifestation/status/899646620148539397
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
-date: 2017/08/22
-modified: 2022/11/29
+date: 2017-08-22
+modified: 2022-11-29
tags:
- attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1546.003
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml
index f5513f12eb7..b7adcd807b7 100644
--- a/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml
@@ -5,12 +5,12 @@ description: Detects a threat actor creating a file named `wbemcomn.dll` in the
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
-date: 2020/10/12
-modified: 2022/02/24
+date: 2020-10-12
+modified: 2022-02-24
tags:
- attack.execution
- attack.t1047
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_security_workstation_was_locked.yml b/rules/windows/builtin/security/win_security_workstation_was_locked.yml
index 228c87f6808..0c3c3f7f02f 100644
--- a/rules/windows/builtin/security/win_security_workstation_was_locked.yml
+++ b/rules/windows/builtin/security/win_security_workstation_was_locked.yml
@@ -8,8 +8,8 @@ references:
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
author: Alexandr Yampolskyi, SOC Prime
-date: 2019/03/26
-modified: 2023/12/11
+date: 2019-03-26
+modified: 2023-12-11
tags:
- attack.impact
# - CSC16
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
index 7c6db1228e3..cd7efac763a 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
@@ -5,10 +5,10 @@ description: Detects Code Integrity (CI) engine blocking Microsoft Defender's pr
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
-date: 2022/08/02
-modified: 2022/09/28
+date: 2022-08-02
+modified: 2022-09-28
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1574.002
logsource:
product: windows
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
index 3a898b6c972..91d4c259068 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
@@ -5,10 +5,10 @@ description: Detects Code Integrity (CI) engine blocking processes from loading
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/03
-modified: 2022/09/28
+date: 2022-08-03
+modified: 2022-09-28
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1574.002
logsource:
product: windows
diff --git a/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
index b230cae6fd4..db01cceebd6 100644
--- a/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
+++ b/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
@@ -5,14 +5,14 @@ description: Rule to detect the Hybrid Connection Manager service running on an
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/04/12
-modified: 2022/10/09
+date: 2021-04-12
+modified: 2024-08-05
tags:
- attack.persistence
- attack.t1554
logsource:
product: windows
- service: microsoft-servicebus-client
+ service: microsoft-servicebus-client # Change to servicebus-client once validators are up to date
detection:
selection:
EventID:
diff --git a/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
index c91228aeba2..300e42fa672 100644
--- a/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
+++ b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
@@ -5,7 +5,7 @@ description: Detects suspicious application installed by looking at the added sh
references:
- https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
+date: 2022-08-14
tags:
- attack.execution
logsource:
diff --git a/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml b/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml
index 7405115fe32..45318997bd6 100644
--- a/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml
+++ b/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml
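Review bot: The trailing comment added to `service: microsoft-servicebus-client` records a rename that is deliberately deferred, but it is not greppable as a TODO and names neither the validator nor an issue that would unblock it, so it is likely to outlive the condition it describes. I would write it as `service: microsoft-servicebus-client # TODO: rename to servicebus-client once the sigmahq validators accept the new name` and, if there is a tracking issue, reference it, so that a later sweep for deferred migrations finds this rule. Separately, `modified` is bumped to `2024-08-05` for a change that alters only a comment; if consumers use `modified` to decide which rules to re-deploy (presumably the convention, but not visible here), a comment-only edit is noise, and the bump could be dropped. Keeping the old service name does preserve whatever backend mapping exists for `microsoft-servicebus-client`, which is presumably the reason for deferring the rename.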
@@ -7,10 +7,10 @@ references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w
-date: 2021/06/30
-modified: 2023/01/02
+date: 2021-06-30
+modified: 2023-01-02
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1110.001
logsource:
product: windows
diff --git a/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml b/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml
index 65e23658907..b3e83bfc551 100644
--- a/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml
+++ b/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml
@@ -5,10 +5,10 @@ description: Detects application popup reporting a failure of the Sysmon service
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36
author: Tim Shelton
-date: 2022/04/26
-modified: 2024/01/17
+date: 2022-04-26
+modified: 2024-01-17
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562
logsource:
product: windows
diff --git a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
index 9d36b3efb70..d5e0fa9099e 100644
--- a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
+++ b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
@@ -5,11 +5,11 @@ description: Detects the reporting of NTLMv1 being used between a client and ser
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/04/26
-modified: 2023/06/06
+date: 2022-04-26
+modified: 2023-06-06
tags:
- - attack.defense_evasion
- - attack.lateral_movement
+ - attack.defense-evasion
+ - attack.lateral-movement
- attack.t1550.002
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
index cbf709c134e..eebe651bf39 100644
--- a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
+++ b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
@@ -8,9 +8,9 @@ references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
author: '@SerkinValery'
-date: 2024/03/07
+date: 2024-03-07
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1553.004
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
index 8d519b33e29..e0f83b4a23b 100644
--- a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
+++ b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
@@ -7,10 +7,10 @@ references:
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
-date: 2017/05/15
-modified: 2022/12/25
+date: 2017-05-15
+modified: 2022-12-25
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1574.002
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
index 13ac06e4174..6477e14caad 100644
--- a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
@@ -7,10 +7,10 @@ references:
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: 'Dimitrios Slamaris, @atc_project (fix)'
-date: 2017/05/15
-modified: 2022/12/25
+date: 2017-05-15
+modified: 2022-12-25
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1574.002
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml b/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml
index 4242b3e893d..b66746f39f0 100644
--- a/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml
+++ b/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml
@@ -11,10 +11,10 @@ description: |
references:
- https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
author: frack113
-date: 2021/12/15
-modified: 2023/04/14
+date: 2021-12-15
+modified: 2023-04-14
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1558.003
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
index 2d0c1e5f30a..63dddc65fe5 100644
--- a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
+++ b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
@@ -5,8 +5,8 @@ description: Detects the invocation of TabTip via CLSID as seen when JuicyPotato
references:
- https://github.com/antonioCoco/JuicyPotatoNG
author: Florian Roth (Nextron Systems)
-date: 2022/10/07
-modified: 2023/04/14
+date: 2022-10-07
+modified: 2023-04-14
tags:
- attack.execution
- attack.t1557.001
diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
index d3e99b675c1..961484a1149 100644
--- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
@@ -2,7 +2,7 @@ title: Eventlog Cleared
id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
related:
- id: f2f01843-e7b8-4f95-a35a-d23584476423
- type: obsoletes
+ type: obsolete
- id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
type: derived
- id: 100ef69e-3327-481c-8e5c-6d80d9507556
@@ -13,10 +13,10 @@ references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems)
-date: 2017/01/10
-modified: 2023/11/15
+date: 2017-01-10
+modified: 2023-11-15
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1070.001
- car.2016-04-002
logsource:
diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
index b0ebfd71703..a52cbbdbb98 100644
--- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
@@ -9,10 +9,10 @@ references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/17
-modified: 2023/11/15
+date: 2022-05-17
+modified: 2023-11-15
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1070.001
- car.2016-04-002
logsource:
diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml
index f1621267096..dcc6b71cd3b 100644
--- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml
+++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml
@@ -8,9 +8,9 @@ description: |
references:
- https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
author: '@br4dy5'
-date: 2023/10/09
+date: 2023-10-09
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml
index 9b075ce61ee..9fd6f5b50e9 100644
--- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml
+++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml
@@ -5,9 +5,9 @@ description: Detects the exploitation of a security bypass and elevation of priv
references:
- https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
author: Florian Roth (Nextron Systems)
-date: 2022/11/09
+date: 2022-11-09
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml
index 1d567589f0f..e87cd0f4fed 100644
--- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml
+++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml
@@ -8,9 +8,9 @@ references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
author: '@SerkinValery'
-date: 2024/03/07
+date: 2024-03-07
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1558.003
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml
index b102505ba2b..2f639342d68 100644
--- a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml
@@ -2,7 +2,7 @@ title: Critical Hive In Suspicious Location Access Bits Cleared
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
related:
- id: 839dd1e8-eda8-4834-8145-01beeee33acd
- type: obsoletes
+ type: obsolete
status: test
description: |
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.
@@ -11,10 +11,10 @@ description: |
references:
- https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
author: Florian Roth (Nextron Systems)
-date: 2017/05/15
-modified: 2024/01/18
+date: 2017-05-15
+modified: 2024-01-18
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1003.002
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml b/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml
index 4b19beb712f..f32b7aa939c 100644
--- a/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml
+++ b/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml
@@ -5,10 +5,10 @@ description: Detects volume shadow copy mount via Windows event log
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
-date: 2020/10/20
-modified: 2022/12/25
+date: 2020-10-20
+modified: 2022-12-25
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1003.002
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
index 770c1aaf58b..04fbf91e3eb 100644
--- a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
+++ b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
@@ -5,8 +5,8 @@ description: During exploitation of this vulnerability, two logs (Provider_Name:
references:
- https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
author: Cybex
-date: 2022/08/16
-modified: 2023/05/02
+date: 2022-08-16
+modified: 2023-05-02
tags:
- attack.execution
logsource:
diff --git a/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml b/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml
index eab993b0d42..1df102e8e9a 100644
--- a/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml
+++ b/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml
@@ -6,11 +6,11 @@ description: |
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
author: frack113
-date: 2021/12/04
-modified: 2023/09/07
+date: 2021-12-04
+modified: 2023-09-07
tags:
- attack.impact
- - attack.resource_development
+ - attack.resource-development
- attack.t1584
logsource:
product: windows
diff --git a/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
index 6896cf4c050..78beaf65e84 100644
--- a/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
+++ b/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
@@ -6,11 +6,11 @@ references:
- https://www.secura.com/blog/zero-logon
- https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
-date: 2020/10/13
-modified: 2021/05/30
+date: 2020-10-13
+modified: 2021-05-30
tags:
- attack.t1210
- - attack.lateral_movement
+ - attack.lateral-movement
logsource:
service: system
product: windows
diff --git a/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml b/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
index e7863d86186..95c8eaecffd 100644
--- a/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
+++ b/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
@@ -5,10 +5,10 @@ description: Detects that a vulnerable Netlogon secure channel connection was al
references:
- https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
author: NVISO
-date: 2020/09/15
-modified: 2022/12/25
+date: 2020-09-15
+modified: 2022-12-25
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1548
logsource:
product: windows
diff --git a/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml b/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml
index de52eb1c457..d4e12c42404 100644
--- a/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml
+++ b/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml
@@ -7,8 +7,8 @@ references:
- https://twitter.com/wdormann/status/1347958161609809921
- https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
author: Florian Roth (Nextron Systems)
-date: 2021/01/11
-modified: 2022/12/25
+date: 2021-01-11
+modified: 2022-12-25
tags:
- attack.impact
- attack.t1499.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml b/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
index 6caf3310780..cfc58dc46bc 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
@@ -7,12 +7,12 @@ references:
- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
-date: 2021/05/26
-modified: 2022/11/27
+date: 2021-05-26
+modified: 2022-11-27
tags:
- attack.execution
- - attack.privilege_escalation
- - attack.lateral_movement
+ - attack.privilege-escalation
+ - attack.lateral-movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
index 070b17a6f6a..411f95eabf6 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
@@ -9,10 +9,10 @@ references:
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Ján Trenčanský, frack113
-date: 2020/07/28
-modified: 2024/07/02
+date: 2020-07-28
+modified: 2024-07-02
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562.001
logsource:
product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml
index 8a39f3357dd..b3f06d2b3e8 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml
@@ -7,10 +7,10 @@ references:
- https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
- https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name
author: Omer Faruk Celik
-date: 2018/03/20
-modified: 2023/11/09
+date: 2018-03-20
+modified: 2023-11-09
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.execution
- attack.t1021.002
- attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
index 59e71979882..39b32fed475 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-modified: 2023/02/20
+date: 2020-10-13
+modified: 2023-02-20
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
index a5705e02761..e8027d7cc5b 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
@@ -5,10 +5,10 @@ description: Detects all variations of obfuscated powershell IEX invocation code
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-date: 2019/11/08
-modified: 2022/11/27
+date: 2019-11-08
+modified: 2022-11-27
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1027
logsource:
product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
index cb8ed0b06ed..54dcd16fe50 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2022/11/29
+date: 2020-10-15
+modified: 2022-11-29
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
index 9093a4cd75c..e93da25ac9f 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2022/11/29
+date: 2020-10-15
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml
index 0ec20cf6bc5..62c23a05d13 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
index 0ba877ee09b..840afa85b0b 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
index ddefd3987c7..2c8f22e3067 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-modified: 2022/11/29
+date: 2020-10-12
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
index d56f13de0ac..d765a34e303 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
index 61226ef7134..3c651c983eb 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
index f5563464727..0cc6d9f9005 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
index a4079482785..36f4c36ec37 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-modified: 2022/11/29
+date: 2020-10-13
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml b/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
index f0034102c6b..b19f342ab5e 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
@@ -5,10 +5,10 @@ description: Detects service creation from KrbRelayUp tool used for privilege es
 references:
 - https://github.com/Dec0ne/KrbRelayUp
 author: Sittikorn S, Tim Shelton
-date: 2022/05/11
-modified: 2022/10/05
+date: 2022-05-11
+modified: 2022-10-05
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml b/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
index 1d7d7ac4666..a99218ab336 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
@@ -5,10 +5,10 @@ description: Detects well-known credential dumping tools execution via service e
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2017/03/05
-modified: 2022/11/29
+date: 2017-03-05
+modified: 2022-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.execution
 - attack.t1003.001
 - attack.t1003.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 265d3dd5e8e..6292f812565 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -6,10 +6,10 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
-date: 2019/10/26
-modified: 2023/11/15
+date: 2019-10-26
+modified: 2023-11-15
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml b/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml
index 27d3ba47b7b..308b986d08a 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml
@@ -5,11 +5,11 @@ description: Detects the use of Moriya rootkit as described in the securelist's
 references:
 - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
 author: Bhabesh Raj
-date: 2021/05/06
-modified: 2022/11/29
+date: 2021-05-06
+modified: 2022-11-29
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml b/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml
index be4085f9c6b..6a3cafcb1d8 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml
@@ -5,8 +5,8 @@ description: Detects powershell script installed as a Service
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2022/12/25
+date: 2020-10-06
+modified: 2022-12-25
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml
index 4d537201809..b791bb29a23 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml
@@ -5,7 +5,7 @@ description: Detects the installation of the anydesk software service. Which cou
 references:
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/11
+date: 2022-08-11
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
index baf83193713..45df915de3d 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
@@ -5,7 +5,7 @@ description: Detects CSExec service installation and execution events
 references:
 - https://github.com/malcomvetter/CSExec
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/07
+date: 2023-08-07
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
index 37789edc510..03db913f664 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
@@ -5,8 +5,8 @@ description: Detects installation or execution of services
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2022/03/21
-modified: 2023/08/07
+date: 2022-03-21
+modified: 2023-08-07
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml
index b776def8618..e3e0c2f2bc8 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml
@@ -5,9 +5,9 @@ description: Detects a Mesh Agent service installation. Mesh Agent is used to re
 references:
 - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/28
+date: 2022-11-28
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml
index 6195191592d..a2b8196102a 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml
@@ -5,7 +5,7 @@ description: Detects NetSupport Manager service installation on the target syste
 references:
 - http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/31
+date: 2022-10-31
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml
index e8af235b938..16fb2a3d9b2 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml
@@ -5,7 +5,7 @@ description: Detects PAExec service installation
 references:
 - https://www.poweradmin.com/paexec/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/26
+date: 2022-10-26
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
index 235d7bbf743..0297275ba7f 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/22
+date: 2022-07-22
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
index e0fc962c66d..e73fdcdd425 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/22
+date: 2022-07-22
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
index 9abe07d8029..ca7f6c3bef3 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
@@ -5,11 +5,11 @@ description: Detects a ProcessHacker tool that elevated privileges to a very hig
 references:
 - https://twitter.com/1kwpeter/status/1397816101455765504
 author: Florian Roth (Nextron Systems)
-date: 2021/05/27
-modified: 2022/12/25
+date: 2021-05-27
+modified: 2022-12-25
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1569.002
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
index 0cafdc5b2fc..9a9e3ff2026 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
@@ -5,7 +5,7 @@ description: Detects RemCom service installation and execution events
 references:
 - https://github.com/kavika13/RemCom/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/07
+date: 2023-08-07
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
index 547e49c51d6..5870fe312cb 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
@@ -8,8 +8,8 @@ description: Detects service installation of different remote access tools softw
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Connor Martin, Nasreddine Bencherchali
-date: 2022/12/23
-modified: 2023/06/22
+date: 2022-12-23
+modified: 2023-06-22
 tags:
 - attack.persistence
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml
index 5df7a75d6c2..23b45d5b055 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml
@@ -5,7 +5,7 @@ description: Detects Remote Utilities Host service installation on the target sy
 references:
 - https://www.remoteutilities.com/support/kb/host-service-won-t-start/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/31
+date: 2022-10-31
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
index 3ed1e197191..cfbdb8c8401 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
 - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/25
+date: 2022-08-25
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1569.002
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
index f1f6aa13642..ad3fc9e5082 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
@@ -8,10 +8,10 @@ description: Detects a service installed by a client which has PID 0 or whose pa
 references:
 - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
 author: Tim Rauch (Nextron Systems), Elastic (idea)
-date: 2022/09/15
-modified: 2023/01/04
+date: 2022-09-15
+modified: 2023-01-04
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml
index a945fed5ca1..c9304235a5b 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml
@@ -2,7 +2,7 @@ title: Suspicious Service Installation
 id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
 related:
 - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
- type: obsoletes
+ type: obsolete
 - id: 26481afe-db26-4228-b264-25a29fe6efc7
 type: similar
 status: test
@@ -10,11 +10,11 @@ description: Detects suspicious service installation commands
 references:
 - Internal Research
 author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/03/18
-modified: 2023/12/04
+date: 2022-03-18
+modified: 2023-12-04
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - car.2013-09-005
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
index bcd9b1bbcce..2b2493f8242 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
@@ -6,8 +6,8 @@ references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
-date: 2017/06/12
-modified: 2023/08/04
+date: 2017-06-12
+modified: 2023-08-04
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml
index bb2a9e3e19a..246883fb086 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml
@@ -5,9 +5,9 @@ description: Detects a TacticalRMM service installation. Tactical RMM is a remot
 references:
 - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/28
+date: 2022-11-28
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml
index 940b6985013..8f382c76d1c 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml
@@ -5,8 +5,8 @@ description: Well-known TAP software installation. Possible preparation for data
 references:
 - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-date: 2019/10/24
-modified: 2022/12/25
+date: 2019-10-24
+modified: 2022-12-25
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml
index c2a70bee3f9..70611e84677 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml
@@ -2,7 +2,7 @@ title: Uncommon Service Installation Image Path
 id: 26481afe-db26-4228-b264-25a29fe6efc7
 related:
 - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
- type: obsoletes
+ type: obsolete
 - id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
 type: derived
 status: test
@@ -11,11 +11,11 @@ description: |
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2022/03/18
-modified: 2024/02/09
+date: 2022-03-18
+modified: 2024-02-09
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - car.2013-09-005
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
index 6eb9322bdbc..6115cacc49f 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
@@ -8,9 +8,9 @@ description: Detects Windows services that got terminated for whatever reason
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/14
+date: 2023-04-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
index d3886e2626e..3eb452ea3d4 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
@@ -8,9 +8,9 @@ description: Detects important or interesting Windows services that got terminat
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/14
+date: 2023-04-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
index 24ffbd18c3c..e44829b323f 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
@@ -5,9 +5,9 @@ description: Detects important or interesting Windows services that got terminat
 references:
 - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/14
+date: 2023-04-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml
index 43297d00e09..8296b40e6ef 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml
@@ -5,7 +5,7 @@ description: Detects the installation of RTCore service. Which could be an indic
 references:
 - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/30
+date: 2022-08-30
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml
index 1300592fcac..7ff5299df05 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml
@@ -5,11 +5,11 @@ description: Detects service installation in suspicious folder appdata
 author: pH-T (Nextron Systems)
 references:
 - Internal Research
-date: 2022/03/18
-modified: 2024/01/18
+date: 2022-03-18
+modified: 2024-01-18
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - car.2013-09-005
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml
index 9f2a7684286..c4683863067 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml
@@ -5,11 +5,11 @@ description: Detects service installation with suspicious folder patterns
 references:
 - Internal Research
 author: pH-T (Nextron Systems)
-date: 2022/03/18
-modified: 2022/03/24
+date: 2022-03-18
+modified: 2022-03-24
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - car.2013-09-005
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
index 9ece1ae07c0..e859d107073 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
@@ -5,11 +5,11 @@ description: Detects suspicious service installation scripts
 references:
     - Internal Research
 author: pH-T (Nextron Systems)
-date: 2022/03/18
-modified: 2024/03/05
+date: 2022-03-18
+modified: 2024-03-05
 tags:
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - car.2013-09-005
     - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml b/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml
index a0aa3002fd9..4abbd93921c 100644
--- a/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml
+++ b/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/zerosum0x0/CVE-2019-0708
     - https://github.com/Ekultek/BlueKeep
 author: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'
-date: 2019/05/24
-modified: 2022/12/25
+date: 2019-05-24
+modified: 2022-12-25
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1210
     - car.2013-07-002
 logsource:
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
index 0ab9f4d9ee2..247c55c6ec2 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
@@ -5,8 +5,8 @@ description: Detects the execution of Scheduled Tasks where the Program being ru
 references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/05
-modified: 2023/02/07
+date: 2022-12-05
+modified: 2023-02-07
 tags:
     - attack.persistence
     - attack.t1053.005
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
index 0a6712f81a1..98b48af795a 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
@@ -5,8 +5,8 @@ description: Detects the execution of Scheduled Tasks where the program being ru
 references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/05
-modified: 2023/02/07
+date: 2022-12-05
+modified: 2023-02-07
 tags:
     - attack.persistence
     - attack.t1053.005
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
index 95cd96d8e1f..013f2515707 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
@@ -11,8 +11,8 @@ description: |
 references:
     - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
 author: frack113
-date: 2023/01/13
-modified: 2023/02/07
+date: 2023-01-13
+modified: 2023-02-07
 tags:
     - attack.impact
     - attack.t1489
diff --git a/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml b/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
index 2a9acc56b0e..6667318a659 100644
--- a/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
+++ b/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
@@ -6,9 +6,9 @@ references:
     - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
     - https://ngrok.com/
 author: Florian Roth (Nextron Systems)
-date: 2022/04/29
+date: 2022-04-29
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1090
 logsource:
     product: windows
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 5a985b573fd..99a8a9de0f0 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -5,12 +5,12 @@ description: This method detects mimikatz keywords in different Eventlogs (some
 references:
     - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
-date: 2017/01/10
-modified: 2022/01/05
+date: 2017-01-10
+modified: 2022-01-05
 tags:
     - attack.s0002
-    - attack.lateral_movement
-    - attack.credential_access
+    - attack.lateral-movement
+    - attack.credential-access
     - car.2013-07-001
     - car.2019-04-004
     - attack.t1003.002
diff --git a/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml b/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml
index 75f040b4844..beba99457f5 100644
--- a/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml
+++ b/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml
@@ -2,7 +2,7 @@ title: Windows Defender Grace Period Expired
 id: 360a1340-398a-46b6-8d06-99b905dc69d2
 related:
     - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
-      type: obsoletes
+      type: obsolete
 status: stable
 description: |
     Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
@@ -11,10 +11,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
     - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
 author: Ján Trenčanský, frack113
-date: 2020/07/28
-modified: 2023/11/22
+date: 2020-07-28
+modified: 2023-11-22
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml b/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml
index 9db77659ac3..a6a1ba4298d 100644
--- a/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml
+++ b/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml
@@ -5,10 +5,10 @@ description: Detects Access to LSASS Process
 references:
     - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
 author: Markus Neis
-date: 2018/08/26
-modified: 2022/08/13
+date: 2018-08-26
+modified: 2022-08-13
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml b/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml
index 7561989329b..6abb9df5bb8 100644
--- a/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml
+++ b/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml
@@ -6,11 +6,11 @@ references:
     - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
     - https://twitter.com/duff22b/status/1280166329660497920
 author: Bhabesh Raj
-date: 2020/07/14
-modified: 2022/12/25
+date: 2020-07-14
+modified: 2022-12-25
 tags:
     - attack.execution
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1047
     - attack.t1569.002
 logsource:
diff --git a/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml b/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml
index 01079979e5d..9c8054db648 100644
--- a/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml
+++ b/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml
@@ -5,10 +5,10 @@ description: Detects the Setting of Windows Defender Exclusions
 references:
     - https://twitter.com/_nullbind/status/1204923340810543109
 author: Christian Burkard (Nextron Systems)
-date: 2021/07/06
-modified: 2022/12/06
+date: 2021-07-06
+modified: 2022-12-06
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml
index bfcc7be3f8f..64df6be559f 100644
--- a/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml
+++ b/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml
@@ -6,10 +6,10 @@ description: |
 references:
     - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
-modified: 2022/12/06
+date: 2022-08-05
+modified: 2022-12-06
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml b/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml
index fddc68abb5f..06b7726751d 100644
--- a/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml
+++ b/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml
@@ -13,9 +13,9 @@ references:
     - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
     - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/06
+date: 2022-12-06
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml
index 1898d982330..e035f90d5c1 100644
--- a/rules/windows/builtin/windefend/win_defender_history_delete.yml
+++ b/rules/windows/builtin/windefend/win_defender_history_delete.yml
@@ -6,10 +6,10 @@ references:
     - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
     - https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
 author: Cian Heasley
-date: 2020/08/13
-modified: 2023/11/24
+date: 2020-08-13
+modified: 2023-11-24
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     product: windows
     service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml b/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml
index b73bb5b51e0..9250b54aede 100644
--- a/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml
@@ -2,7 +2,7 @@ title: Windows Defender Malware And PUA Scanning Disabled
 id: bc275be9-0bec-4d77-8c8f-281a2df6710f
 related:
     - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
-      type: obsoletes
+      type: obsolete
 status: stable
 description: Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
 references:
@@ -10,10 +10,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
     - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
 author: Ján Trenčanský, frack113
-date: 2020/07/28
-modified: 2023/11/22
+date: 2020-07-28
+modified: 2023-11-22
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml b/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml
index 2d3a914e8ae..e797742bbd6 100644
--- a/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml
+++ b/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml
@@ -5,8 +5,8 @@ description: Detects triggering of AMSI by Windows Defender.
 references:
     - https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
 author: Bhabesh Raj
-date: 2020/09/14
-modified: 2022/12/07
+date: 2020-09-14
+modified: 2022-12-07
 tags:
     - attack.execution
     - attack.t1059
diff --git a/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml b/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
index ac37b13c72c..65d7a385748 100644
--- a/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
@@ -2,7 +2,7 @@ title: Windows Defender Real-time Protection Disabled
 id: b28e58e4-2a72-4fae-bdee-0fbe904db642
 related:
     - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
-      type: obsoletes
+      type: obsolete
 status: stable
 description: |
     Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
@@ -11,10 +11,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
     - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
 author: Ján Trenčanský, frack113
-date: 2020/07/28
-modified: 2023/11/22
+date: 2020-07-28
+modified: 2023-11-22
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml b/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml
index 6154f8796c1..cf7a8b23109 100644
--- a/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml
+++ b/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml
@@ -7,10 +7,10 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
     - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 # Contains the list of Feature Names (use for filtering purposes)
 author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)
-date: 2023/03/28
-modified: 2023/05/05
+date: 2023-03-28
+modified: 2023-05-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
index bae44cbf7d7..71b80b1c47c 100644
--- a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
+++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
@@ -5,9 +5,9 @@ description: Detects the restoration of files from the defender quarantine
 references:
     - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/06
+date: 2022-12-06
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
index 4dbb69a59db..0f067419191 100644
--- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
+++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
@@ -13,10 +13,10 @@ references:
     - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
     - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/06
-modified: 2023/11/24
+date: 2022-12-06
+modified: 2023-11-24
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
index bde332ed922..eff4df1941e 100644
--- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
@@ -6,10 +6,10 @@ references:
     - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
     - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
 author: Bhabesh Raj, Nasreddine Bencherchali
-date: 2021/07/05
-modified: 2022/12/06
+date: 2021-07-05
+modified: 2022-12-06
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml
index 9740f112d14..cad13d4f4db 100644
--- a/rules/windows/builtin/windefend/win_defender_threat.yml
+++ b/rules/windows/builtin/windefend/win_defender_threat.yml
@@ -5,7 +5,7 @@ description: Detects actions taken by Windows Defender malware detection engines
 references:
     - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
 author: Ján Trenčanský
-date: 2020/07/28
+date: 2020-07-28
 tags:
     - attack.execution
     - attack.t1059
diff --git a/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml b/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml
index 30ddbabaa66..e21d92c0934 100644
--- a/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml
@@ -2,7 +2,7 @@ title: Windows Defender Virus Scanning Feature Disabled
 id: 686c0b4b-9dd3-4847-9077-d6c1bbe36fcb
 related:
     - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
-      type: obsoletes
+      type: obsolete
 status: stable
 description: Detects disabling of the Windows Defender virus scanning feature
 references:
@@ -10,10 +10,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
     - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
 author: Ján Trenčanský, frack113
-date: 2020/07/28
-modified: 2023/11/22
+date: 2020-07-28
+modified: 2023-11-22
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/wmi/win_wmi_persistence.yml b/rules/windows/builtin/wmi/win_wmi_persistence.yml
index 50d6f96cbce..e48c4ca18a4 100644
--- a/rules/windows/builtin/wmi/win_wmi_persistence.yml
+++ b/rules/windows/builtin/wmi/win_wmi_persistence.yml
@@ -6,11 +6,11 @@ references:
     - https://twitter.com/mattifestation/status/899646620148539397
     - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
-date: 2017/08/22
-modified: 2022/02/10
+date: 2017-08-22
+modified: 2022-02-10
 tags:
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1546.003
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
index 8c55c588245..1605c54ba0d 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
@@ -6,10 +6,10 @@ references:
     - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
     - https://github.com/mdsecactivebreach/CACTUSTORCH
 author: '@SBousseaden (detection), Thomas Patzke (rule)'
-date: 2019/02/01
-modified: 2023/05/05
+date: 2019-02-01
+modified: 2023-05-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
     - attack.t1055.012
     - attack.t1059.005
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
index 65d3671a08b..06da54deb50 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
@@ -6,10 +6,10 @@ references:
     - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
     - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
-date: 2018/11/30
-modified: 2023/05/05
+date: 2018-11-30
+modified: 2023-05-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1055.001
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml
index 566018fe94c..89899e23e55 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml
@@ -7,10 +7,10 @@ references:
     - https://github.com/denandz/KeeFarce
     - https://github.com/GhostPack/KeeThief
 author: Timon Hackenjos
-date: 2022/04/22
-modified: 2023/05/05
+date: 2022-04-22
+modified: 2023-05-05
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1555.005
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml
index fce977a4f4f..8581ece3220 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml
@@ -7,10 +7,10 @@ description: |
 references:
     - https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/28
-modified: 2024/01/22
+date: 2023-07-28
+modified: 2024-01-22
 tags:
-    - attack.credential_access
+    - attack.credential-access
 logsource:
     product: windows
     category: create_remote_thread
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml
index f9ef4cef677..4dde50a9b52 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml
@@ -2,7 +2,7 @@ title: Potential Credential Dumping Attempt Via PowerShell Remote Thread
 id: fb656378-f909-47c1-8747-278bf09f4f4f
 related:
     - id: 3f07b9d1-2082-4c56-9277-613a621983cc
-      type: obsoletes
+      type: obsolete
     - id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
       type: similar
 status: test
@@ -10,10 +10,10 @@ description: Detects remote thread creation by PowerShell processes into "lsass.
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2022/12/18
+date: 2020-10-06
+modified: 2022-12-18
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
index 1ebba8e8c49..1a1dfe74173 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
@@ -8,10 +8,10 @@ description: Detects the creation of a remote thread from a Powershell process i
 references:
     - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
 author: Florian Roth (Nextron Systems)
-date: 2018/06/25
-modified: 2023/11/10
+date: 2018-06-25
+modified: 2023-11-10
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
     - attack.t1218.011
     - attack.t1059.001
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml
index 6a1cf6d94fb..c2e1e20aaa6 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml
@@ -7,10 +7,10 @@ description: |
 references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
 author: Thomas Patzke
-date: 2017/02/19
-modified: 2021/06/21
+date: 2017-02-19
+modified: 2021-06-21
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.s0005
     - attack.t1003.001
 logsource:
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
index 137f6792c5f..99cbf4cf945 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
@@ -9,11 +9,11 @@ references:
     - Personal research, statistical analysis
     - https://lolbas-project.github.io
 author: Perez Diego (@darkquassar), oscd.community
-date: 2019/10/27
-modified: 2024/07/15
+date: 2019-10-27
+modified: 2024-07-15
 tags:
-    - attack.privilege_escalation
-    - attack.defense_evasion
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.t1055
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
index a7b3226120c..64664432942 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
@@ -8,9 +8,9 @@ references:
     - https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/
     - https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/
 author: Splunk Research Team
-date: 2024/07/29
+date: 2024-07-29
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1055
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
index ea7fc5d6654..ea5eeaeb666 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
@@ -9,11 +9,11 @@ references:
     - Personal research, statistical analysis
     - https://lolbas-project.github.io
 author: Perez Diego (@darkquassar), oscd.community
-date: 2019/10/27
-modified: 2024/07/15
+date: 2019-10-27
+modified: 2024-07-15
 tags:
-    - attack.privilege_escalation
-    - attack.defense_evasion
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.t1055
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
index af25b80ee5c..e822c90b848 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
@@ -2,17 +2,17 @@ title: Remote Thread Creation In Uncommon Target Image
 id: a1a144b7-5c9b-4853-a559-2172be8d4a03
 related:
     - id: f016c716-754a-467f-a39e-63c06f773987
-      type: obsoletes
+      type: obsolete
 status: experimental
 description: Detects uncommon target processes for remote thread creation
 references:
     - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
-date: 2022/03/16
-modified: 2024/07/15
+date: 2022-03-16
+modified: 2024-07-15
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1055.003
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml b/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
index 2b310f84704..461eb0ae40a 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
@@ -5,10 +5,10 @@ description: Detects a remote thread creation of Ttdinject.exe used as proxy
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
 author: frack113
-date: 2022/05/16
-modified: 2022/06/02
+date: 2022-05-16
+modified: 2022-06-02
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1127
 logsource:
     product: windows
diff --git a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
index adbd3dbb8ff..0b6669d9796 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
@@ -5,10 +5,10 @@ description: Detects the creation of an ADS (Alternate Data Stream) that contain
 references:
     - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
 author: Florian Roth (Nextron Systems), @0xrawsec
-date: 2018/06/03
-modified: 2023/02/10
+date: 2018-06-03
+modified: 2023-02-10
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.s0139
     - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
index 24da21b23d9..a23a650d3d6 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a suspicious ADS (Alternate Data Stream) fi
 references:
     - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
 author: frack113
-date: 2022/10/22
-modified: 2023/06/12
+date: 2022-10-22
+modified: 2023-06-12
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     product: windows
     category: create_stream_hash
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
index a48002d98d6..158c9e898d7 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -11,10 +11,10 @@ references:
     - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
-date: 2022/08/24
-modified: 2024/02/09
+date: 2022-08-24
+modified: 2024-02-09
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.s0139
     - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
index 3157d7de2ca..39a51f17d01 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
@@ -10,10 +10,10 @@ references:
     - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
-date: 2022/08/24
-modified: 2024/02/09
+date: 2022-08-24
+modified: 2024-02-09
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.s0139
     - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
index 08ac32bcb76..e6946ffeee5 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
@@ -15,10 +15,10 @@ references:
     - https://github.com/outflanknl/Dumpert
     - https://github.com/wavestone-cdt/EDRSandblast
 author: Florian Roth (Nextron Systems)
-date: 2022/08/24
-modified: 2024/01/02
+date: 2022-08-24
+modified: 2024-01-02
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.s0139
     - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml b/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
index b53fff6b85a..d31e215fad2 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
@@ -6,10 +6,10 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
     - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Oddvar Moe, Sander Wiebing, oscd.community
-date: 2020/10/07
-modified: 2021/11/27
+date: 2020-10-07
+modified: 2021-11-27
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1564.004
 logsource:
     product: windows
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
index a2ccea6596c..608e8a12170 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
 - https://labs.withsecure.com/publications/detecting-onenote-abuse
 author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/09/07
-modified: 2023/02/10
+date: 2022-09-07
+modified: 2023-02-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
index 1792faecc26..2451eccd3c0 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
@@ -5,9 +5,9 @@ description: Detects potential suspicious winget package installation from a sus
 references:
 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/18
+date: 2023-04-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 logsource:
 product: windows
diff --git a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
index d7869180a02..b8187973a5d 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/cyb3rops/status/1659175181695287297
 - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
 author: Florian Roth (Nextron Systems)
-date: 2023/05/18
+date: 2023-05-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: create_stream_hash
diff --git a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
index 65ff6870d93..061c818930a 100644
--- a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
+++ b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
@@ -8,8 +8,8 @@ description: Detects DNS queries for "anonfiles.com", which is an anonymous file
 references:
 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
 author: pH-T (Nextron Systems)
-date: 2022/07/15
-modified: 2023/01/16
+date: 2022-07-15
+modified: 2023-01-16
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/dns_query/dns_query_win_appinstaller.yml b/rules/windows/dns_query/dns_query_win_appinstaller.yml
index 013d7b7e590..7f5a5350dc9 100644
--- a/rules/windows/dns_query/dns_query_win_appinstaller.yml
+++ b/rules/windows/dns_query/dns_query_win_appinstaller.yml
@@ -10,10 +10,10 @@ references:
 - https://twitter.com/notwhickey/status/1333900137232523264
 - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
 author: frack113
-date: 2021/11/24
-modified: 2023/11/09
+date: 2021-11-24
+modified: 2023-11-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml b/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml
index 25e3335b897..60ab1f2d500 100644
--- a/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml
+++ b/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml
@@ -11,9 +11,9 @@ references:
 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/12/20
+date: 2023-12-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: dns_query
diff --git a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
index 54b62bfd967..23874013d64 100644
--- a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
+++ b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
@@ -15,10 +15,10 @@ references:
 - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
 - https://cydefops.com/devtunnels-unleashed
 author: citron_ninja
-date: 2023/10/25
-modified: 2023/11/20
+date: 2023-10-25
+modified: 2023-11-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: dns_query
diff --git a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml
index 160adb3f6f8..0c711beac22 100644
--- a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml
+++ b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
 author: frack113
-date: 2022/08/20
-modified: 2023/09/18
+date: 2022-08-20
+modified: 2023-09-18
 tags:
 - attack.discovery
 - attack.t1482
diff --git a/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml b/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml
index 20e5eaa7131..314494a80c9 100644
--- a/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml
+++ b/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml
@@ -12,9 +12,9 @@ references:
 - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
 - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/24
+date: 2024-06-24
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml b/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
index 4529f5c21d2..ee02ba138c5 100644
--- a/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
+++ b/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
@@ -5,8 +5,8 @@ description: Detects Azure Hybrid Connection Manager services querying the Azure
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/04/12
-modified: 2023/01/16
+date: 2021-04-12
+modified: 2023-01-16
 tags:
 - attack.persistence
 - attack.t1554
diff --git a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
index d9acf4aea34..fbd1906e669 100644
--- a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
+++ b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
@@ -9,10 +9,10 @@ references:
 - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 author: Florian Roth (Nextron Systems)
-date: 2021/11/09
-modified: 2023/01/16
+date: 2021-11-09
+modified: 2023-01-16
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.004
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_win_mega_nz.yml b/rules/windows/dns_query/dns_query_win_mega_nz.yml
index 008d8766e4f..ef5fbb5bede 100644
--- a/rules/windows/dns_query/dns_query_win_mega_nz.yml
+++ b/rules/windows/dns_query/dns_query_win_mega_nz.yml
@@ -8,8 +8,8 @@ description: Detects DNS queries for subdomains related to MEGA sharing website
 references:
 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 author: Aaron Greetham (@beardofbinary) - NCC Group
-date: 2021/05/26
-modified: 2023/09/18
+date: 2021-05-26
+modified: 2023-09-18
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
index 80b1c3e4e80..ee5288b09c8 100644
--- a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
+++ b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
@@ -9,7 +9,7 @@ references:
 - https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
 - https://malware.guide/browser-hijacker/remove-onelaunch-virus/
 author: Josh Nickels
-date: 2024/02/26
+date: 2024-02-26
 tags:
 - attack.collection
 - attack.t1056
diff --git a/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml b/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml
index 99c628e79c5..0cfff5a5316 100644
--- a/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml
+++ b/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml
@@ -9,12 +9,12 @@ references:
 - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
 - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
 author: Dmitriy Lifanov, oscd.community
-date: 2019/10/25
-modified: 2023/09/18
+date: 2019-10-25
+modified: 2023-09-18
 tags:
 - attack.execution
 - attack.t1559.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: dns_query
diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
index 42656d7f212..6ada51a6f2f 100644
--- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
+++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
@@ -2,11 +2,11 @@ title: DNS Query To Remote Access Software Domain From Non-Browser App
 id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
 related:
 - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
- type: obsoletes
+ type: obsolete
 - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
- type: obsoletes
+ type: obsolete
 - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
@@ -19,10 +19,10 @@ references:
 - https://redcanary.com/blog/misbehaving-rats/
 - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
 author: frack113, Connor Martin
-date: 2022/07/11
-modified: 2023/09/12
+date: 2022-07-11
+modified: 2023-09-12
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
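Review bot: The `related[].type` values in the dns_query_win_remote_access_software_domains_non_browsers.yml hunk change from `obsoletes` to `obsolete`, which is the only non-mechanical edit on this page; `obsolete` is the newer-spec spelling, so any validator or consumer that still only accepts `obsoletes` will reject these three entries, and the minimum pySigma/sigma-cli version this rule set now requires should be stated in the PR description or contribution docs rather than left implicit. The same hunk, like every other one here, also replaces the `YYYY/MM/DD` form with a bare `2022-07-11`, which most YAML loaders implicitly type as a date object instead of a string; any downstream code that string-compares or formats `date`/`modified` should be checked — presumably the pySigma version used in CI accepts `datetime.date`, but confirm. Both hunks are metadata-only and the `detection` block lies outside them.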
diff --git a/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml b/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml
index 1f83f76fcc8..4a0cf677a76 100644
--- a/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml
+++ b/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml
@@ -7,8 +7,8 @@ references:
 - https://twitter.com/neonprimetime/status/1436376497980428318
 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 author: Brandon George (blog post), Thomas Patzke
-date: 2021/07/08
-modified: 2024/03/22
+date: 2021-07-08
+modified: 2024-03-22
 tags:
 - attack.reconnaissance
 - attack.t1590
diff --git a/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml b/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
index 08641bace06..6b1368c2c62 100644
--- a/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
+++ b/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
@@ -5,10 +5,10 @@ description: Detects DNS queries to a TeamViewer domain only resolved by a TeamV
 references:
 - https://www.teamviewer.com/en-us/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/30
-modified: 2023/09/18
+date: 2022-01-30
+modified: 2023-09-18
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml b/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml
index 046b352420f..491ae8541f8 100644
--- a/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml
+++ b/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml
@@ -8,10 +8,10 @@ description: Detects DNS queries to an ".onion" address related to Tor routing n
 references:
 - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
 author: frack113
-date: 2022/02/20
-modified: 2023/09/18
+date: 2022-02-20
+modified: 2023-09-18
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.003
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml
index 3890fad5025..195bc7ba231 100644
--- a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml
+++ b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml
@@ -8,8 +8,8 @@ description: Detects DNS queries to "ufile.io", which was seen abused by malware
 references:
 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 author: yatinwad, TheDFIRReport
-date: 2022/06/23
-modified: 2023/09/18
+date: 2022-06-23
+modified: 2023-09-18
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
index d03bca54df3..55bb4a6b457 100644
--- a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
+++ b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
@@ -15,10 +15,10 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://cydefops.com/vscode-data-exfiltration
 author: citron_ninja
-date: 2023/10/25
-modified: 2023/11/20
+date: 2023-10-25
+modified: 2023-11-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: dns_query
diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers.yml b/rules/windows/driver_load/driver_load_win_mal_drivers.yml
index 22362077dd5..2562839bf56 100644
--- a/rules/windows/driver_load/driver_load_win_mal_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_drivers.yml
@@ -5,10 +5,10 @@ description: Detects loading of known malicious drivers via their hash.
 references:
 - https://loldrivers.io/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/18
-modified: 2023/12/02
+date: 2022-08-18
+modified: 2023-12-02
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
index 4fbc90ee395..75976e61dc3 100644
--- a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
@@ -5,10 +5,10 @@ description: Detects loading of known malicious drivers via the file name of the
 references:
 - https://loldrivers.io/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/03
-modified: 2023/12/02
+date: 2022-10-03
+modified: 2023-12-02
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
index 6524fba28a4..eccbd6cfe6d 100644
--- a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
@@ -8,11 +8,11 @@ description: Detects driver load of the Process Hacker tool
 references:
 - https://processhacker.sourceforge.io/
 author: Florian Roth (Nextron Systems)
-date: 2022/11/16
-modified: 2023/05/08
+date: 2022-11-16
+modified: 2023-05-08
 tags:
- - attack.privilege_escalation
- - cve.2021.21551
+ - attack.privilege-escalation
+ - cve.2021-21551
 - attack.t1543
 logsource:
 category: driver_load
diff --git a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
index 8a220bffb07..10dfa7c4a5c 100644
--- a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
@@ -9,9 +9,9 @@ references:
 - https://systeminformer.sourceforge.io/
 - https://github.com/winsiderss/systeminformer
 author: Florian Roth (Nextron Systems)
-date: 2023/05/08
+date: 2023-05-08
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 category: driver_load
diff --git a/rules/windows/driver_load/driver_load_win_susp_temp_use.yml b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml
index 2e285226b16..034cb49bfee 100644
--- a/rules/windows/driver_load/driver_load_win_susp_temp_use.yml
+++ b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml
@@ -5,11 +5,11 @@ description: Detects a driver load from a temporary directory
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2017/02/12
-modified: 2021/11/27
+date: 2017-02-12
+modified: 2021-11-27
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 category: driver_load
diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
index 3ee7abf3661..b883188fe72 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
@@ -5,10 +5,10 @@ description: Detects loading of known vulnerable drivers via their hash.
 references:
 - https://loldrivers.io/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/18
-modified: 2023/12/02
+date: 2022-08-18
+modified: 2023-12-02
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
index fbf65d88d67..cf10371c7ec 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
@@ -5,10 +5,10 @@ description: Detects the load of known vulnerable drivers via the file name of t
 references:
 - https://loldrivers.io/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/03
-modified: 2023/12/02
+date: 2022-10-03
+modified: 2023-12-02
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
index 3f46d363b6a..cd35b93aa20 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
@@ -5,10 +5,10 @@ description: Detects the load of HackSys Extreme Vulnerable Driver which is an i
 references:
 - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/18
-modified: 2022/11/19
+date: 2022-08-18
+modified: 2022-11-19
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 product: windows
diff --git a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
index be896ddb78f..56aa9a0e0ec 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/xmrig/xmrig/tree/master/bin/WinRing0
 - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
 author: Florian Roth (Nextron Systems)
-date: 2022/07/26
-modified: 2022/11/19
+date: 2022-07-26
+modified: 2022-11-19
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 product: windows
diff --git a/rules/windows/driver_load/driver_load_win_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml
index 00e79a3d5c3..43a6d033500 100644
--- a/rules/windows/driver_load/driver_load_win_windivert.yml
+++ b/rules/windows/driver_load/driver_load_win_windivert.yml
@@ -6,11 +6,11 @@ references:
 - https://reqrypt.org/windivert-doc.html
 - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
 author: Florian Roth (Nextron Systems)
-date: 2021/07/30
-modified: 2022/11/19
+date: 2021-07-30
+modified: 2022-11-19
 tags:
 - attack.collection
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1599.001
 - attack.t1557.001
 logsource:
diff --git a/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml b/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml
index 8e4278128f3..2a4c3e495c9 100644
--- a/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml
@@ -8,11 +8,11 @@ references:
 - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/11
-modified: 2024/07/29
+date: 2022-10-11
+modified: 2024-07-29
 tags:
 - attack.t1003
- - attack.credential_access
+ - attack.credential-access
 logsource:
 category: file_access
 product: windows
diff --git a/rules/windows/file/file_access/file_access_win_susp_credhist.yml b/rules/windows/file/file_access/file_access_win_susp_credhist.yml
index d890dd9b1db..6f4f6cf954c 100644
--- a/rules/windows/file/file_access/file_access_win_susp_credhist.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_credhist.yml
@@ -8,10 +8,10 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist
 - https://www.passcape.com/windows_password_recovery_dpapi_credhist
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/17
-modified: 2024/07/29
+date: 2022-10-17
+modified: 2024-07-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.004
 logsource:
 category: file_access
diff --git a/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml b/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml
index e11262253f5..cbb3fe64889 100644
--- a/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - Internal Research
 author: X__Junior (Nextron Systems)
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.t1003
- - attack.credential_access
+ - attack.credential-access
 logsource:
 category: file_access
 product: windows
diff --git a/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml
index b9973ce0a1f..13f0cc5877b 100644
--- a/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml
@@ -8,10 +8,10 @@ references:
 - http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
 - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/17
-modified: 2024/07/29
+date: 2022-10-17
+modified: 2024-07-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.004
 logsource:
 category: file_access
diff --git a/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml b/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml
index e555a558dff..c872d1b21f9 100644
--- a/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml
@@ -8,10 +8,10 @@ description: Detects file access requests to potentially sensitive files hosted
 references:
 - https://github.com/vletoux/pingcastle
 author: frack113
-date: 2023/12/21
-modified: 2024/07/29
+date: 2023-12-21
+modified: 2024-07-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.006
 logsource:
 category: file_access
diff --git a/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml b/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml
index 21dcd47b2d2..0600f8ec852 100644
--- a/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml
+++ b/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml
@@ -7,9 +7,9 @@ references:
 - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
 - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
 author: '@SerkinValery'
-date: 2024/07/22
+date: 2024-07-22
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: windows
diff --git a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
index 2104cca2241..e5630978c84 100644
--- a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
+++ b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/08/12
-modified: 2022/10/25
+date: 2022-08-12
+modified: 2022-10-25
 tags:
 - attack.t1070.006
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_change
 product: windows
diff --git a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
index 46f01c03d63..31e14a9e7af 100644
--- a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
+++ b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
@@ -8,9 +8,9 @@ description: Detects an unexpected file being modified by dns.exe which my indic
 references:
 - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
 author: Tim Rauch (Nextron Systems), Elastic (idea)
-date: 2022/09/27
+date: 2022-09-27
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1133
 logsource:
 category: file_change
diff --git a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml b/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
index 9451c3f517b..faceed8596f 100644
--- a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
+++ b/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
@@ -6,14 +6,14 @@ references:
 - https://github.com/hhlxf/PrintNightmare
 - https://github.com/cube0x0/CVE-2021-1675
 author: Bhabesh Raj
-date: 2021/07/01
-modified: 2023/02/17
+date: 2021-07-01
+modified: 2023-02-17
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574
- - cve.2021.1675
+ - cve.2021-1675
 logsource:
 category: file_delete
 product: windows
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
index 413b8e13957..326436b307f 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
@@ -5,8 +5,8 @@ description: Detects deletion of files with extensions often used for backup fil
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
 author: frack113
-date: 2022/01/02
-modified: 2023/02/15
+date: 2022-01-02
+modified: 2023-02-15
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml b/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
index 091244733aa..403a5e460f9 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
@@ -5,9 +5,9 @@ description: Detects the deletion of the event log files which may indicate an a
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
+date: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
index 37eea57687e..bb89e948a73 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
@@ -5,10 +5,10 @@ description: Detects the deletion of the Exchange PowerShell cmdlet History logs
 references:
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/26
-modified: 2022/12/30
+date: 2022-10-26
+modified: 2022-12-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
index 7ff51dd6fdc..91bb673ab68 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
@@ -5,10 +5,10 @@ description: Detects the deletion of IIS WebServer access logs which may indicat
 references:
 - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
 author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/16
-modified: 2023/02/15
+date: 2022-09-16
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml b/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
index 6daa4e9e3d0..0308f4c6a87 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
@@ -5,9 +5,9 @@ description: Detects the deletion of the PowerShell console History logs which m
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
+date: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
index 3e85e23c44f..04fb469d14d 100755
--- a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
@@ -6,10 +6,10 @@ references:
 - Internal Research
 - https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
 author: Cedric MAURUGEON
-date: 2021/09/29
-modified: 2024/01/25
+date: 2021-09-29
+modified: 2024-01-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml
index ddafa5e5953..85992dd16ad 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml
@@ -5,10 +5,10 @@ description: Detects the deletion of the TeamViewer log files which may indicate
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
 author: frack113
-date: 2022/01/16
-modified: 2023/02/15
+date: 2022-01-16
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
index fdea36cd77f..fe35182c278 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
@@ -6,9 +6,9 @@ references:
 - Internal Research
 - https://linuxhint.com/view-tomcat-logs-windows/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/16
+date: 2023-02-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
index 026f340d59c..aa9fef98058 100644
--- a/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
+++ b/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/9
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/02/15
+date: 2020-05-02
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
index 07911961f8c..ff86977218e 100644
--- a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
+++ b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
@@ -8,10 +8,10 @@ description: Detects an unexpected file being deleted by dns.exe which my indica
 references:
 - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
 author: Tim Rauch (Nextron Systems), Elastic (idea)
-date: 2022/09/27
-modified: 2023/02/15
+date: 2022-09-27
+modified: 2023-02-15
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1133
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
index 896c6facffb..ee8646c095f 100644
--- a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
+++ b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
@@ -9,10 +9,10 @@ references:
 - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/04
-modified: 2024/04/26
+date: 2023-09-04
+modified: 2024-04-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml b/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
index d4f260a42a8..c96c2bedbb7 100644
--- a/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
+++ b/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
@@ -7,11 +7,11 @@ references:
 - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
 - https://github.com/fox-it/LDAPFragger
 author: xknow @xknow_infosec, Tim Shelton
-date: 2019/03/24
-modified: 2023/10/18
+date: 2019-03-24
+modified: 2023-10-18
 tags:
 - attack.t1001.003
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml b/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml
index 3b5545d298d..44ee10449aa 100644
--- a/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml
+++ b/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml
@@ -12,8 +12,8 @@ references:
 - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
 - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
 author: '@ROxPinTeddy'
-date: 2020/05/12
-modified: 2022/11/29
+date: 2020-05-12
+modified: 2022-11-29
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
index 6776f30fd08..d55071c51c7 100644
--- a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: frack113
-date: 2022/02/11
-modified: 2024/07/20
+date: 2022-02-11
+modified: 2024-07-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
index e03c4f5b2e5..e54370eee32 100644
--- a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
+++ b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
@@ -8,9 +8,9 @@ description: |
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/28
+date: 2022-09-28
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml b/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml
index 2807616395c..4e98d7c32e0 100644
--- a/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml
+++ b/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml
@@ -13,7 +13,7 @@ description: |
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/14
+date: 2023-08-14
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
index ce90c0b34e3..b5c282e7038 100644
--- a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
+++ b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
@@ -5,8 +5,8 @@ description: Detects default file names outputted by the BloodHound collection t
 references:
 - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
 author: C.J. May
-date: 2022/08/09
-modified: 2023/03/29
+date: 2022-08-09
+modified: 2023-03-29
 tags:
 - attack.discovery
 - attack.t1087.001
diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
index 69659801c5e..0f9cfc8cb00 100644
--- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
 author: D3F7A5105
-date: 2023/01/02
-modified: 2024/03/26
+date: 2023-01-02
+modified: 2024-03-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 38a6bbd9ab3..62901dc2d14 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -15,12 +15,12 @@ references:
 - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
 - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
 author: Nasreddine Bencherchali (Nextron Systems), fornotes
-date: 2022/12/01
-modified: 2024/01/10
+date: 2022-12-01
+modified: 2024-01-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
index 330142a8dd1..6c030c135aa 100644
--- a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
@@ -10,8 +10,8 @@ references:
 - https://liberty-shell.com/sec/2020/02/25/shim-persistence/
 - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/29
-modified: 2023/12/06
+date: 2021-12-29
+modified: 2023-12-06
 tags:
 - attack.persistence
 - attack.t1547.009
diff --git a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
index 3d2619c84e9..6690529518c 100644
--- a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
 author: frack113
-date: 2021/12/29
-modified: 2022/11/08
+date: 2021-12-29
+modified: 2022-11-08
 tags:
 - attack.persistence
 - attack.t1546.002
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml b/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml
index 501229ac92c..709ce43414b 100644
--- a/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/24
+date: 2024-06-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
index 2df5a2988f2..78ac9aa95d0 100644
--- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - Internal Research
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/05/26
-modified: 2024/06/24
+date: 2020-05-26
+modified: 2024-06-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
index cf358894ddd..0ba1c9bcf14 100644
--- a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
 author: frack113
-date: 2021/12/30
+date: 2021-12-30
 tags:
 - attack.persistence
 - attack.t1547.009
diff --git a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
index eaeb077ecc8..8be4b713349 100755
--- a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
@@ -5,10 +5,10 @@ description: Files with well-known filenames (parts of credential dump software
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/11/01
-modified: 2022/09/21
+date: 2019-11-01
+modified: 2022-09-21
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.003
diff --git a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
index 65eb05e8000..fa29af0b0ed 100644
--- a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
+++ b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
@@ -8,8 +8,8 @@ description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.
 references:
 - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
 author: Tim Shelton
-date: 2022/01/10
-modified: 2022/12/02
+date: 2022-01-10
+modified: 2022-12-02
 tags:
 - attack.execution
 - attack.t1059.005
diff --git a/rules/windows/file/file_event/file_event_win_csexec_service.yml b/rules/windows/file/file_event/file_event_win_csexec_service.yml
index 33f9fce2a26..50177ea10be 100644
--- a/rules/windows/file/file_event/file_event_win_csexec_service.yml
+++ b/rules/windows/file/file_event/file_event_win_csexec_service.yml
@@ -5,7 +5,7 @@ description: Detects default CSExec service filename which indicates CSExec serv
 references:
 - https://github.com/malcomvetter/CSExec
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/04
+date: 2023-08-04
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
index e2d5f5cddb1..210294d6661 100644
--- a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
 author: frack113
-date: 2022/01/09
-modified: 2023/02/17
+date: 2022-01-09
+modified: 2023-02-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml
index 3704cad9538..40ece2f14d9 100644
--- a/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml
+++ b/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml
@@ -2,7 +2,7 @@ title: Potential DCOM InternetExplorer.Application DLL Hijack
 id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
 related:
 - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
- type: obsoletes
+ type: obsolete
 - id: f354eba5-623b-450f-b073-0b5b2773b6aa
 type: similar
 status: test
@@ -10,10 +10,10 @@ description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM In
 references:
 - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
-date: 2020/10/12
-modified: 2022/12/18
+date: 2020-10-12
+modified: 2022-12-18
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1021.003
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml b/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
index f330ff51fe1..2b30a630567 100644
--- a/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
+++ b/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
@@ -8,11 +8,11 @@ references:
 - https://twitter.com/cyb3rops/status/1552932770464292864
 - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/30
+date: 2022-07-30
 tags:
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml
index c689dba2dfd..c445dd4e748 100644
--- a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml
@@ -8,9 +8,9 @@ description: Detects the creation of a file with the ".dmp"/".hdmp" extension by
 references:
 - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/07
+date: 2023-09-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml b/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml
index 8ebc5922823..b82144c1ede 100644
--- a/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml
@@ -8,8 +8,8 @@ references:
 - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
 - https://github.com/last-byte/PersistenceSniper
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/09
-modified: 2022/12/19
+date: 2022-08-09
+modified: 2022-12-19
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
index 31e8d469090..3e2f5b73085 100644
--- a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
+++ b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
@@ -10,7 +10,7 @@ references:
 - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
 - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
 author: Florian Roth (Nextron Systems), MSTI (query, idea)
-date: 2022/10/01
+date: 2022-10-01
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
index be1e27bb1c8..32fd233972a 100644
--- a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
+++ b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
@@ -10,11 +10,11 @@ references:
 - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
 - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
 author: Florian Roth (Nextron Systems)
-date: 2022/10/04
+date: 2022-10-04
 tags:
 - attack.persistence
 - attack.t1190
- - attack.initial_access
+ - attack.initial-access
 - attack.t1505.003
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml b/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
index 551b26f8f38..772a84e4de9 100644
--- a/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
@@ -8,9 +8,9 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
 author: frack113
-date: 2022/02/13
+date: 2022-02-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml b/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml
index 00d263a9011..fba06acf01b 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml
@@ -2,16 +2,16 @@ title: HackTool - CrackMapExec File Indicators
 id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
 related:
 - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
- type: obsoletes
+ type: obsolete
 status: experimental
 description: Detects file creation events with filename patterns used by CrackMapExec.
 references:
 - https://github.com/byt3bl33d3r/CrackMapExec/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/03/11
-modified: 2024/06/27
+date: 2024-03-11
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml b/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml
index 73b9219e1b0..3fdd0e46f6a 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/outflanknl/Dumpert
 - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
 author: Florian Roth (Nextron Systems)
-date: 2020/02/04
-modified: 2023/05/09
+date: 2020-02-04
+modified: 2023-05-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
index 3102f97e7a2..1debbdd6844 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
@@ -8,12 +8,12 @@ references:
 - https://github.com/WiredPulse/Invoke-HiveNightmare
 - https://twitter.com/cube0x0/status/1418920190759378944
 author: Florian Roth (Nextron Systems)
-date: 2021/07/23
-modified: 2024/06/27
+date: 2021-07-23
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
- - cve.2021.36934
+ - cve.2021-36934
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml b/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
index d714a210328..f8fc0b1f978 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
 - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/24
-modified: 2024/06/27
+date: 2022-10-24
+modified: 2024-06-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml b/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml
index 280e069d796..0fe15d32850 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml
@@ -5,9 +5,9 @@ description: Detects the creation of file with specific names used by RemoteKrbR
 references:
 - https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/27
+date: 2024-06-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml b/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml
index 6fb8c2b1eee..b9015624ef5 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml
@@ -2,17 +2,17 @@ title: HackTool - Mimikatz Kirbi File Creation
 id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
 related:
 - id: 034affe8-6170-11ec-844f-0f78aa0c4d66
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
 references:
 - https://cobalt.io/blog/kerberoast-attack-techniques
 - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
 author: Florian Roth (Nextron Systems), David ANDRE
-date: 2021/11/08
-modified: 2024/06/27
+date: 2021-11-08
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
index a9c4faf962b..5fbfb2199e1 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
 - https://twitter.com/0gtweet/status/1465282548494487554
 author: Florian Roth (Nextron Systems)
-date: 2021/11/29
-modified: 2024/06/27
+date: 2021-11-29
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml b/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
index fa8217a5b9f..80560297257 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
@@ -8,12 +8,12 @@ description: |
 references:
 - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
 author: Subhash Popuri (@pbssubhash)
-date: 2021/08/21
-modified: 2024/06/27
+date: 2021-08-21
+modified: 2024-06-27
 tags:
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1574.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml b/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml
index 5d6f60319a8..4c1832e07ed 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml
@@ -5,10 +5,10 @@ description: Detects a dump file written by QuarksPwDump password dumper
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
 author: Florian Roth (Nextron Systems)
-date: 2018/02/10
-modified: 2024/06/27
+date: 2018-02-10
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
index 43f2f90a07b..8d1db153977 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/Porchetta-Industries/CrackMapExec
 - https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
 author: SecurityAura
-date: 2022/11/16
-modified: 2024/06/27
+date: 2022-11-16
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml b/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml
index f6950ba7f9e..5c2506edc00 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/GhostPack/SafetyKatz
 - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
 author: Markus Neis
-date: 2018/07/24
-modified: 2024/06/27
+date: 2018-07-24
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
index 544b2bb6fe0..a7f0f0d4877 100644
--- a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
@@ -6,14 +6,14 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
 - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
 author: Tim Rauch (rule), Elastic (idea)
-date: 2022/10/21
+date: 2022-10-21
 tags:
 - attack.t1566
 - attack.t1566.001
- - attack.initial_access
+ - attack.initial-access
 - attack.t1574
 - attack.t1574.001
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
index d628950fc9e..f6b3b9f858e 100644
--- a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
+++ b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
@@ -5,9 +5,9 @@ description: TeamViewer_Desktop.exe is create during install
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
 author: frack113
-date: 2022/01/28
+date: 2022-01-28
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml b/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
index b7cf3dd9e6d..8ef35047373 100644
--- a/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
+++ b/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
 author: frack113
-date: 2022/08/12
+date: 2022-08-12
 tags:
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_iso_file_mount.yml b/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
index 6b6bf0cabeb..10b4097ab7a 100644
--- a/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
+++ b/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
@@ -7,9 +7,9 @@ references: - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image author: '@sam0x90' -date: 2022/07/30 +date: 2022-07-30 tags: - - attack.initial_access + - attack.initial-access - attack.t1566.001 logsource: category: file_event diff --git a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml index 8a71f6b9781..e31805a3181 100644 --- a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml +++ b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml @@ -10,9 +10,9 @@ references: - https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/ - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/ author: Florian Roth (Nextron Systems) -date: 2022/02/11 +date: 2022-02-11 tags: - - attack.initial_access + - attack.initial-access - attack.t1566.001 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml b/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml index bac88772a98..0dbe32a0705 100644 --- a/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml +++ b/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml @@ -11,7 +11,7 @@ references: - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/02/08 +date: 2023-02-08 tags: - attack.discovery logsource: 
diff --git a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml index b113fd1fa94..53ac3955b2b 100644 --- a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml +++ b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml @@ -2,9 +2,9 @@ title: LSASS Process Memory Dump Files id: a5a2d357-1ab8-4675-a967-ef9990a59391 related: - id: db2110f3-479d-42a6-94fb-d35bc1e46492 - type: obsoletes + type: obsolete - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a - type: obsoletes + type: obsolete status: test description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials. references: @@ -15,10 +15,10 @@ references: - https://github.com/helpsystems/nanodump - https://github.com/CCob/MirrorDump author: Florian Roth (Nextron Systems) -date: 2021/11/15 -modified: 2023/09/05 +date: 2021-11-15 +modified: 2023-09-05 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml index 8bb6ac9f944..a9b25e89449 100644 --- a/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml +++ b/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml @@ -6,9 +6,9 @@ references: - https://github.com/deepinstinct/Lsass-Shtinkering - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf author: '@pbssubhash' -date: 2022/12/08 +date: 2022-12-08 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 logsource: product: windows 
diff --git a/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml index 24cd5965a4c..6dd5d888011 100644 --- a/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml +++ b/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml @@ -5,9 +5,9 @@ description: Detects WerFault creating a dump file with a name that indicates th references: - https://github.com/helpsystems/nanodump author: Florian Roth (Nextron Systems) -date: 2022/06/27 +date: 2022-06-27 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_mal_adwind.yml b/rules/windows/file/file_event/file_event_win_mal_adwind.yml index ef9c47fe150..7f06143bcd9 100644 --- a/rules/windows/file/file_event/file_event_win_mal_adwind.yml +++ b/rules/windows/file/file_event/file_event_win_mal_adwind.yml @@ -9,8 +9,8 @@ references: - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community -date: 2017/11/10 -modified: 2022/12/02 +date: 2017-11-10 +modified: 2022-12-02 tags: - attack.execution - attack.t1059.005 diff --git a/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml b/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml index 153e0f4d960..5e43a3a0a43 100644 --- a/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml +++ b/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml 
@@ -5,8 +5,8 @@ description: Detects Octopus Scanner Malware. references: - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain author: NVISO -date: 2020/06/09 -modified: 2021/11/27 +date: 2020-06-09 +modified: 2021-11-27 tags: - attack.t1195 - attack.t1195.001 diff --git a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml index 3d8359b3eea..e19e5061d7c 100644 --- a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml +++ b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml @@ -6,12 +6,12 @@ references: - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ author: Vadim Varganov, Florian Roth (Nextron Systems) -date: 2022/08/24 -modified: 2023/02/23 +date: 2022-08-24 +modified: 2023-02-23 tags: - attack.persistence - attack.t1547.001 - - cve.2022.30190 + - cve.2022-30190 logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml b/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml index d60c5a3fcb8..ac9aeac179b 100644 --- a/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml +++ b/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml @@ -8,9 +8,9 @@ references: - https://asec.ahnlab.com/en/58878/ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/ author: Joseph Kamau -date: 2024/05/27 +date: 2024-05-27 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: product: windows category: file_event 
diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml index 2cb7ce899d6..812acbba75b 100644 --- a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml +++ b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml @@ -4,7 +4,7 @@ related: - id: 4508a70e-97ef-4300-b62b-ff27992990ea type: derived - id: e4b63079-6198-405c-abd7-3fe8b0ce3263 - type: obsoletes + type: obsolete status: test description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context. references: @@ -13,10 +13,10 @@ references: - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008 - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html author: frack113, omkar72, oscd.community, Wojciech Lesicki -date: 2022/11/18 -modified: 2023/02/23 +date: 2022-11-18 +modified: 2023-02-23 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: file_event diff --git a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml index 2735b21588f..98b0334b470 100644 --- a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml +++ b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml 
@@ -5,10 +5,10 @@ description: Detects the creation of suspicious files and folders inside the use references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/05 -modified: 2023/02/23 +date: 2022-08-05 +modified: 2023-02-23 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_new_scr_file.yml b/rules/windows/file/file_event/file_event_win_new_scr_file.yml index ba8026ec718..1a10773327b 100644 --- a/rules/windows/file/file_event/file_event_win_new_scr_file.yml +++ b/rules/windows/file/file_event/file_event_win_new_scr_file.yml @@ -5,10 +5,10 @@ description: Detects the creation of screensaver files (.scr) outside of system references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io' -date: 2022/04/27 -modified: 2023/08/23 +date: 2022-04-27 +modified: 2023-08-23 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 logsource: category: file_event diff --git a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml index 4f2b40f7b63..d98038fb1f1 100644 --- a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml @@ -5,8 +5,8 @@ description: Detects creation of new ".dll" files inside the plugins directory o references: - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/10 -modified: 2023/01/05 +date: 2022-06-10 +modified: 2023-01-05 tags: - attack.persistence logsource: 
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml index 2828582d32d..76e0a90a910 100644 --- a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml +++ b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml @@ -5,9 +5,9 @@ description: Detects creation of a file named "ntds.dit" (Active Directory Datab references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/05 +date: 2023-05-05 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.003 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml index 41820e8d21e..40754437b5b 100644 --- a/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml +++ b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml @@ -11,10 +11,10 @@ references: - https://pentestlab.blog/tag/ntds-dit/ - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1 author: Florian Roth (Nextron Systems) -date: 2022/03/11 -modified: 2023/01/05 +date: 2022-03-11 +modified: 2023-01-05 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.003 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml index 6bda3c05c91..109015562a2 100644 --- a/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml +++ b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml 
@@ -9,10 +9,10 @@ references: - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/ - https://adsecurity.org/?p=2398 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2022/01/11 -modified: 2022/07/14 +date: 2022-01-11 +modified: 2022-07-14 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.002 - attack.t1003.003 logsource: diff --git a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml index d33c027ce5a..c82677ba248 100644 --- a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml +++ b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml @@ -7,10 +7,10 @@ references: - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1 - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405 author: Florian Roth (Nextron Systems) -date: 2022/03/11 -modified: 2023/05/05 +date: 2022-03-11 +modified: 2023-05-05 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.003 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml b/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml index c66e4c39797..baa9a77fdef 100644 --- a/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml 
@@ -7,8 +7,8 @@ references: - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md author: NVISO -date: 2020/05/11 -modified: 2023/02/08 +date: 2020-05-11 +modified: 2023-02-08 tags: - attack.persistence - attack.t1137.006 diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml index ab68814cf94..fd9cf1af079 100644 --- a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml @@ -9,9 +9,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/01/23 +date: 2022-01-23 tags: - - attack.initial_access + - attack.initial-access - attack.t1566.001 logsource: category: file_event diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml index 6cbe5139c98..4608d041ff4 100644 --- a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml 
@@ -9,10 +9,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/01/23 -modified: 2023/04/18 +date: 2022-01-23 +modified: 2023-04-18 tags: - - attack.initial_access + - attack.initial-access - attack.t1566.001 logsource: category: file_event diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml index 9012ab806bc..c65e1d494ea 100644 --- a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml @@ -6,10 +6,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference author: frack113, Nasreddine Bencherchali (Nextron Systems) -date: 2022/01/23 -modified: 2023/02/22 +date: 2022-01-23 +modified: 2023-02-22 tags: - - attack.initial_access + - attack.initial-access - attack.t1566.001 logsource: category: file_event diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml index dce7b494af3..993e86e2e79 100644 --- a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml +++ b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml 
@@ -6,10 +6,10 @@ references: - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/ - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/22 -modified: 2023/09/19 +date: 2023-01-22 +modified: 2023-09-19 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml index 00a6521a761..5d5c4dea3bf 100644 --- a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml +++ b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml @@ -10,10 +10,10 @@ references: - https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/ - https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/02/09 -modified: 2023/02/27 +date: 2023-02-09 +modified: 2023-02-27 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml index 6ae6bf4914e..8331239e983 100644 --- a/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml +++ b/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml 
@@ -8,11 +8,11 @@ description: Detects the creation of a macro file for Outlook. references: - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ author: '@ScoubiMtl' -date: 2021/04/05 -modified: 2023/02/08 +date: 2021-04-05 +modified: 2023-02-08 tags: - attack.persistence - - attack.command_and_control + - attack.command-and-control - attack.t1137 - attack.t1008 - attack.t1546 diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml index 2ac2594b717..8f7fcc155ed 100644 --- a/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml +++ b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml @@ -8,8 +8,8 @@ references: - https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form - https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/ author: Tobias Michalski (Nextron Systems) -date: 2021/06/10 -modified: 2023/02/22 +date: 2021-06-10 +modified: 2023-02-22 tags: - attack.persistence - attack.t1137.003 diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml index 80c349fe726..31b2b1cf19a 100644 --- a/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml +++ b/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml @@ -10,10 +10,10 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53 - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/02/08 +date: 2023-02-08 tags: - attack.persistence - - attack.command_and_control + - attack.command-and-control - attack.t1137 - attack.t1008 - attack.t1546 
diff --git a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml index 11ef28ccd3b..726a3c376bf 100644 --- a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml +++ b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml @@ -5,9 +5,9 @@ description: Detects creation of files with the ".pub" extension in suspicious o references: - https://twitter.com/EmericNasi/status/1623224526220804098 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/02/08 +date: 2023-02-08 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml b/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml index 8d413962b75..9ccb76b249f 100644 --- a/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml @@ -6,8 +6,8 @@ references: - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies - https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/02 -modified: 2023/06/22 +date: 2022-06-02 +modified: 2023-06-22 tags: - attack.persistence - attack.t1137 diff --git a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml index de271fcef41..26c7fcbbc03 100644 --- a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml +++ b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml 
@@ -6,8 +6,8 @@ references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) -date: 2021/08/23 -modified: 2023/06/22 +date: 2021-08-23 +modified: 2023-06-22 tags: - attack.t1204.002 - attack.execution diff --git a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml index 2ea9b34532e..7acf3d614fa 100644 --- a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml +++ b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml @@ -8,10 +8,10 @@ references: - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3 - https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions author: frack113, Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/05 -modified: 2023/12/13 +date: 2022-06-05 +modified: 2023-12-13 tags: - - attack.resource_development + - attack.resource-development - attack.t1587.001 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml b/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml index 1cefde763de..85c5eb6a904 100644 --- a/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml +++ b/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml 
@@ -6,8 +6,8 @@ references: - https://twitter.com/rbmaslen/status/1321859647091970051 - https://twitter.com/tifkin_/status/1321916444557365248 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/10/29 -modified: 2022/10/09 +date: 2020-10-29 +modified: 2022-10-09 tags: - attack.execution - attack.t1059 diff --git a/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml index dca8c2bb922..e1c758f21cd 100644 --- a/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml +++ b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml @@ -6,7 +6,7 @@ references: - Internal Research - https://labs.withsecure.com/publications/fin7-target-veeam-servers author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/05 +date: 2023-05-05 tags: - attack.execution - attack.t1059 diff --git a/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml b/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml index 265abe5dac9..821f391085e 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml @@ -5,8 +5,8 @@ description: Detects PowerShell creating a binary executable or a script file. references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution author: frack113, Nasreddine Bencherchali (Nextron Systems) -date: 2023/03/17 -modified: 2023/05/09 +date: 2023-03-17 +modified: 2023-05-09 tags: - attack.persistence logsource: diff --git a/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml b/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml index 6bb60c37901..89aaacc7d23 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml 
+++ b/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml @@ -5,7 +5,7 @@ description: Detects PowerShell creating a PowerShell file (.ps1). While often t references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution author: frack113 -date: 2023/05/09 +date: 2023-05-09 tags: - attack.persistence logsource: diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml index ab1167ac92c..66b18fd9a5c 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml @@ -27,8 +27,8 @@ references: - https://github.com/adrecon/ADRecon - https://github.com/adrecon/AzureADRecon author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein -date: 2018/04/07 -modified: 2024/01/25 +date: 2018-04-07 +modified: 2024-01-25 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml index 98cd38a339d..a808ce7553a 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml @@ -6,7 +6,7 @@ references: - Internal Research - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/09 +date: 2023-05-09 tags: - attack.persistence logsource: diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml index e3ad338f545..f1dd94b1a7b 100644 
--- a/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml @@ -6,7 +6,7 @@ references: - Internal Research - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/09 +date: 2023-05-09 tags: - attack.persistence logsource: diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml index 1495dbf22c1..bef429acffb 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml @@ -6,8 +6,8 @@ references: - Internal Research - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/09 -modified: 2023/10/18 +date: 2023-05-09 +modified: 2023-10-18 tags: - attack.persistence logsource: diff --git a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml index fb01a98a154..a8b62397fbe 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml 
@@ -10,8 +10,8 @@ references: - https://redcanary.com/blog/intelligence-insights-october-2021/ - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder author: Christopher Peacock '@securepeacock', SCYTHE -date: 2021/10/24 -modified: 2023/02/23 +date: 2021-10-24 +modified: 2023-02-23 tags: - attack.persistence - attack.t1547.001 diff --git a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml index 6505f169c5f..7af6c490cad 100644 --- a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml +++ b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml @@ -5,10 +5,10 @@ description: Detects the creation of the "PSScriptPolicyTest" PowerShell script references: - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/06/01 -modified: 2023/12/11 +date: 2023-06-01 +modified: 2023-12-11 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: product: windows category: file_event diff --git a/rules/windows/file/file_event/file_event_win_rclone_config_files.yml b/rules/windows/file/file_event/file_event_win_rclone_config_files.yml index 28abce2a4ef..2465646919d 100644 --- a/rules/windows/file/file_event/file_event_win_rclone_config_files.yml +++ b/rules/windows/file/file_event/file_event_win_rclone_config_files.yml 
@@ -5,8 +5,8 @@ description: Detects Rclone config files being created
 references:
 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 author: Aaron Greetham (@beardofbinary) - NCC Group
-date: 2021/05/26
-modified: 2023/05/09
+date: 2021-05-26
+modified: 2023-05-09
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
index 142f25529da..55ce57aa928 100644
--- a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
@@ -6,9 +6,9 @@ references:
 - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
 - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/18
+date: 2023-04-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
index 1e9b66a504b..afa4893ec73 100644
--- a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
+++ b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
@@ -5,10 +5,10 @@ description: Detects files dropped by Winnti as described in RedMimicry Winnti p
 references:
 - https://redmimicry.com/posts/redmimicry-winnti/#dropper
 author: Alexander Rausch
-date: 2020/06/24
-modified: 2023/01/05
+date: 2020-06-24
+modified: 2023-01-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml b/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
index 424e070fc97..ee665d93975 100644
--- a/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
+++ b/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/08
+date: 2024-07-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_remcom_service.yml b/rules/windows/file/file_event/file_event_win_remcom_service.yml
index 7aee299ace5..d3381932da1 100644
--- a/rules/windows/file/file_event/file_event_win_remcom_service.yml
+++ b/rules/windows/file/file_event/file_event_win_remcom_service.yml
@@ -5,7 +5,7 @@ description: Detects default RemCom service filename which indicates RemCom serv
 references:
 - https://github.com/kavika13/RemCom/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/04
+date: 2023-08-04
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml
index f65d305408b..42b2463acec 100644
--- a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml
@@ -8,9 +8,9 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
 author: frack113
-date: 2022/02/13
+date: 2022-02-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml
index cef1d6a5da2..cfda56f4d67 100644
--- a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml
+++ b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml
@@ -10,7 +10,7 @@ description: |
 references:
 - https://github.com/SigmaHQ/sigma/pull/4467
 author: Ali Alwashali
-date: 2023/10/10
+date: 2023-10-10
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
index 96e93c58d01..e342ee952fd 100644
--- a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
+++ b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
 author: Greg (rule)
-date: 2022/07/21
-modified: 2023/01/05
+date: 2022-07-21
+modified: 2023-01-05
 tags:
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/file/file_event/file_event_win_sam_dump.yml b/rules/windows/file/file_event/file_event_win_sam_dump.yml
index 0f8cc159d22..94d7c14a322 100644
--- a/rules/windows/file/file_event/file_event_win_sam_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_sam_dump.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/HuskyHacks/ShadowSteal
 - https://github.com/FireFart/hivenightmare
 author: Florian Roth (Nextron Systems)
-date: 2022/02/11
-modified: 2023/01/05
+date: 2022-02-11
+modified: 2023-01-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
index b84bc8b2b55..3f6c06274b4 100644
--- a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
@@ -13,9 +13,9 @@ references:
 - https://en.wikipedia.org/wiki/IExpress
 - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/02/05
+date: 2024-02-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
index bf7c085233e..a75146a5055 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
@@ -5,8 +5,8 @@ description: Detects Windows shells and scripting applications that write files
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2021/11/20
-modified: 2023/03/29
+date: 2021-11-20
+modified: 2023-03-29
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
index 549e7d54f84..f568846fae7 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
@@ -8,10 +8,10 @@ description: Detects Windows executables that write files with suspicious extens
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2024/04/15
+date: 2022-08-12
+modified: 2024-04-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
index 4bebae52976..b7a31674b2a 100644
--- a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
+++ b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
@@ -9,8 +9,8 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/12
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2022/10/07
+date: 2020-05-02
+modified: 2022-10-07
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
index 70a12e5a252..e1c77f71794 100644
--- a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
@@ -5,10 +5,10 @@ description: Once executed, colorcpl.exe will copy the arbitrary file to c:\wind
 references:
 - https://twitter.com/eral4m/status/1480468728324231172?s=20
 author: frack113
-date: 2022/01/21
-modified: 2023/01/05
+date: 2022-01-21
+modified: 2023-01-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
index fb060b442fb..ce5a5563961 100644
--- a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
@@ -5,13 +5,13 @@ description: This rule detects suspicious files created by Microsoft Sync Center
 references:
 - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
-date: 2022/04/28
-modified: 2022/06/02
+date: 2022-04-28
+modified: 2022-06-02
 tags:
 - attack.t1055
 - attack.t1218
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml b/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
index dfe23e0156d..b2f55b1e978 100644
--- a/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
@@ -5,10 +5,10 @@ description: Detects the creation of copy of suspicious files (EXE/DLL) to the d
 references:
 - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
-date: 2022/04/28
+date: 2022-04-28
 tags:
 - attack.t1036.005
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
index 25189fd01fc..1f52f96a14e 100755
--- a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
@@ -5,8 +5,8 @@ description: Detects unusual processes accessing desktop.ini, which can be lever
 references:
 - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
 author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
-date: 2020/03/19
-modified: 2022/10/07
+date: 2020-03-19
+modified: 2022-10-07
 tags:
 - attack.persistence
 - attack.t1547.009
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml b/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
index deb9a6d80a5..9d95f7b86ad 100644
--- a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
@@ -5,7 +5,7 @@ description: Ransomware create txt file in the user Desktop
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
 author: frack113
-date: 2021/12/26
+date: 2021-12-26
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml b/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
index 3813a80c33f..f0c261781f5 100644
--- a/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
@@ -6,10 +6,10 @@ references:
 - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
 - https://twitter.com/SBousseaden/status/1278977301745741825
 author: Florian Roth (Nextron Systems)
-date: 2020/07/03
-modified: 2022/06/02
+date: 2020-07-03
+modified: 2022-06-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_diagcab.yml b/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
index 54af6a3d40f..345e074a58c 100644
--- a/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
@@ -5,9 +5,9 @@ description: Detects the creation of diagcab file, which could be caused by some
 references:
 - https://threadreaderapp.com/thread/1533879688141086720.html
 author: frack113
-date: 2022/06/08
+date: 2022-06-08
 tags:
- - attack.resource_development
+ - attack.resource-development
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
index ff9482d3aba..c277ee5d83a 100644
--- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
@@ -14,10 +14,10 @@ references:
 - https://twitter.com/malwrhunterteam/status/1235135745611960321
 - https://twitter.com/luc4m/status/1073181154126254080
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2022/06/19
-modified: 2022/11/07
+date: 2022-06-19
+modified: 2022-11-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.007
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml b/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
index 64e054283fc..25056016f08 100644
--- a/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
@@ -7,7 +7,7 @@ references:
 - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
 - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
 author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/26
+date: 2024-06-26
 tags:
 - attack.t1555
 - attack.t1552.004
diff --git a/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml b/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
index aea283dcfd3..31958dd35fc 100644
--- a/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
@@ -5,9 +5,9 @@ description: Detects suspicious activity in which the MSExchangeMailboxReplicati
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
 author: Florian Roth (Nextron Systems)
-date: 2022/02/25
+date: 2022-02-25
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
index 756cc5f60c8..319abdc113e 100644
--- a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
@@ -8,10 +8,10 @@ references:
 - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
 - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
 author: frack113
-date: 2022/09/05
-modified: 2023/12/11
+date: 2022-09-05
+modified: 2023-12-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
index 43811dc4e2b..762cb5bb474 100644
--- a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
@@ -9,11 +9,11 @@ references:
 - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
 - https://www.joesandbox.com/analysis/465533/0/html
 author: frack113
-date: 2022/04/23
+date: 2022-04-23
 tags:
 - attack.persistence
 - attack.t1546
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
index 9c942db5f6b..e3380dffd59 100644
--- a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
@@ -13,9 +13,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
 author: Scoubi (@ScoubiMtl)
-date: 2023/10/09
+date: 2023-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml
index c54c39906f7..8eadfa49d30 100644
--- a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml
@@ -9,9 +9,9 @@ references:
 - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
 - http://www.irongeek.com/homoglyph-attack-generator.php
 author: Micah Babinski, @micahbabinski
-date: 2023/05/08
+date: 2023-05-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1036.003
 # - attack.t1036.008
diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml
index b46e109ea12..284457d6e5c 100644
--- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml
@@ -5,9 +5,9 @@ description: Detects programs on a Windows system that should not write an archi
 references:
 - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
 author: frack113, Florian Roth
-date: 2022/08/21
+date: 2022-08-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
index 03fc2f92ef7..75ee62d27b1 100644
--- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
@@ -5,10 +5,10 @@ description: Detects programs on a Windows system that should not write executab
 references:
 - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/08/21
-modified: 2023/06/22
+date: 2022-08-21
+modified: 2023-06-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
index 3642c3a83e1..2dcdbb8a857 100644
--- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
@@ -5,10 +5,10 @@ description: Detects programs on a Windows system that should not write scripts
 references:
 - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/08/21
-modified: 2023/06/22
+date: 2022-08-21
+modified: 2023-06-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
index a70fa7bfbb6..496898d7ff8 100644
--- a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
@@ -13,10 +13,10 @@ references:
 - https://twitter.com/malwrhunterteam/status/1235135745611960321
 - https://twitter.com/luc4m/status/1073181154126254080
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2022/11/07
-modified: 2023/10/18
+date: 2022-11-07
+modified: 2023-10-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.007
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml b/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
index 986e75981c9..8c07d9df094 100644
--- a/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/14
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2022/07/07
+date: 2020-05-02
+modified: 2022-07-07
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
index a6960507e7d..2d6af15fe07 100644
--- a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
@@ -6,11 +6,11 @@ references:
 - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
 - https://persistence-info.github.io/Data/powershellprofile.html
 author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/24
-modified: 2023/10/23
+date: 2019-10-24
+modified: 2023-10-23
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.013
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
index 326fdddf772..c2d2d3e83b8 100755
--- a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
-date: 2019/04/08
-modified: 2022/11/22
+date: 2019-04-08
+modified: 2022-11-22
 tags:
 - attack.t1562.001
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
index 2e279f53348..7824a5de1ca 100644
--- a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
@@ -9,11 +9,11 @@ references:
 - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
 - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
 author: X__Junior (Nextron Systems)
-date: 2023/07/12
-modified: 2023/12/11
+date: 2023-07-12
+modified: 2023-12-11
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
index 266eef10295..2c7fb65699d 100644
--- a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
@@ -5,9 +5,9 @@ description: Detects the creation of suspcious binary files inside the "\windows
 references:
 - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/28
+date: 2022-07-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
index 67b11b2ea71..b0a345cb259 100644
--- a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
@@ -8,8 +8,8 @@ description: Detects when a file with a suspicious extension is created in the s
 references:
 - https://github.com/last-byte/PersistenceSniper
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/10
-modified: 2023/01/06
+date: 2022-08-10
+modified: 2023-01-06
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
index 78de8ee6266..b08d13a1978 100644
--- a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
@@ -5,8 +5,8 @@ description: Detects the creation of files that indicator an interactive use of
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
 author: Florian Roth (Nextron Systems)
-date: 2021/12/07
-modified: 2022/08/13
+date: 2021-12-07
+modified: 2022-08-13
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/file/file_event/file_event_win_susp_task_write.yml b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
index d85c1b0d9e4..ac377be2935 100644
--- a/rules/windows/file/file_event/file_event_win_susp_task_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
@@ -5,8 +5,8 @@ description: Detects the creation of tasks from processes executed from suspicio
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2021/11/16
-modified: 2022/01/12
+date: 2021-11-16
+modified: 2022-01-12
 tags:
 - attack.persistence
 - attack.execution
diff --git a/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml b/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
index 7be47551bc6..3206efcd71a 100644
--- a/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
@@ -5,9 +5,9 @@ description: Detects the creation of log files during a TeamViewer remote sessio
 references:
 - https://www.teamviewer.com/en-us/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/30
+date: 2022-01-30
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
index ad2d7b3910a..04ce7421d4d 100644
--- a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
@@ -8,11 +8,11 @@ description: Detects the creation or modification of a vscode related powershell
 references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/24
-modified: 2023/01/06
+date: 2022-08-24
+modified: 2023-01-06
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.013
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml
index 25dcc3ed117..d633343a48b 100644
--- a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
 - https://twitter.com/nas_bench/status/1550836225652686848
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/22
+date: 2023-07-22
 tags:
 - attack.persistence
 - attack.t1547.015
diff --git a/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml b/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
index 3f54ec7bde7..34430131cce 100644
--- a/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
@@ -8,7 +8,7 @@ description: Detects the creation of binaries in the WinSxS folder by non-system
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/11
+date: 2023-05-11
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
index 7c1a3ac1e2e..353b2c5409d 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a file that has the same name as the defaul
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/16
+date: 2023-05-16
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml
index 9a405099da1..01ffd9778b9 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml
@@ -5,10 +5,10 @@ description: Detects the creation of the LiveKD driver, which is used for live k
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/16
+date: 2023-05-16
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
index e997ad9c53a..e37be4917c8 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
@@ -8,10 +8,10 @@ description: Detects the creation of the LiveKD driver by a process image other
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/16
+date: 2023-05-16
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml
index 60e2e7816a3..9fc433bbfcf 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml
@@ -10,10 +10,10 @@ references:
 - https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
 - https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
 author: Florian Roth (Nextron Systems)
-date: 2023/05/05
+date: 2023-05-05
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml
index 8feed78794e..48a834cef7f 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml
@@ -5,10 +5,10 @@ description: Detects creation of the Process Monitor driver by processes other t
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/05
+date: 2023-05-05
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
index 70adaaad444..0ec3dfec3f2 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
@@ -9,8 +9,8 @@ references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
-date: 2017/06/12
-modified: 2022/10/26
+date: 2017-06-12
+modified: 2022-10-26
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml
index 32facdcd8bd..f901ecaddad 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml
@@ -6,11 +6,11 @@ references:
 - https://aboutdfir.com/the-key-to-identify-psexec/
 - https://twitter.com/davisrichardg/status/1616518800584704028
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/21
-modified: 2023/02/23
+date: 2023-01-21
+modified: 2023-02-23
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1136.002
diff --git a/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
index 3d72231bf21..1516644dd7c 100644
--- a/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
+++ b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/binderlabs/DirCreate2System
 - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
 author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
-date: 2022/12/16
-modified: 2022/12/19
+date: 2022-12-16
+modified: 2022-12-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
index 0fbc2c3c9a0..dd73e1b6929 100644
--- a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
@@ -3,11 +3,11 @@ id: 69ca12af-119d-44ed-b50f-a47af0ebc364
 status: experimental
 description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
 author: Swachchhanda Shrawan Poudel
-date: 2023/10/19
+date: 2023-10-19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
index 7c28e374434..42bda88b129 100755
--- a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
+++ b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
@@ -5,10 +5,10 @@ description: Detects the usage of tsclient share to place a backdoor on the RDP
 author: Samir Bousseaden
 references:
 - Internal Research
-date: 2019/02/21
-modified: 2021/11/27
+date: 2019-02-21
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml
index 39aaedb0358..0e8445a1214 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dl
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
index 2253e434ebd..fe49cca4c1d 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
index 573219361a5..06269ac80a3 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
@@ -7,11 +7,11 @@ references:
 - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
 - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
 author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
-date: 2022/04/27
-modified: 2022/11/22
+date: 2022-04-27
+modified: 2022-11-22
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
index d243bfd64a0..71c0c8144c6 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a file by "dllhost.exe" in System32 directo
 references:
 - https://github.com/Wh04m1001/IDiagnosticProfileUAC
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/03
+date: 2022-07-03
 tags:
 - attack.execution
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml
index 261a391c022..b78dbe3a44b 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml
index 7c002dee7e2..f6377bb2820 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
index 842b6ed0e75..79aef3db6e3 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml
index eb3cc9a6e9f..dbed70ecdea 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a path parsing issue in win
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml
index cb58da9fa06..17f08dd10f5 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using Windows Media Player osksup
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml b/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml
index 81a99698526..583a4be64f9 100644
--- a/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml
+++ b/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml
@@ -9,10 +9,10 @@ references:
 - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
 - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
 author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-date: 2021/10/25
-modified: 2023/05/05
+date: 2021-10-25
+modified: 2023-05-05
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml b/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml
index 99ade0380b0..b514ffe6d52 100644
--- a/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml
+++ b/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml b/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml
index 5bd3aeeb692..ceba72ef558 100644
--- a/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml
+++ b/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://ipfyx.fr/post/visual-studio-code-tunnel/
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml
index 37bf4288b28..ecbe9131412 100755
--- a/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml
+++ b/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml
@@ -6,8 +6,8 @@ references:
 - PT ESC rule and personal experience
 - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
 author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
-date: 2019/10/22
-modified: 2023/10/15
+date: 2019-10-22
+modified: 2023-10-15
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
index fe80eca4388..b36b0b47bec 100644
--- a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
@@ -5,10 +5,10 @@ description: Detects WerFault copoed to a suspicious folder, which could be a si
 references:
 - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
 author: frack113
-date: 2022/05/09
+date: 2022-05-09
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.001
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
index a6d2cf763fc..92562c9c03c 100644
--- a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
+++ b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
@@ -8,10 +8,10 @@ description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl v
 references:
 - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
 author: Julia Fomina, oscd.community
-date: 2020/10/06
-modified: 2022/11/28
+date: 2020-10-06
+modified: 2022-11-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
index a3bc9e87523..ca9c5ded3fe 100755
--- a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
@@ -5,8 +5,8 @@ description: Detects file writes of WMI script event consumer
 references:
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Thomas Patzke
-date: 2018/03/07
-modified: 2021/11/27
+date: 2018-03-07
+modified: 2021-11-27
 tags:
 - attack.t1546.003
 - attack.persistence
diff --git a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
index 3da63d7b03e..a7c4f5a4175 100644
--- a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
+++ b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
@@ -6,10 +6,10 @@ references:
 - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
 - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/02
-modified: 2023/03/08
+date: 2022-06-02
+modified: 2023-03-08
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1047
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
index ef8135a39f0..8366dbb92d9 100644
--- a/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
@@ -5,12 +5,12 @@ description: Detects a threat actor creating a file named `wbemcomn.dll` in the
 references:
 - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-modified: 2022/12/02
+date: 2020-10-12
+modified: 2022-12-02
 tags:
 - attack.execution
 - attack.t1047
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
index 12eb069723a..4386c5a9fae 100644
--- a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
@@ -6,10 +6,10 @@ references:
 - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
 - https://persistence-info.github.io/Data/wpbbin.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/18
+date: 2022-07-18
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1542.001
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
index 5925d660993..009f3dae58d 100644
--- a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
+++ b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
 author: frack113
-date: 2022/01/01
-modified: 2022/08/13
+date: 2022-01-01
+modified: 2022-08-13
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1546.002
 logsource:
 product: windows
diff --git a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
index 121cf8c6f1f..4fa27be5355 100644
--- a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
+++ b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
@@ -14,9 +14,9 @@ references:
 - https://en.wikipedia.org/wiki/IExpress
 - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/02/05
+date: 2024-02-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml
index b1b6e9a28dc..b9e8dc70d11 100644
--- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml
+++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml
@@ -6,8 +6,8 @@ references:
 - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
 - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
 author: frack113
-date: 2022/07/16
-modified: 2023/11/11
+date: 2022-07-16
+modified: 2023-11-11
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml b/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml
index d29daeb85cb..4e29957bd47 100644
--- a/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml
+++ b/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml
@@ -5,10 +5,10 @@ description: Detects cmstp loading "dll" or "ocx" files from suspicious location
 references:
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/30
-modified: 2023/02/17
+date: 2022-08-30
+modified: 2023-02-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.003
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml
index b8bb326b611..c86897f5b3d 100644
--- a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml
+++ b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml
@@ -6,10 +6,10 @@ references:
 - Internal Research
 - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/01
-modified: 2023/09/20
+date: 2023-06-01
+modified: 2023-09-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: image_load
 product: windows
diff --git a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
index 6f55aa71c6a..7e744da202d 100644
--- a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
+++ b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
 author: Den Iuzvyk
-date: 2020/07/15
-modified: 2023/04/18
+date: 2020-07-15
+modified: 2023-04-18
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.002
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml b/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
index 9449d14fcb9..7dc49b707ff 100644
--- a/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
+++ b/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
@@ -5,11 +5,11 @@ description: Detects rundll32 loading a renamed comsvcs.dll to dump process memo
 references:
 - https://twitter.com/sbousseaden/status/1555200155351228419
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
-modified: 2023/02/17
+date: 2022-08-14
+modified: 2023-02-17
 tags:
- - attack.credential_access
- - attack.defense_evasion
+ - attack.credential-access
+ - attack.defense-evasion
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml
index 2ca18ef36de..63719049874 100644
--- a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml
+++ b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml
@@ -8,10 +8,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
 - https://github.com/S12cybersecurity/RDPCredentialStealer
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/20
-modified: 2023/07/28
+date: 2020-10-20
+modified: 2023-07-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.collection
 - attack.t1056.002
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml b/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml
index d547f1666ce..6f0e202d3b7 100644
--- a/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml
+++ b/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml
@@ -13,10 +13,10 @@ references:
 - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
 - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
 author: Perez Diego (@darkquassar), oscd.community, Ecco
-date: 2019/10/27
-modified: 2022/12/09
+date: 2019-10-27
+modified: 2022-12-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml b/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml
index 8a5b65ec0d0..8f47fc7ccb2 100644
--- a/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml
+++ b/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/rbmaslen/status/1321859647091970051
 - https://twitter.com/tifkin_/status/1321916444557365248
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/29
-modified: 2022/10/09
+date: 2020-10-29
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
index ad640f5bc42..57b56ee490d 100644
--- a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
+++ b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
@@ -14,10 +14,10 @@ references:
 - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
 - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
 author: Luc Génaux
-date: 2023/11/28
+date: 2023-11-28
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1486
 - attack.t1562.001
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
index 62b11f22489..87094ee6545 100644
--- a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
+++ b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
@@ -14,10 +14,10 @@ references:
 - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
 - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
 author: Luc Génaux
-date: 2023/11/28
+date: 2023-11-28
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1486
 - attack.t1562.001
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml b/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml
index 57031a4c98b..6b550b274ca 100644
--- a/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml
+++ b/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml
@@ -5,12 +5,12 @@ description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilitie
 references:
 - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
 author: Greg (rule)
-date: 2022/06/17
-modified: 2023/02/17
+date: 2022-06-17
+modified: 2023-02-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
- - cve.2022.30190
+ - cve.2022-30190
 logsource:
 category: image_load
 product: windows
diff --git a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
index f1af8ce06f0..d00f02f6fb4 100644
--- a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
@@ -2,9 +2,9 @@ title: PowerShell Core DLL Loaded By Non PowerShell Process
 id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
 related:
 - id: 867613fb-fa60-4497-a017-a82df74a172c
- type: obsoletes
+ type: obsolete
 - id: fe6e002f-f244-4278-9263-20e4b593827f
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
@@ -13,8 +13,8 @@ references:
 - https://adsecurity.org/?p=2921
 - https://github.com/p3nt4/PowerShdll
 author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/11/14
-modified: 2024/01/17
+date: 2019-11-14
+modified: 2024-01-17
 tags:
 - attack.t1059.001
 - attack.execution
diff --git a/rules/windows/image_load/image_load_dll_tttracer_module_load.yml b/rules/windows/image_load/image_load_dll_tttracer_module_load.yml
index a6f3981b7c6..b915e2ee9e0 100644
--- a/rules/windows/image_load/image_load_dll_tttracer_module_load.yml
+++ b/rules/windows/image_load/image_load_dll_tttracer_module_load.yml
@@ -7,11 +7,11 @@ references:
 - https://twitter.com/mattifestation/status/1196390321783025666
 - https://twitter.com/oulusoyum/status/1191329746069655553
 author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
-date: 2020/10/06
-modified: 2022/12/02
+date: 2020-10-06
+modified: 2022-12-02
 tags:
- - attack.defense_evasion
- - attack.credential_access
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.t1218
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
index 2616ddd6d5b..2234e2a9c2b 100644
--- a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
@@ -11,10 +11,10 @@ references:
 - https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add
 - https://twitter.com/am0nsec/status/1412232114980982787
 author: Markus Neis, @markus_neis
-date: 2021/07/07
-modified: 2024/03/28
+date: 2021-07-07
+modified: 2024-03-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1490
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml
index 55b5afe0df1..6e51dafd670 100644
--- a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml
@@ -10,10 +10,10 @@ description: Detects the image load of VSS DLL by uncommon executables
 references:
 - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
-date: 2022/10/31
-modified: 2023/05/03
+date: 2022-10-31
+modified: 2023-05-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1490
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
index 00b1114d2bc..3afd9ff24ce 100644
--- a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
@@ -10,10 +10,10 @@ description: Detects the image load of VSS DLL by uncommon executables
 references:
 - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
-date: 2023/02/17
-modified: 2023/03/28
+date: 2023-02-17
+modified: 2023-03-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1490
 logsource:
diff --git a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
index 82bb13b6805..c105113960b 100644
--- a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
+++ b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
@@ -8,10 +8,10 @@ description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHoo
 references:
 - https://github.com/bats3c/EvtMute
 author: Florian Roth (Nextron Systems)
-date: 2022/09/07
-modified: 2023/02/17
+date: 2022-09-07
+modified: 2023-02-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml b/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml
index 6ffdc39357e..23b883130a9 100644
--- a/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml
+++ b/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml
@@ -8,10 +8,10 @@ description: Detects SILENTTRINITY stager dll loading activity
 references:
 - https://github.com/byt3bl33d3r/SILENTTRINITY
 author: Aleksey Potapov, oscd.community
-date: 2019/10/22
-modified: 2023/02/17
+date: 2019-10-22
+modified: 2023-02-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml b/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml
index 40dc3a5b32b..699a29ef17e 100644
--- a/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml
+++ b/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml
@@ -2,7 +2,7 @@ title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
 id: f354eba5-623b-450f-b073-0b5b2773b6aa
 related:
 - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
- type: obsoletes
+ type: obsolete
 - id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
 type: similar
 status: test
@@ -10,10 +10,10 @@ description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM In
 references:
 - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
-date: 2020/10/12
-modified: 2022/12/18
+date: 2020-10-12
+modified: 2022-12-18
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1021.003
 logsource:
diff --git a/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml b/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml
index 41e5508b069..848b25dc177 100644
--- a/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml
+++ b/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml
@@ -5,10 +5,10 @@ description: Loading unsigned image (DLL, EXE) into LSASS process
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2021/11/27
+date: 2019-10-22
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml
index d8bd720c2db..d1a59a015e4 100644
--- a/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml
@@ -5,8 +5,8 @@ description: Detects any assembly DLL being loaded by an Office Product
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/03/29
+date: 2020-02-19
+modified: 2023-03-29
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml
index c4146d882dc..b87d418048a 100644
--- a/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml
@@ -5,8 +5,8 @@ description: Detects CLR DLL being loaded by an Office Product
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/03/29
+date: 2020-02-19
+modified: 2023-03-29
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml
index 609e80c54a9..88adfb4e1f2 100644
--- a/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml
@@ -5,8 +5,8 @@ description: Detects any GAC DLL being loaded by an Office Product
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/02/10
+date: 2020-02-19
+modified: 2023-02-10
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_dsparse_dll_load.yml b/rules/windows/image_load/image_load_office_dsparse_dll_load.yml
index a856ebb601f..de679c38dc0 100644
--- a/rules/windows/image_load/image_load_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dsparse_dll_load.yml
@@ -5,8 +5,8 @@ description: Detects DSParse DLL being loaded by an Office Product
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/03/28
+date: 2020-02-19
+modified: 2023-03-28
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml b/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml
index 148d0e35407..454bc4afaa3 100644
--- a/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml
+++ b/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml
@@ -9,7 +9,7 @@ references:
 - https://www.mandiant.com/resources/blog/lnk-between-browsers
 - https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/12
+date: 2023-05-12
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_kerberos_dll_load.yml b/rules/windows/image_load/image_load_office_kerberos_dll_load.yml
index 76a84462649..84477d43c7b 100644
--- a/rules/windows/image_load/image_load_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_kerberos_dll_load.yml
@@ -5,8 +5,8 @@ description: Detects Kerberos DLL being loaded by an Office Product
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/03/28
+date: 2020-02-19
+modified: 2023-03-28
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml b/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml
index 5baba0a40a9..1b4d4a53583 100644
--- a/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml
+++ b/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml
@@ -5,8 +5,8 @@ description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/08
-modified: 2024/03/12
+date: 2023-02-08
+modified: 2024-03-12
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_powershell_dll_load.yml b/rules/windows/image_load/image_load_office_powershell_dll_load.yml
index 3c2235cb8ad..dc079ebdf6f 100644
--- a/rules/windows/image_load/image_load_office_powershell_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_powershell_dll_load.yml
@@ -5,9 +5,9 @@ description: Detects PowerShell core DLL being loaded by an Office Product
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/01
+date: 2023-06-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: image_load
 product: windows
diff --git a/rules/windows/image_load/image_load_office_vbadll_load.yml b/rules/windows/image_load/image_load_office_vbadll_load.yml
index 79f9f7a336e..f0c5f557312 100644
--- a/rules/windows/image_load/image_load_office_vbadll_load.yml
+++ b/rules/windows/image_load/image_load_office_vbadll_load.yml
@@ -5,8 +5,8 @@ description: Detects VB DLL's loaded by an office application. Which could indic
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/02/10
+date: 2020-02-19
+modified: 2023-02-10
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_rundll32_remote_share_load.yml b/rules/windows/image_load/image_load_rundll32_remote_share_load.yml
index e93b5aac5db..9baad06a019 100644
--- a/rules/windows/image_load/image_load_rundll32_remote_share_load.yml
+++ b/rules/windows/image_load/image_load_rundll32_remote_share_load.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/gabe-k/themebleed
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/18
+date: 2023-09-18
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml b/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml
index dcccdb92636..071f91318a5 100644
--- a/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml
+++ b/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml
@@ -7,11 +7,11 @@ references:
 - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
 - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/09/02
-modified: 2023/02/22
+date: 2020-09-02
+modified: 2023-02-22
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.003
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_7za.yml b/rules/windows/image_load/image_load_side_load_7za.yml
index 739d1f9cfa9..4faf84a0dd5 100644
--- a/rules/windows/image_load/image_load_side_load_7za.yml
+++ b/rules/windows/image_load/image_load_side_load_7za.yml
@@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of "7za.dll"
 references:
 - https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d
 author: X__Junior
-date: 2023/06/09
+date: 2023-06-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
index e9fcc62a14a..a2f892cc0c4 100644
--- a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
+++ b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
@@ -6,7 +6,7 @@ references:
 - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
 - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
 author: X__Junior (Nextron Systems)
-date: 2023/07/11
+date: 2023-07-11
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml
index b5b3a05f458..15226359ef4 100644
--- a/rules/windows/image_load/image_load_side_load_antivirus.yml
+++ b/rules/windows/image_load/image_load_side_load_antivirus.yml
@@ -5,12 +5,12 @@ description: Detects potential DLL sideloading of DLLs that are part of antiviru
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-date: 2022/08/17
-modified: 2023/03/13
+date: 2022-08-17
+modified: 2023-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_appverifui.yml b/rules/windows/image_load/image_load_side_load_appverifui.yml
index 43932ba19da..b87a29a9575 100644
--- a/rules/windows/image_load/image_load_side_load_appverifui.yml
+++ b/rules/windows/image_load/image_load_side_load_appverifui.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "appverifUI.dll"
 references:
 - https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
 author: X__Junior (Nextron Systems)
-date: 2023/06/20
+date: 2023-06-20
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
index 0cc29e9717f..f1def71c499 100644
--- a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
+++ b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading activity via the Aruba Networks V
 references:
 - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/22
-modified: 2023/03/15
+date: 2023-01-22
+modified: 2023-03-15
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1574.001
 - attack.t1574.002
diff --git a/rules/windows/image_load/image_load_side_load_avkkid.yml b/rules/windows/image_load/image_load_side_load_avkkid.yml
index 34f5dcc903e..346b5183393 100644
--- a/rules/windows/image_load/image_load_side_load_avkkid.yml
+++ b/rules/windows/image_load/image_load_side_load_avkkid.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "AVKkid.dll"
 references:
 - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
 author: X__Junior (Nextron Systems)
-date: 2023/08/03
+date: 2023-08-03
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml
index aa4e08c8301..a5176e11898 100644
--- a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml
+++ b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml
@@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of "CCleanerDU.dll"
 references:
 - https://lab52.io/blog/2344-2/
 author: X__Junior (Nextron Systems)
-date: 2023/07/13
+date: 2023-07-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
index eac6adb4aee..ded2e6d5f42 100644
--- a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
+++ b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
@@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
 references:
 - https://lab52.io/blog/2344-2/
 author: X__Junior
-date: 2023/07/13
+date: 2023-07-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml
index 29a3c5e73eb..20339c6b009 100644
--- a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml
+++ b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml
@@ -5,12 +5,12 @@ description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
 references:
 - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-date: 2022/08/17
-modified: 2023/05/15
+date: 2022-08-17
+modified: 2023-05-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml
index 83cd1887958..11632562c8f 100644
--- a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml
+++ b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml
@@ -6,11 +6,11 @@ references:
 - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
 - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
 author: frack113
-date: 2022/12/13
+date: 2022-12-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_comctl32.yml b/rules/windows/image_load/image_load_side_load_comctl32.yml
index 49127775f16..9a1b0163824 100644
--- a/rules/windows/image_load/image_load_side_load_comctl32.yml
+++ b/rules/windows/image_load/image_load_side_load_comctl32.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/binderlabs/DirCreate2System
 - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
 author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
-date: 2022/12/16
-modified: 2022/12/19
+date: 2022-12-16
+modified: 2022-12-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_coregen.yml b/rules/windows/image_load/image_load_side_load_coregen.yml
index 454209dd137..dca2161600f 100644
--- a/rules/windows/image_load/image_load_side_load_coregen.yml
+++ b/rules/windows/image_load/image_load_side_load_coregen.yml
@@ -5,9 +5,9 @@ description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image G
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
 author: frack113
-date: 2022/12/31
+date: 2022-12-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1055
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
index f39e67c66f1..d5423eff0f1 100644
--- a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
@@ -6,9 +6,9 @@ references:
 - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
 - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
 author: Anish Bogati
-date: 2024/01/09
+date: 2024-01-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_side_load_dbgcore.yml b/rules/windows/image_load/image_load_side_load_dbgcore.yml
index c2f9fd7c7ea..bcdcc72dc61 100644
--- a/rules/windows/image_load/image_load_side_load_dbgcore.yml
+++ b/rules/windows/image_load/image_load_side_load_dbgcore.yml
@@ -5,12 +5,12 @@ description: Detects DLL sideloading of "dbgcore.dll"
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-date: 2022/10/25
-modified: 2023/05/05
+date: 2022-10-25
+modified: 2023-05-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_dbghelp.yml b/rules/windows/image_load/image_load_side_load_dbghelp.yml
index 9857aa7b51e..d807b4d56ac 100644
--- a/rules/windows/image_load/image_load_side_load_dbghelp.yml
+++ b/rules/windows/image_load/image_load_side_load_dbghelp.yml
@@ -5,12 +5,12 @@ description: Detects potential DLL sideloading of "dbghelp.dll"
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-date: 2022/10/25
-modified: 2023/05/05
+date: 2022-10-25
+modified: 2023-05-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_dbgmodel.yml b/rules/windows/image_load/image_load_side_load_dbgmodel.yml
index 6b772ead8d7..0f2e3ed3cc7 100644
--- a/rules/windows/image_load/image_load_side_load_dbgmodel.yml
+++ b/rules/windows/image_load/image_load_side_load_dbgmodel.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "DbgModel.dll"
 references:
 - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
 author: Gary Lobermier
-date: 2024/07/11
-modified: 2024/08/06
+date: 2024-07-11
+modified: 2024-07-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
@@ -27,8 +27,6 @@ detection:
 ImageLoaded|startswith:
 - 'C:\Program Files (x86)\Windows Kits\'
 - 'C:\Program Files\Windows Kits\'
- filter_optional_dell_instrumentation:
- ImageLoaded|startswith: 'C:\Program Files\Dell\DTP\InstrumentationSubAgent\'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Legitimate applications loading their own versions of the DLL mentioned in this rule
diff --git a/rules/windows/image_load/image_load_side_load_eacore.yml b/rules/windows/image_load/image_load_side_load_eacore.yml
index 876836a5d49..9314e7fae18 100644
--- a/rules/windows/image_load/image_load_side_load_eacore.yml
+++ b/rules/windows/image_load/image_load_side_load_eacore.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "EACore.dll"
 references:
 - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
 author: X__Junior (Nextron Systems)
-date: 2023/08/03
+date: 2023-08-03
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_edputil.yml b/rules/windows/image_load/image_load_side_load_edputil.yml
index 68731a236bc..a19fcf60c42 100644
--- a/rules/windows/image_load/image_load_side_load_edputil.yml
+++ b/rules/windows/image_load/image_load_side_load_edputil.yml
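Review bot: In image_load_side_load_dbgmodel.yml the `modified` value moves backwards, from the previous 2024/08/06 to `modified: 2024-07-22`, in the same commit that changes the rule's detection logic by dropping `filter_optional_dell_instrumentation`; a logic change should carry a `modified` no earlier than the value it replaces, which suggests this hunk was rebased onto an older state of the rule. Removing that filter also leaves `condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*` referring to a `filter_optional_*` wildcard that, unless another filter_optional_ selection survives outside this hunk, now matches nothing; either keep the filter or trim the condition to `condition: selection and not 1 of filter_main_*`. If the removal is intentional, the Dell InstrumentationSubAgent loads it previously tolerated will now alert, and the `falsepositives` entry should mention that. The detection block starts outside the hunk.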
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "edputil.dll" references: - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/ author: X__Junior (Nextron Systems) -date: 2023/06/09 +date: 2023-06-09 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 3c8aec1b3ad..925ca00288b 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -9,12 +9,12 @@ references: - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex) - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/14 -modified: 2024/07/11 +date: 2022-08-14 +modified: 2024-07-11 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_goopdate.yml b/rules/windows/image_load/image_load_side_load_goopdate.yml index 9552d33e125..42e49f6e1cd 100644 --- a/rules/windows/image_load/image_load_side_load_goopdate.yml +++ b/rules/windows/image_load/image_load_side_load_goopdate.yml 
@@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/15 -modified: 2023/05/20 +date: 2023-05-15 +modified: 2023-05-20 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml index dbeeef9cdc0..834dd848ed5 100644 --- a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml +++ b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml @@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/05 +date: 2023-05-05 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_iviewers.yml b/rules/windows/image_load/image_load_side_load_iviewers.yml index 15b734624fe..859d20d33f3 100644 --- a/rules/windows/image_load/image_load_side_load_iviewers.yml +++ b/rules/windows/image_load/image_load_side_load_iviewers.yml 
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object references: - https://www.secureworks.com/research/shadowpad-malware-analysis author: X__Junior (Nextron Systems) -date: 2023/03/21 +date: 2023-03-21 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_jsschhlp.yml b/rules/windows/image_load/image_load_side_load_jsschhlp.yml index 3137b1d31ec..7872dcc9e07 100644 --- a/rules/windows/image_load/image_load_side_load_jsschhlp.yml +++ b/rules/windows/image_load/image_load_side_load_jsschhlp.yml @@ -6,11 +6,11 @@ references: - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/ - http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp author: frack113 -date: 2022/12/14 +date: 2022-12-14 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_keyscrambler.yml b/rules/windows/image_load/image_load_side_load_keyscrambler.yml index 9b7edcbd4d1..b197ad7f42d 100644 --- a/rules/windows/image_load/image_load_side_load_keyscrambler.yml +++ b/rules/windows/image_load/image_load_side_load_keyscrambler.yml @@ -14,10 +14,10 @@ references: - https://twitter.com/Max_Mal_/status/1775222576639291859 - https://twitter.com/DTCERT/status/1712785426895839339 author: Swachchhanda Shrawan Poudel -date: 2024/04/15 +date: 2024-04-15 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: 
diff --git a/rules/windows/image_load/image_load_side_load_libvlc.yml b/rules/windows/image_load/image_load_side_load_libvlc.yml index e2c12979a55..ee3b425c378 100644 --- a/rules/windows/image_load/image_load_side_load_libvlc.yml +++ b/rules/windows/image_load/image_load_side_load_libvlc.yml @@ -6,11 +6,11 @@ references: - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html - https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html author: X__Junior -date: 2023/04/17 +date: 2023-04-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_mfdetours.yml b/rules/windows/image_load/image_load_side_load_mfdetours.yml index 671b016a52d..fa986098ed5 100644 --- a/rules/windows/image_load/image_load_side_load_mfdetours.yml +++ b/rules/windows/image_load/image_load_side_load_mfdetours.yml @@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "mfdetours.dll". While using " references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/08/03 +date: 2023-08-03 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml index fd2fb734c0d..660c57b4997 100644 --- a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml +++ b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml 
@@ -8,10 +8,10 @@ description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mft references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/08/11 +date: 2023-08-11 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_mpsvc.yml b/rules/windows/image_load/image_load_side_load_mpsvc.yml index 5f092c94c79..32c21d88b3b 100644 --- a/rules/windows/image_load/image_load_side_load_mpsvc.yml +++ b/rules/windows/image_load/image_load_side_load_mpsvc.yml @@ -5,9 +5,9 @@ description: Detects potential DLL sideloading of "MpSvc.dll". references: - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema -date: 2024/07/11 +date: 2024-07-11 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.002 logsource: product: windows diff --git a/rules/windows/image_load/image_load_side_load_mscorsvc.yml b/rules/windows/image_load/image_load_side_load_mscorsvc.yml index 7ac8b8ee63b..f42eabb62e6 100644 --- a/rules/windows/image_load/image_load_side_load_mscorsvc.yml +++ b/rules/windows/image_load/image_load_side_load_mscorsvc.yml @@ -5,9 +5,9 @@ description: Detects potential DLL sideloading of "mscorsvc.dll". references: - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html author: Wietze Beukema -date: 2024/07/11 +date: 2024-07-11 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.002 logsource: product: windows diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml index 13fa3f4902d..4377162937e 100644 --- a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml 
+++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml @@ -4,7 +4,7 @@ related: - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule type: similar - id: 602a1f13-c640-4d73-b053-be9a2fa58b77 - type: obsoletes + type: obsolete status: test description: | Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). @@ -17,12 +17,12 @@ references: - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html author: Nasreddine Bencherchali (Nextron Systems), SBousseaden -date: 2022/12/09 -modified: 2024/01/10 +date: 2022-12-09 +modified: 2024-01-10 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_office_dlls.yml b/rules/windows/image_load/image_load_side_load_office_dlls.yml index 494e9718fce..433fe897c48 100644 --- a/rules/windows/image_load/image_load_side_load_office_dlls.yml +++ b/rules/windows/image_load/image_load_side_load_office_dlls.yml @@ -5,12 +5,12 @@ description: Detects DLL sideloading of DLLs that are part of Microsoft Office f references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -date: 2022/08/17 -modified: 2023/03/15 +date: 2022-08-17 +modified: 2023-03-15 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_rcdll.yml b/rules/windows/image_load/image_load_side_load_rcdll.yml index c7cd048a15a..18fe5ab030f 100644 
--- a/rules/windows/image_load/image_load_side_load_rcdll.yml +++ b/rules/windows/image_load/image_load_side_load_rcdll.yml @@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of rcdll.dll references: - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html author: X__Junior (Nextron Systems) -date: 2023/03/13 -modified: 2023/03/15 +date: 2023-03-13 +modified: 2023-03-15 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml index 031f8a2564c..82a8348a9d2 100644 --- a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml +++ b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml @@ -5,10 +5,10 @@ description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.ex references: - https://twitter.com/0gtweet/status/1666716511988330499 author: X__Junior (Nextron Systems) -date: 2023/06/09 +date: 2023-06-09 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml index 9736f91c35f..62ee11ef89a 100644 --- a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml +++ b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml 
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemRe references: - https://twitter.com/0gtweet/status/1666716511988330499 author: X__Junior (Nextron Systems) -date: 2023/06/09 +date: 2023-06-09 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_robform.yml b/rules/windows/image_load/image_load_side_load_robform.yml index 59ae90ce250..cb21de68c9f 100644 --- a/rules/windows/image_load/image_load_side_load_robform.yml +++ b/rules/windows/image_load/image_load_side_load_robform.yml @@ -7,10 +7,10 @@ references: - https://twitter.com/t3ft3lb/status/1656194831830401024 - https://www.roboform.com/ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/14 +date: 2023-05-14 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml b/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml index 0c9ae6115aa..68dc08a1cb8 100644 --- a/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml +++ b/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml @@ -11,11 +11,11 @@ references: - https://mobile.twitter.com/0gtweet/status/1564131230941122561 - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/12/01 +date: 2022-12-01 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: 
diff --git a/rules/windows/image_load/image_load_side_load_shelldispatch.yml b/rules/windows/image_load/image_load_side_load_shelldispatch.yml index 2893eaa8ece..c876bcecd73 100644 --- a/rules/windows/image_load/image_load_side_load_shelldispatch.yml +++ b/rules/windows/image_load/image_load_side_load_shelldispatch.yml @@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "ShellDispatch.dll" references: - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ author: X__Junior (Nextron Systems) -date: 2023/06/20 +date: 2023-06-20 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_smadhook.yml b/rules/windows/image_load/image_load_side_load_smadhook.yml index 5b658877606..802667860d2 100644 --- a/rules/windows/image_load/image_load_side_load_smadhook.yml +++ b/rules/windows/image_load/image_load_side_load_smadhook.yml @@ -6,10 +6,10 @@ references: - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/ - https://www.qurium.org/alerts/targeted-malware-against-crph/ author: X__Junior (Nextron Systems) -date: 2023/06/01 +date: 2023-06-01 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml index c0952513125..ad41e349926 100644 --- a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml +++ b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml 
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "SolidPDFCreator.dll" references: - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ author: X__Junior (Nextron Systems) -date: 2023/05/07 +date: 2023-05-07 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_third_party.yml b/rules/windows/image_load/image_load_side_load_third_party.yml index 9ab4d20ec0f..4df49fa4b57 100644 --- a/rules/windows/image_load/image_load_side_load_third_party.yml +++ b/rules/windows/image_load/image_load_side_load_third_party.yml @@ -5,11 +5,11 @@ description: Detects DLL sideloading of DLLs that are part of third party softwa references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -date: 2022/08/17 +date: 2022-08-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_ualapi.yml b/rules/windows/image_load/image_load_side_load_ualapi.yml index f5055f21849..78c049a4af1 100644 --- a/rules/windows/image_load/image_load_side_load_ualapi.yml +++ b/rules/windows/image_load/image_load_side_load_ualapi.yml @@ -5,11 +5,11 @@ description: The Fax service attempts to load ualapi.dll, which is non-existent. references: - https://windows-internals.com/faxing-your-way-to-system/ author: NVISO -date: 2020/05/04 -modified: 2022/06/02 +date: 2020-05-04 +modified: 2022-06-02 tags: - attack.persistence - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.001 - attack.t1574.002 logsource: 
diff --git a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml index 3baab600a52..56f9e2afaa9 100644 --- a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml +++ b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml @@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "vivaldi_elf.dll" references: - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ author: X__Junior (Nextron Systems) -date: 2023/08/03 +date: 2023-08-03 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml index 5ec9b20647c..3d0e32d46c1 100644 --- a/rules/windows/image_load/image_load_side_load_vmguestlib.yml +++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml @@ -5,11 +5,11 @@ description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service. references: - https://decoded.avast.io/martinchlumecky/png-steganography/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/12/01 +date: 2022-12-01 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml index 1be2d7b8515..78944169f8a 100644 --- a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml +++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml 
@@ -8,11 +8,11 @@ description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sy references: - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/09/05 +date: 2023-09-05 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml index 0135e93a9da..40e2b80ab6e 100644 --- a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml +++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml @@ -8,12 +8,12 @@ description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the references: - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/07/28 -modified: 2023/09/05 +date: 2023-07-28 +modified: 2023-09-05 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml index ce13045665c..75844eb559f 100644 --- a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml +++ b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml 
@@ -5,10 +5,10 @@ description: Detects loading of a DLL by the VMware Xfer utility from the non-de references: - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/02 -modified: 2023/02/17 +date: 2022-08-02 +modified: 2023-02-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.002 logsource: product: windows diff --git a/rules/windows/image_load/image_load_side_load_waveedit.yml b/rules/windows/image_load/image_load_side_load_waveedit.yml index 2caa069bee9..a73e81239ed 100644 --- a/rules/windows/image_load/image_load_side_load_waveedit.yml +++ b/rules/windows/image_load/image_load_side_load_waveedit.yml @@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "waveedit.dll", which is part references: - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html author: X__Junior (Nextron Systems) -date: 2023/06/14 +date: 2023-06-14 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_wazuh.yml b/rules/windows/image_load/image_load_side_load_wazuh.yml index 700461cc940..1974d30e718 100644 --- a/rules/windows/image_load/image_load_side_load_wazuh.yml +++ b/rules/windows/image_load/image_load_side_load_wazuh.yml 
@@ -5,12 +5,12 @@ description: Detects potential DLL side loading of DLLs that are part of the Waz references: - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html author: X__Junior (Nextron Systems) -date: 2023/03/13 -modified: 2023/05/12 +date: 2023-03-13 +modified: 2023-05-12 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_side_load_windows_defender.yml b/rules/windows/image_load/image_load_side_load_windows_defender.yml index d0d150a9f59..8b23344d3b6 100644 --- a/rules/windows/image_load/image_load_side_load_windows_defender.yml +++ b/rules/windows/image_load/image_load_side_load_windows_defender.yml @@ -8,10 +8,10 @@ description: Detects potential sideloading of "mpclient.dll" by Windows Defender references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool author: Bhabesh Raj -date: 2022/08/02 -modified: 2023/08/04 +date: 2022-08-02 +modified: 2023-08-04 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.002 logsource: product: windows diff --git a/rules/windows/image_load/image_load_side_load_wwlib.yml b/rules/windows/image_load/image_load_side_load_wwlib.yml index 7de9b90e1d7..c4faf0d290b 100644 --- a/rules/windows/image_load/image_load_side_load_wwlib.yml +++ b/rules/windows/image_load/image_load_side_load_wwlib.yml 
@@ -7,10 +7,10 @@ references: - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ - https://securelist.com/apt-luminousmoth/103332/ author: X__Junior (Nextron Systems) -date: 2023/05/18 +date: 2023-05-18 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.001 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_spoolsv_dll_load.yml b/rules/windows/image_load/image_load_spoolsv_dll_load.yml index f5a521003bc..aefe1fa4d02 100644 --- a/rules/windows/image_load/image_load_spoolsv_dll_load.yml +++ b/rules/windows/image_load/image_load_spoolsv_dll_load.yml @@ -6,15 +6,15 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/ly4k/SpoolFool author: FPT.EagleEye, Thomas Patzke (improvements) -date: 2021/06/29 -modified: 2022/06/02 +date: 2021-06-29 +modified: 2022-06-02 tags: - attack.persistence - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574 - - cve.2021.1675 - - cve.2021.34527 + - cve.2021-1675 + - cve.2021-34527 logsource: category: image_load product: windows diff --git a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml index 17cb4cb364a..6340e33d1b9 100644 --- a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml +++ b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml @@ -5,7 +5,7 @@ description: Detects unsigned module load by ClickOnce application. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 author: '@SerkinValery' -date: 2023/06/08 +date: 2023-06-08 tags: - attack.persistence - attack.t1574.002 
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index a1206b18ddb..0c7e23829de 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml @@ -5,10 +5,10 @@ description: Detects when a system process (i.e. located in system32, syswow64, references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/17 -modified: 2023/09/18 +date: 2022-07-17 +modified: 2023-09-18 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070 logsource: product: windows diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml index 0523dd935a0..16cac663694 100644 --- a/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/rules/windows/image_load/image_load_susp_python_image_load.yml @@ -6,10 +6,10 @@ references: - https://www.py2exe.org/ - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ author: Patrick St. John, OTR (Open Threat Research) -date: 2020/05/03 -modified: 2023/09/18 +date: 2020-05-03 +modified: 2023-09-18 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1027.002 logsource: product: windows diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml index c2614032082..81117a5f3e1 100644 --- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml 
@@ -8,11 +8,11 @@ references: - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008 author: omkar72, oscd.community -date: 2020/10/14 -modified: 2023/02/23 +date: 2020-10-14 +modified: 2023-02-23 tags: - attack.execution - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1055 logsource: category: image_load diff --git a/rules/windows/image_load/image_load_susp_unsigned_dll.yml b/rules/windows/image_load/image_load_susp_unsigned_dll.yml index ee8a11a737e..cce9bc1f3ba 100644 --- a/rules/windows/image_load/image_load_susp_unsigned_dll.yml +++ b/rules/windows/image_load/image_load_susp_unsigned_dll.yml @@ -9,12 +9,12 @@ references: - https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true author: Swachchhanda Shrawan Poudel -date: 2024/02/28 -modified: 2024/03/07 +date: 2024-02-28 +modified: 2024-03-07 tags: - attack.t1218.011 - attack.t1218.010 - - attack.defense_evasion + - attack.defense-evasion logsource: product: windows category: image_load diff --git a/rules/windows/image_load/image_load_thor_unsigned_execution.yml b/rules/windows/image_load/image_load_thor_unsigned_execution.yml index ae14adc82ed..3ea1fd03338 100644 --- a/rules/windows/image_load/image_load_thor_unsigned_execution.yml +++ b/rules/windows/image_load/image_load_thor_unsigned_execution.yml @@ -5,9 +5,9 @@ description: Detects loading and execution of an unsigned thor scanner binary. references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/10/29 +date: 2023-10-29 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.002 logsource: category: image_load 
diff --git a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml index 707f91f5bc3..e2537d28bda 100644 --- a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml +++ b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml @@ -6,11 +6,11 @@ references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC - https://twitter.com/wdormann/status/1547583317410607110 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/17 -modified: 2022/07/25 +date: 2022-07-17 +modified: 2022-07-25 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1548.002 logsource: product: windows diff --git a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml index 5391b965c29..47fc585fa83 100644 --- a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml +++ b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml @@ -5,12 +5,12 @@ description: Attempts to load dismcore.dll after dropping it references: - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility author: oscd.community, Dmitry Uchakin -date: 2020/10/06 -modified: 2022/12/25 +date: 2020-10-06 +modified: 2022-12-25 tags: - attack.persistence - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1548.002 - attack.t1574.002 logsource: diff --git a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml index 112e85ffe4e..3f27a9f9625 100755 --- a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml +++ b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml 
@@ -5,8 +5,8 @@ description: Detects WMI command line event consumers
 references:
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Thomas Patzke
-date: 2018/03/07
-modified: 2021/11/27
+date: 2018-03-07
+modified: 2021-11-27
 tags:
 - attack.t1546.003
 - attack.persistence
diff --git a/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml b/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
index 8a234d11b38..b63428a62a3 100644
--- a/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
+++ b/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/dez_/status/986614411711442944
 - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/17
-modified: 2022/10/13
+date: 2020-10-17
+modified: 2022-10-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1220
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
index dfa50af4b92..da018cc3c68 100644
--- a/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
@@ -5,12 +5,12 @@ description: Detects a threat actor creating a file named `wbemcomn.dll` in the
 references:
 - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-modified: 2022/10/09
+date: 2020-10-12
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1047
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml
index 8327bffa06f..e8f4c1f1fd2 100644
--- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml
+++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml
@@ -8,12 +8,12 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
 - https://github.com/bohops/WSMan-WinRM
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/24
-modified: 2022/10/07
+date: 2020-06-24
+modified: 2022-10-07
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.003
 logsource:
 category: image_load
diff --git a/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml b/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
index 3ddc1770a47..9b50abcc362 100644
--- a/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
+++ b/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-date: 2023/09/18
-modified: 2024/07/16
+date: 2023-09-18
+modified: 2024-07-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml
index 92f2fed0d93..e60ba56af40 100644
--- a/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/09/02
-modified: 2024/05/31
+date: 2022-09-02
+modified: 2024-05-31
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml
index b61d4530736..a0dbaff1573 100644
--- a/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/30
-modified: 2024/05/31
+date: 2022-08-30
+modified: 2024-05-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.003
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml
index a3c3c3e6384..25a7e282785 100644
--- a/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml
@@ -11,7 +11,7 @@ references:
 - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
 - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
 author: CertainlyP
-date: 2024/04/26
+date: 2024-04-26
 tags:
 - attack.execution
 - attack.t1071.001
diff --git a/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml b/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
index c098c9c5cc0..84e2304f990 100644
--- a/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
@@ -12,10 +12,10 @@ references:
 - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
 - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/24
-modified: 2024/07/16
+date: 2024-06-24
+modified: 2024-07-16
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 - attack.t1102.001
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml b/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml
index d4130bdaf6c..a524c3a52a7 100644
--- a/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml
@@ -12,10 +12,10 @@ references:
 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
 - Internal Research
 author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/05/27
+date: 2024-05-27
 tags:
 - attack.exfiltration
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1567.001
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml b/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml
index f90c1ef96cf..d24349bd84e 100644
--- a/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml
@@ -7,8 +7,8 @@ references:
 - https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt
 - https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/10/26
-modified: 2024/01/19
+date: 2021-10-26
+modified: 2024-01-19
 tags:
 - attack.impact
 - attack.t1496
diff --git a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
index 17d1e842eec..f40a7f06aff 100644
--- a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
@@ -2,7 +2,7 @@ title: Potential Dead Drop Resolvers
 id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
 related:
 - id: d7b09985-95a3-44be-8450-b6eadf49833e
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
@@ -15,10 +15,10 @@ references:
 - https://twitter.com/kleiton0x7e/status/1600567316810551296
 - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
 author: Sorina Ionescu, X__Junior (Nextron Systems)
-date: 2022/08/17
-modified: 2024/07/16
+date: 2022-08-17
+modified: 2024-07-16
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 - attack.t1102.001
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml b/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml
index 33680cfd9a2..23efcc69ae1 100644
--- a/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml
@@ -15,7 +15,7 @@ references:
 - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
 - https://cydefops.com/devtunnels-unleashed
 author: Kamran Saifullah
-date: 2023/11/20
+date: 2023-11-20
 tags:
 - attack.exfiltration
 - attack.t1567.001
diff --git a/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml b/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml
index 99515f2c68f..3bc61cb9007 100644
--- a/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml
@@ -6,9 +6,9 @@ references:
 - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
 - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
 author: Florian Roth (Nextron Systems)
-date: 2022/04/20
+date: 2022-04-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml b/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml
index 50b45d283b3..86927b8a05e 100644
--- a/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml
@@ -11,8 +11,8 @@ references:
 - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/24
-modified: 2024/03/22
+date: 2023-04-24
+modified: 2024-03-22
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml
index 2e846b444f3..43339167966 100644
--- a/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml
@@ -10,10 +10,10 @@ references:
 - https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/
 - https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
 author: Gavin Knapp
-date: 2023/05/01
-modified: 2024/07/16
+date: 2023-05-01
+modified: 2024-07-16
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 logsource:
 product: windows
diff --git a/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml b/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml
index 782baaf2aa2..cc682c73f40 100644
--- a/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml
@@ -9,9 +9,9 @@ references:
 - https://localtonet.com/documents/supported-tunnels
 - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
 author: Andreas Braathen (mnemonic.io)
-date: 2024/06/17
+date: 2024-06-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
 - attack.t1090
 - attack.t1102
diff --git a/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml b/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml
index a9441f991c6..dcac5db849d 100644
--- a/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml
@@ -8,8 +8,8 @@ references:
 - https://megatools.megous.com/
 - https://www.mandiant.com/resources/russian-targeting-gov-business
 author: Florian Roth (Nextron Systems)
-date: 2021/12/06
-modified: 2024/05/31
+date: 2021-12-06
+modified: 2024-05-31
 tags:
 - attack.exfiltration
 - attack.t1567.001
diff --git a/rules/windows/network_connection/net_connection_win_domain_ngrok.yml b/rules/windows/network_connection/net_connection_win_domain_ngrok.yml
index 4f7be14ae42..83ba1695ad9 100644
--- a/rules/windows/network_connection/net_connection_win_domain_ngrok.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_ngrok.yml
@@ -14,8 +14,8 @@ references:
 - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
 - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
 author: Florian Roth (Nextron Systems)
-date: 2022/07/16
-modified: 2023/11/17
+date: 2022-07-16
+modified: 2023-11-17
 tags:
 - attack.exfiltration
 - attack.t1567.001
diff --git a/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml b/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml
index cf0a21dc431..e5cbbf19c24 100644
--- a/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml
@@ -12,11 +12,11 @@ references:
 - https://twitter.com/hakluke/status/1587733971814977537/photo/1
 - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
 author: Florian Roth (Nextron Systems)
-date: 2022/11/03
-modified: 2024/02/02
+date: 2022-11-03
+modified: 2024-02-02
 tags:
 - attack.exfiltration
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1567
 - attack.t1568.002
 - attack.t1572
diff --git a/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml b/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml
index 954d0a76361..c1d89c1abdd 100644
--- a/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/mttaggart/OffensiveNotion
 - https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
 author: Gavin Knapp
-date: 2023/05/03
+date: 2023-05-03
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 logsource:
 product: windows
diff --git a/rules/windows/network_connection/net_connection_win_domain_portmap.yml b/rules/windows/network_connection/net_connection_win_domain_portmap.yml
index fe10804fd7a..b5650a472ab 100644
--- a/rules/windows/network_connection/net_connection_win_domain_portmap.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_portmap.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/rapid7/metasploit-framework/issues/11337
 - https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
 author: Florian Roth (Nextron Systems)
-date: 2024/05/31
+date: 2024-05-31
 tags:
 - attack.t1041
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.002
 - attack.exfiltration
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_domain_telegram_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_domain_telegram_api_non_browser_access.yml
index 2a97eba532c..103832d2f5d 100644
--- a/rules/windows/network_connection/net_connection_win_domain_telegram_api_non_browser_access.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_telegram_api_non_browser_access.yml
@@ -5,9 +5,9 @@ description: Detects an a non-browser process interacting with the Telegram API
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/19
+date: 2023-05-19
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 logsource:
 product: windows
diff --git a/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml b/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml
index 64c07283510..1c5a7826e81 100644
--- a/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml
@@ -15,7 +15,7 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://cydefops.com/vscode-data-exfiltration
 author: Kamran Saifullah
-date: 2023/11/20
+date: 2023-11-20
 tags:
 - attack.exfiltration
 - attack.t1567.001
diff --git a/rules/windows/network_connection/net_connection_win_eqnedt.yml b/rules/windows/network_connection/net_connection_win_eqnedt.yml
index eaaa6135467..b5281ab49e1 100755
--- a/rules/windows/network_connection/net_connection_win_eqnedt.yml
+++ b/rules/windows/network_connection/net_connection_win_eqnedt.yml
@@ -7,8 +7,8 @@ references:
 - https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/
 - https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
 author: Max Altgelt (Nextron Systems)
-date: 2022/04/14
-modified: 2024/05/31
+date: 2022-04-14
+modified: 2024-05-31
 tags:
 - attack.execution
 - attack.t1203
diff --git a/rules/windows/network_connection/net_connection_win_imewdbld.yml b/rules/windows/network_connection/net_connection_win_imewdbld.yml
index 9fd3669665b..6da3034e262 100644
--- a/rules/windows/network_connection/net_connection_win_imewdbld.yml
+++ b/rules/windows/network_connection/net_connection_win_imewdbld.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
 - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
 author: frack113
-date: 2022/01/22
-modified: 2023/11/09
+date: 2022-01-22
+modified: 2023-11-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_notepad.yml b/rules/windows/network_connection/net_connection_win_notepad.yml
index e7c6138f752..eba8e4b2108 100644
--- a/rules/windows/network_connection/net_connection_win_notepad.yml
+++ b/rules/windows/network_connection/net_connection_win_notepad.yml
@@ -9,12 +9,12 @@ references:
 - https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
 - https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
 author: EagleEye Team
-date: 2020/05/14
-modified: 2024/02/02
+date: 2020-05-14
+modified: 2024-02-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml
index 267e3a11f02..5104cbdf952 100644
--- a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml
+++ b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml
@@ -9,8 +9,8 @@ references:
 - https://corelight.com/blog/detecting-cve-2021-42292
 - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/11/10
-modified: 2024/07/02
+date: 2021-11-10
+modified: 2024-07-02
 tags:
 - attack.execution
 - attack.t1203
diff --git a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
index f4857d9c41e..17b78e6749f 100644
--- a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
@@ -5,11 +5,11 @@ description: Detects an office suit application (Word, Excel, PowerPoint, Outloo
 references:
 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/12
-modified: 2024/07/02
+date: 2023-07-12
+modified: 2024-07-02
 tags:
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.defense-evasion
+ - attack.command-and-control
 logsource:
 category: network_connection
 product: windows
diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml
index 5312bbe489c..6053c2409b3 100644
--- a/rules/windows/network_connection/net_connection_win_python.yml
+++ b/rules/windows/network_connection/net_connection_win_python.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
 - https://pypi.org/project/scapy/
 author: frack113
-date: 2021/12/10
-modified: 2023/09/07
+date: 2021-12-10
+modified: 2023-09-07
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
index 9c7f596890b..d481ed71e37 100644
--- a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
 author: Markus Neis
-date: 2019/05/15
-modified: 2024/02/09
+date: 2019-05-15
+modified: 2024-02-09
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
 - car.2013-07-002
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
index b570a67a44c..d6880ddf085 100755
--- a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
@@ -5,12 +5,12 @@ description: Detects svchost hosting RDP termsvcs communicating with the loopbac
 references:
 - https://twitter.com/cyb3rops/status/1096842275437625346
 author: Samir Bousseaden
-date: 2019/02/16
-modified: 2024/03/12
+date: 2019-02-16
+modified: 2024-03-12
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
 - car.2013-07-002
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_rdp_to_http.yml b/rules/windows/network_connection/net_connection_win_rdp_to_http.yml
index 622013fd352..77e2fb64fd0 100644
--- a/rules/windows/network_connection/net_connection_win_rdp_to_http.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_to_http.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
 - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
 author: Florian Roth (Nextron Systems)
-date: 2022/04/29
-modified: 2022/07/14
+date: 2022-04-29
+modified: 2022-07-14
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
 - car.2013-07-002
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml b/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml
index d7ed1e67816..9e8f31ad41f 100644
--- a/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml
@@ -7,9 +7,9 @@ references:
 - https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
 - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
 author: frack113
-date: 2024/04/25
+date: 2024-04-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.009
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
index 1a4c8601e37..5dbeb025249 100644
--- a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
@@ -6,12 +6,12 @@ references:
 - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
 - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
 author: Dmitriy Lifanov, oscd.community
-date: 2019/10/25
-modified: 2023/09/18
+date: 2019-10-25
+modified: 2023-09-18
 tags:
 - attack.execution
 - attack.t1559.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
index e5dbfcfbd49..d00b4686ae9 100755
--- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
@@ -5,10 +5,10 @@ description: Detects a rundll32 that communicates with public IP addresses
 references:
 - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/11/04
-modified: 2024/03/13
+date: 2017-11-04
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 - attack.execution
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
index 6e69126ad01..3899bdcfc14 100644
--- a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
@@ -5,8 +5,8 @@ description: Detects a possible remote connections to Silenttrinity c2
 references:
 - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
 author: Kiran kumar s, oscd.community
-date: 2020/10/11
-modified: 2022/10/05
+date: 2020-10-11
+modified: 2022-10-05
 tags:
 - attack.execution
 - attack.t1127.001
diff --git a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
index 7705c88ce33..e262eb9d2a3 100644
--- a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
@@ -5,9 +5,9 @@ description: Detects suspicious network connections made by a well-known Windows
 references:
 - https://redcanary.com/blog/raspberry-robin/
 author: Florian Roth (Nextron Systems)
-date: 2022/07/03
+date: 2022-07-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: network_connection
 product: windows
diff --git a/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
index f9377998510..5e44c393396 100644
--- a/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
@@ -2,7 +2,7 @@ title: Network Communication Initiated To File Sharing Domains From Process Loca
 id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
 related:
 - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
 references:
@@ -12,10 +12,10 @@ references:
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2018/08/30
-modified: 2024/05/31
+date: 2018-08-30
+modified: 2024-05-31
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml b/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
index 3783590d96a..9de239a105c 100644
--- a/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2017/03/19
-modified: 2024/05/31
+date: 2017-03-19
+modified: 2024-05-31
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml b/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml
index 43f89f0cacf..c4ca683a0e0 100644
--- a/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml
@@ -9,11 +9,11 @@ description: |
 references:
 - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems)
-date: 2017/03/19
-modified: 2024/03/12
+date: 2017-03-19
+modified: 2024-03-12
 tags:
 - attack.persistence
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1571
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml b/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml
index 348cce37269..50c9e76f627 100644
--- a/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml
@@ -8,11 +8,11 @@ description: Detects programs that connect to uncommon destination ports
 references:
 - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems)
-date: 2017/03/19
-modified: 2024/03/12
+date: 2017-03-19
+modified: 2024-03-12
 tags:
 - attack.persistence
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1571
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
index 59a4e0243cf..46380d22f7d 100755
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
@@ -9,12 +9,12 @@ description: |
 references:
 - https://github.com/GhostPack/Rubeus
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/24
-modified: 2024/03/15
+date: 2019-10-24
+modified: 2024-03-15
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1550.003
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
index 6f32a2967a1..4297d9aa2b6 100644
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
@@ -5,13 +5,13 @@ description: Detects suspicious connections from Microsoft Sync Center to non-pr
 references:
 - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
-date: 2022/04/28
-modified: 2024/03/12
+date: 2022-04-28
+modified: 2024-03-12
 tags:
 - attack.t1055
 - attack.t1218
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
index 53fbd9b2542..b5ca6e43e58 100644
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
 - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
-date: 2022/01/07
-modified: 2022/09/21
+date: 2022-01-07
+modified: 2022-09-21
 tags:
 - attack.exfiltration
 - attack.t1048.003
diff --git a/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml b/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml
index 82a8222e1c2..19300c97b11 100644
--- a/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml
@@ -7,12 +7,12 @@ description: |
 references:
 - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-modified: 2024/02/02
+date: 2019-09-12
+modified: 2024-02-02
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.006
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
index 763bdd2cd52..01839c496ed 100644
--- a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
@@ -5,12 +5,12 @@ description: Detects a "winlogon.exe" process that initiate network communicatio
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
 author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-date: 2023/04/28
-modified: 2024/03/12
+date: 2023-04-28
+modified: 2024-03-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1218.011
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
index cabee0abaac..1bf18ed773e 100644
--- a/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: X__Junior (Nextron Systems)
-date: 2023/07/12
-modified: 2023/12/15
+date: 2023-07-12
+modified: 2023-12-15
 tags:
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.defense-evasion
+ - attack.command-and-control
 logsource:
 category: network_connection
 product: windows
diff --git a/rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml b/rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml
index b1f4b436922..23f9a4f32c1 100644
--- a/rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml
@@ -9,10 +9,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
 author: frack113
-date: 2022/08/28
-modified: 2024/05/31
+date: 2022-08-28
+modified: 2024-05-31
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml b/rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml
index 6955acf7cb0..9117d6ba365 100644
--- a/rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml
@@ -8,10 +8,10 @@ description: Detects a script interpreter wscript/cscript opening a network conn
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/08/28
-modified: 2024/03/13
+date: 2022-08-28
+modified: 2024-03-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
index 9f88256d418..523e8bff014 100644
--- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://dtm.uk/wuauclt/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-modified: 2024/03/12
+date: 2020-10-12
+modified: 2024-03-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: network_connection
diff --git a/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml b/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml
index e654198f32f..bcfb88b1f39 100644
--- a/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml
+++ b/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml
@@ -9,8 +9,8 @@ references:
 - https://o365blog.com/post/adfs/
 - https://github.com/Azure/SimuLand
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2021/10/08
-modified: 2023/11/30
+date: 2021-10-08
+modified: 2023-11-30
 tags:
 - attack.collection
 - attack.t1005
diff --git a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
index 6648ba357de..4c9fb5a0ad7 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
@@ -14,11 +14,11 @@ references:
 - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
 - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
 author: Florian Roth (Nextron Systems), Wojciech Lesicki
-date: 2021/05/25
-modified: 2022/10/31
+date: 2021-05-25
+modified: 2022-10-31
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 logsource:
 product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml
index 92d3ffa906a..696f89a8113 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml
@@ -11,11 +11,11 @@ references:
 - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
 author: Florian Roth (Nextron Systems)
-date: 2021/07/30
-modified: 2022/12/31
+date: 2021-07-30
+modified: 2022-12-31
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 logsource:
 product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
index 4fa8cf1a21f..25fa2b5eb5d 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
@@ -11,11 +11,11 @@ references:
 - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
 author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
-date: 2021/07/30
-modified: 2024/01/26
+date: 2021-07-30
+modified: 2024-01-26
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 - stp.1k
 logsource:
diff --git a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
index 950af41ab7f..9773510d21e 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
@@ -6,10 +6,10 @@ references:
 - https://blog.hackvens.fr/articles/CoercedPotato.html
 - https://github.com/hackvens/CoercedPotato
 author: Florian Roth (Nextron Systems)
-date: 2023/10/11
+date: 2023-10-11
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 logsource:
 product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml
index aa9a5eec263..4f0eccd5293 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml
@@ -5,10 +5,10 @@ description: Detects creation of default named pipe used by the DiagTrackEoP POC
 references:
 - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/03
-modified: 2023/08/07
+date: 2022-08-03
+modified: 2023-08-07
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 category: pipe_created
diff --git a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml
index 6cde19667ef..fd269f15d2e 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/SBousseaden/status/1429530155291193354?s=20
 - https://github.com/zcgonvh/EfsPotato
 author: Florian Roth (Nextron Systems)
-date: 2021/08/23
-modified: 2023/12/21
+date: 2021-08-23
+modified: 2023-12-21
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 logsource:
 product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml b/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml
index abf6b6a52ba..43c21739758 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml
@@ -6,10 +6,10 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/11/01
-modified: 2023/08/07
+date: 2019-11-01
+modified: 2023-08-07
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.004
diff --git a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
index 59a901f45ce..d0e50988d39 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
@@ -5,11 +5,11 @@ description: Detects creation of default named pipes used by the Koh tool
 references:
 - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/08
-modified: 2023/08/07
+date: 2022-07-08
+modified: 2023-08-07
 tags:
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.t1528
 - attack.t1134.001
 logsource:
diff --git a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
index a94d7d66bfa..72e24f9b52d 100644
--- a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
@@ -9,8 +9,8 @@ references:
 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
 - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
-date: 2019/09/12
-modified: 2023/10/18
+date: 2019-09-12
+modified: 2023-10-18
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml b/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml
index bbaaa695242..79c3a26baf3 100644
--- a/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml
@@ -9,8 +9,8 @@ references:
 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
 - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/09/12
-modified: 2023/11/30
+date: 2019-09-12
+modified: 2023-11-30
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml
index 0de5e667822..0a54de8d086 100644
--- a/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml
@@ -2,17 +2,17 @@ title: PUA - CSExec Default Named Pipe
 id: f318b911-ea88-43f4-9281-0de23ede628e
 related:
 - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects default CSExec pipe creation
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 - https://github.com/malcomvetter/CSExec
 author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/07
-modified: 2023/11/30
+date: 2023-08-07
+modified: 2023-11-30
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml
index a892c04f1fc..eb71923d502 100644
--- a/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md
 - https://github.com/poweradminllc/PAExec
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/26
+date: 2022-10-26
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml b/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml
index f67e262027d..a443d1d35c0 100644
--- a/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml
@@ -2,17 +2,17 @@ title: PUA - RemCom Default Named Pipe
 id: d36f87ea-c403-44d2-aa79-1a0ac7c24456
 related:
 - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects default RemCom pipe creation
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 - https://github.com/kavika13/RemCom
 author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/07
-modified: 2023/11/30
+date: 2023-08-07
+modified: 2023-11-30
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml
index 0f67a0112c2..c6f56ca33e8 100644
--- a/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml
+++ b/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml
@@ -5,8 +5,8 @@ description: Detects the WMI Event Consumer service scrcons.exe creating a named
 references:
 - https://github.com/RiccardoAncarani/LiquidSnake
 author: Florian Roth (Nextron Systems)
-date: 2021/09/01
-modified: 2023/11/30
+date: 2021-09-01
+modified: 2023-11-30
 tags:
 - attack.t1047
 - attack.execution
diff --git a/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml b/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml
index 0dbc9a1322b..5b59086a037 100644
--- a/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml
+++ b/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml
@@ -16,11 +16,11 @@ references:
 - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: Florian Roth (Nextron Systems), blueteam0ps, elhoim
-date: 2017/11/06
-modified: 2023/08/07
+date: 2017-11-06
+modified: 2023-08-07
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 logsource:
 product: windows
diff --git a/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml
index f0c2647aa12..7283f7dc412 100644
--- a/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml
+++ b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml
@@ -9,8 +9,8 @@ references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/04
-modified: 2023/09/20
+date: 2022-08-04
+modified: 2023-09-20
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
index d9eca12c881..b932cc27792 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
@@ -8,8 +8,8 @@ description: Detects a powershell download cradle using nslookup. This cradle us
 references:
 - https://twitter.com/Alh4zr3d/status/1566489367232651264
 author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
-date: 2022/12/10
-modified: 2023/10/27
+date: 2022-12-10
+modified: 2023-10-27
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
index bfa26c5d151..b56f9a71421 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
 - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
 author: frack113
-date: 2021/06/03
-modified: 2023/10/27
+date: 2021-06-03
+modified: 2023-10-27
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index 64c6ba91956..5cdf48d1f25 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -5,10 +5,10 @@ description: Detects PowerShell downgrade attack by comparing the host versions
 references:
 - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
 author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
-date: 2017/03/22
-modified: 2023/10/27
+date: 2017-03-22
+modified: 2023-10-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
index 33e8e6c726e..ff8dcf7b8d3 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
@@ -5,10 +5,10 @@ description: Detects PowerShell called from an executable by the version mismatc
 references:
 - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2023/10/27
+date: 2017-03-05
+modified: 2023-10-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
index 77bb134ef21..22f331217cd 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/besimorhino/powercat
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
 author: frack113
-date: 2021/07/21
-modified: 2023/10/27
+date: 2021-07-21
+modified: 2023-10-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1095
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
index fed0599dc0f..98d6a90b42e 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
@@ -8,12 +8,12 @@ description: Detects remote PowerShell sessions
 references:
 - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-modified: 2024/01/03
+date: 2019-08-10
+modified: 2024-01-03
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.006
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml
index a3519da4bd6..3194b0bf0a5 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml
@@ -13,10 +13,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/07/13
-modified: 2023/05/09
+date: 2021-07-13
+modified: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index b60b0031e9b..44700a9376b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -5,8 +5,8 @@ description: Detects renamed powershell
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Harish Segar, frack113
-date: 2020/06/29
-modified: 2023/10/27
+date: 2020-06-29
+modified: 2023-10-27
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
index fbda1dbb9c0..012d059f0b2 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
@@ -8,8 +8,8 @@ description: Detects suspicious PowerShell download command
 references:
 - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
 author: Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2023/10/27
+date: 2017-03-05
+modified: 2023-10-27
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
index 8b92aee5190..983de0d924b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
@@ -5,8 +5,8 @@ description: Adversaries may attempt to get a listing of network connections to
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
 author: frack113
-date: 2021/12/10
-modified: 2023/10/27
+date: 2021-12-10
+modified: 2023-10-27
 tags:
 - attack.discovery
 - attack.t1049
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
index d2e570ff584..48299f21774 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
@@ -15,8 +15,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2021/07/20
-modified: 2023/12/18
+date: 2021-07-20
+modified: 2023-12-18
 tags:
 - attack.collection
 - attack.t1074.001
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
index 2738c82cd10..27851bd1bb5 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
@@ -8,10 +8,10 @@ description: Attempting to disable scheduled scanning and other parts of Windows
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/06/07
-modified: 2024/01/02
+date: 2021-06-07
+modified: 2024-01-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
index 46601476bdc..3ce5fb0c8eb 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
@@ -7,12 +7,12 @@ references:
 - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
 - https://github.com/bohops/WSMan-WinRM
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/24
-modified: 2023/10/27
+date: 2020-06-24
+modified: 2023-10-27
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
index 5049ca66997..c54a451470b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
@@ -5,8 +5,8 @@ description: Detects suspicious powershell process which includes bxor command,
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
 author: Teymur Kheirkhabarov, Harish Segar (rule)
-date: 2020/06/29
-modified: 2023/10/27
+date: 2020-06-29
+modified: 2023-10-27
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
index c3a3cb8ede5..4e0014adb9b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
@@ -12,7 +12,7 @@ references:
 - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2023/01/22
+date: 2023-01-22
 tags:
 - attack.reconnaissance
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index c0168b529d2..e9463f1d93c 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -5,8 +5,8 @@ description: Detects alternate PowerShell hosts potentially bypassing detections
 references:
 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/11
-modified: 2022/12/13
+date: 2019-08-11
+modified: 2022-12-13
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
index 5b57f422def..7b09772124e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
@@ -13,8 +13,8 @@ references:
 - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
 - https://www.mdeditor.tw/pl/pgRt
 author: 'ok @securonix invrep_de, oscd.community'
-date: 2020/10/09
-modified: 2022/12/25
+date: 2020-10-09
+modified: 2022-12-25
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
index 6e5e09e3e20..9c3786d0f71 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
@@ -8,10 +8,10 @@ description: Detects keywords that could indicate clearing PowerShell history
 references:
 - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
 author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/25
-modified: 2022/12/02
+date: 2019-10-25
+modified: 2022-12-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
index 638b59f898a..d32d2da4344 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/8
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2022/12/25
+date: 2020-05-02
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
index 091b8e453dd..d8f72dc8cde 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
@@ -4,7 +4,7 @@ related:
 - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
 type: similar
 - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
 references:
@@ -26,8 +26,8 @@ references:
 - https://github.com/DarkCoderSc/PowerRunAsSystem/
 - https://github.com/besimorhino/powercat
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/23
-modified: 2024/01/25
+date: 2023-01-23
+modified: 2024-01-25
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
index 372a274b5a6..cf3587a59dd 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
@@ -6,9 +6,9 @@ references:
 - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
 - https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
 author: Florian Roth (Nextron Systems)
-date: 2022/03/16
+date: 2022-03-16
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
index 12c523d36c6..b522bfc412f 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/16
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/01/04
+date: 2020-05-02
+modified: 2023-01-04
 tags:
 - attack.collection
 - attack.t1115
diff --git a/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml b/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml
index 26964ffb071..2a5248dfb6d 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb
 - https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
index 35f24e169b3..e98b232759a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-modified: 2024/04/05
+date: 2020-10-13
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
index 9b235eb1ae2..c5e142a2048 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
@@ -8,10 +8,10 @@ description: Detects all variations of obfuscated powershell IEX invocation code
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-date: 2019/11/08
-modified: 2022/12/31
+date: 2019-11-08
+modified: 2022-12-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
index 2c4daaf021b..e3e44252f63 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/05
+date: 2020-10-15
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
index b0959c6e6c7..b6a26623b33 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/05
+date: 2020-10-15
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
index e11e2faa124..9aee02152c9 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
index 1ec8d250718..bd9360ea69b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
index 53738e64656..c5347f19d05 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-modified: 2024/04/05
+date: 2020-10-12
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
index e78c5e3a712..79bc122e438 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2024/04/05
+date: 2020-10-09
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
index 5984513a787..940888d109f 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/08
-modified: 2023/01/04
+date: 2020-10-08
+modified: 2023-01-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
index 9b2d8a2e093..158e22d3259 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009
 author: Nikita Nazarov, oscd.community
-date: 2019/10/08
-modified: 2022/11/29
+date: 2019-10-08
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
index b8c764d3a92..e6d4d3f880b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-modified: 2024/04/05
+date: 2020-10-13
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
index 03375b4ec88..45dddc69564 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
@@ -27,8 +27,8 @@ references:
 - https://github.com/adrecon/ADRecon
 - https://github.com/adrecon/AzureADRecon
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/20
-modified: 2024/01/25
+date: 2023-01-20
+modified: 2024-01-25
 tags:
 - attack.execution
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
index ca747ba77c9..ddc9fe3a515 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
@@ -5,12 +5,12 @@ description: Detects remote PowerShell sessions
 references:
 - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
-date: 2019/08/10
-modified: 2023/01/20
+date: 2019-08-10
+modified: 2023-01-20
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.006
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
index c5b7cae9831..636653cc3ec 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
@@ -13,10 +13,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2021/07/13
-modified: 2023/05/09
+date: 2021-07-13
+modified: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
index 464b4218d17..b7554b77310 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
 author: frack113
-date: 2021/12/15
-modified: 2023/01/20
+date: 2021-12-15
+modified: 2023-01-20
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
index c9731f4b999..0c18c449a31 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
@@ -9,8 +9,8 @@ references:
 - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
 - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
 author: Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2023/01/20
+date: 2017-03-05
+modified: 2023-01-20
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
index 356d6022033..11a53006dc8 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
@@ -5,8 +5,8 @@ description: Adversaries may attempt to get a listing of network connections to
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
 author: frack113
-date: 2021/12/10
-modified: 2022/12/02
+date: 2021-12-10
+modified: 2022-12-02
 tags:
 - attack.discovery
 - attack.t1049
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
index 9859cbf492a..20e1295f717 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
@@ -10,8 +10,8 @@ description: Detects suspicious PowerShell invocation command parameters
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2017/03/12
-modified: 2023/01/03
+date: 2017-03-12
+modified: 2023-01-03
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
index 1d4efbe0458..43295b3fafa 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
@@ -2,7 +2,7 @@ title: Suspicious PowerShell Invocations - Specific - PowerShell Module
 id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
 related:
 - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
- type: obsoletes
+ type: obsolete
 - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
 type: similar
 - id: 536e2947-3729-478c-9903-745aaffe60d2
@@ -12,8 +12,8 @@ description: Detects suspicious PowerShell invocation command parameters
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
-date: 2017/03/05
-modified: 2023/01/05
+date: 2017-03-05
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
index 4d8c034ea48..75ce90e6d12 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 author: frack113
-date: 2021/12/12
-modified: 2022/12/25
+date: 2021-12-12
+modified: 2022-12-25
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
index ae4146ecd9e..0bf434c52db 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
@@ -8,9 +8,9 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: frack113
-date: 2022/02/21
+date: 2022-02-21
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
index 768222f8c23..274c237f43f 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
 author: frack113
-date: 2021/12/15
-modified: 2022/12/02
+date: 2021-12-15
+modified: 2022-12-02
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
index 8ef177de6c4..0f2590b09ae 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
@@ -15,8 +15,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2021/07/20
-modified: 2023/12/18
+date: 2021-07-20
+modified: 2023-12-18
 tags:
 - attack.collection
 - attack.t1074.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
index f5ec9eb4f3a..055c015eb46 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
@@ -10,10 +10,10 @@ description: Detects SyncAppvPublishingServer process execution which usually ut
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
-date: 2020/10/05
-modified: 2022/12/02
+date: 2020-10-05
+modified: 2022-12-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
index df3893d2b41..1d100d37021 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
@@ -9,12 +9,12 @@ references:
 - https://o365blog.com/aadinternals/
 - https://github.com/Gerenios/AADInternals
 author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/23
+date: 2022-12-23
 tags:
 - attack.execution
 - attack.reconnaissance
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.impact
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
index 8f8c411ef61..502c190eff9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
@@ -2,7 +2,7 @@ title: Access to Browser Login Data
 id: fc028194-969d-4122-8abe-0470d5b8f12f
 related:
 - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
- type: obsoletes
+ type: obsolete
 - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
 type: similar
 status: test
@@ -13,9 +13,9 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
 author: frack113
-date: 2022/01/30
+date: 2022-01-30
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml b/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
index 25c9abb2ac6..5b9befc36b8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
@@ -12,7 +12,7 @@ references:
 - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
 author: frack113, Nasreddine Bencherchali
-date: 2023/01/22
+date: 2023-01-22
 tags:
 - attack.reconnaissance
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
index 2cb5b6a8c42..1d5556964f6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
@@ -8,8 +8,8 @@ references:
 - https://twitter.com/NathanMcNulty/status/1569497348841287681
 - https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
 author: Borna Talebi
-date: 2021/09/14
-modified: 2022/10/09
+date: 2021-09-14
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1565
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
index 58f21aee39d..d5dd3b75b01 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
@@ -9,8 +9,8 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
 - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/22
-modified: 2023/05/09
+date: 2023-01-22
+modified: 2023-05-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
index 19ff119b495..2765eb5ff2b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
 - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
 author: Bhabesh Raj
-date: 2021/07/16
-modified: 2022/09/06
+date: 2021-07-16
+modified: 2022-09-06
 tags:
 - attack.discovery
 - attack.execution
diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
index 88b5a7ee2cc..c9f3c473ad1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
@@ -6,9 +6,9 @@ references:
 - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
 - https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA
 author: Florian Roth (Nextron Systems)
-date: 2022/11/09
+date: 2022-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 - attack.execution
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
index 7973d890ca6..cd0093f3309 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
@@ -8,10 +8,10 @@ description: Detects usage of special strings/null bits in order to potentially
 references:
 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/04
-modified: 2023/05/09
+date: 2023-01-04
+modified: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
index 4460862a957..1f6492137d1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
@@ -5,12 +5,12 @@ description: Detects Silence EmpireDNSAgent as described in the Group-IP report references: - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf author: Alina Stepchenkova, Group-IB, oscd.community -date: 2019/11/01 -modified: 2023/04/03 +date: 2019-11-01 +modified: 2023-04-03 tags: - attack.execution - attack.t1059.001 - - attack.command_and_control + - attack.command-and-control - attack.t1071.004 - attack.t1572 - attack.impact diff --git a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml index f664d84bfb5..3f6ae24d2a8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting - https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/ author: frack113 -date: 2022/03/17 +date: 2022-03-17 tags: - attack.discovery - attack.t1033 diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml index eddd5f9c470..44f2ee0c26e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml @@ -5,7 +5,7 @@ description: Detects potential exfiltration attempt via audio file using PowerSh references: - https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/16 +date: 2023-01-16 tags: - attack.exfiltration logsource: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml index f08297092d9..0b3358a8fec 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml @@ -5,8 +5,8 @@ description: Once established within a system or network, an adversary may use a references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md author: frack113 -date: 2021/07/28 -modified: 2022/12/25 +date: 2021-07-28 +modified: 2022-12-25 tags: - attack.collection - attack.t1119 diff --git a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml index c58fbaacea2..5edb0360f84 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml @@ -7,8 +7,8 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen author: frack113 -date: 2021/12/28 -modified: 2022/07/07 +date: 2021-12-28 +modified: 2022-07-07 tags: - attack.collection - attack.t1113 diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml index bcf979e40e3..508ec7b6de7 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml 
@@ -8,10 +8,10 @@ description: Detects keywords that could indicate clearing PowerShell history references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community -date: 2022/01/25 -modified: 2022/12/02 +date: 2022-01-25 +modified: 2022-12-02 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070.003 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml index 1f131eaf9b3..ca0993df1bb 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml @@ -7,10 +7,10 @@ references: - https://www.shellhacks.com/clear-history-powershell/ - https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics author: Austin Songer @austinsonger -date: 2021/11/25 -modified: 2022/12/25 +date: 2021-11-25 +modified: 2022-12-25 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070 - attack.t1070.003 logsource: diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml index 09a89d40e3a..8bf8d45ec6f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task author: frack113 -date: 2021/12/28 +date: 2021-12-28 tags: - attack.persistence - attack.t1053.005 diff --git a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml index 9d0735a99ca..256a31a2e5e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml @@ -10,7 +10,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/11/17 +date: 2022-11-17 tags: - attack.discovery - attack.t1033 diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml index 3ef60efa8c2..7619adb069d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml 
@@ -5,10 +5,10 @@ description: Uses PowerShell to install/copy a file into a system directory such references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll author: frack113, Nasreddine Bencherchali (Nextron Systems) -date: 2021/12/27 -modified: 2024/01/22 +date: 2021-12-27 +modified: 2024-01-22 tags: - - attack.credential_access + - attack.credential-access - attack.t1556.002 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml index 4b77b059141..5698717009e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml @@ -10,7 +10,7 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler author: frack113 -date: 2021/12/30 +date: 2021-12-30 tags: - attack.persistence - attack.t1574.012 diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml index 1a61b9f010f..d4006e0c095 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml @@ -5,8 +5,8 @@ description: Detects creation of a local user via PowerShell references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md author: '@ROxPinTeddy' -date: 2020/04/11 -modified: 2022/12/25 +date: 2020-04-11 +modified: 2022-12-25 tags: - attack.execution - attack.t1059.001 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml index a80a8b0c440..40ffef90be3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml @@ -6,9 +6,9 @@ references: - https://attack.mitre.org/datasources/DS0005/ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 author: frack113 -date: 2022/01/12 +date: 2022-01-12 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.003 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml index 06e25930793..5969b4001f0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml @@ -8,10 +8,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md - https://techgenix.com/malicious-powershell-scripts-evade-detection/ author: frack113, Duc.Le-GTSC -date: 2021/08/03 -modified: 2022/03/03 +date: 2021-08-03 +modified: 2022-03-03 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1497.001 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml index a5b94198be2..5e74c9db979 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml 
@@ -5,7 +5,7 @@ description: Enumerates Active Directory to determine computers that are joined references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher author: frack113 -date: 2022/02/12 +date: 2022-02-12 tags: - attack.discovery - attack.t1018 diff --git a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml index a3b95a5ed7e..84c43caf4b4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml @@ -8,7 +8,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell - https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 author: frack113 -date: 2021/12/28 +date: 2021-12-28 tags: - attack.persistence - attack.t1136.002 diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml index 1c001b47cb5..16ef6d8a0ab 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml 
@@ -5,9 +5,9 @@ description: Detects scripts or commands that disabled the Powershell command hi references: - https://twitter.com/DissectMalware/status/1062879286749773824 author: Ali Alwashali -date: 2022/08/21 +date: 2022-08-21 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070.003 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml index bac28693fab..549bdc9634f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml @@ -8,9 +8,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md - https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps author: frack113 -date: 2022/09/10 +date: 2022-09-10 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml index 5560c705ac6..42ff73e0159 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml @@ -5,9 +5,9 @@ description: Detects usage of "Reflection.Assembly" load functions to dynamicall references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50 author: frack113 -date: 2022/12/25 +date: 2022-12-25 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1620 logsource: product: windows 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml index 9b7fcf1e28e..33e7ff77b2a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml @@ -9,9 +9,9 @@ references: - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57 author: frack113 -date: 2022/12/25 +date: 2022-12-25 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml index 79c8344b7a8..3e53dbe855e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml @@ -10,7 +10,7 @@ description: | references: - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 author: Nasreddine Bencherchali (Nextron Systems) -date: 2024/06/26 +date: 2024-06-26 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml index 182a9dd0702..f53ba1e5fe2 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml 
@@ -7,10 +7,10 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md author: frack113 -date: 2021/12/20 -modified: 2022/12/25 +date: 2021-12-20 +modified: 2022-12-25 tags: - - attack.credential_access + - attack.credential-access - attack.t1555 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml index 69582d08a84..5155106b384 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml @@ -6,9 +6,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 author: frack113 -date: 2022/01/07 +date: 2022-01-07 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1021.006 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml index 96cd0f46c81..f0d5f0203f5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml 
@@ -12,10 +12,10 @@ references: - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system - https://learn.microsoft.com/en-us/windows/wsl/install-on-server author: frack113 -date: 2022/09/10 -modified: 2022/12/29 +date: 2022-09-10 +modified: 2022-12-29 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml index 3217f716d81..50c81e0f6eb 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml @@ -7,10 +7,10 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md author: frack113 -date: 2021/12/20 -modified: 2022/12/25 +date: 2021-12-20 +modified: 2022-12-25 tags: - - attack.credential_access + - attack.credential-access - attack.t1555 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml index 58c82cffef0..73a9f778e7c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml 
@@ -8,10 +8,10 @@ description: Detects usage of powershell cmdlets to disable or remove ETW trace references: - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/28 -modified: 2022/11/25 +date: 2022-06-28 +modified: 2022-11-25 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070 - attack.t1562.006 - car.2016-04-002 diff --git a/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml index c5db18fcb04..67c4f256669 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml @@ -5,7 +5,7 @@ description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMT references: - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/10/26 +date: 2022-10-26 tags: - attack.exfiltration logsource: diff --git a/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml b/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml index b2c88e84a53..06664b1cdd1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml 
@@ -10,10 +10,10 @@ references: - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html author: Florian Roth (Nextron Systems) -date: 2021/04/23 -modified: 2023/05/18 +date: 2021-04-23 +modified: 2023-05-18 tags: - - attack.credential_access + - attack.credential-access - attack.t1552.004 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml index d43feb7e115..7c3ad03b14b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml @@ -8,9 +8,9 @@ description: Detects attempts of decoding a base64 Gzip archive in a PowerShell references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 author: frack113 -date: 2022/12/23 +date: 2022-12-23 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1132.001 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml index 59cfec8772d..fccff1d2fdc 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml @@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 author: frack113 -date: 2021/12/30 +date: 2021-12-30 tags: - attack.persistence - attack.t1574.011 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml index c33ca7f3638..28aceb18ed9 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml @@ -7,8 +7,8 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md author: frack113 -date: 2022/03/17 -modified: 2023/07/08 +date: 2022-03-17 +modified: 2023-07-08 tags: - attack.discovery - attack.t1018 diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml index d0776b6d126..7f366216229 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml @@ -5,8 +5,8 @@ description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups withi references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md author: frack113 -date: 2022/03/17 -modified: 2022/11/17 +date: 2022-03-17 +modified: 2022-11-17 tags: - attack.discovery - attack.t1069.002 diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml index df694491277..8e20acd0fd9 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml 
@@ -8,9 +8,9 @@ references: - https://www.powershellgallery.com/packages/DSInternals - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount author: frack113 -date: 2022/02/06 +date: 2022-02-06 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.006 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml index 0b0acc4b2df..dd63a2504ef 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml @@ -8,8 +8,8 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md author: frack113 -date: 2021/12/13 -modified: 2022/12/25 +date: 2021-12-13 +modified: 2022-12-25 tags: - attack.discovery - attack.t1217 diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml index ec9455f00fa..118cfd53206 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml @@ -7,8 +7,8 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell author: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems) -date: 2021/12/16 -modified: 2023/10/24 +date: 2021-12-16 +modified: 2023-10-24 tags: - attack.discovery - attack.t1518.001 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml index 60528cd72c7..1c525bf0d5f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml @@ -10,12 +10,12 @@ references: - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html - https://github.com/GhostPack/Rubeus author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) -date: 2023/04/27 +date: 2023-04-27 tags: - - attack.credential_access + - attack.credential-access - attack.t1003 - attack.t1558.003 - - attack.lateral_movement + - attack.lateral-movement - attack.t1550.003 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml index 22994a2e658..b2ac4e5772d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml @@ -7,7 +7,7 @@ status: experimental description: | Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. author: Swachchhanda Shrawan Poudel -date: 2023/12/04 +date: 2023-12-04 references: - https://github.com/S3cur3Th1sSh1t/WinPwn - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841 
@@ -15,11 +15,11 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team tags: - - attack.credential_access - - attack.defense_evasion + - attack.credential-access + - attack.defense-evasion - attack.discovery - attack.execution - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1046 - attack.t1082 - attack.t1106 diff --git a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml index cd22c1aed0b..17de4eaa465 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml @@ -5,7 +5,7 @@ description: Detects call to "Win32_QuickFixEngineering" in order to enumerate i references: - https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/21 +date: 2022-06-21 tags: - attack.discovery logsource: diff --git a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml index 298c852d149..a07d5087dc3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml @@ -5,8 +5,8 @@ description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp author: 'Bartlomiej Czyz @bczyz1, oscd.community' -date: 2020/10/10 -modified: 2022/12/25 +date: 2020-10-10 +modified: 2022-12-25 tags: - attack.exfiltration - attack.t1048.003 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml index 2d4a229c484..c4bc3e0cdb0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml @@ -8,8 +8,8 @@ description: Detects powershell scripts that import modules from suspicious dire references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/07 -modified: 2023/01/10 +date: 2022-07-07 +modified: 2023-01-10 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml index 3a102abf4dc..01e1b815423 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml @@ -9,10 +9,10 @@ references: - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package - https://twitter.com/WindowsDocs/status/1620078135080325122 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/31 +date: 2023-01-31 tags: - attack.persistence - - attack.defense_evasion + - attack.defense-evasion logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml index 9171a83ae17..4b601118a25 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml 
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4
 author: frack113
-date: 2022/01/07
+date: 2022-01-07
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.006
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
index d11c2be8798..bfafe53e6b5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
 - https://github.com/Arno0x/DNSExfiltrator
 author: frack113
-date: 2022/01/07
+date: 2022-01-07
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index b948669e99b..426ffdf1dea 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-modified: 2024/04/05
+date: 2020-10-13
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
index cb348064347..f0ab351d15d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
@@ -5,10 +5,10 @@ description: Detects all variations of obfuscated powershell IEX invocation code
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
-date: 2019/11/08
-modified: 2022/12/31
+date: 2019-11-08
+modified: 2022-12-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index 7915effcca7..30647587e4a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/05
+date: 2020-10-15
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index 5a76116cefe..89f2619860c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/05
+date: 2020-10-15
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index 045bc20c0a4..77c4fabb6ea 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
index c2bacdaebd5..afb1a74a41c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
index 3b39dfd4801..d2054c49759 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-modified: 2024/04/05
+date: 2020-10-12
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
index 15d3e29c9dd..30be1457ee7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2024/04/15
+date: 2020-10-09
+modified: 2024-04-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
index 1a9c97915c3..d067fb3d352 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/08
-modified: 2022/11/29
+date: 2020-10-08
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
index ffc3ba0e67e..eb45ff619d8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009
 author: Nikita Nazarov, oscd.community
-date: 2019/10/08
-modified: 2022/11/29
+date: 2019-10-08
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
index 0f357ea7c60..ce008e13fad 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-modified: 2024/04/05
+date: 2020-10-13
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
index 695430b9d42..8a6ee575d1c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
 author: frack113
-date: 2021/07/30
-modified: 2022/07/11
+date: 2021-07-30
+modified: 2022-07-11
 tags:
 - attack.collection
 - attack.t1056.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
index e5a1937eb25..daa33de6cd6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
 author: frack113
-date: 2021/12/28
+date: 2021-12-28
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
index db9d14a311c..560b8df38b7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
@@ -11,7 +11,7 @@ references:
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/26
+date: 2022-10-26
 tags:
 - attack.exfiltration
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index c09dd22f05f..c031ddeb6bd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -6,9 +6,9 @@ related:
 - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
 type: similar
 - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
- type: obsoletes
+ type: obsolete
 - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 references:
@@ -31,8 +31,8 @@ references:
 - https://github.com/adrecon/ADRecon
 - https://github.com/adrecon/AzureADRecon
 author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
-date: 2017/03/05
-modified: 2024/01/25
+date: 2017-03-05
+modified: 2024-01-25
 tags:
 - attack.execution
 - attack.discovery
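Review bot: Once the slashes are gone, `date: 2017-03-05` and `modified: 2024-01-25` are plain scalars that match the YAML timestamp form, so PyYAML and other YAML 1.1/1.2 loaders now hand these fields over as `datetime.date` objects rather than the strings the old `2017/03/05` spelling always produced. Any repository script or test that still compares, regex-matches or serialises `date`/`modified` as strings would need to accept date objects as well; pySigma presumably parses both forms, but that is worth confirming rather than assuming. If a string is required anywhere, quoting the value (`date: '2017-03-05'`) keeps it a string under every loader without changing the visible format. The `type: obsoletes` to `type: obsolete` rename in the first hunk of this file has the same compatibility edge: a consumer that only knows the older relation name will stop resolving these `related` entries, so it should land together with the validator that expects the new spelling.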
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index 5840887aa54..eb820aa7e5b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -5,8 +5,8 @@ description: Detects keywords from well-known PowerShell exploitation frameworks
 references:
 - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2023/06/20
+date: 2017-03-05
+modified: 2023-06-20
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
index 17198668160..f1d50eef42e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
@@ -5,8 +5,8 @@ description: Detects usage of a PowerShell command to dump the live memory of a
 references:
 - https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
 author: Max Altgelt (Nextron Systems)
-date: 2021/09/21
-modified: 2022/12/25
+date: 2021-09-21
+modified: 2022-12-25
 tags:
 - attack.t1003
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
index e4988d8d0b3..a9ec8b80fa9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
@@ -8,10 +8,10 @@ description: Detect malicious GPO modifications can be used to implement many ot
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
 author: frack113
-date: 2022/08/19
+date: 2022-08-19
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1484.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
index dada94543f8..7e5db6acd3c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
 - https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
 author: frack113, MatilJ
-date: 2022/01/19
-modified: 2022/05/19
+date: 2022-01-19
+modified: 2022-05-19
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index e5656f1e924..eb95954f6a4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -5,8 +5,8 @@ description: Detects Commandlet names and arguments from the Nishang exploitatio
 references:
 - https://github.com/samratashok/nishang
 author: Alec Costello
-date: 2019/05/16
-modified: 2023/01/16
+date: 2019-05-16
+modified: 2023-01-16
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
index 577a2fa3d97..a711e434d6a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
@@ -6,10 +6,10 @@ references:
 - https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
 author: Sami Ruohonen
-date: 2018/07/24
-modified: 2022/12/25
+date: 2018-07-24
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
index fd7d866732f..ca3d9cb76ff 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
 author: frack113
-date: 2021/12/28
+date: 2021-12-28
 tags:
 - attack.persistence
 - attack.t1137.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml b/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml
index cb70c5b3b7e..c79bc329976 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml
@@ -10,9 +10,9 @@ references:
 - https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
 - https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
 author: frack113
-date: 2024/05/12
+date: 2024-05-12
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.discovery
 - attack.t1040
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
index bf32622be1a..a5ab8dde3f9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
@@ -5,9 +5,9 @@ description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a
 references:
 - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/28
+date: 2022-09-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
index 6c8009e0f8a..cfecbf06f19 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
@@ -11,8 +11,8 @@ references:
 - https://thedfirreport.com/2020/10/08/ryuks-return
 - https://adsecurity.org/?p=2277
 author: Bhabesh Raj
-date: 2021/05/18
-modified: 2023/11/22
+date: 2021-05-18
+modified: 2023-11-22
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
index b8aa7b5980e..7514d977004 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/JohnLaTwC/status/850381440629981184
 - https://t.co/ezOTGy1a1G
 author: John Lambert (idea), Florian Roth (Nextron Systems)
-date: 2017/04/09
-modified: 2022/12/25
+date: 2017-04-09
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.execution
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
index 2e9ee1d894f..ca870a18c56 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
@@ -5,7 +5,7 @@ description: Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell w
 references:
 - https://github.com/JoelGMSec/PSAsyncShell
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/04
+date: 2022-10-04
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
index d7d673c6b87..0c9a503d4da 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
@@ -5,8 +5,8 @@ description: Detects the use of PSAttack PowerShell hack tool
 references:
 - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2022/12/25
+date: 2017-03-05
+modified: 2022-12-25
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
index 65dba886070..2627fb5207d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
 author: frack113
-date: 2022/01/06
-modified: 2023/01/02
+date: 2022-01-06
+modified: 2023-01-02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
index cccdd23f261..4eaa754bdb3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
@@ -13,9 +13,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/09
+date: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
index ae14fb3c20a..5571476ac76 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
@@ -8,9 +8,9 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
 author: frack113
-date: 2021/12/28
+date: 2021-12-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
index 6e40bbde91c..e940b8c6891 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
@@ -6,7 +6,7 @@ references:
 - https://www.fortypoundhead.com/showcontent.asp?artid=24022
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/05
+date: 2023-05-05
 tags:
 - attack.exfiltration
 - attack.t1020
diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
index cc64fc6d081..93133559664 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
@@ -5,10 +5,10 @@ description: Adversaries may install a root certificate on a compromised system
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
-date: 2020/10/10
-modified: 2022/12/02
+date: 2020-10-10
+modified: 2022-12-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.004
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
index 7a8af323c0f..be52955d51a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
 - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
 author: frack113
-date: 2022/02/01
+date: 2022-02-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.005
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
index f12cb087b47..db994e6be4e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
@@ -7,8 +7,8 @@ references:
 - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
 author: frack113
-date: 2022/01/07
-modified: 2023/05/04
+date: 2022-01-07
+modified: 2023-05-04
 tags:
 - attack.exfiltration
 - attack.t1020
diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
index 6ae6b02f854..0d9e4e175ab 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
@@ -9,7 +9,7 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
 - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
-date: 2022/09/26
+date: 2022-09-26
 tags:
 - attack.exfiltration
 - attack.t1048.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
index e99d4963bff..2bf49673951 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
@@ -8,7 +8,7 @@ description: Detect adversaries enumerate sensitive files
 references:
 - https://twitter.com/malmoeb/status/1570814999370801158
 author: frack113
-date: 2022/09/16
+date: 2022-09-16
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
index aca0db52632..f84e60065d0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
@@ -12,9 +12,9 @@ description: Detects PowerShell scripts set ACL to of a file or a folder
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/18
+date: 2023-07-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
index ff1923b702f..0634508bf77 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
@@ -13,9 +13,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/18
+date: 2023-07-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index 2334290a1f9..68b7b35f975 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
@@ -14,8 +14,8 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
 - https://adsecurity.org/?p=2604
 author: frack113
-date: 2021/10/20
-modified: 2023/12/14
+date: 2021-10-20
+modified: 2023-12-14
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
index c0726ebd308..3e8d10bb12e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
@@ -5,11 +5,11 @@ description: Detects Base64 encoded Shellcode
 references:
 - https://twitter.com/cyb3rops/status/1063072865992523776
 author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)
-date: 2018/11/17
-modified: 2024/01/25
+date: 2018-11-17
+modified: 2024-01-25
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
index 2bca32e4342..4f3df16022b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
@@ -5,8 +5,8 @@ description: Detects Commandlet names from ShellIntel exploitation scripts.
 references:
 - https://github.com/Shellntel/scripts/
 author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
-modified: 2023/01/02
+date: 2021-08-09
+modified: 2023-01-02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
index 63206ed5316..d322b909de6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
 - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
 author: Nikita Nazarov, oscd.community
-date: 2020/10/16
-modified: 2022/12/02
+date: 2020-10-16
+modified: 2022-12-02
 tags:
 - attack.discovery
 - attack.t1518
diff --git a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
index df055784638..27e19fa41b2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
@@ -5,10 +5,10 @@ description: Storing files in Alternate Data Stream (ADS) similar to Astaroth ma
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
 author: frack113
-date: 2021/09/02
-modified: 2022/12/25
+date: 2021-09-02
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
index ca6e9f06485..d9dd0139a26 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
@@ -5,11 +5,11 @@ description: Detects usage of certain functions and keywords that are used to ma
 references:
 - https://github.com/HarmJ0y/DAMP
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/05
+date: 2023-01-05
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
index d3365ee8939..52799cf751f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
 author: frack113
-date: 2021/12/15
-modified: 2022/12/25
+date: 2021-12-15
+modified: 2022-12-25
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
index 2e09e11bd8b..6e07be9999f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
@@ -8,9 +8,9 @@ description: Detects specific techniques often seen used inside of PowerShell sc
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/09
+date: 2023-01-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1027
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
index d675dec70b7..dc82ea86f49 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
@@ -10,9 +10,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
 - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/12
+date: 2022-09-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
index cb51c1f3763..e338edd5500 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 - https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
 author: frack113
-date: 2022/03/17
+date: 2022-03-17
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
index 9cfed3da8d1..cc0f92bf795 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
@@ -9,8 +9,8 @@ references:
 - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
 - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
 author: Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2022/12/02
+date: 2017-03-05
+modified: 2022-12-02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
index 6720d4c95d3..eab7b12dcf8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
@@ -10,7 +10,7 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
 author: frack113
-date: 2022/01/02
+date: 2022-01-02
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
index f2ebf2f61f4..393e8ff15d1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: frack113
-date: 2021/12/19
-modified: 2022/12/25
+date: 2021-12-19
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
index 9db17e0c8c1..332bb627c1f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/nas_bench/status/1537919885031772161
 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/21
+date: 2022-06-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
index a20c53e924c..96f84a70b1c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
 - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
 author: frack113
-date: 2022/03/17
+date: 2022-03-17
 tags:
 - attack.discovery
 - attack.t1201
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
index 34be6f290cf..9f941ab3605 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
 author: frack113
-date: 2022/04/04
+date: 2022-04-04
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
index 8d4366eff43..6465f1ba549 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
 - https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
 author: frack113
-date: 2022/06/04
+date: 2022-06-04
 tags:
 - attack.discovery
 - attack.t1615
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
index e2eade20fbe..5eb73535304 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
 author: frack113
-date: 2022/03/17
+date: 2022-03-17
 tags:
 - attack.discovery
 - attack.t1057
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
index af6de71d8d0..a3bbd10b823 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
@@ -5,10 +5,10 @@ description: Detects a Get-Process command on lsass process, which is in almost
 references:
 - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
 author: Florian Roth (Nextron Systems)
-date: 2021/04/23
-modified: 2022/12/25
+date: 2021-04-23
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
index 870104f2f79..c0c3b0969f3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
@@ -5,9 +5,9 @@ description: Detects suspicious Powershell code that execute COM Objects
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
 author: frack113
-date: 2022/04/02
+date: 2022-04-02
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.015
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
index 61aaac7d187..887132e8d91 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
 author: frack113
-date: 2022/04/09
+date: 2022-04-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.006
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
index cc2a63ed517..ef64da6697b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
@@ -10,8 +10,8 @@ description: Detects suspicious PowerShell invocation command parameters
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2017/03/12
-modified: 2023/01/03
+date: 2017-03-12
+modified: 2023-01-03
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
index 34266d9b0d5..06a092d4101 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
@@ -2,7 +2,7 @@ title: Suspicious PowerShell Invocations - Specific
 id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
 related:
 - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
- type: obsoletes
+ type: obsolete
 - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
 type: similar
 - id: 536e2947-3729-478c-9903-745aaffe60d2
@@ -12,8 +12,8 @@ description: Detects suspicious PowerShell invocation command parameters
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
-date: 2017/03/05
-modified: 2023/01/05
+date: 2017-03-05
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
index fcb2b047ab0..2bdf61bd4f4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
 author: frack113
-date: 2022/01/23
-modified: 2023/01/02
+date: 2022-01-23
+modified: 2023-01-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
index bd2258ed6eb..d7bf33fc4f5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
@@ -5,10 +5,10 @@ description: Open a handle on the drive volume via the \\.\ DOS device path spec
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
 author: frack113
-date: 2022/01/09
-modified: 2022/03/05
+date: 2022-01-09
+modified: 2022-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
index f794f04bdc0..aefed153495 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
@@ -8,10 +8,10 @@ references:
 - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
 - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/04
+date: 2023-01-04
 tags:
 - attack.collection
- - attack.credential_access
+ - attack.credential-access
 - attack.t1056.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
index adf5411b289..2eae0679ea3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
 - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
 author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
-date: 2019/02/11
-modified: 2023/04/21
+date: 2019-02-11
+modified: 2023-04-21
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
index 030b8af3964..5f134bf6b03 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 author: frack113
-date: 2021/12/12
-modified: 2022/11/25
+date: 2021-12-12
+modified: 2022-11-25
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
index b9159bcbeb9..09ba6270cd8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
 author: frack113
-date: 2021/07/21
-modified: 2022/12/25
+date: 2021-07-21
+modified: 2022-12-25
 tags:
 - attack.collection
 - attack.t1114.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
index 4d88e77e01a..0e583178ab4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
 - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
 author: frack113
-date: 2022/02/01
+date: 2022-02-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.005
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
index 9ccd81c1018..31925e6b91c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
@@ -5,10 +5,10 @@ description: Detects when when a mounted share is removed. Adversaries may remov
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
 author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
-date: 2020/10/08
-modified: 2022/12/25
+date: 2020-10-08
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.005
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
index 221bea012d1..78ec28c36f7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
 author: frack113
-date: 2021/12/27
+date: 2021-12-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1110.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
index 91fddbbdd5b..a17579ab427 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
 author: frack113
-date: 2022/08/13
+date: 2022-08-13
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
index 87f8ce42180..36a4f4d3a8f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
@@ -5,9 +5,9 @@ description: Detects powershell scripts that creates sockets/listeners which cou
 references:
 - https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/08
+date: 2022-07-08
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
index 0478af77bb9..c5ec3b7f1f8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
@@ -5,8 +5,8 @@ description: Once established within a system or network, an adversary may use a
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
 author: frack113
-date: 2021/07/30
-modified: 2022/12/25
+date: 2021-07-30
+modified: 2022-12-25
 tags:
 - attack.collection
 - attack.t1119
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
index 3bfd4bef0e9..c069a19129a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
 author: frack113
-date: 2021/12/26
+date: 2021-12-26
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
index a2dd9ddeab3..b1fc54d3799 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
@@ -9,11 +9,11 @@ references:
 - https://twitter.com/Alh4zr3d/status/1580925761996828672
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/24
+date: 2022-10-24
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.011
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
index cffcb7dfaa3..e04bfd65d1c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
@@ -8,9 +8,9 @@ description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a
 references:
 - https://github.com/1337Rin/Swag-PSO
 author: frack113
-date: 2023/01/08
+date: 2023-01-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1027
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
index f46c20b0813..25f9a78a5d4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
 author: frack113
-date: 2021/12/15
-modified: 2022/12/25
+date: 2021-12-15
+modified: 2022-12-25
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
index cb59bdadee6..5a89b714d0f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
 - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
 author: frack113
-date: 2022/01/23
+date: 2022-01-23
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1573
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
index 26025072284..8d786a3fe5b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
 author: frack113
-date: 2022/01/15
+date: 2022-01-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
index 245a48799df..ecb92378064 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
@@ -6,9 +6,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 author: frack113 -date: 2022/02/01 +date: 2022-02-01 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1553.005 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml index 39e937a11e5..74e82f481d7 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml @@ -7,7 +7,7 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md author: frack113 -date: 2021/12/26 +date: 2021-12-26 tags: - attack.impact - attack.t1491.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml index 7dd77e5433c..c72ca7b6d20 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml @@ -5,8 +5,8 @@ description: Adversaries may attempt to gather information about attached periph references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md author: frack113 -date: 2021/08/23 -modified: 2022/12/25 +date: 2021-08-23 +modified: 2022-12-25 tags: - attack.discovery - attack.t1120 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml index d5631ed9fb7..77f58851cfe 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml @@ -5,8 +5,8 @@ description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-W references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell author: frack113 -date: 2021/12/26 -modified: 2022/12/02 +date: 2021-12-26 +modified: 2022-12-02 tags: - attack.impact - attack.t1490 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml index ffc48d66386..353a02da625 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml @@ -11,8 +11,8 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html author: Tim Rauch -date: 2022/09/20 -modified: 2022/12/02 +date: 2022-09-20 +modified: 2022-12-02 tags: - attack.impact - attack.t1490 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml index c18e3b00f35..c92d3e3d90c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml @@ -7,10 +7,10 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md author: frack113, Tim Shelton (fp AWS) -date: 2021/10/20 -modified: 2023/01/03 +date: 2021-10-20 +modified: 2023-01-03 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1564.003 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml index d1fa4ef1fce..0fcb4965a8c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml @@ -5,9 +5,9 @@ description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. T references: - https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/16 +date: 2022-08-16 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml index 1023cd6ee10..a46f33410bd 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml @@ -15,8 +15,8 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a author: Nasreddine Bencherchali (Nextron Systems), frack113 -date: 2021/07/20 -modified: 2023/12/18 +date: 2021-07-20 +modified: 2023-12-18 tags: - attack.collection - attack.t1074.001 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml index 88486a63c14..0f9c662e676 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml @@ -10,10 +10,10 @@ description: Detects SyncAppvPublishingServer process execution which usually ut references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ author: 'Ensar Şamil, @sblmsrsn, OSCD Community' -date: 2020/10/05 -modified: 2022/12/25 +date: 2020-10-05 +modified: 2022-12-25 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml index 92f900613ad..8b52a2f8fdf 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml @@ -8,9 +8,9 @@ description: Detects attempts to remove Windows Defender configuration using the references: - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/05 +date: 2022-08-05 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml index 5e897c20429..9cb659232b9 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml @@ -10,10 +10,10 @@ references: - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://bidouillesecurity.com/disable-windows-defender-in-powershell/ author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) -date: 2022/01/16 -modified: 2024/01/02 +date: 2022-01-16 +modified: 2024-01-02 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml index cf9b793c3db..32c1a27d074 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml @@ -8,9 +8,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell - https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps author: frack113 -date: 2022/01/23 +date: 2022-01-23 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1571 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml index 915f754d8a3..9ee1b160328 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml 
@@ -8,10 +8,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md - https://www.offensive-security.com/metasploit-unleashed/timestomp/ author: frack113 -date: 2021/08/03 -modified: 2022/12/25 +date: 2021-08-03 +modified: 2022-12-25 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070.006 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml index fe4cc6b8385..87fc5a937c3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml @@ -8,10 +8,10 @@ description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation references: - https://github.com/danielbohannon/Invoke-Obfuscation author: frack113 -date: 2022/12/27 -modified: 2024/08/11 +date: 2022-12-27 +modified: 2023-03-24 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1027.009 logsource: product: windows 
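Review bot: The `modified` field of posh_ps_token_obfuscation.yml moves backwards in this hunk, from `2024/08/11` on the old side to `2023-03-24` on the new side, while every other hunk on this page only swaps the `/` separator for `-`. A format-only conversion should preserve the value, so this looks like the branch was cut from an older revision of the rule and the merge would silently discard whatever was edited on 2024/08/11; the next hunk's change to the detection regex fits that reading. Before merging, the line should read `modified: 2024-08-11` (or today's date, if the detection change in the following hunk is intended).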
@@ -23,13 +23,11 @@ detection: # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString + # ${e`Nv:pATh} - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]' # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting - # ${e`Nv:pATh} - - ScriptBlockText|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}' - filter_envpath: - ScriptBlockText|contains: '${env:path}' # TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964 + - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}' filter_chocolatey: ScriptBlockText|contains: - 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey diff --git a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml index 95d5efe2466..f7faac2c2f3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml @@ -9,7 +9,7 @@ references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/11/17 +date: 2022-11-17 tags: - attack.discovery - attack.t1033 
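Review bot: The new `ScriptBlockText|re` pattern for the backtick-obfuscated `${env:path}` is case-sensitive: it alternates only over lowercase `e|n|v` and `p|a|t|h` and drops the `(?i)` the removed line carried, so the mixed-case example this hunk's own comment gives, `` ${e`Nv:pATh} ``, is no longer matched even though PowerShell resolves it identically. Keep the match case-insensitive, e.g. `` - ScriptBlockText|re|i: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}' `` if the pinned validator accepts the `i` sub-modifier, otherwise widen each alternation to both cases. The removed `filter_envpath` selection and its TODO pointing at SigmaHQ PR 4964 suggest the new side reinstates an older revision of this detection rather than adding a new fix; if `condition` (below the hunk) still names `filter_envpath`, the rule will no longer validate. The relocated `` # ${e`Nv:pATh} `` comment now sits above the generic backtick regex instead of the env pattern it illustrates. The `detection:` mapping starts before and ends after this hunk.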
diff --git a/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml index ce3c334f7d6..e30da0ae3c5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml @@ -5,11 +5,11 @@ description: Detects calls to "Add-Content" cmdlet in order to modify the conten references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md author: frack113, Nasreddine Bencherchali (Nextron Systems) -date: 2021/08/18 -modified: 2023/05/04 +date: 2021-08-18 +modified: 2023-05-04 tags: - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1546.013 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml index e20dd9a2823..4d359a9ff6a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml @@ -9,11 +9,11 @@ references: - https://twitter.com/Alh4zr3d/status/1580925761996828672 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/10/17 +date: 2022-10-17 tags: - attack.persistence - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.011 logsource: product: windows 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml index 91e7f0c9a75..eccd8d6d5c3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml @@ -6,9 +6,9 @@ references: - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/ - https://labs.withsecure.com/publications/fin7-target-veeam-servers author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/04 +date: 2023-05-04 tags: - - attack.credential_access + - attack.credential-access logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml index 0ac2eb869f9..c978e406732 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml @@ -9,8 +9,8 @@ references: - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/ - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell author: James Pemberton / @4A616D6573 -date: 2019/10/24 -modified: 2023/01/10 +date: 2019-10-24 +modified: 2023-01-10 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml index f8547cc4191..e04378b01bc 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml 
@@ -5,9 +5,9 @@ description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentia references: - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/07/13 +date: 2023-07-13 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: ps_script product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml index 68ee1f4e972..19f6887f7c2 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml @@ -5,9 +5,9 @@ description: Detects the execution of an MSI file using PowerShell and the WMI W references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md author: frack113 -date: 2022/04/24 +date: 2022-04-24 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.007 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml index 51dd93bdc8b..0e7f21b905e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml @@ -8,8 +8,8 @@ description: Detects use of WinAPI functions in PowerShell scripts references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community -date: 2020/10/06 -modified: 2023/06/20 +date: 2020-10-06 +modified: 2023-06-20 tags: - attack.execution - attack.t1059.001 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml index 7d65f5d126f..79fa2ee1d8b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml @@ -8,10 +8,10 @@ description: Detects modifications to the Windows Defender configuration setting references: - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html author: Tim Rauch, Elastic (idea) -date: 2022/09/16 -modified: 2022/11/26 +date: 2022-09-16 +modified: 2022-11-26 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562 - attack.execution - attack.t1059 diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml index 2c7295a0f18..beb48f1293c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml @@ -12,10 +12,10 @@ references: - http://woshub.com/manage-windows-firewall-powershell/ - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html author: Austin Songer @austinsonger -date: 2021/10/12 -modified: 2022/12/30 +date: 2021-10-12 +modified: 2022-12-30 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.004 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml index 3e99e1e1e83..d27184e87ca 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml @@ -9,8 +9,8 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md author: Timur Zinniatullin, oscd.community -date: 2019/10/21 -modified: 2022/07/07 +date: 2019-10-21 +modified: 2022-07-07 tags: - attack.persistence - attack.t1547.004 diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml index 12e28077de1..65e4256eb98 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml @@ -6,10 +6,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545 author: frack113 -date: 2021/08/19 -modified: 2022/12/25 +date: 2021-08-19 +modified: 2022-12-25 tags: - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1546.003 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml index 10b86b50462..6805a376cff 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml 
@@ -10,8 +10,8 @@ references: - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/20 -modified: 2022/11/25 +date: 2022-06-20 +modified: 2022-11-25 tags: - attack.execution - attack.t1047 diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml index 8bd67af54f5..758bcb49fdd 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml @@ -5,8 +5,8 @@ description: Detects parameters used by WMImplant references: - https://github.com/FortyNorthSecurity/WMImplant author: NVISO -date: 2020/03/26 -modified: 2022/12/25 +date: 2020-03-26 +modified: 2022-12-25 tags: - attack.execution - attack.t1047 diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml index abefd5c8216..80bcb9136a9 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml @@ -10,9 +10,9 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115 author: frack113 -date: 2022/12/23 +date: 2022-12-23 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1553.004 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml index 12d6d22135e..c8f5b33265b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml @@ -8,8 +8,8 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests author: frack113 -date: 2022/01/19 -modified: 2023/01/19 +date: 2022-01-19 +modified: 2023-01-19 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml index 6df45ed4253..7dc77b126a3 100755 --- a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml +++ b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml @@ -5,10 +5,10 @@ description: Detects various indicators of Microsoft Connection Manager Profile references: - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ author: Nik Seetharaman -date: 2018/07/16 -modified: 2021/06/27 +date: 2018-07-16 +modified: 2021-06-27 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.003 - attack.execution - attack.t1559.001 diff --git a/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml index cdc017c600b..c200b011f9c 100644 --- a/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml +++ b/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml 
@@ -6,12 +6,12 @@ references: - https://github.com/boku7/injectAmsiBypass - https://github.com/boku7/spawn author: Christian Burkard (Nextron Systems) -date: 2021/08/04 -modified: 2023/11/28 +date: 2021-08-04 +modified: 2023-11-28 tags: - attack.execution - attack.t1106 - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: category: process_access diff --git a/rules/windows/process_access/proc_access_win_hktl_generic_access.yml b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml index fd21e20f157..d25f8ad0020 100644 --- a/rules/windows/process_access/proc_access_win_hktl_generic_access.yml +++ b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml @@ -6,9 +6,9 @@ references: - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158 - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel -date: 2023/11/27 +date: 2023-11-27 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 - attack.s0002 logsource: diff --git a/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml b/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml index 63ee38f016b..d7c3559fcda 100644 --- a/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml @@ -5,12 +5,12 @@ description: Detects HandleKatz opening LSASS to duplicate its handle to later d references: - https://github.com/codewhitesec/HandleKatz author: Bhabesh Raj (rule), @thefLinkk -date: 2022/06/27 -modified: 2023/11/28 +date: 2022-06-27 +modified: 2023-11-28 tags: - attack.execution - attack.t1106 - - attack.defense_evasion + - attack.defense-evasion - attack.t1003.001 logsource: category: process_access 
diff --git a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml index 30ac5e826ea..a036b8fc347 100644 --- a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml +++ b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml @@ -5,8 +5,8 @@ description: Detects the process injection of a LittleCorporal generated Maldoc. references: - https://github.com/connormcgarr/LittleCorporal author: Christian Burkard (Nextron Systems) -date: 2021/08/09 -modified: 2023/11/28 +date: 2021-08-09 +modified: 2023-11-28 tags: - attack.execution - attack.t1204.002 diff --git a/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml b/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml index d2a5f9bebef..7f498ae2166 100644 --- a/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml +++ b/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml @@ -7,10 +7,10 @@ references: - https://github.com/codewhitesec/SysmonEnte/ - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png author: Florian Roth (Nextron Systems) -date: 2022/09/07 -modified: 2023/11/28 +date: 2022-09-07 +modified: 2023-11-28 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.002 logsource: category: process_access diff --git a/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml b/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml index 41bf35d0838..c94c97585bf 100755 --- a/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml +++ b/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml 
@@ -6,10 +6,10 @@ references: - https://twitter.com/shantanukhande/status/1229348874298388484 - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/10/20 -modified: 2023/11/29 +date: 2020-10-20 +modified: 2023-11-29 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 logsource: category: process_access diff --git a/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml b/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml index b3a870172e5..11e50bcc9c2 100644 --- a/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml +++ b/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml @@ -6,10 +6,10 @@ references: - https://twitter.com/_xpn_/status/1491557187168178176 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz author: Florian Roth (Nextron Systems) -date: 2022/02/10 -modified: 2023/11/29 +date: 2022-02-10 +modified: 2023-11-29 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 - attack.s0002 logsource: diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml index c8d8aa0b7d6..bf8053d1212 100755 --- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml 
@@ -10,10 +10,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md - https://research.splunk.com/endpoint/windows_possible_credential_dumping/ author: Samir Bousseaden, Michael Haag -date: 2019/04/03 -modified: 2024/03/02 +date: 2019-04-03 +modified: 2024-03-02 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 - attack.s0002 logsource: diff --git a/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml b/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml index ff24d962c4e..bbf0f1dff02 100644 --- a/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml +++ b/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml @@ -2,19 +2,19 @@ title: Credential Dumping Activity By Python Based Tool id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9 related: - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0 - type: obsoletes + type: obsolete - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b - type: obsoletes + type: obsolete status: stable description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz. references: - https://twitter.com/bh4b3sh/status/1303674603819081728 - https://github.com/skelsec/pypykatz author: Bhabesh Raj, Jonhnathan Ribeiro -date: 2023/11/27 -modified: 2023/11/29 +date: 2023-11-27 +modified: 2023-11-29 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 - attack.s0349 logsource: diff --git a/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml b/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml index 7a3cc46c6a3..49bb3d20f05 100644 --- a/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml +++ b/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml 
@@ -5,14 +5,14 @@ description: Detects remote access to the LSASS process via WinRM. This could be
 references:
 - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
 author: Patryk Prauze - ING Tech
-date: 2019/05/20
-modified: 2023/11/29
+date: 2019-05-20
+modified: 2023-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.execution
 - attack.t1003.001
 - attack.t1059.001
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.006
 - attack.s0002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml b/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml
index a7ee70a3324..909a3d46cf7 100644
--- a/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml
@@ -7,9 +7,9 @@ references:
 - https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
 - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
 author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/29
+date: 2022-06-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
index 7ab396f1e3f..6e8dd7f0083 100644
--- a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
@@ -12,10 +12,10 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
-date: 2021/11/22
-modified: 2023/11/29
+date: 2021-11-22
+modified: 2023-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_lsass_werfault.yml b/rules/windows/process_access/proc_access_win_lsass_werfault.yml
index 882813b6d32..7d158814c8b 100644
--- a/rules/windows/process_access/proc_access_win_lsass_werfault.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_werfault.yml
@@ -5,10 +5,10 @@ description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-
 references:
 - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
 author: Florian Roth (Nextron Systems)
-date: 2012/06/27
-modified: 2023/11/29
+date: 2012-06-27
+modified: 2023-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml b/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml
index 51e310eb74e..2bfc07d1773 100644
--- a/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml
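Review bot: The new side of the proc_access_win_lsass_werfault.yml hunk still carries `date: 2012-06-27`, which is implausible for a rule whose only listed reference is a NanoDump commit (a 2021-era tool) and whose `modified` stamp is 2023; the reformat converts the separators but propagates what looks like a pre-existing typo. Since this commit is already rewriting that exact line, it is the natural place to fix it — presumably `date: 2022-06-27`, but confirm against the file's git history rather than guessing. Separately, in ISO form these values are now unquoted YAML timestamps, so a `safe_load` yields a `datetime.date` object where the old slash form yielded a string; that is fine if the sigma-cli/pySigma validator accepts date objects, but it is worth checking the CI output once rather than assuming.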
@@ -8,10 +8,10 @@ references:
 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
 - https://twitter.com/mrd0x/status/1460597833917251595
 author: Florian Roth (Nextron Systems)
-date: 2022/02/10
-modified: 2023/11/29
+date: 2022-02-10
+modified: 2023-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml b/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml
index a522dde7df5..8fbecdd5e78 100644
--- a/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml
+++ b/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2024/05/27
+date: 2024-05-27
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055.011
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml b/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
index 4308363af1c..c4d80b40f5f 100644
--- a/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
+++ b/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
@@ -5,8 +5,8 @@ description: Detects potential calls to NtOpenProcess directly from NTDLL.
 references:
 - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
 author: Christian Burkard (Nextron Systems), Tim Shelton (FP)
-date: 2021/07/28
-modified: 2023/12/13
+date: 2021-07-28
+modified: 2023-12-13
 tags:
 - attack.execution
 - attack.t1106
diff --git a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
index 991906f4cea..d3ca01d426d 100644
--- a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
@@ -5,8 +5,8 @@ description: Detects when a process tries to access the memory of svchost to pot
 references:
 - Internal Research
 author: Florent Labouyrie
-date: 2021/04/30
-modified: 2022/10/09
+date: 2021-04-30
+modified: 2022-10-09
 tags:
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml b/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
index 1fd357197cb..6c2323dcd27 100644
--- a/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/hlldz/Invoke-Phant0m
 - https://twitter.com/timbmsft/status/900724491076214784
 author: Tim Burrell
-date: 2020/01/02
-modified: 2023/01/30
+date: 2020-01-02
+modified: 2023-01-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml b/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
index 8d0246b6b22..987d861b36c 100644
--- a/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
+++ b/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
@@ -6,11 +6,11 @@ references:
 - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
 - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
 author: oscd.community, Dmitry Uchakin
-date: 2020/10/07
-modified: 2023/11/30
+date: 2020-10-07
+modified: 2023-11-30
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml b/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
index 4f845f93f72..9f7066aa1ca 100644
--- a/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
+++ b/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_access
diff --git a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
index 24a958d6409..1bf1f46831d 100644
--- a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
@@ -8,8 +8,8 @@ description: Detects execution of 7z in order to compress a file with a ".dmp"/"
 references:
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/27
-modified: 2023/09/12
+date: 2022-09-27
+modified: 2023-09-12
 tags:
 - attack.collection
 - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml b/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml
index a32f1a038db..79788510840 100644
--- a/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml
+++ b/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml
@@ -5,8 +5,8 @@ description: An adversary may compress or encrypt data that is collected prior t
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 author: frack113
-date: 2021/07/27
-modified: 2023/03/13
+date: 2021-07-27
+modified: 2023-03-13
 tags:
 - attack.collection
 - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
index e1ff2063ddb..8450812a736 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-date: 2023/09/18
+date: 2023-09-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
index dbbe9071827..c70f6ce8086 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-date: 2023/09/18
+date: 2023-09-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
index 3f07b90bfe3..ae897ea9b18 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-date: 2023/09/18
+date: 2023-09-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
index 23bf8f40882..9ea4a0beaa3 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
@@ -5,9 +5,9 @@ description: Detects execution of the Add-In deployment cache updating utility (
 references:
 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-date: 2023/09/18
+date: 2023-09-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
index b8baf532dbd..6111dab76a0 100644
--- a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/nas_bench/status/1534916659676422152
 - https://twitter.com/nas_bench/status/1534915321856917506
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/09
-modified: 2023/06/23
+date: 2022-06-09
+modified: 2023-06-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
index 13ec22dff46..182896e7d36 100644
--- a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
@@ -11,10 +11,10 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
 - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
 - https://twitter.com/jseerden/status/1247985304667066373/photo/1
-date: 2022/12/24
-modified: 2024/08/07
+date: 2022-12-24
+modified: 2024-08-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
index 3e0a1ff9bec..062ae65ff90 100644
--- a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
@@ -11,10 +11,10 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
 - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
 - https://twitter.com/jseerden/status/1247985304667066373/photo/1
-date: 2022/12/24
-modified: 2024/08/07
+date: 2022-12-24
+modified: 2024-08-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
index 51575fa0633..cbe99b2c055 100644
--- a/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
@@ -9,11 +9,11 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
 author: Sreeman
-date: 2020/03/13
-modified: 2023/11/09
+date: 2020-03-13
+modified: 2023-11-09
 tags:
 - attack.t1218
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml
index 1a5e35c469c..15924415e71 100644
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml
+++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml
@@ -13,10 +13,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
 - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
 author: frack113
-date: 2021/11/24
-modified: 2023/08/14
+date: 2021-11-24
+modified: 2023-08-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
index 24ce16161ba..b23cbc09355 100644
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
@@ -13,9 +13,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
 - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/14
+date: 2023-08-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
index b886495a809..c26ac7019ad 100644
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
@@ -13,9 +13,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
 - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/14
+date: 2023-08-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml b/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
index 17a6f805a65..ec59ed03d04 100644
--- a/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
 - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2021/11/27
+date: 2019-10-24
+modified: 2021-11-27
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1053.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml b/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml
index 47228e2a1d8..4bc4bd394d9 100644
--- a/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml
@@ -6,10 +6,10 @@ references:
 - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
 - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
 author: Mateusz Wydra, oscd.community
-date: 2020/10/12
-modified: 2024/03/06
+date: 2020-10-12
+modified: 2024-03-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
index d94dbea8f45..269778d1b0d 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
@@ -6,10 +6,10 @@ references:
 - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
 - https://www.uptycs.com/blog/lolbins-are-no-laughing-matter
 author: Sami Ruohonen
-date: 2019/01/16
-modified: 2023/03/14
+date: 2019-01-16
+modified: 2023-03-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
index f5999be8c19..ecdf6b7bdd2 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
@@ -11,10 +11,10 @@ references:
 - https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0
 - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/28
-modified: 2023/03/14
+date: 2022-06-28
+modified: 2023-03-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml b/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
index 4cce466988e..42071ee0e47 100644
--- a/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
@@ -10,10 +10,10 @@ description: |
 references:
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/18
-modified: 2023/02/21
+date: 2021-12-18
+modified: 2023-02-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
index 45b1d2d6a08..5a340da7e7f 100644
--- a/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
@@ -10,10 +10,10 @@ description: |
 references:
 - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
 author: Janantha Marasinghe (https://github.com/blueteam0ps)
-date: 2021/02/02
-modified: 2023/02/22
+date: 2021-02-02
+modified: 2023-02-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
index a39005eaf96..0540e644d27 100644
--- a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
@@ -10,10 +10,10 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bash/
 author: frack113
-date: 2021/11/24
-modified: 2023/08/15
+date: 2021-11-24
+modified: 2023-08-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
index 378564506d5..e6df1d1bd00 100644
--- a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
@@ -12,9 +12,9 @@ references:
 - https://linux.die.net/man/1/bash
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/15
+date: 2023-08-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml b/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml
index c0027a638b9..821fe1ccd7c 100644
--- a/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
 - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2023/02/15
+date: 2019-10-24
+modified: 2023-02-15
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
index 5b03cb5932d..51d43a13f40 100644
--- a/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
 - https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
 author: '@neu5ron'
-date: 2019/02/07
-modified: 2023/02/15
+date: 2019-02-07
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 - attack.persistence
 - attack.t1542.003
diff --git a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
index 8570b2fa38a..422d784fd49 100644
--- a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
@@ -9,11 +9,11 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
 - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/16
+date: 2023-08-16
 tags:
 - attack.execution
 - attack.t1059.005
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
index 6bf4be7d413..4104b174c71 100644
--- a/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
@@ -9,12 +9,12 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
 - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
 author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
-date: 2019/10/26
-modified: 2023/08/16
+date: 2019-10-26
+modified: 2023-08-16
 tags:
 - attack.execution
 - attack.t1059.005
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml b/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
index 84032ab2b30..11e43cab358 100644
--- a/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
@@ -12,9 +12,9 @@ references:
 - https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/
 - https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/
 author: Josh Nickels, mttaggart
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
index ac01be01d95..8a1d6ac4a5b 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
@@ -7,10 +7,10 @@ references:
 - https://isc.sans.edu/diary/22264
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 author: Michael Haag, FPT.EagleEye
-date: 2017/03/09
-modified: 2023/02/15
+date: 2017-03-09
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
index 1ed2acbb914..abecda37809 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
@@ -11,10 +11,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
 author: Florian Roth (Nextron Systems)
-date: 2022/06/28
-modified: 2023/02/15
+date: 2022-06-28
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
index 6404a63a664..007beb6bdac 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
@@ -10,10 +10,10 @@ references:
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
-date: 2022/06/28
-modified: 2024/02/09
+date: 2022-06-28
+modified: 2024-02-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
index d90c4f3d1e9..8ba27639a7d 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
@@ -7,10 +7,10 @@ references:
 - https://isc.sans.edu/diary/22264
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/28
-modified: 2023/05/30
+date: 2022-06-28
+modified: 2023-05-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
index 1938cbbd12d..7cc0cb97f97 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
@@ -8,10 +8,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/28
-modified: 2023/05/30
+date: 2022-06-28
+modified: 2023-05-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
index 029d092f53d..bf3dcef7da8 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
@@ -8,10 +8,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/28
-modified: 2023/02/15
+date: 2022-06-28
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
index 00145c3f718..f450bd6d2fc 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
@@ -11,10 +11,10 @@ references:
 - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
 - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
 author: Sreeman
-date: 2020/10/29
-modified: 2024/01/25
+date: 2020-10-29
+modified: 2024-01-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1197
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
index 557cdcec130..25650868ef4 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
@@ -11,9 +11,9 @@ references:
 - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
 - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/23
+date: 2022-12-23
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1185
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
index 2c16c8aa48b..4290aad212c 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
@@ -9,9 +9,9 @@ references:
 - https://twitter.com/mrd0x/status/1478234484881436672?s=12
 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/12
+date: 2023-09-12
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
index 1503072b3a3..a90052b9c25 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/mrd0x/status/1478234484881436672?s=12
 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 author: Sreeman, Florian Roth (Nextron Systems)
-date: 2022/01/04
-modified: 2023/05/12
+date: 2022-01-04
+modified: 2023-05-12
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
index 8319387bda8..0624aa3ebe6 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
@@ -10,8 +10,8 @@ references:
 - https://emkc.org/s/RJjuLa
 - https://www.mandiant.com/resources/blog/lnk-between-browsers
 author: Aedan Russell, frack113, X__Junior (Nextron Systems)
-date: 2022/06/19
-modified: 2023/11/28
+date: 2022-06-19
+modified: 2023-11-28
 tags:
 - attack.persistence
 - attack.t1176
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
index d1331368d0c..9502bfcf2e1 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
@@ -5,7 +5,7 @@ description: Detects the execution of a Chromium based browser process with the
 references:
 - https://www.zscaler.com/blogs/security-research/steal-it-campaign
 author: X__Junior (Nextron Systems)
-date: 2023/09/11
+date: 2023-09-11
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
index 3fbed6e5eaf..504d235589f 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
@@ -10,8 +10,8 @@ references:
 - https://emkc.org/s/RJjuLa
 - https://www.mandiant.com/resources/blog/lnk-between-browsers
 author: Aedan Russell, frack113, X__Junior (Nextron Systems)
-date: 2022/06/19
-modified: 2023/11/28
+date: 2022-06-19
+modified: 2023-11-28
 tags:
 - attack.persistence
 - attack.t1176
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml
index a2c0f412229..b93a5b353b6 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/mrd0x/status/1478116126005641220
 - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/11
-modified: 2023/11/09
+date: 2022-01-11
+modified: 2023-11-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
index 94c889d7f56..7199a169aab 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
@@ -11,10 +11,10 @@ references:
 - https://github.com/defaultnamehere/cookie_crimes/
 - https://github.com/wunderwuzzi23/firefox-cookiemonster
 author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/27
-modified: 2022/12/23
+date: 2022-07-27
+modified: 2022-12-23
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1185
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml b/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml
index 952906e58e0..2584b566def 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml
@@ -5,10 +5,10 @@ description: Detects the use of Tor or Tor-Browser to connect to onion routing n
 references:
 - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
 author: frack113
-date: 2022/02/20
-modified: 2023/02/13
+date: 2022-02-20
+modified: 2023-02-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml b/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml
index d0be2aabea7..8c264e6d5c8 100644
--- a/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://twitter.com/ItsReallyNick/status/1094080242686312448
 author: Florian Roth (Nextron Systems)
-date: 2019/02/09
-modified: 2023/11/09
+date: 2019-02-09
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml b/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml
index d17f3dcfdaa..0de84472d0e 100644
--- a/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml
@@ -7,12 +7,12 @@ references:
 - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
 - https://twitter.com/nas_bench/status/1534957360032120833
 author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/26
-modified: 2024/04/22
+date: 2019-10-26
+modified: 2024-04-22
 tags:
 - attack.execution
 - attack.t1106
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1127
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml b/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml
index 226bce9b770..ecadab35c3a 100644
--- a/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml
+++ b/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml
@@ -4,7 +4,7 @@ related:
 - id: 42821614-9264-4761-acfc-5772c3286f76
 type: derived
 - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
@@ -13,9 +13,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 - https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
 author: oscd.community, @redcanary, Zach Stanford @svch0st
-date: 2023/03/05
+date: 2023-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_download.yml b/rules/windows/process_creation/proc_creation_win_certoc_download.yml
index 4ae525bbdf0..64c7d57d60a 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_download.yml
@@ -8,10 +8,10 @@ description: Detects when a user downloads a file by using CertOC.exe
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/16
-modified: 2023/10/18
+date: 2022-05-16
+modified: 2023-10-18
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml
index b0e8ea59898..c00e0f69406 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml
@@ -8,9 +8,9 @@ description: Detects when a user downloads a file from an IP based URL using Cer
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/18
+date: 2023-10-18
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
 - attack.t1105
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
index 20d92cafd92..a72bfabe946 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2
 - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Austin Songer @austinsonger
-date: 2021/10/23
-modified: 2024/03/05
+date: 2021-10-23
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
index 0e1f850a60c..edc542a539d 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2
 - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
-modified: 2024/03/05
+date: 2023-02-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml
index 00ae0c0b680..d97c7467fa2 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml
@@ -4,7 +4,7 @@ related:
 - id: 42821614-9264-4761-acfc-5772c3286f76
 type: derived
 - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
@@ -12,10 +12,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 author: oscd.community, @redcanary, Zach Stanford @svch0st
-date: 2023/03/05
-modified: 2024/03/05
+date: 2023-03-05
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
index 17e40b7b614..9f6655c1d2c 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
@@ -10,10 +10,10 @@ references:
 - https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2023/02/15
-modified: 2024/03/05
+date: 2023-02-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download.yml b/rules/windows/process_creation/proc_creation_win_certutil_download.yml
index b008ba1fd8f..d9e77b38cb2 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download.yml
@@ -12,9 +12,9 @@ references:
 - https://twitter.com/egre55/status/1087685529016193025
 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
+date: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
index 1ad97531b52..53f947fee9a 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
@@ -15,9 +15,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 - https://twitter.com/_JohnHammond/status/1708910264261980634
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
+date: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
index 40be7869b40..afb604f263b 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
@@ -15,10 +15,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
-modified: 2024/02/09
+date: 2023-02-15
+modified: 2024-02-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
index 2b523b57567..2994f73f423 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
@@ -7,10 +7,10 @@ references:
 - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/02/24
-modified: 2024/03/05
+date: 2019-02-24
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
index 7d1ea21b242..98edaf1a986 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
@@ -11,10 +11,10 @@ references:
 - https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
 - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2024/03/05
+date: 2023-05-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
index 3e9e09894ec..6f1fae87e99 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
@@ -11,10 +11,10 @@ references:
 - https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
 - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2024/03/05
+date: 2023-05-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
index f7121ebbbe1..37df08c3333 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
@@ -5,10 +5,10 @@ description: Detects the execution of the certutil with the "exportPFX" flag whi
 references:
 - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
-modified: 2024/03/05
+date: 2023-02-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
index 1e69c0c26db..0797a090dcc 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
@@ -5,10 +5,10 @@ description: Detects possible NTLM coercion via certutil using the 'syncwithWU'
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/issues/243
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/01
-modified: 2023/02/14
+date: 2022-09-01
+modified: 2023-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
index b86bf5de7d6..d86cf13668d 100644
--- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
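Review bot: The retagged technique on the certutil_export_pfx hunk still looks mismatched with what the rule detects: the description says it fires on `certutil` with the `exportPFX` flag, which exports a certificate together with its private key, yet the new side keeps `attack.defense-evasion` / `attack.t1027` (Obfuscated Files or Information). If that is not deliberate, `  - attack.credential-access` and `  - attack.t1552.004` (Unsecured Credentials: Private Keys) read as the closer mapping, and the Golden SAML reference in the same hunk points the same way. This is hedged because the detection block and any earlier discussion of the tagging sit outside the hunk; since the commit is already rewriting tag lines, it is a cheap moment to settle it.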
@@ -6,8 +6,8 @@ references:
 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
 author: _pete_0, TheDFIRReport
-date: 2022/02/21
-modified: 2024/03/05
+date: 2022-02-21
+modified: 2024-03-05
 tags:
 - attack.discovery
 - attack.t1614.001
diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
index 8e9c366224f..d45645ffa3f 100644
--- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
+++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
@@ -6,11 +6,11 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
 - https://twitter.com/cglyer/status/1183756892952248325
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2019/10/14
-modified: 2023/03/07
+date: 2019-10-14
+modified: 2023-03-07
 tags:
 - attack.t1036
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
index a47f891713a..fbcb5aa638b 100644
--- a/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
 author: frack113
-date: 2021/12/26
-modified: 2023/02/21
+date: 2021-12-26
+modified: 2023-02-21
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml b/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml
index 7802fd26153..e5e5da84e84 100644
--- a/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/_xpn_/status/1491557187168178176
 - https://www.youtube.com/watch?v=Ie831jF0bb0
 author: Florian Roth (Nextron Systems)
-date: 2022/02/10
-modified: 2022/05/13
+date: 2022-02-10
+modified: 2022-05-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_clip_execution.yml b/rules/windows/process_creation/proc_creation_win_clip_execution.yml
index 9c5faf4197e..cbfa3cbaea6 100644
--- a/rules/windows/process_creation/proc_creation_win_clip_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_clip_execution.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
 author: frack113
-date: 2021/07/27
-modified: 2023/02/21
+date: 2021-07-27
+modified: 2023-02-21
 tags:
 - attack.collection
 - attack.t1115
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml
index 5a7a1c1ff4c..e0a35f2da37 100644
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml
@@ -11,9 +11,9 @@ references:
 - https://github.com/cloudflare/cloudflared/releases
 author: Nasreddine Bencherchali (Nextron Systems)
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.001
-date: 2023/12/20
+date: 2023-12-20
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml
index 12305388ebc..3c8194c9783 100644
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml
@@ -17,9 +17,9 @@ references:
 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
 author: Sajid Nawaz Khan
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.001
-date: 2023/12/20
+date: 2023-12-20
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
index 0d7fbad446f..3ebc4087d97 100644
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/cloudflare/cloudflared
 - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/17
-modified: 2023/12/21
+date: 2023-05-17
+modified: 2023-12-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 - attack.t1090
 - attack.t1572
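Review bot: In the cloudflared_portable_execution hunk (and the quicktunnel hunk right after it) the rewritten `date: 2023-12-20` line sits below the `tags` list, while every other rule touched in this diff orders its metadata `author`, `date`, `modified`, `tags`. The commit is already editing that exact line, so moving it directly under `author: Nasreddine Bencherchali (Nextron Systems)` would make these two files agree with the rest of the corpus and with any key-order lint the repository runs, at no extra cost. A YAML mapping is unordered to the parser, so this is purely a consistency point, not a correctness one; the remainder of each rule is outside the hunk.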
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
index 633b1069bbe..f3661aa4b01 100644
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/cloudflare/cloudflared
 - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/17
-modified: 2023/12/20
+date: 2023-05-17
+modified: 2023-12-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 - attack.t1090
 - attack.t1572
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
index 8504c8c0f5b..15f2e831274 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
@@ -10,8 +10,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2023/03/06
+date: 2019-10-21
+modified: 2023-03-06
 tags:
 - attack.persistence
 - attack.t1546.001
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
index 09b8c38ac5e..b0ab2ab46e4 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
@@ -10,8 +10,8 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/28
-modified: 2023/03/06
+date: 2022-06-28
+modified: 2023-03-06
 tags:
 - attack.persistence
 - attack.t1546.001
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml b/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml
index 1ca643dc6f6..6ef76af1cce 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml
@@ -5,10 +5,10 @@ description: Detects usage of the copy builtin cmd command to copy files with th
 references:
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/27
-modified: 2023/09/12
+date: 2022-09-27
+modified: 2023-09-12
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
index 566d90709ec..4d0659da7c9 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
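Review bot: After the retag, the cmd_copy_dmp_from_share hunk carries only the tactic `attack.credential-access` with no technique beneath it, whereas every other hunk in this diff pairs a tactic with at least one `attack.tXXXX` tag. The description line says the rule watches the `copy` builtin moving `.dmp` files from a share, which reads like staging a memory dump for offline credential extraction; if that is the intent, `  - attack.t1003` (OS Credential Dumping) looks like the missing technique, though this is hedged because the detection block is outside the hunk. If no single technique genuinely fits, a short `#` comment above the tag list saying why only the tactic is recorded would keep the next reviewer from re-raising it.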
@@ -5,12 +5,12 @@ description: Adversaries can use curl to download payloads remotely and execute
 references:
 - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
 author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/01/13
-modified: 2024/03/05
+date: 2020-01-13
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
index 8f0dc1a1828..cd2fd267545 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
 author: frack113
-date: 2022/01/15
-modified: 2024/03/05
+date: 2022-01-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
index fdde9d91f8a..3af2a401b3f 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
@@ -6,10 +6,10 @@ references:
 - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
 author: frack113 , X__Junior (Nextron Systems)
-date: 2021/12/02
-modified: 2023/09/11
+date: 2021-12-02
+modified: 2023-09-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
index 186f688a6cc..d655a8c8540 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
@@ -6,8 +6,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
 author: frack113
-date: 2021/12/13
-modified: 2024/04/14
+date: 2021-12-13
+modified: 2024-04-14
 tags:
 - attack.discovery
 - attack.t1217
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
index f81862b0a67..10b14b51cab 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
@@ -6,8 +6,8 @@ references:
 - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
 - https://github.com/danielbohannon/Invoke-DOSfuscation
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/15
-modified: 2023/03/06
+date: 2022-02-15
+modified: 2023-03-06
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml b/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml
index 58ec2c6f1c3..b4c3ceb0c80 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml
@@ -6,11 +6,11 @@ references:
 - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
 - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2019/01/16
-modified: 2021/11/27
+date: 2019-01-16
+modified: 2021-11-27
 tags:
 - attack.execution
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1059.003
 - attack.t1059.001
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml b/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
index 53266fba6ad..41a6959c29b 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
 - https://ss64.com/nt/mklink.html
 author: frack113
-date: 2022/12/11
-modified: 2022/12/20
+date: 2022-12-11
+modified: 2022-12-20
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.008
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml b/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
index b8f367cbef6..1fc6e8164ab 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
@@ -5,10 +5,10 @@ description: Shadow Copies storage symbolic link creation using operating system
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2023/03/06
+date: 2019-10-22
+modified: 2023-03-06
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 - attack.t1003.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
index 79f44dfeffc..52f4ae19996 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/ShadowChasing1/status/1552595370961944576
 - https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
 author: pH-T (Nextron Systems)
-date: 2022/09/01
-modified: 2023/02/21
+date: 2022-09-01
+modified: 2023-02-21
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml
index 8af94c79549..8b8a40c7dd4 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml
@@ -8,8 +8,8 @@ references:
 - https://twitter.com/cyb3rops/status/1562072617552678912
 - https://ss64.com/nt/cmd.html
 author: Florian Roth (Nextron Systems)
-date: 2022/08/23
-modified: 2023/03/06
+date: 2022-08-23
+modified: 2023-03-06
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml b/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
index b741b98d0c2..15c2ee23186 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
@@ -5,10 +5,10 @@ description: Detects command that type the content of ntdll.dll to a different f
 references:
 - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
 author: Florian Roth (Nextron Systems)
-date: 2022/03/05
-modified: 2023/03/07
+date: 2022-03-05
+modified: 2023-03-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml b/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml
index c77506e5f2f..1241ffbace3 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml
@@ -6,8 +6,8 @@ references:
 - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
 - https://twitter.com/Oddvarmoe/status/1270633613449723905
 author: xknow @xknow_infosec, Tim Shelton
-date: 2020/06/11
-modified: 2023/03/06
+date: 2020-06-11
+modified: 2023-03-06
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
index b1b53e96f05..abbed65b2dd 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - Internal Research
 author: X__Junior (Nextron Systems)
-date: 2023/07/18
-modified: 2024/03/06
+date: 2023-07-18
+modified: 2024-03-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
index 23ab4e0eb20..717b4fd9249 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
@@ -8,10 +8,10 @@ references:
 - https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
 author: Ilya Krestinichev
-date: 2022/11/03
-modified: 2024/03/05
+date: 2022-11-03
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
index 0f15e3a0b4d..baa9d935549 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
@@ -12,10 +12,10 @@ description: |
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
-modified: 2024/03/19
+date: 2022-07-12
+modified: 2024-03-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
index 13f0a14a4fa..6f297d0bbd0 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
 author: frack113
-date: 2022/01/15
-modified: 2023/03/07
+date: 2022-01-15
+modified: 2023-03-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml b/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
index 48f0b7638a8..2987d6abfa4 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
@@ -7,8 +7,8 @@ references:
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
 author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
-modified: 2023/03/07
+date: 2021-08-09
+modified: 2023-03-07
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml b/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml
index e90aba9a10c..e94cf40d716 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml
@@ -2,14 +2,14 @@ title: Read Contents From Stdin Via Cmd.EXE
 id: 241e802a-b65e-484f-88cd-c2dc10f9206d
 related:
 - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003
- type: obsoletes
+ type: obsolete
 status: test
 description: Detect the use of "<" to read and potentially execute a file via cmd.exe
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
 - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/07
+date: 2023-03-07
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
index 4d70886e81b..f74847d3352 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
@@ -8,10 +8,10 @@ description: Detects the usage and installation of a backdoor that uses an optio
 references:
 - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
 author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-date: 2018/03/15
-modified: 2023/03/07
+date: 2018-03-15
+modified: 2023-03-07
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.008
 - car.2014-11-003
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
index 850e973cafe..e838850bc4e 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
@@ -9,11 +9,11 @@ references:
 - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
 - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
 author: Sreeman
-date: 2020/02/18
-modified: 2023/03/07
+date: 2020-02-18
+modified: 2023-03-07
 tags:
 - attack.t1546.008
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_type_arbitrary_file_download.yml b/rules/windows/process_creation/proc_creation_win_cmd_type_arbitrary_file_download.yml
index 267ab088b7d..3c72867d69a 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_type_arbitrary_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_type_arbitrary_file_download.yml
@@ -5,9 +5,9 @@ description: Detects usage of the "type" command to download/upload data from We
 references:
 - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/14
+date: 2022-12-14
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
index f08878e392c..322622e2f6b 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
@@ -5,8 +5,8 @@ description: Detects suspicious parent process for cmd.exe
 references:
 - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/21
-modified: 2023/12/05
+date: 2022-09-21
+modified: 2023-12-05
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
index c215c1b2097..8dee296e292 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/03
-modified: 2024/03/05
+date: 2023-02-03
+modified: 2024-03-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
index 67582ff73b4..207afb47da5 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
@@ -7,10 +7,10 @@ references:
 - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
 - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey
 author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2019/01/16
-modified: 2024/03/05
+date: 2019-01-16
+modified: 2024-03-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml b/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml
index 50534593f68..744a4b5a390 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml
@@ -10,11 +10,11 @@ references:
 - https://twitter.com/SwiftOnSecurity/status/1455897435063074824
 - https://github.com/LOLBAS-Project/LOLBAS/pull/151
 author: frack113
-date: 2021/11/03
-modified: 2024/04/22
+date: 2021-11-03
+modified: 2024-04-22
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml b/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
index 33e0a62f78f..85bf2196780 100644
--- a/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
@@ -5,10 +5,10 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 references:
 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 author: Nik Seetharaman
-date: 2018/07/16
-modified: 2020/12/23
+date: 2018-07-16
+modified: 2020-12-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218.003
 - attack.g0069
diff --git a/rules/windows/process_creation/proc_creation_win_configsecuritypolicy_download_file.yml b/rules/windows/process_creation/proc_creation_win_configsecuritypolicy_download_file.yml
index cc5dd05fb39..08764ff140b 100644
--- a/rules/windows/process_creation/proc_creation_win_configsecuritypolicy_download_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_configsecuritypolicy_download_file.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/
 author: frack113
-date: 2021/11/26
-modified: 2022/05/16
+date: 2021-11-26
+modified: 2022-05-16
 tags:
 - attack.exfiltration
 - attack.t1567
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml b/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
index e8481af00cf..d2705819e73 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
@@ -10,9 +10,9 @@ description: |
 references:
 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
 author: Matt Anderson (Huntress)
-date: 2024/07/23
+date: 2024-07-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1059.001
 - attack.t1059.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml b/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
index 13816ccf8ee..7e412b26610 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
@@ -7,9 +7,9 @@ references:
 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
 - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
 author: frack113
-date: 2022/12/09
+date: 2022-12-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml b/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml
index c7b09d2bed0..2bc8b3ce857 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml
@@ -5,7 +5,7 @@ description: detects the usage of path traversal in conhost.exe indicating possi
 references:
 - https://pentestlab.blog/2020/07/06/indirect-command-execution/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/14
+date: 2022-06-14
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
index 9b1a6c212bb..06b2331c2a8 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
@@ -5,10 +5,10 @@ description: Detects uncommon "conhost" child processes. This could be a sign of
 references:
 - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
 author: omkar72
-date: 2020/10/25
-modified: 2023/12/11
+date: 2020-10-25
+modified: 2023-12-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
index f1b546fa4d3..fa0de1e382a 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
@@ -5,8 +5,8 @@ description: Detects when the Console Window Host (conhost.exe) process is spawn
 references:
 - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/28
-modified: 2023/03/29
+date: 2022-09-28
+modified: 2023-03-29
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
index f3948552cbd..fe73817dfcb 100644
--- a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
+++ b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
@@ -5,11 +5,11 @@ description: Detects the malicious use of a control panel item
 references:
 - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
-date: 2020/06/22
-modified: 2023/10/11
+date: 2020-06-22
+modified: 2023-10-11
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.002
 - attack.persistence
 - attack.t1546
diff --git a/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml
index ca97bd4f80e..41b18b34d4f 100644
--- a/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml
@@ -9,10 +9,10 @@ references:
 - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
 - https://twitter.com/bopin2020/status/1366400799199272960
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/04
-modified: 2022/08/19
+date: 2022-01-04
+modified: 2022-08-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
index ee026d154f8..2db27cb340b 100644
--- a/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
+++ b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/gN3mes1s/status/1206874118282448897
 - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
-date: 2019/08/24
-modified: 2024/05/27
+date: 2019-08-24
+modified: 2024-05-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
index 234b243c2a1..50c5dc8cc9b 100644
--- a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
@@ -7,13 +7,13 @@ references:
 - https://reaqta.com/2017/11/short-journey-darkvnc/
 - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2019/02/11
-modified: 2024/05/27
+date: 2019-02-11
+modified: 2024-05-27
 tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.005
 - attack.t1027.004
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_csi_execution.yml b/rules/windows/process_creation/proc_creation_win_csi_execution.yml
index ef3010a15ad..a3f5e0697c3 100644
--- a/rules/windows/process_creation/proc_creation_win_csi_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_csi_execution.yml
@@ -8,12 +8,12 @@ references:
 - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
 - https://twitter.com/Z3Jpa29z/status/1317545798981324801
 author: Konstantin Grishchenko, oscd.community
-date: 2020/10/17
-modified: 2022/07/11
+date: 2020-10-17
+modified: 2022-07-11
 tags:
 - attack.execution
 - attack.t1072
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml b/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml
index ed8be9d7b1a..ead6375ab6c 100644
--- a/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml
+++ b/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml
@@ -5,8 +5,8 @@ description: Detects the execution of CSharp interactive console by PowerShell
 references:
 - https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
 author: Michael R. (@nahamike01)
-date: 2020/03/08
-modified: 2022/07/14
+date: 2020-03-08
+modified: 2022-07-14
 tags:
 - attack.execution
 - attack.t1127
diff --git a/rules/windows/process_creation/proc_creation_win_csvde_export.yml b/rules/windows/process_creation/proc_creation_win_csvde_export.yml
index 11d34cd80f0..b007a3dd8ed 100644
--- a/rules/windows/process_creation/proc_creation_win_csvde_export.yml
+++ b/rules/windows/process_creation/proc_creation_win_csvde_export.yml
@@ -8,7 +8,7 @@ references:
 - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
 - https://redcanary.com/blog/msix-installers/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/14
+date: 2023-03-14
 tags:
 - attack.exfiltration
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
index a993af3f72c..796cb83829b 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
@@ -5,7 +5,7 @@ description: Detects execution of "curl.exe" with the "-c" flag in order to save
 references:
 - https://curl.se/docs/manpage.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/27
+date: 2023-07-27
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
index 10da8a72133..c47022bc2e8 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
@@ -6,7 +6,7 @@ references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/27
+date: 2023-07-27
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
index 89f690ac354..7b0b7dce1fd 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
@@ -10,7 +10,7 @@ references: - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/10/18 +date: 2023-10-18 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml index dd2190a9aae..7a9688040a0 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml @@ -7,7 +7,7 @@ references: - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/07/27 +date: 2023-07-27 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml index 0a7cdcc02f9..dd57b6b9da2 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml @@ -6,8 +6,8 @@ references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/05 -modified: 2024/02/09 +date: 2023-05-05 +modified: 2024-02-09 tags: - attack.execution logsource: 
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml index 5069b28e086..8c3360a749c 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml @@ -5,7 +5,7 @@ description: Detects execution of "curl.exe" with the "--insecure" flag. references: - https://curl.se/docs/manpage.html author: X__Junior (Nextron Systems) -date: 2023/06/30 +date: 2023-06-30 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml index 6082f5f5eca..eac8b3bf203 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml @@ -5,7 +5,7 @@ description: Detects execution of "curl.exe" with the "insecure" flag over proxy references: - https://curl.se/docs/manpage.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/07/27 +date: 2023-07-27 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml index f9fefc3b6ad..257c0f0f795 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml @@ -5,7 +5,7 @@ description: Detects execution of "curl.exe" with the "file://" protocol handler references: - https://curl.se/docs/manpage.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/07/27 +date: 2023-07-27 tags: - attack.execution logsource: 
diff --git a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml index d29a2bf73f1..13ff16ec549 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml @@ -14,10 +14,10 @@ references: - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/ - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2020/07/03 -modified: 2023/02/21 +date: 2020-07-03 +modified: 2023-02-21 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml index bac9b8e55b0..2fcbe4e8788 100644 --- a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml @@ -9,10 +9,10 @@ references: - https://twitter.com/gN3mes1s/status/1222095963789111296 - https://twitter.com/gN3mes1s/status/1222095371175911424 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2020/01/28 -modified: 2024/04/22 +date: 2020-01-28 +modified: 2024-04-22 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1055.001 logsource: category: process_creation 
diff --git a/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml index 93d335e4d47..5d885ec0095 100644 --- a/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml @@ -6,11 +6,11 @@ references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/ - https://www.echotrail.io/insights/search/defaultpack.exe author: frack113 -date: 2022/12/31 -modified: 2024/04/22 +date: 2022-12-31 +modified: 2024-04-22 tags: - attack.t1218 - - attack.defense_evasion + - attack.defense-evasion - attack.execution logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml index 09aef9696e4..1ff0da2c88f 100644 --- a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml +++ b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml @@ -5,9 +5,9 @@ description: Detects the desktopimgdownldr utility being used to download a remo references: - https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html author: Tim Rauch, Elastic (idea) -date: 2022/09/27 +date: 2022-09-27 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml index e3bd3dc0078..209d21b099a 100644 --- a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml @@ -6,10 +6,10 @@ references: - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ - https://twitter.com/SBousseaden/status/1278977301745741825 author: Florian Roth (Nextron Systems) -date: 2020/07/03 -modified: 2021/11/27 +date: 2020-07-03 +modified: 2021-11-27 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml index 3fec8ca31c6..84ffa860a5b 100644 --- a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml +++ b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml @@ -11,10 +11,10 @@ references: - https://mobile.twitter.com/0gtweet/status/1564131230941122561 - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html author: '@gott_cyber' -date: 2022/08/29 -modified: 2023/02/04 +date: 2022-08-29 +modified: 2023-02-04 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.002 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml b/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml index 94b671b3d76..63ce60c8acc 100644 --- a/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml 
@@ -6,11 +6,11 @@ references: - https://twitter.com/mrd0x/status/1460815932402679809 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/ author: Florian Roth (Nextron Systems) -date: 2022/01/11 -modified: 2023/04/06 +date: 2022-01-11 +modified: 2023-04-06 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml index a801cacd0b7..7e91b656d16 100644 --- a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml @@ -5,10 +5,10 @@ description: Detects potentially suspicious child processes of a ClickOnce deplo references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/06/12 +date: 2023-06-12 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml index 1d197418c2a..047fd42fde1 100644 --- a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml 
@@ -6,8 +6,8 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md - https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/ author: frack113 -date: 2022/08/20 -modified: 2023/02/04 +date: 2022-08-20 +modified: 2023-02-04 tags: - attack.discovery - attack.t1083 diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml index 4aa24565c43..0b50eabbbad 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml @@ -20,9 +20,9 @@ references: - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/09/15 +date: 2023-09-15 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml index 1253c0d2152..68c22c51fae 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml 
@@ -22,10 +22,10 @@ references: - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/09/15 -modified: 2024/03/05 +date: 2023-09-15 +modified: 2024-03-05 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml index 99993fcd70f..e551880bb51 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml @@ -20,10 +20,10 @@ references: - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/09/15 +date: 2023-09-15 modifier: 2024/03/05 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml index 7cb6ce17e46..4d0bb87c1a9 100644 --- a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml +++ b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml 
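Review bot: In the proc_creation_win_diskshadow_script_mode_susp_location.yml hunk the line `modifier: 2024/03/05` is neither converted nor corrected: the key is presumably a typo for `modified` (the sibling diskshadow rule in the preceding hunk carries `modified: 2024/03/05` and is converted), and its value keeps the old slash format, so it will not match the new date convention and is unlikely to be validated as a modification date at all. Replace it with `modified: 2024-03-05` so the metadata reads the same as the other diskshadow rules.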
@@ -5,9 +5,9 @@ description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from references: - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/02 +date: 2022-08-02 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.002 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml index 09c74587a44..0caeaa9b743 100644 --- a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml @@ -7,10 +7,10 @@ references: - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/27 -modified: 2023/05/15 +date: 2022-06-27 +modified: 2023-05-15 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1055 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml index 70b5088455a..ca0d6d52c00 100644 --- a/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml 
@@ -6,12 +6,12 @@ references: - https://github.com/iagox86/dnscat2 - https://github.com/yarrick/iodine author: Daniil Yugoslavskiy, oscd.community -date: 2019/10/24 -modified: 2021/11/27 +date: 2019-10-24 +modified: 2021-11-27 tags: - attack.exfiltration - attack.t1048.001 - - attack.command_and_control + - attack.command-and-control - attack.t1071.004 - attack.t1132.001 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml index 81d7c3cb93c..296b9029203 100644 --- a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml @@ -5,10 +5,10 @@ description: Detects an unexpected process spawning from dns.exe which may indic references: - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html author: Tim Rauch, Elastic (idea) -date: 2022/09/27 -modified: 2023/02/05 +date: 2022-09-27 +modified: 2023-02-05 tags: - - attack.initial_access + - attack.initial-access - attack.t1133 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml index dde5693d0e0..e6783940844 100644 --- a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml @@ -7,8 +7,8 @@ references: - https://learn.microsoft.com/en-us/azure/dns/dns-zones-records - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/ author: '@gott_cyber' -date: 2022/07/31 -modified: 2023/02/04 +date: 2022-07-31 +modified: 2023-02-04 tags: - attack.discovery - attack.execution 
diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml index 100c2b6f6a8..cc56541a032 100644 --- a/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml @@ -11,10 +11,10 @@ references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html author: Florian Roth (Nextron Systems) -date: 2017/05/08 -modified: 2023/02/05 +date: 2017-05-08 +modified: 2023-02-05 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.002 - attack.t1112 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml b/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml index 33143a5f9a3..e4bc4b2dd4e 100644 --- a/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml +++ b/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml @@ -8,10 +8,10 @@ references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/ - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ author: Beyu Denis, oscd.community -date: 2019/10/26 -modified: 2024/04/24 +date: 2019-10-26 +modified: 2024-04-24 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - attack.t1027.004 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml b/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml index 77030d5b11e..aeb4ed7cdb0 100644 --- a/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml @@ -7,10 +7,10 @@ references: - https://twitter.com/_felamos/status/1204705548668555264 - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/ author: Beyu Denis, oscd.community -date: 2020/10/18 -modified: 2024/04/24 +date: 2020-10-18 +modified: 2024-04-24 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml index 89c798b1c14..816fc05d7dd 100644 --- a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml @@ -5,10 +5,10 @@ description: Detects commandline arguments for executing a child process via dot references: - https://twitter.com/bohops/status/1740022869198037480 author: Jimmy Bayne (@bohops) -date: 2024/01/02 +date: 2024-01-02 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml index cfda2a9a757..51eb013f8f0 100644 --- a/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml +++ b/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml 
@@ -7,9 +7,9 @@ references: - https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect - https://twitter.com/bohops/status/1635288066909966338 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/03/14 +date: 2023-03-14 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml index 324f94a53eb..81f65698a22 100644 --- a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml @@ -10,8 +10,8 @@ references: - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/ - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/19 -modified: 2023/09/29 +date: 2023-01-19 +modified: 2023-09-29 tags: - attack.discovery logsource: diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml index b64926ce257..67b75a3c734 100644 --- a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml @@ -10,8 +10,8 @@ references: - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/ - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/19 -modified: 2023/09/29 +date: 2023-01-19 +modified: 2023-09-29 tags: - attack.discovery logsource: 
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml index 47e1ec620ef..df47bf12cff 100644 --- a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml +++ b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml @@ -6,10 +6,10 @@ references: - https://ss64.com/nt/dsacls.html - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/20 -modified: 2023/02/04 +date: 2022-06-20 +modified: 2023-02-04 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml index e9bdca041b0..0bba9c4ee43 100644 --- a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml +++ b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml @@ -7,10 +7,10 @@ references: - https://ss64.com/nt/dsacls.html - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/20 -modified: 2023/02/04 +date: 2022-06-20 +modified: 2023-02-04 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml b/rules/windows/process_creation/proc_creation_win_dsim_remove.yml index 435472c69ba..97cdc01e7a2 100644 --- a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml +++ b/rules/windows/process_creation/proc_creation_win_dsim_remove.yml 
@@ -6,10 +6,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html author: frack113 -date: 2022/01/16 -modified: 2022/08/26 +date: 2022-01-16 +modified: 2022-08-26 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml b/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml index 575af9a806e..14f203af001 100644 --- a/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml @@ -4,15 +4,15 @@ related: - id: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b type: similar - id: 77815820-246c-47b8-9741-e0def3f57308 - type: obsoletes + type: obsolete status: test description: Detects execution of "dsquery.exe" for domain trust discovery references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md - https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843 author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72 -date: 2019/10/24 -modified: 2023/02/02 +date: 2019-10-24 +modified: 2023-02-02 tags: - attack.discovery - attack.t1482 diff --git a/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml b/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml index 283c1167542..2af1bcea572 100644 --- a/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml 
+++ b/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/0gtweet/status/1474899714290208777?s=12 - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace author: Florian Roth (Nextron Systems) -date: 2021/12/28 +date: 2021-12-28 tags: - attack.discovery - attack.t1082 diff --git a/rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml b/rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml index 113588db5d1..104c0b40f58 100644 --- a/rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml +++ b/rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml @@ -7,10 +7,10 @@ description: | references: - https://twitter.com/mrd0x/status/1460597833917251595 author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2021/11/26 -modified: 2024/06/21 +date: 2021-11-26 +modified: 2024-06-21 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml index 4c370714e7d..497798d7a9d 100644 --- a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml @@ -8,10 +8,10 @@ references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/ - https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) -date: 2022/04/06 -modified: 2023/04/12 +date: 2022-04-06 +modified: 2023-04-12 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1036 - attack.t1003.001 logsource: 
diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml index aff50762f35..15534509ce7 100644 --- a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml @@ -7,10 +7,10 @@ references: - https://twitter.com/mrd0x/status/1511489821247684615 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/ author: Florian Roth (Nextron Systems) -date: 2022/04/06 -modified: 2023/04/12 +date: 2022-04-06 +modified: 2023-04-12 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1036 - attack.t1003.001 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_params.yml b/rules/windows/process_creation/proc_creation_win_esentutl_params.yml index 3f2a5aab587..791025f543e 100644 --- a/rules/windows/process_creation/proc_creation_win_esentutl_params.yml +++ b/rules/windows/process_creation/proc_creation_win_esentutl_params.yml @@ -7,10 +7,10 @@ references: - https://attack.mitre.org/software/S0404/ - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/ author: sam0x90 -date: 2021/08/06 -modified: 2022/10/09 +date: 2021-08-06 +modified: 2022-10-09 tags: - - attack.credential_access + - attack.credential-access - attack.t1003 - attack.t1003.003 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml b/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml index 3f125fcd873..1a47a6aa81d 100644 --- a/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml +++ b/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml 
@@ -8,10 +8,10 @@ references: - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community -date: 2019/10/22 -modified: 2024/06/04 +date: 2019-10-22 +modified: 2024-06-04 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.002 - attack.t1003.003 - car.2013-07-001 diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml index 1bd7d732f1a..577be195e0d 100644 --- a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml +++ b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml @@ -7,8 +7,8 @@ references: - https://redcanary.com/threat-detection-report/threats/qbot/ - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/ author: frack113 -date: 2022/02/13 -modified: 2024/03/05 +date: 2022-02-13 +modified: 2024-03-05 tags: - attack.collection - attack.t1005 diff --git a/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml index ce5ff6c94c3..4d16403bf34 100644 --- a/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml 
@@ -9,11 +9,11 @@ references:
 - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/03/19
-modified: 2023/09/28
+date: 2017-03-19
+modified: 2023-09-28
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 - car.2019-04-001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
index c697a7e85c3..53a7bca6ac6 100644
--- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
@@ -6,10 +6,10 @@ references:
 - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
 - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
 author: Bhabesh Raj, X__Junior (Nextron Systems)
-date: 2021/07/30
-modified: 2024/03/05
+date: 2021-07-30
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
index 7e4717f2ed7..9e114355f86 100644
--- a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
+++ b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
@@ -10,10 +10,10 @@ references:
 - https://twitter.com/nas_bench/status/1535322450858233858
 - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
-date: 2019/06/29
-modified: 2024/06/04
+date: 2019-06-29
+modified: 2024-06-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml b/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
index 789647d77b3..71ef80b1b5e 100644
--- a/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
+++ b/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
@@ -5,10 +5,10 @@ description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK
 references:
 - https://twitter.com/ORCA6665/status/1496478087244095491
 author: Florian Roth (Nextron Systems)
-date: 2022/02/23
-modified: 2022/04/21
+date: 2022-02-23
+modified: 2022-04-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml
index f602c5230bb..6b74583968f 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml
@@ -2,7 +2,7 @@ title: Remote File Download Via Findstr.EXE
 id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
 related:
 - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
@@ -11,10 +11,10 @@ references:
 - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/05
-modified: 2024/03/05
+date: 2020-10-05
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1564.004
 - attack.t1552.001
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
index 0da44623449..16078117426 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
@@ -5,10 +5,10 @@ description: Look for the encrypted cpassword value within Group Policy Preferen
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
 author: frack113
-date: 2021/12/27
-modified: 2023/11/11
+date: 2021-12-27
+modified: 2023-11-11
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.006
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml
index ff08d80a118..edae85ac7cc 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml
@@ -5,10 +5,10 @@ description: Detects usage of findstr to identify and execute a lnk file as seen
 references:
 - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
 author: Trent Liffick
-date: 2020/05/01
-modified: 2024/01/15
+date: 2020-05-01
+modified: 2024-01-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1202
 - attack.t1027.003
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
index 05abffbc69b..511c660720d 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
@@ -5,10 +5,10 @@ description: Detects findstring commands that include the keyword lsass, which i
 references:
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems)
-date: 2022/08/12
-modified: 2024/06/04
+date: 2022-08-12
+modified: 2024-06-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.006
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
index a7608c4c4e8..8cda1589441 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2023/11/11
+date: 2022-08-12
+modified: 2023-11-11
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.006
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
index 39b6bfabb67..0bef6f4db88 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
@@ -12,8 +12,8 @@ references:
 - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
 - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2023/07/06
-modified: 2024/06/27
+date: 2023-07-06
+modified: 2024-06-27
 tags:
 - attack.discovery
 - attack.t1057
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
index d4656b0d2fc..818da4f4ee6 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
@@ -12,8 +12,8 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
 - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2023/10/20
-modified: 2023/11/14
+date: 2023-10-20
+modified: 2023-11-14
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml
index 741d35c9082..f584edbd743 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml
@@ -2,7 +2,7 @@ title: Insensitive Subfolder Search Via Findstr.EXE
 id: 04936b66-3915-43ad-a8e5-809eadfd1141
 related:
 - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
@@ -11,10 +11,10 @@ references:
 - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/05
-modified: 2024/03/05
+date: 2020-10-05
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1564.004
 - attack.t1552.001
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
index 6ee265561e9..073f4670fa0 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
@@ -5,8 +5,8 @@ description: Detects usage of "findstr" with the argument "385201". Which could
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
 author: frack113
-date: 2021/12/16
-modified: 2023/11/14
+date: 2021-12-16
+modified: 2023-11-14
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/windows/process_creation/proc_creation_win_finger_execution.yml b/rules/windows/process_creation/proc_creation_win_finger_execution.yml
index 0643d3b328f..d2e22093a13 100644
--- a/rules/windows/process_creation/proc_creation_win_finger_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_finger_execution.yml
@@ -10,10 +10,10 @@ references:
 - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
 - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
 author: Florian Roth (Nextron Systems), omkar72, oscd.community
-date: 2021/02/24
-modified: 2024/06/27
+date: 2021-02-24
+modified: 2024-06-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml
index 4af9111064d..f5acdd95655 100644
--- a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml
+++ b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml
@@ -9,10 +9,10 @@ references:
 - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
 - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/13
-modified: 2024/06/24
+date: 2023-02-13
+modified: 2024-06-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 - attack.t1562
 - attack.t1562.002
diff --git a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml
index 343e3895812..dcf7818c2da 100644
--- a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml
+++ b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml
@@ -8,10 +8,10 @@ description: Detects possible Sysmon filter driver unloaded via fltmc.exe
 references:
 - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
 author: Kirill Kiryanov, oscd.community
-date: 2019/10/23
-modified: 2023/02/13
+date: 2019-10-23
+modified: 2023-02-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 - attack.t1562
 - attack.t1562.002
diff --git a/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
index 7054dfbcb6c..dc0b6d50886 100644
--- a/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
 author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
-date: 2024/01/05
+date: 2024-01-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml b/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
index c3336eab401..f564e4e08ab 100644
--- a/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
+++ b/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
@@ -2,9 +2,9 @@ title: Forfiles Command Execution
 id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
 related:
 - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
- type: obsoletes
+ type: obsolete
 - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects the execution of "forfiles" with the "/c" flag.
@@ -14,8 +14,8 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
 - https://pentestlab.blog/2020/07/06/indirect-command-execution/
 author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2022/06/14
-modified: 2024/03/05
+date: 2022-06-14
+modified: 2024-03-05
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml b/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml
index 63b21f5f1aa..72744875802 100644
--- a/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/0gtweet/status/1477925112561209344
 - https://twitter.com/wdormann/status/1478011052130459653?s=20
 author: Florian Roth (Nextron Systems)
-date: 2022/01/04
-modified: 2024/05/13
+date: 2022-01-04
+modified: 2024-05-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml b/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml
index 98d753ae91e..8cebaf1e4a1 100644
--- a/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml
@@ -10,8 +10,8 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/
 author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-date: 2022/06/02
-modified: 2024/04/23
+date: 2022-06-02
+modified: 2024-04-23
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
index 887b4673f2f..20d69f6bc91 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
@@ -6,8 +6,8 @@ references:
 - Turla has used fsutil fsinfo drives to list connected drives.
 - https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-date: 2022/03/29
-modified: 2022/07/14
+date: 2022-03-29
+modified: 2022-07-14
 tags:
 - attack.discovery
 - attack.t1120
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
index 93e8d66c37c..35129d96059 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
@@ -8,8 +8,8 @@ references:
 - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
 - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
 author: frack113
-date: 2022/03/02
-modified: 2023/01/19
+date: 2022-03-02
+modified: 2023-01-19
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml
index 46f44207104..f085115075f 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml
@@ -11,10 +11,10 @@ references:
 - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
 - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
 author: Ecco, E.M. Anhaus, oscd.community
-date: 2019/09/26
-modified: 2023/09/09
+date: 2019-09-26
+modified: 2023-09-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1070
 - attack.t1485
diff --git a/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml b/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml
index e38e71d3e29..e021183ff3c 100644
--- a/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml
@@ -5,12 +5,12 @@ description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag an
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
 author: Victor Sergeev, oscd.community
-date: 2020/10/09
-modified: 2024/04/23
+date: 2020-10-09
+modified: 2024-04-23
 tags:
 - attack.execution
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml b/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
index 9e7b1738e04..a41238ad6d8 100644
--- a/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
@@ -5,10 +5,10 @@ description: Detects execution of GfxDownloadWrapper.exe with a URL as an argume
 references:
 - https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
 author: Victor Sergeev, oscd.community
-date: 2020/10/09
-modified: 2023/10/18
+date: 2020-10-09
+modified: 2023-10-18
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
index e74fcc261f8..8a454f7a653 100644
--- a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
+++ b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
@@ -5,8 +5,8 @@ description: Detects execution of "git" in order to clone a remote repository th
 references:
 - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/03
-modified: 2023/01/10
+date: 2023-01-03
+modified: 2023-01-10
 tags:
 - attack.reconnaissance
 - attack.t1593.003
diff --git a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
index 4163f3cdb7e..a59b6e7046e 100644
--- a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
@@ -8,10 +8,10 @@ description: Detects potentially suspicious child processes of "GoogleUpdate.exe
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2023/05/22
+date: 2023-05-15
+modified: 2023-05-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml
index 53ce96a32ce..a4e96b4d5bd 100644
--- a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml
@@ -7,7 +7,7 @@ references:
 - https://www.gpg4win.de/documentation.html
 - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/09
+date: 2023-08-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml
index 9366d857c7b..269720f17b7 100644
--- a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml
@@ -7,7 +7,7 @@ references:
 - https://www.gpg4win.de/documentation.html
 - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/09
+date: 2023-08-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml
index 1dbc87389db..f413b31b2a6 100644
--- a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml
@@ -7,8 +7,8 @@ references:
 - https://securelist.com/locked-out/68960/
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/06
-modified: 2023/11/10
+date: 2023-08-06
+modified: 2023-11-10
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml
index fe700842659..5888fe767e6 100644
--- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml
@@ -6,8 +6,8 @@ references:
 - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
 - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2022/11/30
-modified: 2023/08/09
+date: 2022-11-30
+modified: 2023-08-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml b/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml
index 3f702123bdd..358a4eb0471 100644
--- a/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml
@@ -8,7 +8,7 @@ references:
 - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
 - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: frack113
-date: 2022/05/01
+date: 2022-05-01
 tags:
 - attack.discovery
 - attack.t1615
diff --git a/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml b/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml
index 02780e158e0..dae358dc6d9 100644
--- a/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml
@@ -5,8 +5,8 @@ description: Detects execution of the Notepad++ updater (gup) to launch other co
 references:
 - https://twitter.com/nas_bench/status/1535322445439180803
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/10
-modified: 2023/03/02
+date: 2022-06-10
+modified: 2023-03-02
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_gup_download.yml b/rules/windows/process_creation/proc_creation_win_gup_download.yml
index 7c6a789e1f0..7fe50587727 100644
--- a/rules/windows/process_creation/proc_creation_win_gup_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_gup_download.yml
@@ -5,10 +5,10 @@ description: Detects execution of the Notepad++ updater (gup) from a process oth
 references:
 - https://twitter.com/nas_bench/status/1535322182863179776
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/10
-modified: 2023/03/02
+date: 2022-06-10
+modified: 2023-03-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml b/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
index c7d027552f0..fbb48966611 100644
--- a/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
@@ -5,10 +5,10 @@ description: Detects execution of the Notepad++ updater in a suspicious director
 references:
 - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
 author: Florian Roth (Nextron Systems)
-date: 2019/02/06
-modified: 2022/08/13
+date: 2019-02-06
+modified: 2022-08-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
index 0f224554a20..382358d0d0d 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
@@ -7,10 +7,10 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
 author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
-date: 2019/10/24
-modified: 2023/12/11
+date: 2019-10-24
+modified: 2023-12-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
index ce18c5800c9..efe011a66bc 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/29
-modified: 2024/01/31
+date: 2022-09-29
+modified: 2024-01-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml
index 7ac22893eb1..14afcd59be8 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml
@@ -8,12 +8,12 @@ references:
 - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
 author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/04/01
-modified: 2023/04/12
+date: 2020-04-01
+modified: 2023-04-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
- - attack.initial_access
+ - attack.initial-access
 - attack.t1047
 - attack.t1059.001
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml
index 33a2dccde15..af99a64095b 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml
@@ -8,12 +8,12 @@ references:
 - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
 author: Maxim Pavlunin
-date: 2020/04/01
-modified: 2023/04/12
+date: 2020-04-01
+modified: 2023-04-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
- - attack.initial_access
+ - attack.initial-access
 - attack.t1047
 - attack.t1059.001
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
index 51d1b02f52b..c81e653fc50 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
@@ -5,10 +5,10 @@ description: Detects command line parameters used by ADCSPwn, a tool to escalate
 references:
     - https://github.com/bats3c/ADCSPwn
 author: Florian Roth (Nextron Systems)
-date: 2021/07/31
-modified: 2023/02/04
+date: 2021-07-31
+modified: 2023-02-04
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1557.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml b/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml
index b53d6d6157f..085829b5ec8 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml
@@ -6,8 +6,8 @@ references:
     - https://github.com/BloodHoundAD/BloodHound
     - https://github.com/BloodHoundAD/SharpHound
 author: Florian Roth (Nextron Systems)
-date: 2019/12/20
-modified: 2023/02/04
+date: 2019-12-20
+modified: 2023-02-04
 tags:
     - attack.discovery
     - attack.t1087.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml b/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml
index 04907e81320..c1b5e3c5dcd 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml
@@ -5,10 +5,10 @@ description: F-Secure C3 produces DLLs with a default exported StartNodeRelay fu
 references:
     - https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
 author: Alfie Champion (ajpc500)
-date: 2021/06/02
-modified: 2023/03/05
+date: 2021-06-02
+modified: 2023-03-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certify.yml b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml
index 84a39e8dd30..a57729b7fdd 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_certify.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml
@@ -5,11 +5,11 @@ description: Detects Certify a tool for Active Directory certificate abuse based
 references:
     - https://github.com/GhostPack/Certify
 author: pH-T (Nextron Systems)
-date: 2023/04/17
-modified: 2023/04/25
+date: 2023-04-17
+modified: 2023-04-25
 tags:
     - attack.discovery
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1649
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml
index caec8a5de72..de7bd5c6c80 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml
@@ -5,10 +5,10 @@ description: Detects Certipy a tool for Active Directory Certificate Services en
 references:
     - https://github.com/ly4k/Certipy
 author: pH-T (Nextron Systems)
-date: 2023/04/17
+date: 2023-04-17
 tags:
     - attack.discovery
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1649
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
index 29ddf26bb18..c601a3e5fd6 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
@@ -10,8 +10,8 @@ references:
     - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
     - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
 author: _pete_0, TheDFIRReport
-date: 2022/05/06
-modified: 2023/01/30
+date: 2022-05-06
+modified: 2023-01-30
 tags:
     - attack.execution
     - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
index f9aed5927b5..298c43f123c 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
@@ -10,8 +10,8 @@ references:
     - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
     - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
 author: _pete_0, TheDFIRReport
-date: 2022/05/06
-modified: 2023/01/30
+date: 2022-05-06
+modified: 2023-01-30
 tags:
     - attack.execution
     - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml
index 3b37c360902..3df521b9b84 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml
@@ -7,10 +7,10 @@ references:
     - https://redcanary.com/threat-detection-report/
     - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
 author: Wojciech Lesicki
-date: 2021/06/01
-modified: 2022/09/16
+date: 2021-06-01
+modified: 2022-09-16
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml
index 694d519b72c..cc501c20fa8 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml
@@ -6,8 +6,8 @@ references:
     - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
     - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/07/27
-modified: 2023/03/29
+date: 2021-07-27
+modified: 2023-03-29
 tags:
     - attack.execution
     - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
index 096f53342db..d8e5173d0c1 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
@@ -6,11 +6,11 @@ references:
     - https://github.com/hackvens/CoercedPotato
     - https://blog.hackvens.fr/articles/CoercedPotato.html
 author: Florian Roth (Nextron Systems)
-date: 2023/10/11
-modified: 2024/04/15
+date: 2023-10-11
+modified: 2024-04-15
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1055
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml b/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml
index 5ec08dd588b..697cc70ef03 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml
@@ -5,11 +5,11 @@ description: Detects suspicious command lines used in Covenant luanchers
 references:
     - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2020/06/04
-modified: 2023/02/21
+date: 2020-06-04
+modified: 2023-02-21
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1059.001
     - attack.t1564.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml
index cca1a32265c..1717316306b 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml
@@ -8,13 +8,13 @@ references:
     - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
     - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
 author: Florian Roth (Nextron Systems)
-date: 2022/02/25
-modified: 2023/03/08
+date: 2022-02-25
+modified: 2023-03-08
 tags:
     - attack.execution
     - attack.persistence
-    - attack.privilege_escalation
-    - attack.credential_access
+    - attack.privilege-escalation
+    - attack.credential-access
     - attack.discovery
     - attack.t1047
     - attack.t1053
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
index 4b26f2ea0c9..dbcd9463f8b 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
@@ -5,8 +5,8 @@ description: Detects various execution patterns of the CrackMapExec pentesting f
 references:
     - https://github.com/byt3bl33d3r/CrackMapExec
 author: Thomas Patzke
-date: 2020/05/22
-modified: 2023/11/06
+date: 2020-05-22
+modified: 2023-11-06
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml
index 369687d9360..f2530cd417d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml
@@ -5,10 +5,10 @@ description: Detects suspicious process patterns found in logs when CrackMapExec
 references:
     - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
 author: Florian Roth (Nextron Systems)
-date: 2022/03/12
-modified: 2023/02/13
+date: 2022-03-12
+modified: 2023-02-13
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
index 669167d038b..8c091513121 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
@@ -6,12 +6,12 @@ references:
     - https://github.com/byt3bl33d3r/CrackMapExec
     - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
 author: Thomas Patzke
-date: 2020/05/22
-modified: 2023/02/21
+date: 2020-05-22
+modified: 2023-02-21
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027.005
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml b/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
index 715c6debd96..843f4ac159d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
@@ -5,10 +5,10 @@ description: Detects the use of CreateMiniDump hack tool used to dump the LSASS
 references:
     - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
 author: Florian Roth (Nextron Systems)
-date: 2019/12/22
-modified: 2023/02/04
+date: 2019-12-22
+modified: 2023-02-04
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
index a69efe9cbe6..6acd285472e 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
@@ -5,10 +5,10 @@ description: Detects the use of the Dinject PowerShell cradle based on the speci
 references:
     - https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
 author: Florian Roth (Nextron Systems)
-date: 2021/12/07
-modified: 2023/02/04
+date: 2021-12-07
+modified: 2023-02-04
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1055
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml b/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml
index 14826a15a08..8f1ea5d8091 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/outflanknl/Dumpert
     - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
 author: Florian Roth (Nextron Systems)
-date: 2020/02/04
-modified: 2023/02/04
+date: 2020-02-04
+modified: 2023-02-04
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml b/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
index ed84c742657..892d06cad45 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
@@ -6,9 +6,9 @@ description: |
 references:
     - https://github.com/netero1010/EDRSilencer
 author: '@gott_cyber'
-date: 2024/01/02
+date: 2024-01-02
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml
index dc3e5cb3932..33df633ea2f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml
@@ -8,8 +8,8 @@ references:
     - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
     - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
 author: Florian Roth (Nextron Systems)
-date: 2019/04/20
-modified: 2023/02/21
+date: 2019-04-20
+modified: 2023-02-21
 tags:
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml
index 15dcf5b4bdf..f22779db308 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml
@@ -6,11 +6,11 @@ references:
     - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
     - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
 author: Ecco
-date: 2019/08/30
-modified: 2023/02/21
+date: 2019-08-30
+modified: 2023-02-21
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
     - car.2019-04-001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml b/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml
index af091c58d2f..d9a966ac03f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
     - https://github.com/Hackplayers/evil-winrm
 author: frack113
-date: 2022/01/07
-modified: 2023/02/13
+date: 2022-01-07
+modified: 2023-02-13
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.006
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
index 81e75455eaa..a1d8ff8d8a4 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
@@ -5,10 +5,10 @@ description: Detects the execution of different Windows based hacktools via thei
 references:
     - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2022/03/04
-modified: 2024/02/07
+date: 2022-03-04
+modified: 2024-02-07
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1588.002
     - attack.t1003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
index c004defeed7..b35264e67b7 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/cube0x0
     - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
 author: Florian Roth (Nextron Systems)
-date: 2022/04/27
-modified: 2024/01/15
+date: 2022-04-27
+modified: 2024-01-15
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1588.002
     - attack.t1003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
index c38491eaa66..37472dfda27 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
@@ -5,10 +5,10 @@ description: Detects the execution GMER tool based on image and hash fields.
 references:
     - http://www.gmer.net/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/05
-modified: 2023/02/13
+date: 2022-10-05
+modified: 2023-02-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
index 23097cff214..96532d62d1c 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
@@ -5,10 +5,10 @@ description: Detects the use of HandleKatz, a tool that demonstrates the usage o
 references:
     - https://github.com/codewhitesec/HandleKatz
 author: Florian Roth (Nextron Systems)
-date: 2022/08/18
-modified: 2024/04/15
+date: 2022-08-18
+modified: 2024-04-15
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml b/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml
index adda780a05b..615e6155846 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat
     - https://hashcat.net/wiki/doku.php?id=hashcat
 author: frack113
-date: 2021/12/27
-modified: 2023/02/04
+date: 2021-12-27
+modified: 2023-02-04
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1110.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
index d69f34f7fd6..947c546a759 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/HiwinCN/HTran
     - https://github.com/cw1997/NATBypass
 author: Florian Roth (Nextron Systems)
-date: 2022/12/27
-modified: 2023/02/04
+date: 2022-12-27
+modified: 2023-02-04
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1090
     - attack.s0040
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml b/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml
index 1af0c852d51..a9e1eabf682 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml
@@ -5,10 +5,10 @@ description: Detects command line parameters used by Hydra password guessing hac
 references:
     - https://github.com/vanhauser-thc/thc-hydra
 author: Vasiliy Burov
-date: 2020/10/05
-modified: 2023/02/04
+date: 2020-10-05
+modified: 2023-02-04
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1110
     - attack.t1110.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml
index 9dce5f86463..ec92357ae5f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml
@@ -2,7 +2,7 @@ title: HackTool - Potential Impacket Lateral Movement Activity
 id: 10c14723-61c7-4c75-92ca-9af245723ad2
 related:
     - id: e31f89f7-36fb-4697-8ab6-48823708353b
-      type: obsoletes
+      type: obsolete
 status: stable
 description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
 references:
@@ -12,12 +12,12 @@ references:
     - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
     - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
 author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
-date: 2019/09/03
-modified: 2023/02/21
+date: 2019-09-03
+modified: 2023-02-21
 tags:
     - attack.execution
     - attack.t1047
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
index b61f064bf71..ba09a995122 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
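Review bot: The `related.type` change from `obsoletes` to `obsolete` in the first proc_creation_win_hktl_impacket_lateral_movement.yml hunk is a schema-level value change rather than the date/tag reformatting the rest of the commit performs, and it is the only such change visible in this range, so it deserves its own mention in the commit description. Any consumer that resolves rule relationships by matching the old literal will silently drop the link to `e31f89f7-36fb-4697-8ab6-48823708353b`; confirming that the validator used by the repository's rule tests accepts the new spelling before merge would avoid a mixed-spelling corpus.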
@@ -5,8 +5,8 @@ description: Detects the execution of different compiled Windows binaries of the
 references:
     - https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
 author: Florian Roth (Nextron Systems)
-date: 2021/07/24
-modified: 2023/02/07
+date: 2021-07-24
+modified: 2023-02-07
 tags:
     - attack.execution
     - attack.t1557.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
index 5f1d7cf3b3c..6e60530eb8a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
@@ -6,11 +6,11 @@ references:
     - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
     - https://github.com/sensepost/impersonate
 author: Sai Prashanth Pulisetti @pulisettis
-date: 2022/12/21
-modified: 2023/02/08
+date: 2022-12-21
+modified: 2023-02-08
 tags:
-    - attack.privilege_escalation
-    - attack.defense_evasion
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.t1134.001
     - attack.t1134.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
index a8fbcc37512..37c01a64ef0 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/Kevin-Robertson/Inveigh
     - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/24
-modified: 2023/02/04
+date: 2022-10-24
+modified: 2023-02-04
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
index 24f14b03c1e..5d7bb7a5696 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-modified: 2022/11/17
+date: 2020-10-13
+modified: 2022-11-17
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
index fea743c8f95..eb1e4b8249b 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
@@ -5,10 +5,10 @@ description: Detects all variations of obfuscated powershell IEX invocation code
 references:
     - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
-date: 2019/11/08
-modified: 2022/12/31
+date: 2019-11-08
+modified: 2022-12-31
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
index 1b8b10d8852..18d7cd61216 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/15
+date: 2020-10-15
+modified: 2024-04-15
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
index ef47ac6d0d2..034cd19e5a7 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/15
+date: 2020-10-15
+modified: 2024-04-15
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
index 4516306fbb9..47119154d05 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/12/29
+date: 2020-10-18
+modified: 2022-12-29
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
index 053957e01a6..bd09bdfeedf 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-modified: 2024/04/16
+date: 2020-10-12
+modified: 2024-04-16
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
index 9fb519d45c9..369ecbeab21 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts references: - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29) author: Nikita Nazarov, oscd.community -date: 2020/10/09 -modified: 2024/04/15 +date: 2020-10-09 +modified: 2024-04-15 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1027 - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml index 9d636d2ce41..1f5d9dd1d24 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml @@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts references: - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31) author: Nikita Nazarov, oscd.community -date: 2020/10/08 -modified: 2022/03/08 +date: 2020-10-08 +modified: 2022-03-08 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1027 - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml index d237f85aaae..da74b71d144 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml @@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER references: - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27) author: Timur Zinniatullin, oscd.community -date: 2020/10/13 -modified: 2022/11/16 +date: 2020-10-13 +modified: 2022-11-16 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1027 - attack.execution - attack.t1059.001 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml index d16f4c0f7ae..17c75eab564 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml @@ -6,8 +6,8 @@ references: - https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool - https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) -date: 2022/05/24 -modified: 2023/02/22 +date: 2022-05-24 +modified: 2023-02-22 tags: - attack.execution - attack.t1059.003 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml b/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml index 1e1dde1afd7..1e2eefeb2b3 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml @@ -7,8 +7,8 @@ references: - https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/ author: wagga, Jonhnathan Ribeiro, oscd.community -date: 2020/01/12 -modified: 2023/02/11 +date: 2020-01-12 +modified: 2023-02-11 tags: - attack.execution - attack.t1059.003 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml index 61164e308b6..09b7334ec5a 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml 
@@ -5,10 +5,10 @@ description: Detects the use of KrbRelay, a Kerberos relaying tool references: - https://github.com/cube0x0/KrbRelay author: Florian Roth (Nextron Systems) -date: 2022/04/27 -modified: 2023/02/04 +date: 2022-04-27 +modified: 2023-02-04 tags: - - attack.credential_access + - attack.credential-access - attack.t1558.003 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml index 78235d26c86..849d82957bc 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml @@ -6,9 +6,9 @@ description: | references: - https://github.com/CICADA8-Research/RemoteKrbRelay author: Nasreddine Bencherchali (Nextron Systems) -date: 2024/06/27 +date: 2024-06-27 tags: - - attack.credential_access + - attack.credential-access - attack.t1558.003 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml index 9d9670d3277..46f3cb68ee5 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml @@ -5,12 +5,12 @@ description: Detects KrbRelayUp used to perform a universal no-fix local privile references: - https://github.com/Dec0ne/KrbRelayUp author: Florian Roth (Nextron Systems) -date: 2022/04/26 -modified: 2023/02/04 +date: 2022-04-26 +modified: 2023-02-04 tags: - - attack.credential_access + - attack.credential-access - attack.t1558.003 - - attack.lateral_movement + - attack.lateral-movement - attack.t1550.003 logsource: category: process_creation 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml b/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml index 0f92953ea77..c12af326b95 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml @@ -11,9 +11,9 @@ references: - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf author: Nasreddine Bencherchali (Nextron Systems) -date: 2024/06/24 +date: 2024-06-24 tags: - - attack.credential_access + - attack.credential-access logsource: product: windows service: windows diff --git a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml index e99a0ef71f9..0562b0755b1 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml @@ -6,11 +6,11 @@ references: - https://www.localpotato.com/localpotato_html/LocalPotato.html - https://github.com/decoder-it/LocalPotato author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/02/14 +date: 2023-02-14 tags: - - attack.defense_evasion - - attack.privilege_escalation - - cve.2023.21746 + - attack.defense-evasion + - attack.privilege-escalation + - cve.2023-21746 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml b/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml index 98da1b85ee4..3594d11157a 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml 
@@ -6,10 +6,10 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ author: Teymur Kheirkhabarov, Ecco, Florian Roth -date: 2019/10/26 -modified: 2023/02/05 +date: 2019-10-26 +modified: 2023-02-05 tags: - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1134.001 - attack.t1134.002 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml b/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml index 9bc185ef3c5..a453891bfb0 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml @@ -6,10 +6,10 @@ references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - https://tools.thehacker.recipes/mimikatz/modules author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton -date: 2019/10/22 -modified: 2023/02/21 +date: 2019-10-22 +modified: 2023-02-21 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 - attack.t1003.002 - attack.t1003.004 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml index 0a4956b864a..73034df1690 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml 
@@ -7,8 +7,8 @@ references: - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali -date: 2022/10/10 -modified: 2023/02/13 +date: 2022-10-10 +modified: 2023-02-13 tags: - attack.execution - attack.discovery diff --git a/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml b/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml index e7146fa84d2..dfb6833e7a4 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml @@ -6,12 +6,12 @@ references: - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1 - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py author: Markus Neis, @Karneades -date: 2018/03/06 -modified: 2023/03/03 +date: 2018-03-06 +modified: 2023-03-03 tags: - attack.execution - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.s0111 - attack.g0022 - attack.g0060 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml index b5a73187499..bb0e9d6bf37 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml 
@@ -8,10 +8,10 @@ references: - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/11/29 -modified: 2023/02/04 +date: 2022-11-29 +modified: 2023-02-04 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml b/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml index e8d60b70ae1..19015d3d236 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml @@ -5,11 +5,11 @@ description: Detects the execution of the PurpleSharp adversary simulation tool references: - https://github.com/mvelazc0/PurpleSharp author: Florian Roth (Nextron Systems) -date: 2021/06/18 -modified: 2023/02/05 +date: 2021-06-18 +modified: 2023-02-05 tags: - attack.t1587 - - attack.resource_development + - attack.resource-development logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml index 6f2c3af10b9..bde4bd34d2a 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml 
@@ -6,10 +6,10 @@ references: - https://github.com/skelsec/pypykatz - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz author: frack113 -date: 2022/01/05 -modified: 2023/02/05 +date: 2022-01-05 +modified: 2023-02-05 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.002 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml b/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml index 24ffc8da4d6..5bdf4d969eb 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml @@ -6,10 +6,10 @@ references: - https://github.com/quarkslab/quarkspwdump - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/05 -modified: 2023/02/05 +date: 2022-09-05 +modified: 2023-02-05 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.002 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml b/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml index b7f7a45d017..133f60fe959 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml 
@@ -5,11 +5,11 @@ description: Detects actions caused by the RedMimicry Winnti playbook a automate references: - https://redmimicry.com/posts/redmimicry-winnti/ author: Alexander Rausch -date: 2020/06/24 -modified: 2023/03/01 +date: 2020-06-24 +modified: 2023-03-01 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1106 - attack.t1059.003 - attack.t1218.011 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml index 7677ba59bad..73463a3fa8a 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml @@ -10,8 +10,8 @@ references: - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire - https://www.localpotato.com/ author: Florian Roth (Nextron Systems) -date: 2021/07/24 -modified: 2023/02/14 +date: 2021-07-24 +modified: 2023-02-14 tags: - attack.execution - attack.t1557.001 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml index 7d8d1f594b4..97f88c95311 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml @@ -10,13 +10,13 @@ references: - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html - https://github.com/GhostPack/Rubeus author: Florian Roth (Nextron Systems) -date: 2018/12/19 -modified: 2023/04/20 +date: 2018-12-19 +modified: 2023-04-20 tags: - - attack.credential_access + - attack.credential-access - attack.t1003 - attack.t1558.003 - - attack.lateral_movement + - attack.lateral-movement - attack.t1550.003 logsource: category: process_creation 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml index e5518ac0ab9..6a2a9c3a745 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml @@ -5,10 +5,10 @@ description: Detects the execution of the hacktool SafetyKatz via PE information references: - https://github.com/GhostPack/SafetyKatz author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/10/20 -modified: 2023/02/04 +date: 2022-10-20 +modified: 2023-02-04 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml b/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml index a4dff503acb..7503d68108f 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml @@ -6,10 +6,10 @@ references: - https://securityxploded.com/ - https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ author: Florian Roth (Nextron Systems) -date: 2018/12/19 -modified: 2023/02/04 +date: 2018-12-19 +modified: 2023-02-04 tags: - - attack.credential_access + - attack.credential-access - attack.t1555 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml index 41e01b54413..3adbb501d27 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml 
@@ -8,10 +8,10 @@ references: - https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing - https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files author: Florian Roth (Nextron Systems) -date: 2022/07/23 -modified: 2023/03/07 +date: 2022-07-23 +modified: 2023-03-07 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1134.004 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml index 598e2f82cdf..097e9a5e76e 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml @@ -9,10 +9,10 @@ references: - https://github.com/shantanu561993/SharpChisel - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/05 -modified: 2023/02/13 +date: 2022-09-05 +modified: 2023-02-13 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1090.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml index 99234e780d5..5694f244700 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml @@ -7,10 +7,10 @@ description: | references: - https://github.com/GhostPack/SharpDPAPI author: Nasreddine Bencherchali (Nextron Systems) -date: 2024/06/26 +date: 2024-06-26 tags: - - attack.privilege_escalation - - attack.defense_evasion + - attack.privilege-escalation + - attack.defense-evasion - attack.t1134.001 - attack.t1134.003 logsource: 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml index edef0dfdd86..3ec2ca55f26 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml @@ -9,11 +9,11 @@ references: - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/ - https://github.com/S3cur3Th1sSh1t/SharpImpersonation author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) -date: 2022/12/27 -modified: 2023/02/13 +date: 2022-12-27 +modified: 2023-02-13 tags: - - attack.privilege_escalation - - attack.defense_evasion + - attack.privilege-escalation + - attack.defense-evasion - attack.t1134.001 - attack.t1134.003 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml index 2d3b65c8335..38f9a1c08a7 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml @@ -5,8 +5,8 @@ description: Detects execution of the SharpLDAPmonitor. Which can monitor the cr references: - https://github.com/p0dalirius/LDAPmonitor author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/12/30 -modified: 2023/02/14 +date: 2022-12-30 +modified: 2023-02-14 tags: - attack.discovery logsource: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml index 3058094de2d..c6d3e2565d5 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml 
@@ -6,8 +6,8 @@ references: - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit - https://github.com/mandiant/SharPersist author: Florian Roth (Nextron Systems) -date: 2022/09/15 -modified: 2023/02/04 +date: 2022-09-15 +modified: 2023-02-04 tags: - attack.persistence - attack.t1053 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml index 65c57c13365..51a8b2457b2 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml @@ -8,10 +8,10 @@ description: Detects the use of SharpEvtHook, a tool that tampers with the Windo references: - https://github.com/bats3c/EvtMute author: Florian Roth (Nextron Systems) -date: 2022/09/07 -modified: 2023/02/14 +date: 2022-09-07 +modified: 2023-02-14 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.002 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml index 824ed63e4bb..f0fd347fc24 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml @@ -5,8 +5,8 @@ description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP references: - https://github.com/bugch3ck/SharpLdapWhoami author: Florian Roth (Nextron Systems) -date: 2022/08/29 -modified: 2023/02/04 +date: 2022-08-29 +modified: 2023-02-04 tags: - attack.discovery - attack.t1033 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml index eafe3b8e3d3..0c53139b34a 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml 
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml @@ -7,9 +7,9 @@ references: - https://github.com/0xthirteen/SharpMove/ - https://pentestlab.blog/tag/sharpmove/ author: Luca Di Bartolomeo (CrimpSec) -date: 2024/01/29 +date: 2024-01-29 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1021.002 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml index 05f088c62e9..779e7103afc 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml @@ -5,10 +5,10 @@ description: Detects the use of SharpUp, a tool for local privilege escalation references: - https://github.com/GhostPack/SharpUp author: Florian Roth (Nextron Systems) -date: 2022/08/20 -modified: 2023/02/13 +date: 2022-08-20 +modified: 2023-02-13 tags: - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1615 - attack.t1569.002 - attack.t1574.005 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml index 6a0ff8282ec..6df40b93e58 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml @@ -10,8 +10,8 @@ references: - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview author: frack113 -date: 2021/12/10 -modified: 2023/02/14 +date: 2021-12-10 +modified: 2023-02-14 tags: - attack.discovery - attack.t1049 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml b/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml index 2f5de1ba34e..7164b61805b 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml @@ -8,10 +8,10 @@ description: Detects SILENTTRINITY stager use via PE metadata references: - https://github.com/byt3bl33d3r/SILENTTRINITY author: Aleksey Potapov, oscd.community -date: 2019/10/22 -modified: 2023/02/13 +date: 2019-10-22 +modified: 2023-02-13 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml b/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml index 20f72c3f3b9..80442b0841d 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml @@ -6,8 +6,8 @@ references: - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36 - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) -date: 2022/08/25 -modified: 2023/03/05 +date: 2022-08-25 +modified: 2023-03-05 tags: - attack.execution - attack.t1059 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml index bd889915fe5..bf261ee3de5 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml @@ -5,10 +5,10 @@ description: Detects Stracciatella which executes a Powershell runspace from wit references: - https://github.com/mgeeky/Stracciatella author: pH-T (Nextron Systems) -date: 2023/04/17 +date: 2023-04-17 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1059 - attack.t1562.001 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml index 64d5c70c834..479fd4e84a9 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml @@ -5,12 +5,12 @@ description: Detects the execution of the PoC that can be used to exploit Sysmon references: - https://github.com/Wh04m1001/SysmonEoP author: Florian Roth (Nextron Systems) -date: 2022/12/04 -modified: 2024/04/15 +date: 2022-12-04 +modified: 2024-04-15 tags: - - cve.2022.41120 + - cve.2022-41120 - attack.t1068 - - attack.privilege_escalation + - attack.privilege-escalation logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml b/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml index 4b5b5a13666..a16b00f714e 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml @@ -7,8 +7,8 @@ references: - https://github.com/dsnezhkov/TruffleSnout - https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md author: frack113 -date: 2022/08/20 -modified: 2023/02/13 +date: 2022-08-20 +modified: 2023-02-13 tags: - attack.discovery - attack.t1482 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml index a733da1f19e..26f73345f5e 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml @@ -5,11 +5,11 @@ description: Detects the execution of UACMe, a tool used for UAC bypasses, via d references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) -date: 2021/08/30 -modified: 2022/11/19 +date: 2021-08-30 +modified: 2022-11-19 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1548.002 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wce.yml b/rules/windows/process_creation/proc_creation_win_hktl_wce.yml index 4569bad6385..71036a587a1 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_wce.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_wce.yml @@ -5,10 +5,10 @@ description: Detects the use of Windows Credential Editor (WCE) references: - https://www.ampliasecurity.com/research/windows-credentials-editor/ author: Florian Roth (Nextron Systems) -date: 2019/12/31 -modified: 2023/02/04 +date: 2019-12-31 +modified: 2023-02-04 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 - attack.s0005 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml index f79c47f9a2b..cef7490d15e 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml 
@@ -6,10 +6,10 @@ references:
 - https://github.com/carlospolop/PEASS-ng
 - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
 author: Georg Lauenstein (sure[secure])
-date: 2022/09/19
-modified: 2023/03/23
+date: 2022-09-19
+modified: 2023-03-23
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1082
 - attack.t1087
 - attack.t1046
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml
index b71d35ca7dd..014da3783fc 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml
@@ -7,7 +7,7 @@ status: experimental
 description: |
 Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
 author: Swachchhanda Shrawan Poudel
-date: 2023/12/04
+date: 2023-12-04
 references:
 - https://github.com/S3cur3Th1sSh1t/WinPwn
 - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
@@ -15,11 +15,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
 - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
 tags:
- - attack.credential_access
- - attack.defense_evasion
+ - attack.credential-access
+ - attack.defense-evasion
 - attack.discovery
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1046
 - attack.t1082
 - attack.t1106
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml b/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml
index 3b8781a7e32..267b359b16d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml
@@ -5,10 +5,10 @@ description: Detects the execution of PowerShell with a specific flag sequence t
 references:
 - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/08
+date: 2023-03-08
 tags:
- - attack.defense_evasion
- - attack.lateral_movement
+ - attack.defense-evasion
+ - attack.lateral-movement
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml b/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml
index 260e07137e6..49a26e476e7 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml
@@ -5,10 +5,10 @@ description: Detects suspicious use of XORDump process memory dumping utility
 references:
 - https://github.com/audibleblink/xordump
 author: Florian Roth (Nextron Systems)
-date: 2022/01/28
-modified: 2023/02/08
+date: 2022-01-28
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml b/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml
index f5aa721f8f9..d020adfae86 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/SBousseaden/status/1451237393017839616
 - https://github.com/Tylous/ZipExec
 author: frack113
-date: 2021/11/07
-modified: 2022/12/25
+date: 2021-11-07
+modified: 2022-12-25
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hostname_execution.yml b/rules/windows/process_creation/proc_creation_win_hostname_execution.yml
index 182a603905c..20d7d441df0 100644
--- a/rules/windows/process_creation/proc_creation_win_hostname_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hostname_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
 author: frack113
-date: 2022/01/01
+date: 2022-01-01
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml b/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml
index 6f0cf758d64..79678e699f2 100644
--- a/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml
+++ b/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml
@@ -9,10 +9,10 @@ references:
 - https://blog.alyac.co.kr/1901
 - https://en.wikipedia.org/wiki/Hangul_(word_processor)
 author: Florian Roth (Nextron Systems)
-date: 2019/10/24
-modified: 2021/11/27
+date: 2019-10-24
+modified: 2021-11-27
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 - attack.execution
 - attack.t1203
diff --git a/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml
index a6072c5551a..d1b20ab5055 100644
--- a/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - Internal Research
 author: Sreeman
-date: 2020/04/17
-modified: 2024/02/08
+date: 2020-04-17
+modified: 2024-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_icacls_deny.yml b/rules/windows/process_creation/proc_creation_win_icacls_deny.yml
index 6d091deae3a..65017d66361 100644
--- a/rules/windows/process_creation/proc_creation_win_icacls_deny.yml
+++ b/rules/windows/process_creation/proc_creation_win_icacls_deny.yml
@@ -5,10 +5,10 @@ description: Detect use of icacls to deny access for everyone in Users folder so
 references:
 - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
 author: frack113
-date: 2022/07/18
-modified: 2024/04/29
+date: 2022-07-18
+modified: 2024-04-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ieexec_download.yml b/rules/windows/process_creation/proc_creation_win_ieexec_download.yml
index 0aa8f9912e9..afb569f1380 100644
--- a/rules/windows/process_creation/proc_creation_win_ieexec_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_ieexec_download.yml
@@ -5,10 +5,10 @@ description: Detects execution of the IEExec utility to download and execute fil
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/16
-modified: 2023/11/09
+date: 2022-05-16
+modified: 2023-11-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
index 19330691b41..534723863ff 100644
--- a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
@@ -10,10 +10,10 @@ references:
 - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
 - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/05
-modified: 2024/06/04
+date: 2024-02-05
+modified: 2024-06-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
index 92411156ef5..70c84c48277 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
@@ -5,10 +5,10 @@ description: Disables HTTP logging on a Windows IIS web server as seen by Threat
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
 author: frack113
-date: 2022/01/09
-modified: 2023/01/22
+date: 2022-01-09
+modified: 2023-01-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
index 386622722df..dae0d27fc6d 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
 - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
 author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
-date: 2022/11/08
-modified: 2023/01/22
+date: 2022-11-08
+modified: 2023-01-22
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
index 50d83973c0e..c96934fbf04 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
@@ -6,8 +6,8 @@ references:
 - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
 - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
 author: Florian Roth (Nextron Systems)
-date: 2019/12/11
-modified: 2024/03/13
+date: 2019-12-11
+modified: 2024-03-13
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
index d51a77ccfd2..602fd20a47c 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/malmoeb/status/1616702107242971144
 - https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/22
+date: 2023-01-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml
index 2d7cff58fd4..ae313368e88 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml
@@ -5,10 +5,10 @@ description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection st
 references:
 - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/28
-modified: 2022/12/30
+date: 2022-09-28
+modified: 2022-12-30
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml b/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml
index 713560145cf..8316657799c 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml
@@ -5,8 +5,8 @@ description: Detects a suspicious IIS module registration as described in Micros
 references:
 - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
 author: Florian Roth (Nextron Systems), Microsoft (idea)
-date: 2022/08/04
-modified: 2023/01/23
+date: 2022-08-04
+modified: 2023-01-23
 tags:
 - attack.persistence
 - attack.t1505.004
diff --git a/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml b/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml
index 94c2f55b045..453ee74edaf 100644
--- a/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml
+++ b/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml
@@ -6,10 +6,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ilasm/
 - https://www.echotrail.io/insights/search/ilasm.exe
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/07
-modified: 2022/05/16
+date: 2022-05-07
+modified: 2022-05-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml
index fcd50fe5470..ffe2ad61af0 100644
--- a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml
@@ -5,10 +5,10 @@ description: Detects unusual parent or children of the ImagingDevices.exe (Windo
 references:
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/27
-modified: 2022/12/29
+date: 2022-09-27
+modified: 2022-12-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml
index b1865c6cb8b..487a9408181 100644
--- a/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml
@@ -9,9 +9,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
 - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
 author: Swachchhanda Shrawan Poudel
-date: 2023/11/09
+date: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml b/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
index 3099148eb66..aa839f5864f 100644
--- a/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
+++ b/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution
 - https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/
 author: frack113
-date: 2021/07/13
-modified: 2022/10/09
+date: 2021-07-13
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_installutil_download.yml b/rules/windows/process_creation/proc_creation_win_installutil_download.yml
index 9c4d2823dc5..234c35b8d31 100644
--- a/rules/windows/process_creation/proc_creation_win_installutil_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_installutil_download.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/239
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
-modified: 2023/11/09
+date: 2022-08-19
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml b/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml
index 29e4c231af1..e3857295ed1 100644
--- a/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
 - https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
 author: frack113
-date: 2022/01/23
-modified: 2022/02/04
+date: 2022-01-23
+modified: 2022-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml
index a5634bbe857..f9ee9171fa9 100644
--- a/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml
@@ -6,12 +6,12 @@ references:
 - https://redcanary.com/blog/intelligence-insights-december-2021
 - https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
 author: Andreas Hunkeler (@Karneades)
-date: 2021/12/22
-modified: 2023/01/21
+date: 2021-12-22
+modified: 2023-01-21
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml
index ea60e620f0a..02502889f5e 100644
--- a/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py
 - https://blog.viettelcybersecurity.com/saml-show-stopper/
 author: Florian Roth (Nextron Systems)
-date: 2023/01/18
-modified: 2023/08/29
+date: 2023-01-18
+modified: 2023-08-29
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml
index 673b6005c01..ad7eea041bf 100644
--- a/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml
@@ -5,8 +5,8 @@ description: Detects a JAVA process running with remote debugging allowing more
 references:
 - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
 author: Florian Roth (Nextron Systems)
-date: 2019/01/16
-modified: 2023/02/01
+date: 2019-01-16
+modified: 2023-02-01
 tags:
 - attack.t1203
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
index 9f367f33688..d6ca9e98ca7 100644
--- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
@@ -8,12 +8,12 @@ description: Detects suspicious processes spawned from a Java host process which
 references:
 - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades), Florian Roth
-date: 2021/12/17
-modified: 2024/01/18
+date: 2021-12-17
+modified: 2024-01-18
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
index 48cf1412e5b..bd942b127a5 100644
--- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
@@ -8,12 +8,12 @@ description: Detects shell spawned from Java host process, which could be a sign
 references:
 - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
-date: 2021/12/17
-modified: 2024/01/18
+date: 2021-12-17
+modified: 2024-01-18
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml
index 8fc96188a8f..75128c6d76b 100644
--- a/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml
@@ -5,9 +5,9 @@ description: Detects suspicious child processes of SysAidServer (as seen in MERC
 references:
 - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
 author: Florian Roth (Nextron Systems)
-date: 2022/08/26
+date: 2022-08-26
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_jsc_execution.yml b/rules/windows/process_creation/proc_creation_win_jsc_execution.yml
index d310c83412a..d99b3c5a7f7 100644
--- a/rules/windows/process_creation/proc_creation_win_jsc_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_jsc_execution.yml
@@ -9,10 +9,10 @@ references:
 - https://www.phpied.com/make-your-javascript-a-windows-exe/
 - https://twitter.com/DissectMalware/status/998797808907046913
 author: frack113
-date: 2022/05/02
-modified: 2024/04/24
+date: 2022-05-02
+modified: 2024-04-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml b/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml
index e50057175ea..39e4e22bad0 100644
--- a/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml
@@ -5,9 +5,9 @@ description: Detects the execution of a signed binary dropped by Kaspersky Lab P
 references:
 - https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/01
+date: 2022-11-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_kd_execution.yml b/rules/windows/process_creation/proc_creation_win_kd_execution.yml
index e9eb243792f..4f938bd587e 100644
--- a/rules/windows/process_creation/proc_creation_win_kd_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_kd_execution.yml
@@ -5,11 +5,11 @@ description: Detects execution of the Windows Kernel Debugger "kd.exe".
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2024/04/24
+date: 2023-05-15
+modified: 2024-04-24
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
index 1bea30ac95f..3a5577d3e2c 100644
--- a/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
@@ -8,11 +8,11 @@ description: Detects potentially suspicious child processes of KeyScrambler.exe
 references:
 - https://twitter.com/DTCERT/status/1712785421845790799
 author: Swachchhanda Shrawan Poudel
-date: 2024/05/13
+date: 2024-05-13
 tags:
 - attack.execution
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1203
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml
index a809225e211..3445660fb45 100644
--- a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml
+++ b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/Oddvarmoe/status/1641712700605513729
 - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/06
+date: 2023-04-06
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml
index 1a38722e51a..3423b1848a0 100644
--- a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml
@@ -5,7 +5,7 @@ description: Detects password change for the logged-on user's via "ksetup.exe"
 references:
 - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/06
+date: 2023-04-06
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_export.yml b/rules/windows/process_creation/proc_creation_win_ldifde_export.yml
index ebdacd3efa2..52b382f9bec 100644
--- a/rules/windows/process_creation/proc_creation_win_ldifde_export.yml
+++ b/rules/windows/process_creation/proc_creation_win_ldifde_export.yml
@@ -7,7 +7,7 @@ references:
 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/14
+date: 2023-03-14
 tags:
 - attack.exfiltration
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
index 619b66d979f..fc6c065519c 100644
--- a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
@@ -8,11 +8,11 @@ references:
 - https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
 author: '@gott_cyber'
-date: 2022/09/02
-modified: 2023/03/14
+date: 2022-09-02
+modified: 2023-03-14
 tags:
- - attack.command_and_control
- - attack.defense_evasion
+ - attack.command-and-control
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1105
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml b/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml
index 27838ebb19b..87a13fdbf20 100644
--- a/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml
@@ -10,10 +10,10 @@ description: |
 references:
 - https://twitter.com/0gtweet/status/1560732860935729152
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/22
-modified: 2024/06/27
+date: 2022-08-22
+modified: 2024-06-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml
index 102dccd8140..cf707302bd3 100644
--- a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml
+++ b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml
@@ -5,8 +5,8 @@ description: Detects the execution of "lodctr.exe" to rebuild the performance co
 references:
 - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/15
-modified: 2024/03/05
+date: 2023-06-15
+modified: 2024-03-05
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml b/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml
index 1f752593fd6..c93f334ae36 100644
--- a/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml
+++ b/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml
@@ -6,10 +6,10 @@ references: - https://twitter.com/0gtweet/status/1359039665232306183?s=21 - https://ss64.com/nt/logman.html author: Florian Roth (Nextron Systems) -date: 2021/02/11 -modified: 2023/02/21 +date: 2021-02-11 +modified: 2023-02-21 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 - attack.t1070.001 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml b/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml index 35a10cbb6c8..e7d768dff7f 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml @@ -6,9 +6,9 @@ references: - https://github.com/LOLBAS-Project/LOLBAS/pull/180 - https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/19 +date: 2022-08-19 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1216 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml index 8866f67c7ce..f9409743ad3 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml @@ -9,8 +9,8 @@ references: - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services - https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/ author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger -date: 2021/09/30 -modified: 2022/05/16 +date: 2021-09-30 +modified: 2022-05-16 tags: - attack.exfiltration - attack.t1567 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml b/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml index f96324b651b..ae571816884 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml @@ -5,9 +5,9 @@ description: Detects the execution of DeviceCredentialDeployment to hide a proce references: - https://github.com/LOLBAS-Project/LOLBAS/pull/147 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/19 +date: 2022-08-19 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml b/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml index 66b8056efb5..4d0b0e1fc03 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml @@ -6,10 +6,10 @@ references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/ - https://twitter.com/_felamos/status/1179811992841797632 author: Beyu Denis, oscd.community (rule), @_felamos (idea) -date: 2019/10/12 -modified: 2021/11/27 +date: 2019-10-12 +modified: 2021-11-27 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml index 81d56c4f807..c8465230776 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml 
@@ -5,10 +5,10 @@ description: Compress target file into a cab file stored in the Alternate Data S references: - https://lolbas-project.github.io/lolbas/Binaries/Diantz/ author: frack113 -date: 2021/11/26 -modified: 2022/12/31 +date: 2021-11-26 +modified: 2022-12-31 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1564.004 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml index f069de11737..5ca0d24b1fa 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml @@ -5,10 +5,10 @@ description: Download and compress a remote file and store it in a cab file on l references: - https://lolbas-project.github.io/lolbas/Binaries/Diantz/ author: frack113 -date: 2021/11/26 -modified: 2022/08/13 +date: 2021-11-26 +modified: 2022-08-13 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml index a34a4fe0ff8..5b42115a3d1 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml @@ -5,10 +5,10 @@ description: Extexport.exe loads dll and is execute from other folder the origin references: - https://lolbas-project.github.io/lolbas/Binaries/Extexport/ author: frack113 -date: 2021/11/26 -modified: 2022/05/16 +date: 2021-11-26 +modified: 2022-05-16 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml index 6bc1fda3c4d..2e049b2529e 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml @@ -5,10 +5,10 @@ description: Download or Copy file with Extrac32 references: - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/ author: frack113 -date: 2021/11/26 -modified: 2022/08/13 +date: 2021-11-26 +modified: 2022-08-13 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml index 002514356d2..ddbb6bf5894 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml @@ -5,10 +5,10 @@ description: Extract data from cab file and hide it in an alternate data stream references: - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/ author: frack113 -date: 2021/11/26 -modified: 2022/12/30 +date: 2021-11-26 +modified: 2022-12-30 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1564.004 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml index 6578a7752bc..9eab8306a16 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml 
@@ -11,8 +11,8 @@ references: - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government author: blueteamer8699 -date: 2022/01/03 -modified: 2023/02/08 +date: 2022-01-03 +modified: 2023-02-08 tags: - attack.discovery - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml index 36d81aad8ca..2b08fb5c514 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml @@ -6,10 +6,10 @@ references: - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ - https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ author: frack113 -date: 2022/05/16 -modified: 2023/06/14 +date: 2022-05-16 +modified: 2023-06-14 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml index 32f618ed4cf..1089ffa478d 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml @@ -6,10 +6,10 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/ - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ author: frack113 -date: 2022/05/07 -modified: 2022/05/16 +date: 2022-05-07 +modified: 2022-05-16 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: product: windows 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml index 9bf994b6638..9422f3aa336 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml @@ -5,9 +5,9 @@ description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed scr references: - https://twitter.com/nas_bench/status/1535981653239255040 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/19 +date: 2022-08-19 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1216.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml b/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml index b1e2177f901..f1e61b054e4 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml @@ -9,10 +9,10 @@ references: - https://twitter.com/JohnLaTwC/status/1223292479270600706 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems) -date: 2020/10/13 -modified: 2023/02/03 +date: 2020-10-13 +modified: 2023-02-03 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1216 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml index dcfe256a568..bb2dd9fcd7c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml 
@@ -2,7 +2,7 @@ title: Mavinject Inject DLL Into Running Process id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66 related: - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8 - type: obsoletes + type: obsolete status: test description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag references: @@ -15,11 +15,11 @@ references: - https://github.com/SigmaHQ/sigma/issues/3742 - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection author: frack113, Florian Roth -date: 2021/07/12 -modified: 2022/12/05 +date: 2021-07-12 +modified: 2022-12-05 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1055.001 - attack.t1218.013 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml index ca48e6aca6a..b68553abebc 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml @@ -6,11 +6,11 @@ references: - https://twitter.com/mrd0x/status/1465058133303246867 - https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps author: Florian Roth (Nextron Systems) -date: 2022/01/11 -modified: 2022/03/04 +date: 2022-01-11 +modified: 2022-03-04 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml b/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml index 8ffd8631469..61db95b56ed 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml 
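Review bot: The `related` entry now reads `type: obsolete` against id 17eb8e57-…, and the bare word can be read as "this rule is obsolete" rather than the old `obsoletes` ("this rule supersedes the related one"); please confirm the target spec keeps the original direction, since an inverted reading would mark the active mavinject rule as retired in tooling that prunes obsolete rules. If the schema accepts a free-text note, a one-line `# this rule replaces 17eb8e57-…` comment above the entry would remove the ambiguity for readers. The rule continues beyond the hunk.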
@@ -7,10 +7,10 @@ references: - https://twitter.com/pabraeken/status/995837734379032576 - https://twitter.com/pabraeken/status/999090532839313408 author: Beyu Denis, oscd.community -date: 2020/10/18 -modified: 2021/11/27 +date: 2020-10-18 +modified: 2021-11-27 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml b/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml index af275a4a7b1..e43b66e5b56 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml @@ -5,9 +5,9 @@ description: Detects execution of "msdt.exe" using an answer file which is simul references: - https://lolbas-project.github.io/lolbas/Binaries/Msdt/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/13 +date: 2022-06-13 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml index 38d8ff3ec22..55f757d8069 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml @@ -5,7 +5,7 @@ description: Detects usage of OpenConsole binary as a LOLBIN to launch other bin references: - https://twitter.com/nas_bench/status/1537563834478645252 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/16 +date: 2022-06-16 tags: - attack.execution - attack.t1059 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml b/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml index c5891bdb46a..cdeeb1e3261 100644 
--- a/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml @@ -6,10 +6,10 @@ references: - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml - https://twitter.com/harr0ey/status/991670870384021504 author: Beyu Denis, oscd.community (rule), @harr0ey (idea) -date: 2019/10/12 -modified: 2021/11/27 +date: 2019-10-12 +modified: 2021-11-27 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml index 0c064e3b462..7672ec751f0 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml @@ -2,15 +2,15 @@ title: Use of Pcalua For Execution id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2 related: - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 - type: obsoletes + type: obsolete status: test description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting. references: - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/ - https://pentestlab.blog/2020/07/06/indirect-command-execution/ author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community -date: 2022/06/14 -modified: 2023/01/04 +date: 2022-06-14 +modified: 2023-01-04 tags: - attack.execution - attack.t1059 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml index a316319da85..f407e528c6c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml 
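Review bot: The pcalua hunk changes the `related` type to `obsolete` but leaves the adjacent description with the typo `execition` ("Detects execition of commands and binaries…"); since the metadata block is being touched anyway, correcting it to `description: Detects execution of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). …` would keep the rule text searchable. As with the other `obsoletes` → `obsolete` renames, confirm the relationship direction (this rule supersedes fa47597e-…) is preserved under the new value. The rule body continues outside the hunk.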
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml @@ -6,10 +6,10 @@ references: - https://twitter.com/pabraeken/status/991335019833708544 - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/ author: A. Sungurov , oscd.community -date: 2020/10/12 -modified: 2021/11/27 +date: 2020-10-12 +modified: 2021-11-27 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml index c4c3feed441..fc460b69d0e 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml @@ -5,9 +5,9 @@ description: Detects indirect command execution via Program Compatibility Assist references: - https://twitter.com/nas_bench/status/1535663791362519040 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/13 +date: 2022-06-13 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml index 8d2e0f798f0..1ff177bbfb3 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml @@ -6,10 +6,10 @@ references: - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/ - https://twitter.com/harr0ey/status/989617817849876488 author: Julia Fomina, oscd.community -date: 2020/10/05 -modified: 2023/02/09 +date: 2020-10-05 +modified: 2023-02-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 logsource: category: process_creation 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml index 84b3da532fe..45d45dce662 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml @@ -9,11 +9,11 @@ references: - https://twitter.com/Oddvarmoe/status/993383596244258816 - https://twitter.com/_st0pp3r_/status/1560072680887525378 author: frack113, Nasreddine Bencherchali -date: 2022/08/20 +date: 2022-08-20 tags: - attack.execution - attack.t1059.001 - - attack.defense_evasion + - attack.defense-evasion - attack.t1216 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml index 903a3db4c19..0936900bf85 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml @@ -6,12 +6,12 @@ references: - https://twitter.com/Oddvarmoe/status/993383596244258816 - https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md author: Julia Fomina, oscd.community -date: 2020/10/08 -modified: 2023/11/09 +date: 2020-10-08 +modified: 2023-11-09 tags: - attack.execution - attack.t1059.001 - - attack.defense_evasion + - attack.defense-evasion - attack.t1216 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml index 75a14853519..32626fda306 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml 
@@ -5,11 +5,11 @@ description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used references: - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/ author: frack113 -date: 2022/05/02 +date: 2022-05-02 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 - - attack.defense_evasion + - attack.defense-evasion - attack.t1564.004 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml index 7482ebb8af6..b01127c96b4 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml @@ -5,9 +5,9 @@ description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to exec references: - https://lolbas-project.github.io/lolbas/Scripts/Pubprn/ author: frack113 -date: 2022/05/28 +date: 2022-05-28 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1216.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml index c69a8056145..823c273346c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml @@ -7,9 +7,9 @@ references: - https://github.com/fireeye/DueDLLigence - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html author: Julia Fomina, oscd.community -date: 2020/10/09 +date: 2020-10-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: product: windows 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml index ed66cc41bc8..9a9a9894a73 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml @@ -5,9 +5,9 @@ description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to references: - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/19 +date: 2022-08-19 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml b/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml index e98dae12d69..3dd81beb286 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml @@ -6,9 +6,9 @@ references: - https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/ author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' -date: 2022/06/02 +date: 2022-06-02 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1127 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml b/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml index 3f9015e7918..07d8625e929 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml 
@@ -6,10 +6,10 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Replace/ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace author: frack113 -date: 2022/03/06 -modified: 2024/03/13 +date: 2022-03-06 +modified: 2024-03-13 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml index 5395baa2c04..993052cc999 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml @@ -6,9 +6,9 @@ references: - https://twitter.com/0gtweet/status/1206692239839289344 - https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/ author: frack113 -date: 2022/12/29 +date: 2022-12-29 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml b/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml index 1c4a8fbb828..0d58f8f8fff 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml @@ -5,12 +5,12 @@ description: Detects execution of powershell scripts via Runscripthelper.exe references: - https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/ author: Victor Sergeev, oscd.community -date: 2020/10/09 -modified: 2022/07/11 +date: 2020-10-09 +modified: 2022-07-11 tags: - attack.execution - attack.t1059 - - attack.defense_evasion + - attack.defense-evasion - attack.t1202 logsource: category: process_creation 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml b/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml index 096b85628af..d9b945af398 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml @@ -5,9 +5,9 @@ description: The "ScriptRunner.exe" binary can be abused to proxy execution thro references: - https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/01 +date: 2022-07-01 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution - attack.t1218 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml b/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml index 409a4e45090..b19ba6b5a76 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml @@ -5,11 +5,11 @@ description: Detects using SettingSyncHost.exe to run hijacked binary references: - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin author: Anton Kutepov, oscd.community -date: 2020/02/05 -modified: 2021/11/27 +date: 2020-02-05 +modified: 2021-11-27 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1574.008 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml index 2b03f783530..b618302b132 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml 
@@ -5,9 +5,9 @@ description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing t references: - https://github.com/LOLBAS-Project/LOLBAS/pull/264 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/11/10 +date: 2022-11-10 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution - attack.t1218 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml b/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml index cba743b6f8a..ba2fcdbed99 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml @@ -6,9 +6,9 @@ references: - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ - https://twitter.com/0gtweet/status/1457676633809330184 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/19 +date: 2022-08-19 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1216 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml index b0e2c0d1822..99ab0eff600 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml @@ -9,10 +9,10 @@ references: - https://man.openbsd.org/ssh_config#ProxyCommand - https://man.openbsd.org/ssh_config#LocalCommand author: frack113, Nasreddine Bencherchali -date: 2022/12/29 -modified: 2023/01/25 +date: 2022-12-29 +modified: 2023-01-25 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1202 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml index 83513b37df4..6f1aad9655a 100644 
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml @@ -7,7 +7,7 @@ references: - https://twitter.com/bohops/status/1477717351017680899?s=12 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/ author: Florian Roth (Nextron Systems) -date: 2022/01/06 +date: 2022-01-06 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml index 97e4ac25766..804626a9450 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml @@ -5,10 +5,10 @@ description: Detects a suspicious certreq execution taken from the LOLBAS exampl references: - https://lolbas-project.github.io/lolbas/Binaries/Certreq/ author: Christian Burkard (Nextron Systems) -date: 2021/11/24 -modified: 2022/06/13 +date: 2021-11-24 +modified: 2022-06-13 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml index 257866ce323..17eade9ef38 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml 
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
 - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
 author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
-date: 2021/09/30
-modified: 2022/10/09
+date: 2021-09-30
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
index 449026a8353..786cc9065ea 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
@@ -6,10 +6,10 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
 - https://twitter.com/harr0ey/status/992008180904419328
 author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/26
-modified: 2022/06/09
+date: 2019-10-26
+modified: 2022-06-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
index 9428c8a7bfd..3710a87605f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
@@ -5,7 +5,7 @@ description: Detects the suspicious execution of a utility to convert Windows 3.
 references:
 - https://twitter.com/0gtweet/status/1526833181831200770
 author: Florian Roth (Nextron Systems)
-date: 2022/05/19
+date: 2022-05-19
 tags:
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
index fe99ac17fd5..3606441aa46 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/countuponsec/status/910969424215232518
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
 author: Kirill Kiryanov, oscd.community
-date: 2020/10/08
-modified: 2021/11/27
+date: 2020-10-08
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
index b4cfcc7e517..9efb7540d4f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
@@ -2,17 +2,17 @@ title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
 id: fbd7c32d-db2a-4418-b92c-566eb8911133
 related:
 - id: fde7929d-8beb-4a4c-b922-be9974671667
- type: obsoletes
+ type: obsolete
 status: test
 description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: frack113
-date: 2021/07/12
-modified: 2022/10/04
+date: 2021-07-12
+modified: 2022-10-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
index 1a6f0e7e716..79942ca93b3 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: frack113
-date: 2021/07/16
-modified: 2022/06/22
+date: 2021-07-16
+modified: 2022-06-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1216
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
index 7d8d3807674..eb80b979d0f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL injection and execution using "Tracker.exe"
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
 author: 'Avneet Singh @v3t0_, oscd.community'
-date: 2020/10/18
-modified: 2023/01/09
+date: 2020-10-18
+modified: 2023-01-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
index 659520143d1..c11d3d784a2 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
@@ -5,9 +5,9 @@ description: Detects the executiob of TTDInject.exe, which is used by Windows 10
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
 author: frack113
-date: 2022/05/16
+date: 2022-05-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
index 3b206cf3f60..c86c21d522f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
@@ -10,11 +10,11 @@ references:
 - https://twitter.com/mattifestation/status/1196390321783025666
 - https://twitter.com/oulusoyum/status/1191329746069655553
 author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
-date: 2020/10/06
-modified: 2022/10/09
+date: 2020-10-06
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.credential_access
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.t1218
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
index 8a1aa6db6dd..d76cb25ba11 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
@@ -5,10 +5,10 @@ description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a cu
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
 author: frack113
-date: 2022/12/29
-modified: 2024/06/04
+date: 2022-12-29
+modified: 2024-06-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml b/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
index 8bfc89ccc89..7dce23df556 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
@@ -5,9 +5,9 @@ description: Detects the use of a Microsoft signed script executing a managed DL
 references:
 - https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
 author: frack113
-date: 2022/05/28
+date: 2022-05-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml b/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
index 22ff1da7f16..5b5667613a3 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
@@ -5,10 +5,10 @@ description: Detects successful code compilation via Visual Basic Command Line C
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
 author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
-date: 2020/10/07
-modified: 2021/11/27
+date: 2020-10-07
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml b/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
index 966d6a89cc5..3561e084a58 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
@@ -8,9 +8,9 @@ references:
 - https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
 - https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2022/06/01
+date: 2022-06-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml b/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
index 64e26318086..208d533c37b 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
@@ -5,9 +5,9 @@ description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/09
+date: 2022-06-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
index 2332ab8ee3f..d1b36829814 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
@@ -6,9 +6,9 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2022/06/01
+date: 2022-06-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml b/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
index 20133500be0..e84763bbccd 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/
 author: Nik Seetharaman, frack113
-date: 2019/01/16
-modified: 2023/02/03
+date: 2019-01-16
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1127
 - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
index a2562faa01d..8e0c854fd47 100644
--- a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
 - https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
 author: Austin Songer @austinsonger
-date: 2021/11/05
-modified: 2022/07/07
+date: 2021-11-05
+modified: 2022-07-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml b/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml
index cd7757ee2f8..5ce833272f4 100644
--- a/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml
+++ b/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/Hexacorn/status/1420053502554951689
 - https://twitter.com/SBousseaden/status/1464566846594691073?s=20
 author: Florian Roth (Nextron Systems), Samir Bousseaden
-date: 2021/11/27
-modified: 2023/03/02
+date: 2021-11-27
+modified: 2023-03-02
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml
index ad226cb9e86..386842c8f43 100644
--- a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml
@@ -5,10 +5,10 @@ description: Detects child processes of the "Trace log generation tool for Media
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/09
-modified: 2023/08/03
+date: 2022-06-09
+modified: 2023-08-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
index e7793c01e8f..0656acc4c50 100644
--- a/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
@@ -6,8 +6,8 @@ references:
 - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
 author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
-date: 2020/03/04
-modified: 2021/11/27
+date: 2020-03-04
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1021.003
diff --git a/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml
index 4e66d1338d1..73203887fa2 100644
--- a/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml
@@ -5,10 +5,10 @@ description: Detects a Windows command line executable started from MMC
 references:
 - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
 author: Karneades, Swisscom CSIRT
-date: 2019/08/05
-modified: 2022/07/14
+date: 2019-08-05
+modified: 2022-07-14
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml b/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml
index 39590a6ad32..a20a99a86b1 100644
--- a/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml
+++ b/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml
@@ -13,9 +13,9 @@ references:
 - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
 - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/01/17
+date: 2024-01-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
index 70f44c091c5..61e9dfbce82 100644
--- a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
 - https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
-modified: 2023/04/11
+date: 2022-07-12
+modified: 2023-04-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
index f52b0cd9d29..bab6f9fd3fe 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
@@ -8,10 +8,10 @@ description: Detects potential sideloading of "mpclient.dll" by Windows Defender
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
-date: 2022/08/01
-modified: 2023/08/04
+date: 2022-08-01
+modified: 2023-08-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
index f2bcb57760a..9ab70f25d78 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
@@ -6,12 +6,12 @@ references:
 - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
 - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
 author: Matthew Matchen
-date: 2020/09/04
-modified: 2023/11/09
+date: 2020-09-04
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
index b72143303be..1e2664c9436 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
 author: frack113
-date: 2021/07/07
-modified: 2023/07/18
+date: 2021-07-07
+modified: 2023-07-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml b/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml
index 0d8aae2ec27..2391af6cb8c 100644
--- a/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml
@@ -6,9 +6,9 @@ references:
 - https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
 - https://www.echotrail.io/insights/search/msbuild.exe
 author: frack113
-date: 2022/11/17
+date: 2022-11-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml b/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
index 17e808f2320..15fbbe0d840 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
@@ -7,10 +7,10 @@ references:
 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 - https://twitter.com/_JohnHammond/status/1531672601067675648
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/29
-modified: 2024/03/13
+date: 2022-05-29
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
index 12294470b03..90b0c670528 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
@@ -2,7 +2,7 @@ title: Suspicious Cabinet File Execution Via Msdt.EXE
 id: dc4576d4-7467-424f-9eee-fd2b02855fe0
 related:
 - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
 references:
@@ -11,10 +11,10 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
 - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
 author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
-date: 2022/06/21
-modified: 2024/03/13
+date: 2022-06-21
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
index 26dd9b3173b..b86d8cbd068 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/nao_sec/status/1530196847679401984
 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 author: Nextron Systems
-date: 2022/06/01
-modified: 2023/02/06
+date: 2022-06-01
+modified: 2023-02-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
index c3368ab67cc..abbb5ac3ccf 100644
--- a/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
@@ -5,9 +5,9 @@ description: Detects usage of "msedge_proxy.exe" to download arbitrary files
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
 author: Swachchhanda Shrawan Poudel
-date: 2023/11/09
+date: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_http.yml b/rules/windows/process_creation/proc_creation_win_mshta_http.yml
index 4616880dbcb..9f5cbf0a426 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_http.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_http.yml
@@ -5,10 +5,10 @@ description: Detects execution of the "mshta" utility with an argument containin
 references:
 - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/08
-modified: 2023/02/06
+date: 2022-08-08
+modified: 2023-02-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml b/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml
index 590edb8d363..7b01c2897b7 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml
@@ -6,8 +6,8 @@ references:
 - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
 - https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/31
-modified: 2023/05/15
+date: 2022-08-31
+modified: 2023-05-15
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml b/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
index c04a0e71c8b..c71f0e03d42 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
@@ -6,10 +6,10 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2023/02/07
+date: 2019-10-24
+modified: 2023-02-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml b/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml
index 28d43eb82c6..ab4307a3130 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml
@@ -5,10 +5,10 @@ description: Detects potential LethalHTA technique where the "mshta.exe" is spaw
 references:
 - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
 author: Markus Neis
-date: 2018/06/07
-modified: 2023/02/07
+date: 2018-06-07
+modified: 2023-02-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml
index bc95ac45d92..2b690e821e3 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml
@@ -5,10 +5,10 @@ description: Detects a suspicious process spawning from an "mshta.exe" process,
 references:
 - https://www.trustedsec.com/july-2015/malicious-htas/
 author: Michael Haag
-date: 2019/01/16
-modified: 2023/02/06
+date: 2019-01-16
+modified: 2023-02-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.005
 - car.2013-02-003
 - car.2013-03-001
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml
index c2f33a804be..4aeed34dd32 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml
@@ -9,15 +9,15 @@ references:
 - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
 - https://twitter.com/mattifestation/status/1326228491302563846
 author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
-date: 2019/02/22
-modified: 2022/11/07
+date: 2019-02-22
+modified: 2022-11-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 - attack.t1218.005
 - attack.execution
 - attack.t1059.007
- - cve.2020.1599
+ - cve.2020-1599
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml
index 1f3c6e7fe16..dfd8053f66f 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml
@@ -7,8 +7,8 @@ references:
     - https://www.echotrail.io/insights/search/mshta.exe
     - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/07/17
-modified: 2023/02/21
+date: 2021-07-17
+modified: 2023-02-21
 tags:
     - attack.execution
     - attack.t1106
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml
index f686fbd7830..56df948f2c9 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml
@@ -7,10 +7,10 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Msiexec/
     - https://twitter.com/_st0pp3r_/status/1583914515996897281
 author: frack113
-date: 2022/04/24
-modified: 2024/03/13
+date: 2022-04-24
+modified: 2024-03-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.007
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml b/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml
index e2734a46c12..2dab5452441 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml
@@ -5,11 +5,11 @@ description: Adversaries may abuse msiexec.exe to proxy the execution of malicio
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
 author: frack113
-date: 2022/04/16
-modified: 2022/07/14
+date: 2022-04-16
+modified: 2022-07-14
 tags:
     - attack.t1218.007
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
index fe957298f40..3f7b78db416 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
@@ -9,10 +9,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
     - https://twitter.com/_st0pp3r_/status/1583914515996897281
 author: frack113
-date: 2022/01/16
-modified: 2024/03/13
+date: 2022-01-16
+modified: 2024-03-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.007
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
index 66abbe28c9f..fdf292ae355 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
@@ -9,10 +9,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
     - https://twitter.com/_st0pp3r_/status/1583914244344799235
 author: frack113
-date: 2022/01/16
-modified: 2024/03/13
+date: 2022-01-16
+modified: 2024-03-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.007
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
index 62efc5c5114..2d07f2368cc 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
@@ -8,10 +8,10 @@ description: Detects usage of Msiexec.exe to install packages hosted remotely qu
 references:
     - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/28
-modified: 2024/03/13
+date: 2022-10-28
+modified: 2024-03-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.007
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml b/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
index 719db6d434d..d8d71c1f098 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
@@ -5,10 +5,10 @@ description: Detects the execution of msiexec.exe from an uncommon directory
 references:
     - https://twitter.com/200_okay_/status/1194765831911215104
 author: Florian Roth (Nextron Systems)
-date: 2019/11/14
-modified: 2023/02/21
+date: 2019-11-14
+modified: 2023-02-21
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1036.005
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml b/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
index 9c6b54d1048..2b42219f6d1 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
@@ -8,12 +8,12 @@ description: Detects suspicious msiexec process starts with web addresses as par
 references:
     - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
 author: Florian Roth (Nextron Systems)
-date: 2018/02/09
-modified: 2022/01/07
+date: 2018-02-09
+modified: 2022-01-07
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.007
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1105
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml b/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml
index eda88d25774..05cecbce78b 100644
--- a/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml
@@ -5,10 +5,10 @@ description: Detects usage of "MSOHTMED" to download arbitrary files
 references:
     - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
-modified: 2023/11/09
+date: 2022-08-19
+modified: 2023-11-09
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
     - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_mspub_download.yml b/rules/windows/process_creation/proc_creation_win_mspub_download.yml
index 196ffa009f0..f698ea1ac2d 100644
--- a/rules/windows/process_creation/proc_creation_win_mspub_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_mspub_download.yml
@@ -5,10 +5,10 @@ description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrar
 references:
     - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
-modified: 2023/02/08
+date: 2022-08-19
+modified: 2023-02-08
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
     - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
index 958be5ee45e..d6f3c55de6e 100644
--- a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
@@ -6,10 +6,10 @@ references:
     - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
     - https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
 author: Alexander McDonald
-date: 2022/06/24
-modified: 2023/02/03
+date: 2022-06-24
+modified: 2023-02-03
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1055
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml
index 00e841f285a..0500cb38ffc 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml
@@ -9,12 +9,12 @@ references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
     - https://twitter.com/bryon_/status/975835709587075072
 author: 'Agro (@agro_sev) oscd.community'
-date: 2020/10/10
-modified: 2022/12/09
+date: 2020-10-10
+modified: 2022-12-09
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1127
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml
index 0ee8748bb94..1cad374ae62 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml
@@ -8,12 +8,12 @@ references:
     - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml
     - https://twitter.com/pabraeken/status/993298228840992768
 author: 'Agro (@agro_sev) oscd.communitly'
-date: 2020/10/13
-modified: 2022/02/25
+date: 2020-10-13
+modified: 2022-02-25
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1127
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
index 8b5fcb0cea9..571a66a831d 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
@@ -2,20 +2,20 @@ title: Suspicious Child Process Of SQL Server
 id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
 related:
     - id: 344482e4-a477-436c-aa70-7536d18a48c7
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
 references:
     - Internal Research
 author: FPT.EagleEye Team, wagga
-date: 2020/12/11
-modified: 2023/05/04
+date: 2020-12-11
+modified: 2023-05-04
 tags:
     - attack.t1505.003
     - attack.t1190
-    - attack.initial_access
+    - attack.initial-access
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
index 6b1139af9f2..1d700067047 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
@@ -8,11 +8,11 @@ description: Detects suspicious child processes of the Veeam service process. Th
 references:
     - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml b/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml
index c3943d2e6a5..ea640b8b9eb 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml
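Review bot: Under `related:` the relation keyword changes from `type: obsoletes` to `type: obsolete`, a vocabulary change that only holds if the Sigma loader and validators used in CI accept the new spelling; a tool version that still expects `obsoletes` would reject this file and the same change further down in the diff. The old keyword also read unambiguously as "this rule supersedes 344482e4-…", whereas `obsolete` on its own can be misread as marking this rule itself obsolete, so the direction presumably intended by the spec should be confirmed rather than assumed. A short comment on the entry, `# this rule supersedes 344482e4-a477-436c-aa70-7536d18a48c7`, would remove that ambiguity for readers.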
@@ -6,10 +6,10 @@ references:
     - https://twitter.com/kmkz_security/status/1220694202301976576
     - https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet
 author: Florian Roth (Nextron Systems)
-date: 2020/01/24
-modified: 2023/02/05
+date: 2020-01-24
+modified: 2023-02-05
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1563.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml
index a8d9af11a21..906d740421b 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml
@@ -8,10 +8,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
 author: frack113
-date: 2022/01/07
-modified: 2024/06/04
+date: 2022-01-07
+modified: 2024-06-04
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
index baa0a0a74f9..ee950308e27 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
@@ -6,10 +6,10 @@ references:
     - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
     - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
-date: 2023/04/18
-modified: 2023/04/30
+date: 2023-04-18
+modified: 2023-04-30
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
index 4c4dd59c728..46924362e32 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
@@ -6,9 +6,9 @@ references:
     - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
     - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/18
+date: 2023-04-18
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
index 4f694938e7c..92bb477f2ab 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
@@ -6,10 +6,10 @@ references:
     - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
     - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/18
-modified: 2023/04/18
+date: 2023-04-18
+modified: 2023-04-18
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml b/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml
index 7eed7a1696f..3617cfd7778 100644
--- a/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml
@@ -8,10 +8,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2023/11/09
+date: 2019-10-21
+modified: 2023-11-09
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1220
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
index 8a0af8241dd..696d8d25d80 100644
--- a/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
@@ -6,9 +6,9 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
 author: Swachchhanda Shrawan Poudel
-date: 2023/11/09
+date: 2023-11-09
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1220
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
index c2d348136cd..98d75ebfcf5 100644
--- a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
@@ -9,8 +9,8 @@ references:
     - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
     - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
 author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/01/16
-modified: 2023/03/02
+date: 2019-01-16
+modified: 2023-03-02
 tags:
     - attack.discovery
     - attack.t1087.001
diff --git a/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml b/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml
index d1622ff5d09..34fa64866c8 100644
--- a/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml
@@ -5,10 +5,10 @@ description: Detects when when a mounted share is removed. Adversaries may remov
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
 author: oscd.community, @redcanary, Zach Stanford @svch0st
-date: 2020/10/08
-modified: 2023/02/21
+date: 2020-10-08
+modified: 2023-02-21
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1070.005
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_start_service.yml b/rules/windows/process_creation/proc_creation_win_net_start_service.yml
index febcf673910..cf36f28400b 100644
--- a/rules/windows/process_creation/proc_creation_win_net_start_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_start_service.yml
@@ -5,8 +5,8 @@ description: Detects the usage of the "net.exe" command to start a service using
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/21
-modified: 2023/03/05
+date: 2019-10-21
+modified: 2023-03-05
 tags:
     - attack.execution
     - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
index 9c77946d9d1..1a2ef922497 100644
--- a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
@@ -2,13 +2,13 @@ title: Stop Windows Service Via Net.EXE
 id: 88872991-7445-4a22-90b2-a3adadb0e827
 related:
     - id: eb87818d-db5d-49cc-a987-d5da331fbd90
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects the stopping of a Windows service via the "net" utility.
 references:
     - https://ss64.com/nt/net-service.html
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/05
+date: 2023-03-05
 tags:
     - attack.impact
     - attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml
index cea23a01c3a..c99fc209a1c 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml
@@ -8,10 +8,10 @@ description: Detects when an admin share is mounted using net.exe
 references:
     - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
-date: 2020/10/05
-modified: 2023/02/21
+date: 2020-10-05
+modified: 2023-02-21
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml
index b352bf0463b..71d4ce167ef 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml
@@ -5,10 +5,10 @@ description: Detects when an internet hosted webdav share is mounted using the "
 references:
     - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/21
-modified: 2023/07/25
+date: 2023-02-21
+modified: 2023-07-25
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
index 2e72dfd99f8..5938a14a93d 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
@@ -8,10 +8,10 @@ description: Detects when a share is mounted using the "net.exe" utility
 references:
     - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/02
-modified: 2023/02/21
+date: 2023-02-02
+modified: 2023-02-21
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml b/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml
index acf870c8266..abad8b80222 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml
@@ -5,8 +5,8 @@ description: Adversaries may attempt to get a listing of network connections to
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
 author: frack113
-date: 2021/12/10
-modified: 2023/02/21
+date: 2021-12-10
+modified: 2023-02-21
 tags:
     - attack.discovery
     - attack.t1049
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
index e3f13067586..57a5ca9d3e8 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
@@ -5,14 +5,14 @@ description: Detects a when net.exe is called with a password in the command lin
 references:
     - Internal Research
 author: Tim Shelton (HAWK.IO)
-date: 2021/12/09
-modified: 2023/02/21
+date: 2021-12-09
+modified: 2023-02-21
 tags:
-    - attack.defense_evasion
-    - attack.initial_access
+    - attack.defense-evasion
+    - attack.initial-access
     - attack.persistence
-    - attack.privilege_escalation
-    - attack.lateral_movement
+    - attack.privilege-escalation
+    - attack.lateral-movement
     - attack.t1021.002
     - attack.t1078
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_net_user_add.yml b/rules/windows/process_creation/proc_creation_win_net_user_add.yml
index 35a4b809285..d12bc6f2b37 100644
--- a/rules/windows/process_creation/proc_creation_win_net_user_add.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_user_add.yml
@@ -9,8 +9,8 @@ references:
     - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
 author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
-date: 2018/10/30
-modified: 2023/02/21
+date: 2018-10-30
+modified: 2023-02-21
 tags:
     - attack.persistence
     - attack.t1136.001
diff --git a/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
index ecfc1a481df..73b30e9c54d 100644
--- a/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
@@ -8,8 +8,8 @@ description: Detects creation of local users via the net.exe command with the op
 references:
     - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
-modified: 2023/02/21
+date: 2022-07-12
+modified: 2023-02-21
 tags:
     - attack.persistence
     - attack.t1136.001
diff --git a/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml
index 0404696f9d5..c55fa61836c 100644
--- a/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml
@@ -7,8 +7,8 @@ references:
     - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
     - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/01
-modified: 2023/02/21
+date: 2022-09-01
+modified: 2023-02-21
 tags:
     - attack.collection
     - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml b/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml
index e82b3014e88..c1eb268dbf7 100644
--- a/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml
@@ -6,8 +6,8 @@ references:
     - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 author: Endgame, JHasenbusch (ported for oscd.community)
-date: 2018/10/30
-modified: 2023/02/21
+date: 2018-10-30
+modified: 2023-02-21
 tags:
     - attack.discovery
     - attack.t1018
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
index 0a903d4187e..1c95471b135 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
@@ -5,10 +5,10 @@ description: Detects the addition of a new rule to the Windows firewall via nets
 references:
     - https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
 author: Markus Neis, Sander Wiebing
-date: 2019/01/29
-modified: 2023/02/10
+date: 2019-01-29
+modified: 2023-02-10
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.004
     - attack.s0246
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
index 81d851b9c5e..7f530d906af 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
@@ -6,10 +6,10 @@ references:
     - https://www.virusradar.com/en/Win32_Kasidet.AD/description
     - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
 author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2020/05/25
-modified: 2023/12/11
+date: 2020-05-25
+modified: 2023-12-11
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
index bbae0e43d99..609378f7200 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
@@ -5,10 +5,10 @@ description: Detects usage of the netsh command to open and allow connections to
 references:
     - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
 author: Sander Wiebing
-date: 2020/05/23
-modified: 2023/12/11
+date: 2020-05-23
+modified: 2023-12-11
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
index b59893cd01e..bb57f97961d 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
@@ -5,10 +5,10 @@ description: Detects the removal of a port or application rule in the Windows Fi
 references:
     - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
 author: frack113
-date: 2022/08/14
-modified: 2023/02/10
+date: 2022-08-14
+modified: 2023-02-10
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml
index 4e067198361..b4a46526e0b 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml
@@ -7,10 +7,10 @@ references:
     - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall
 author: Fatih Sirin
-date: 2019/11/01
-modified: 2023/02/13
+date: 2019-11-01
+modified: 2023-02-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.004
     - attack.s0108
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
index 9efa732a745..fc550cf84dd 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
 author: frack113
-date: 2022/01/09
-modified: 2023/02/14
+date: 2022-01-09
+modified: 2023-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml
index 1fe4dff9bac..d3622d65893 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
 - https://ss64.com/nt/netsh.html
 author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-date: 2021/12/07
-modified: 2023/12/11
+date: 2021-12-07
+modified: 2023-12-11
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
index 67a5768993f..4bb6dbe26fd 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
@@ -5,9 +5,9 @@ description: Detects execution of netsh with the "advfirewall" and the "set" opt
 references:
 - https://ss64.com/nt/netsh.html
 author: X__Junior (Nextron Systems)
-date: 2023/07/18
+date: 2023-07-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml b/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
index a44246c3489..e3e4408e95d 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
@@ -13,10 +13,10 @@ references:
 - https://github.com/outflanknl/NetshHelperBeacon
 - https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
 author: Victor Sergeev, oscd.community
-date: 2019/10/25
-modified: 2023/11/28
+date: 2019-10-25
+modified: 2023-11-28
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.007
 - attack.s0108
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml b/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml
index b0975d4ebea..86f3333ea91 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml
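Review bot: After the tag rewrite `proc_creation_win_netsh_fw_set_rule.yml` still carries only the tactic `attack.defense-evasion` and no technique, while every other netsh firewall rule in this change (allow-program, allow-rdp, delete-rule, disable, enable-group-rule) pairs that tactic with `attack.t1562.004`. The hunk header says the rule detects `netsh` with the `advfirewall` and `set` options, which is the same firewall-modification behaviour, so adding `    - attack.t1562.004` under `tags:` would bring it in line with its siblings. The gap is pre-existing rather than introduced here, but a normalisation pass over the tags is the natural place to close it.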
@@ -6,11 +6,11 @@ references:
 - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
 - https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
 author: Kutepov Anton, oscd.community
-date: 2019/10/24
-modified: 2023/02/13
+date: 2019-10-24
+modified: 2023-02-13
 tags:
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.t1040
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml
index c246111f639..a08da2ed025 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml
@@ -7,12 +7,12 @@ references:
 - https://adepts.of0x.cc/netsh-portproxy-code/
 - https://www.dfirnotes.net/portproxy_detection/
 author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
-date: 2019/01/29
-modified: 2023/09/01
+date: 2019-01-29
+modified: 2023-09-01
 tags:
- - attack.lateral_movement
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.lateral-movement
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1090
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml
index 1e024fb7ac2..2dcd586770d 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml
@@ -5,12 +5,12 @@ description: Detects the execution of netsh to configure a port forwarding of po
 references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 author: Florian Roth (Nextron Systems), oscd.community
-date: 2019/01/29
-modified: 2023/02/13
+date: 2019-01-29
+modified: 2023-02-13
 tags:
- - attack.lateral_movement
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.lateral-movement
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1090
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml b/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml
index 916e6c6fb24..536ecc6cfd4 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml
@@ -5,11 +5,11 @@ description: Detect the harvesting of wifi credentials using netsh.exe
 references:
 - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
 author: Andreas Hunkeler (@Karneades), oscd.community
-date: 2020/04/20
-modified: 2023/02/13
+date: 2020-04-20
+modified: 2023-02-13
 tags:
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.t1040
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_nltest_execution.yml b/rules/windows/process_creation/proc_creation_win_nltest_execution.yml
index ab92fb09f73..7e89691109b 100644
--- a/rules/windows/process_creation/proc_creation_win_nltest_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_nltest_execution.yml
@@ -4,13 +4,13 @@ related:
 - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
 type: similar
 - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects nltest commands that can be used for information discovery
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
 author: Arun Chauhan
-date: 2023/02/03
+date: 2023-02-03
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
index 8a1677b39fe..440f86050ec 100644
--- a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
@@ -6,7 +6,7 @@ related:
 - id: 903076ff-f442-475a-b667-4f246bcc203b
 type: similar
 - id: 77815820-246c-47b8-9741-e0def3f57308
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects nltest commands that can be used for information discovery
 references:
@@ -19,8 +19,8 @@ references:
 - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
 - https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
 author: Craig Young, oscd.community, Georg Lauenstein
-date: 2021/07/24
-modified: 2023/12/15
+date: 2021-07-24
+modified: 2023-12-15
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/windows/process_creation/proc_creation_win_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_abuse.yml
index e2dd472049d..61107b8341d 100644
--- a/rules/windows/process_creation/proc_creation_win_node_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_node_abuse.yml
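Review bot: The `+ type: obsolete` relation replaces `obsoletes`, which follows the newer Sigma relation vocabulary but is a breaking change for anyone loading these rules with a pySigma or sigma-cli release that only knows the old value; presumably such loaders reject the rule outright rather than ignoring the field. Because the same rename is applied across many files in this change, the minimum supported converter version should be stated in the release notes or README so downstream pipelines pinning an older version are not surprised by a repository-wide parse failure. The relation's direction (this rule superseding `eeb66bbb-3dde-4582-815a-584aee9fe6d1`) is unchanged by the rename as far as the hunk shows.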
@@ -8,10 +8,10 @@ references:
 - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
 - https://nodejs.org/api/cli.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
-modified: 2023/02/03
+date: 2022-09-09
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml
index 3f28e922d9e..a737bbef3f2 100644
--- a/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml
@@ -5,9 +5,9 @@ description: Detects the execution of other scripts using the Node executable pa
 references:
 - https://twitter.com/mttaggart/status/1511804863293784064
 author: Max Altgelt (Nextron Systems)
-date: 2022/04/06
+date: 2022-04-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 - attack.t1059.007
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml b/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml
index c23bc521ccb..bf2443b6ba0 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml
@@ -5,7 +5,7 @@ description: Detects a set of suspicious network related commands often used in
 references:
 - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
 author: Florian Roth (Nextron Systems)
-date: 2022/02/07
+date: 2022-02-07
 tags:
 - attack.discovery
 - attack.t1087
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
index 9beca810ede..f5ee6c8b43d 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
@@ -2,7 +2,7 @@ title: Nslookup PowerShell Download Cradle - ProcessCreation
 id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
 related:
 - id: 72671447-4352-4413-bb91-b85569687135
- type: obsoletes
+ type: obsolete
 - id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
 type: similar
 status: test
@@ -10,10 +10,10 @@ description: Detects suspicious powershell download cradle using nslookup. This
 references:
 - https://twitter.com/Alh4zr3d/status/1566489367232651264
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/05
-modified: 2022/12/19
+date: 2022-09-05
+modified: 2022-12-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml
index 0424f974361..488c5f0fab5 100644
--- a/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml
@@ -9,9 +9,9 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/14
+date: 2022-09-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 category: process_creation
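Review bot: The path `proc_creation_win_nslookup_poweshell_download.yml` is misspelled (`poweshell`) while the hunk's header line reads `title: Nslookup PowerShell Download Cradle`; a repository-wide metadata rewrite that already touches every rule is the natural point to rename the file, since any tooling that indexes rules by path has to be re-run anyway. Separately, after the tag change the rule keeps only the tactic `attack.defense-evasion` with no technique; a PowerShell download cradle would commonly also carry `    - attack.t1059.001`, though that mapping is an authoring judgement rather than something this hunk establishes.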
diff --git a/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml
index cfb63094796..035a1acce05 100644
--- a/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml
@@ -5,10 +5,10 @@ description: Detects execution of ntdsutil.exe, which can be used for various at
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
 author: Thomas Patzke
-date: 2019/01/16
-modified: 2022/03/11
+date: 2019-01-16
+modified: 2022-03-11
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml
index 21a46d9cee6..978badb807f 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml
@@ -10,9 +10,9 @@ references:
 - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/22
+date: 2023-05-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml
index 0cc790e45eb..39713e00ece 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml
@@ -10,9 +10,9 @@ references:
 - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/23
+date: 2023-05-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
index 04cd26a89cd..4c679701da2 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
@@ -7,10 +7,10 @@ references:
 - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
 - https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/22
-modified: 2023/05/26
+date: 2023-05-22
+modified: 2023-05-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml
index 3e49b8e2975..d7f9a520677 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml
@@ -13,9 +13,9 @@ references:
 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
 author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/22
+date: 2023-05-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
index 37973aa0b86..7bc5ef90426 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
@@ -10,9 +10,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
 - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/22
+date: 2023-05-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
index ba064a43b2e..fc62df134c1 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
@@ -4,7 +4,7 @@ related:
 - id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5
 type: similar
 - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
- type: obsoletes
+ type: obsolete
 status: experimental
 description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
 references:
@@ -13,10 +13,10 @@ references:
 - https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/22
-modified: 2024/03/05
+date: 2023-05-22
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml
index a38beefae4b..fe0adf15d0e 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml
@@ -4,7 +4,7 @@ related:
 - id: 5f03babb-12db-4eec-8c82-7b4cb5580868
 type: derived
 - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
- type: obsoletes
+ type: obsolete
 status: experimental
 description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
 references:
@@ -12,10 +12,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
 - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/22
-modified: 2024/03/13
+date: 2023-05-22
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml
index 7259f168abc..00231805b16 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml
@@ -7,9 +7,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
 - https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac
 author: Harjot Singh @cyb3rjy0t
-date: 2023/05/22
+date: 2023-05-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
index d903fa06b39..baa359dd9a8 100644
--- a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
@@ -2,7 +2,7 @@ title: Potential Arbitrary File Download Using Office Application
 id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
 related:
 - id: 0c79148b-118e-472b-bdb7-9b57b444cc19
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects potential arbitrary file download using a Microsoft Office application
 references:
@@ -11,10 +11,10 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
 - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
 author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
-date: 2022/05/17
-modified: 2023/06/22
+date: 2022-05-17
+modified: 2023-06-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml
index a6b29db2175..82c08071f3e 100644
--- a/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/grayhatkiller/SharpExShell
 - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
 author: Aaron Stratton
-date: 2023/11/13
+date: 2023-11-13
 tags:
 - attack.t1021.003
- - attack.lateral_movement
+ - attack.lateral-movement
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
index a8b2a2338ce..dc850edb394 100644
--- a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
@@ -8,10 +8,10 @@ references:
 - https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465
 - https://twitter.com/_JohnHammond/status/1588155401752788994
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/21
-modified: 2023/10/18
+date: 2023-06-21
+modified: 2023-10-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml
index 33e616656f6..6462627a9ba 100644
--- a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml
@@ -9,12 +9,12 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
 - https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0
 author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
-date: 2022/10/21
-modified: 2023/02/10
+date: 2022-10-21
+modified: 2023-02-10
 tags:
 - attack.t1566
 - attack.t1566.001
- - attack.initial_access
+ - attack.initial-access
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml
index 1b47fe69783..79c699cba72 100644
--- a/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml
@@ -10,8 +10,8 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
 - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
 author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-date: 2018/12/27
-modified: 2023/02/09
+date: 2018-12-27
+modified: 2023-02-09
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml
index 28f64366897..299f62a986f 100644
--- a/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml
@@ -5,10 +5,10 @@ description: Detects a suspicious program execution in Outlook temp folder
 author: Florian Roth (Nextron Systems)
 references:
 - Internal Research
-date: 2019/10/01
-modified: 2022/10/09
+date: 2019-10-01
+modified: 2022-10-09
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml
index efacc94fcca..5d682f21f59 100644
--- a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml
@@ -11,8 +11,8 @@ references:
 - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
-date: 2022/02/28
-modified: 2023/02/04
+date: 2022-02-28
+modified: 2023-02-04
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml
index abafb2abb16..a5e629bb425 100644
--- a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml
@@ -10,8 +10,8 @@ references:
 - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
 author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-date: 2018/12/27
-modified: 2023/02/09
+date: 2018-12-27
+modified: 2023-02-09
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
index 0de29ed4b39..77d738f85c3 100644
--- a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
@@ -6,8 +6,8 @@ references:
 - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
 - https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
 author: Jason Lynch
-date: 2019/04/02
-modified: 2023/02/04
+date: 2019-04-02
+modified: 2023-02-04
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
index d9db7943d8c..2c1228b902a 100644
--- a/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
@@ -6,11 +6,11 @@ related:
 - id: e1693bc8-7168-4eab-8718-cdcaa68a1738
 type: derived
 - id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
- type: obsoletes
+ type: obsolete
 - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
- type: obsoletes
+ type: obsolete
 - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
 references:
@@ -26,10 +26,10 @@ references:
 - https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
 - https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
 author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
-date: 2018/04/06
-modified: 2023/04/24
+date: 2018-04-06
+modified: 2023-04-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1047
 - attack.t1204.002
diff --git a/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml b/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml
index b22896ba55f..c823f0b7ddc 100644
--- a/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml
@@ -2,16 +2,16 @@ title: Potential Arbitrary DLL Load Using Winword
 id: f7375e28-5c14-432f-b8d1-1db26c832df3
 related:
 - id: 2621b3a6-3840-4810-ac14-a02426086171
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
 references:
 - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
 author: Victor Sergeev, oscd.community
-date: 2020/10/09
-modified: 2023/03/29
+date: 2020-10-09
+modified: 2023-03-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml b/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml
index bc5067a80aa..2c251d8106c 100644
--- a/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml
+++ b/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
 author: frack113
-date: 2022/03/06
-modified: 2023/08/03
+date: 2022-03-06
+modified: 2023-08-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml
index f73876bf2b5..b6a37eca1fb 100644
--- a/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml
@@ -9,11 +9,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md
 - https://www.pdq.com/pdq-deploy/
 author: frack113
-date: 2022/10/01
-modified: 2023/01/30
+date: 2022-10-01
+modified: 2023-01-30
 tags:
 - attack.execution
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1072
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
index a42777cb04c..ffd63a5acca 100644
--- a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
@@ -8,8 +8,8 @@ description: Detects suspicious execution of "PDQDeployRunner" which is part of
 references:
 - https://twitter.com/malmoeb/status/1550483085472432128
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/22
-modified: 2024/05/02
+date: 2022-07-22
+modified: 2024-05-02
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml
index 6c5a1cd82a5..0b492c04ba9 100644
--- a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/02
+date: 2023-01-02
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml
index a13cb74d93a..ebfc5979f03 100644
--- a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml
@@ -7,7 +7,7 @@ references:
 - https://www.revshells.com/
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/02
+date: 2023-01-02
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml b/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml
index 1a0e4d894c7..d0a3c0c9923 100644
--- a/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna
 - https://twitter.com/vysecurity/status/977198418354491392
 author: Florian Roth (Nextron Systems)
-date: 2018/03/23
-modified: 2022/01/07
+date: 2018-03-23
+modified: 2022-01-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 - attack.t1027
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml b/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml
index d6afde716ff..f5c4db2b222 100644
--- a/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml
@@ -5,10 +5,10 @@ description: Detects execution of PktMon, a tool that captures network packets.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
 author: frack113
-date: 2022/03/17
-modified: 2023/06/23
+date: 2022-03-17
+modified: 2023-06-23
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1040
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml b/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml
index aeeface9d55..cb49692b9c1 100644
--- a/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml
+++ b/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml
@@ -6,12 +6,12 @@ references:
 - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
 - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
 author: Florian Roth (Nextron Systems)
-date: 2021/01/19
-modified: 2022/10/09
+date: 2021-01-19
+modified: 2022-10-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml
index 422a3938975..5b4ac1b4c22 100644
--- a/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml
+++ b/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml
@@ -8,10 +8,10 @@ description: Execution of plink to perform data exfiltration and tunneling
 references:
 - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
 author: Florian Roth (Nextron Systems)
-date: 2022/08/04
-modified: 2023/01/27
+date: 2022-08-04
+modified: 2023-01-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml b/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml
index 76ac6007425..9603d0bbe60 100644
--- a/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml
@@ -6,9 +6,9 @@ references:
 - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
 - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
 author: frack113
-date: 2022/11/18
+date: 2022-11-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
index 90041f38338..9fa62c36a02 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
@@ -9,12 +9,12 @@ references:
 - https://o365blog.com/aadinternals/
 - https://github.com/Gerenios/AADInternals
 author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/23
+date: 2022-12-23
 tags:
 - attack.execution
 - attack.reconnaissance
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.impact
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml
index 5cbfd28a7ea..148bb70c926 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml
@@ -12,7 +12,7 @@ references:
 - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
 author: frack113
-date: 2023/01/22
+date: 2023-01-22
 tags:
 - attack.reconnaissance
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml
index 473f05fa149..9f077664fa2 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml
@@ -9,8 +9,8 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
 - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/22
-modified: 2023/05/09
+date: 2023-01-22
+modified: 2023-05-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml
index f418a9eee19..fc5e7dbfa06 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml
@@ -2,17 +2,17 @@ title: Potential AMSI Bypass Via .NET Reflection
 id: 30edb182-aa75-42c0-b0a9-e998bb29067c
 related:
 - id: 4f927692-68b5-4267-871b-073c45f4f6fe
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
 references:
 - https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
 - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
 author: Markus Neis, @Kostastsale
-date: 2018/08/17
-modified: 2023/02/03
+date: 2018-08-17
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml
index 2efc33ed96f..0c159f1df34 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml
@@ -8,10 +8,10 @@ description: Detects usage of special strings/null bits in order to potentially
 references:
 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/04
-modified: 2023/05/09
+date: 2023-01-04
+modified: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml b/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml
index dcaa249561c..e920d212438 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml
@@ -7,8 +7,8 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
 - https://github.com/frgnca/AudioDeviceCmdlets
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/24
-modified: 2023/04/06
+date: 2019-10-24
+modified: 2023-04-06
 tags:
 - attack.collection
 - attack.t1123
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml
index 2f7e7e85858..4b05b35468a 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml
@@ -5,8 +5,8 @@ description: Detects suspicious powershell process starts with base64 encoded co
 references:
 - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
 author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
-date: 2018/09/03
-modified: 2023/04/06
+date: 2018-09-03
+modified: 2023-04-06
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml
index 6fe238666df..27d2c1589b5 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml
@@ -5,8 +5,8 @@ description: Detects PowerShell command line patterns in combincation with encod
 references:
 - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
 author: Florian Roth (Nextron Systems)
-date: 2022/05/24
-modified: 2023/01/05
+date: 2022-05-24
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml
index d40b11730c7..3a908d007af 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml
@@ -5,10 +5,10 @@ description: Detects suspicious UTF16 and base64 encoded and often obfuscated Po
 references:
 - https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
 author: Florian Roth (Nextron Systems)
-date: 2022/07/11
-modified: 2023/02/14
+date: 2022-07-11
+modified: 2023-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
index 000c2b02392..f6094e19c84 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
@@ -5,10 +5,10 @@ description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a pr
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2019/08/24
-modified: 2023/04/06
+date: 2019-08-24
+modified: 2023-04-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml
index 6d774ea98c4..d4f5fc04b9c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml
@@ -5,8 +5,8 @@ description: Detects base64 encoded strings used in hidden malicious PowerShell
 references:
 - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
 author: John Lambert (rule)
-date: 2019/01/16
-modified: 2023/01/05
+date: 2019-01-16
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
index 98d0a5b692a..b6303328b77 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
@@ -5,8 +5,8 @@ description: Detects usage of a base64 encoded "IEX" cmdlet in a process command
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2019/08/23
-modified: 2023/04/06
+date: 2019-08-23
+modified: 2023-04-06
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
index 510a718c9a8..9681b6f0845 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
@@ -2,18 +2,18 @@ title: PowerShell Base64 Encoded Invoke Keyword
 id: 6385697e-9f1b-40bd-8817-f4a91f40508e
 related:
 - id: fd6e2919-3936-40c9-99db-0aa922c356f7
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
 references:
 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
-date: 2022/05/20
-modified: 2023/04/06
+date: 2022-05-20
+modified: 2023-04-06
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
index 443d39e730d..78bad83674b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://twitter.com/AdamTheAnalyst/status/1483497517119590403
 author: Florian Roth (Nextron Systems)
-date: 2022/03/04
-modified: 2023/01/30
+date: 2022-03-04
+modified: 2023-01-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml
index d682bc63c0e..41b6af9ccda 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml
@@ -9,12 +9,12 @@ references:
 - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
-date: 2022/03/01
-modified: 2023/01/30
+date: 2022-03-01
+modified: 2023-01-30
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.t1620
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml
index 00e8e7b6c14..38cb80cca04 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml
@@ -10,11 +10,11 @@ references:
 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 - https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0
 author: pH-T (Nextron Systems)
-date: 2022/03/01
-modified: 2023/04/06
+date: 2022-03-01
+modified: 2023-04-06
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1059.001
 - attack.t1027
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
index 9e4af468078..d655058c8c3 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
@@ -2,17 +2,17 @@ title: PowerShell Base64 Encoded WMI Classes
 id: 1816994b-42e1-4fb1-afd2-134d88184f71
 related:
 - id: 47688f1b-9f51-4656-b013-3cc49a166a36
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
 references:
 - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
 author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/30
+date: 2023-01-30
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml
index 6f11a1d6b06..1416a2da373 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml
@@ -6,10 +6,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
 - https://twitter.com/bohops/status/948061991012327424
 author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2023/08/17
+date: 2020-10-14
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml
index 06beed98a58..d9067f4b923 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml
@@ -6,10 +6,10 @@ references:
 - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
 - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/21
-modified: 2023/08/17
+date: 2022-05-21
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml
index 7fb441be922..cdea7db436f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml
@@ -5,10 +5,10 @@ description: Detects the use of the Microsoft signed script "CL_mutexverifiers"
 references:
 - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
 author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
-date: 2022/05/21
-modified: 2023/08/17
+date: 2022-05-21
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml
index 38cfa229aca..e7a0388af90 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml
@@ -6,10 +6,10 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-date: 2020/10/11
-modified: 2023/02/01
+date: 2020-10-11
+modified: 2023-02-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml
index 2e58e722cd6..cc533274cfb 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml
@@ -6,10 +6,10 @@ references:
 - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66
 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-date: 2020/10/11
-modified: 2023/05/31
+date: 2020-10-11
+modified: 2023-05-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
index ca41366fd98..1f1e2ea0095 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
@@ -5,11 +5,11 @@ description: Detects the PowerShell command lines with special characters
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
-date: 2020/10/15
-modified: 2024/04/15
+date: 2020-10-15
+modified: 2024-04-15
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml b/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml
index 621e908a049..952f842b1a9 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml
@@ -10,8 +10,8 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
 - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/10
-modified: 2022/11/17
+date: 2022-11-10
+modified: 2022-11-17
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml
index 90af18ddf87..7d2daed45bf 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml
@@ -8,10 +8,10 @@ description: Detects the creation of a new service using powershell.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-date: 2023/02/20
+date: 2023-02-20
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml b/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml
index 8d76e7d5548..e7c5bde7b69 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml
@@ -5,9 +5,9 @@ description: Detects attempts of decoding encoded Gzip archives via PowerShell.
 references:
 - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: Hieu Tran
-date: 2023/03/13
+date: 2023-03-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1132.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
index d4a23895abd..05c1df9440d 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
@@ -5,8 +5,8 @@ description: Detects PowerShell commands that decrypt an ".LNK" "file to drop th
 references:
 - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/30
-modified: 2023/12/05
+date: 2023-06-30
+modified: 2023-12-05
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
index 929f7145720..9a1a536451e 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
@@ -7,10 +7,10 @@ references:
 - https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
 - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
 author: Florian Roth (Nextron Systems)
-date: 2022/03/03
-modified: 2024/01/02
+date: 2022-03-03
+modified: 2024-01-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
index e7f7aa037d7..8a0b3a33535 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://twitter.com/AdamTheAnalyst/status/1483497517119590403
 author: Florian Roth (Nextron Systems)
-date: 2021/04/29
-modified: 2022/05/12
+date: 2021-04-29
+modified: 2022-05-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
index 2f8e0938d08..85e540109ef 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
@@ -7,10 +7,10 @@ references:
 - https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: 'ok @securonix invrep-de, oscd.community, frack113'
-date: 2020/10/12
-modified: 2022/11/18
+date: 2020-10-12
+modified: 2022-11-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
index 272d5d7d11c..2fe327847b2 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
@@ -8,10 +8,10 @@ description: Detects attempts to disable the Windows Firewall using PowerShell
 references:
 - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/14
-modified: 2023/02/13
+date: 2022-09-14
+modified: 2023-02-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml
index 83137d0b90d..36fc38dee9b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml
@@ -5,10 +5,10 @@ description: Detects command lines that indicate unwanted modifications to regis
 references:
 - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
 author: Florian Roth (Nextron Systems)
-date: 2020/06/19
-modified: 2021/11/27
+date: 2020-06-19
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
index e28e6189b43..26be469cee5 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
@@ -9,10 +9,10 @@ references:
 - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-
 author: Harish Segar (rule)
-date: 2020/03/20
-modified: 2023/01/04
+date: 2020-03-20
+modified: 2023-01-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
index 685f4897c36..2c4f417dab3 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
@@ -9,9 +9,9 @@ references:
 - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
 author: frack113
-date: 2022/12/25
+date: 2022-12-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
index 030a7abc0f0..88d62daf89f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
@@ -5,10 +5,10 @@ description: Detects suspicious ways to download files or content using PowerShe
 references:
 - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
 author: Florian Roth (Nextron Systems)
-date: 2022/03/24
-modified: 2023/01/05
+date: 2022-03-24
+modified: 2023-01-05
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
 - attack.t1059.001
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
index a10e8c9e92a..1160979479c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
@@ -5,9 +5,9 @@ description: Detects potential DLL files being downloaded using the PowerShell I
 references:
 - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: Florian Roth (Nextron Systems), Hieu Tran
-date: 2023/03/13
+date: 2023-03-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
 - attack.t1059.001
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
index e129a0565af..5fb9dc6cf44 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Florian Roth (Nextron Systems)
-date: 2022/03/24
-modified: 2023/05/04
+date: 2022-03-24
+modified: 2023-05-04
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml
index 195b3b0ea7f..3f74d50eb47 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml
@@ -10,8 +10,8 @@ references:
 - https://lab52.io/blog/winter-vivern-all-summer/
 - https://hatching.io/blog/powershell-analysis/
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2019/01/16
-modified: 2023/01/26
+date: 2019-01-16
+modified: 2023-01-26
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
index 7c3d8e69a18..c6afa475dfa 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
@@ -8,7 +8,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/23
+date: 2024-02-23
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml
index 8185eb5a4cd..277cda516ea 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml
@@ -10,7 +10,7 @@ description: |
 references:
 - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
 author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
-date: 2024/06/26
+date: 2024-06-26
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml b/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml
index 146ceadc21f..bf0fa52edcb 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml
@@ -6,7 +6,7 @@ references:
 - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 - https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
 author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
-date: 2022/09/09
+date: 2022-09-09
 tags:
 - attack.exfiltration
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
index e76ea4027f8..8969a822a78 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
@@ -12,9 +12,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
 - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/29
+date: 2022-12-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encode.yml b/rules/windows/process_creation/proc_creation_win_powershell_encode.yml
index cdd82e75f6f..a72d1629a88 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_encode.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_encode.yml
@@ -7,8 +7,8 @@ references:
 - https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
 - https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
 author: frack113
-date: 2022/01/02
-modified: 2023/01/05
+date: 2022-01-02
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml
index f50886c9c1a..4f109282ffb 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml
@@ -8,10 +8,10 @@ description: Detects specific combinations of encoding methods in PowerShell via
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-date: 2020/10/11
-modified: 2023/01/26
+date: 2020-10-11
+modified: 2023-01-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
index a3f8f4a2c52..0090e9f284b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
@@ -5,7 +5,7 @@ description: Detects inline execution of PowerShell code from a file
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
 author: frack113
-date: 2022/12/25
+date: 2022-12-25
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
index 3a4500a1e9d..837a1bab90e 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
@@ -10,9 +10,9 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
 - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/18
+date: 2023-05-18
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.execution
 - attack.t1552.004
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
index 6c245389803..ceb1d0587c6 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
@@ -5,11 +5,11 @@ description: Detects usage of the "FromBase64String" function in the commandline
 references:
 - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
 author: Florian Roth (Nextron Systems)
-date: 2020/01/29
-modified: 2023/01/26
+date: 2020-01-29
+modified: 2023-01-26
 tags:
 - attack.t1027
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
index 2561e26815f..0e668e5714d 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
@@ -8,9 +8,9 @@ description: Detects attempts of decoding a base64 Gzip archive via PowerShell.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
 author: frack113
-date: 2022/12/23
+date: 2022-12-23
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1132.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml b/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml
index 8b1aecec441..43992ef9f2b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml
@@ -9,8 +9,8 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/16
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2020/05/02
-modified: 2022/12/25
+date: 2020-05-02
+modified: 2022-12-25
 tags:
 - attack.collection
 - attack.t1115
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml b/rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml
index 6c129bbc2d9..4e1a3164a54 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml
@@ -8,7 +8,7 @@ description: Detects suspicious reconnaissance command line activity on Windows
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/10
+date: 2022-10-10
 tags:
 - attack.discovery
 - attack.t1087.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml b/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
index 21de196ed0a..526f97c9e9b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
@@ -5,10 +5,10 @@ description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, w
 references:
 - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
 author: Florian Roth (Nextron Systems)
-date: 2021/04/23
-modified: 2023/01/05
+date: 2021-04-23
+modified: 2023-01-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
index 79d2fda906e..344bff202ef 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
@@ -11,11 +11,11 @@ references:
 - https://twitter.com/Alh4zr3d/status/1580925761996828672
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/17
+date: 2022-10-17
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml
index cd10df94704..bed05c1cfa9 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/03/24
-modified: 2022/11/28
+date: 2022-03-24
+modified: 2022-11-28
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
index c817650d7a3..442667b7b89 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
@@ -6,10 +6,10 @@ references:
 - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 - https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
-modified: 2023/01/16
+date: 2022-09-09
+modified: 2023-01-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
index 329fecd6111..6ffe036a850 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
@@ -8,7 +8,7 @@ description: Detects powershell scripts that import modules from suspicious dire
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/10
+date: 2023-01-10
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
index 8525e42073b..bda94b9c170 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
@@ -9,10 +9,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
 - https://twitter.com/WindowsDocs/status/1620078135080325122
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/31
+date: 2023-01-31
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
index 8d71f2ac77f..db5ff82447c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
@@ -2,7 +2,7 @@ title: Suspicious PowerShell Invocations - Specific - ProcessCreation
 id: 536e2947-3729-478c-9903-745aaffe60d2
 related:
 - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
- type: obsoletes
+ type: obsolete
 - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
 type: similar
 - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
@@ -12,9 +12,9 @@ description: Detects suspicious PowerShell invocation command parameters
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/05
+date: 2023-01-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
index 1ba2ad95114..55ffdff939f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
@@ -5,9 +5,9 @@ description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using dir
 references:
 - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/21
+date: 2023-04-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
index 437906dcde9..5e81fdb2abd 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
@@ -8,10 +8,10 @@ description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/02
-modified: 2024/02/23
+date: 2022-08-02
+modified: 2024-02-23
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml b/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml
index 9d9e8294782..20fd255a8df 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml
@@ -8,8 +8,8 @@ references:
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Florian Roth (Nextron Systems)
-date: 2021/08/07
-modified: 2022/10/26
+date: 2021-08-07
+modified: 2022-10-26
 tags:
 - attack.exfiltration
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
index 0c74b947205..8fa81a13d16 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
@@ -27,8 +27,8 @@ references:
 - https://github.com/adrecon/ADRecon
 - https://github.com/adrecon/AzureADRecon
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/02
-modified: 2024/01/25
+date: 2023-01-02
+modified: 2024-01-25
 tags:
 - attack.execution
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml b/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml
index 05cf509a3d7..72591f2ca8a 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml
@@ -8,8 +8,8 @@ description: Detects the Installation of a Exchange Transport Agent
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
 author: Tobias Michalski (Nextron Systems)
-date: 2021/06/08
-modified: 2022/10/09
+date: 2021-06-08
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1505.002
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml
index 4920282f6d0..8634b9cf2af 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml
@@ -5,8 +5,8 @@ description: Detects non-interactive PowerShell activity by looking at the "powe
 references:
 - https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
 author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
-date: 2019/09/12
-modified: 2023/09/07
+date: 2019-09-12
+modified: 2023-09-07
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml b/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
index db2d56c2701..70b1d779375 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
@@ -5,12 +5,12 @@ description: Detects suspicious encoded character syntax often used for defense
 references:
 - https://twitter.com/0gtweet/status/1281103918693482496
 author: Florian Roth (Nextron Systems)
-date: 2020/07/09
-modified: 2023/01/05
+date: 2020-07-09
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml b/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
index 3d1df4c9a0a..69908b7bcfc 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
@@ -5,8 +5,8 @@ description: This rule detects execution of PowerShell scripts located in the "C
 references:
 - https://www.mandiant.com/resources/evolution-of-fin7
 author: Max Altgelt (Nextron Systems)
-date: 2022/04/06
-modified: 2022/07/14
+date: 2022-04-06
+modified: 2022-07-14
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml b/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
index 0039fd05afe..ef01c0e95af 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
@@ -13,10 +13,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: frack113
-date: 2021/07/13
-modified: 2023/05/09
+date: 2021-07-13
+modified: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml
index 6892f5bcb19..c056a2663d9 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml
@@ -8,9 +8,9 @@ description: Detects attempts to remove Windows Defender configurations using th
 references:
 - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
+date: 2022-08-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
index 4c0913b5c23..db6caa0e7ac 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
@@ -7,8 +7,8 @@ references:
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
 author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/03/03
-modified: 2023/04/05
+date: 2021-03-03
+modified: 2023-04-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
index 3af5fcd354c..08a0188a756 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
@@ -5,10 +5,10 @@ description: Detects PowerShell script execution from Alternate Data Stream (ADS
 references:
 - https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1
 author: Sergey Soldatov, Kaspersky Lab, oscd.community
-date: 2019/10/30
-modified: 2022/07/14
+date: 2019-10-30
+modified: 2022-07-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
index adc8a96bcee..c9e429ead24 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml
 - https://twitter.com/Moriarty_Meng/status/984380793383370752
 author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
-date: 2020/10/17
-modified: 2021/11/27
+date: 2020-10-17
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml b/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml
index d450ee18185..c48ba5e8361 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml
@@ -5,10 +5,10 @@ description: Detects suspicious PowerShell scripts accessing SAM hives
 references:
 - https://twitter.com/splinter_code/status/1420546784250769408
 author: Florian Roth (Nextron Systems)
-date: 2021/07/29
-modified: 2023/01/06
+date: 2021-07-29
+modified: 2023-01-06
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml b/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml
index c8b04c202f8..ebf05e498b7 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml
@@ -5,8 +5,8 @@ description: Detects suspicious powershell invocations from interpreters or unus
 references:
 - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
 author: Florian Roth (Nextron Systems)
-date: 2019/01/16
-modified: 2023/01/05
+date: 2019-01-16
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
index e27730d65ba..5f7cebbeaae 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
@@ -9,7 +9,7 @@ references:
 - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
 - https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/18
+date: 2022-10-18
 tags:
 - attack.persistence
 - attack.t1543.003
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
index 515cc7f0518..edd87ef7c6f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
@@ -13,9 +13,9 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/18
+date: 2022-10-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
index 7d1ea1f8b7d..1d1fe711c4e 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
@@ -13,9 +13,9 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/18
+date: 2022-10-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml
index 6feca9f49f2..df8d01e6508 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml
@@ -15,8 +15,8 @@ references:
 - https://adsecurity.org/?p=2604
 - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
 author: frack113
-date: 2021/11/01
-modified: 2023/12/13
+date: 2021-11-01
+modified: 2023-12-13
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
index 5c2534ff00f..5bdfbc58a8b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
@@ -5,10 +5,10 @@ description: Detects the use of the PowerShell "Set-Service" cmdlet to change th
 references:
 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/04
+date: 2023-03-04
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
index cdc762a4079..6108177b1f1 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
@@ -11,8 +11,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
 - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/20
-modified: 2022/12/30
+date: 2022-09-20
+modified: 2022-12-30
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
index 69225edada9..aacb1bbaa94 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
@@ -7,8 +7,8 @@ references:
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 - https://www.intrinsec.com/apt27-analysis/
 author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/03/03
-modified: 2023/03/24
+date: 2021-03-03
+modified: 2023-03-24
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml
index 5653001de63..2a5ffa784f3 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml
@@ -2,13 +2,13 @@ title: Stop Windows Service Via PowerShell Stop-Service
 id: c49c5062-0966-4170-9efd-9968c913a6cf
 related:
 - id: eb87818d-db5d-49cc-a987-d5da331fbd90
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
 references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/05
+date: 2023-03-05
 tags:
 - attack.impact
 - attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
index e292eff7779..2026bd226a3 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
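Review bot: In the Stop-Service rule hunk the `related` entry changes its vocabulary from `type: obsoletes` to `type: obsolete`, which is a semantic change to the relation type rather than a formatting fix; any downstream consumer or validator that still filters on the literal `obsoletes` will silently stop matching this relation. The same rename appears in the XOR-encoded-command and AdFind hunks later in this diff. It would help reviewers to confirm in the commit description that the validator version exercised by CI accepts `obsolete`, since a validator that only knows the old spelling would fail these three rules rather than the whole batch.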
@@ -9,8 +9,8 @@ references:
 - https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
 - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
 author: Florian Roth (Nextron Systems)
-date: 2022/02/28
-modified: 2022/03/01
+date: 2022-02-28
+modified: 2022-03-01
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
index 4d3a29e6868..c3de98e4de2 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
@@ -5,8 +5,8 @@ description: Detects suspicious PowerShell invocation with a parameter substring
 references:
 - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
 author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
-date: 2019/01/16
-modified: 2022/07/14
+date: 2019-01-16
+modified: 2022-07-14
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml
index a11fa914fd4..720c0c1758f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml
@@ -8,8 +8,8 @@ description: Detects a suspicious or uncommon parent processes of PowerShell
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
 author: Teymur Kheirkhabarov, Harish Segar
-date: 2020/03/20
-modified: 2023/02/04
+date: 2020-03-20
+modified: 2023-02-04
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml
index 162f157e0d8..ff5d961d512 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/JohnLaTwC/status/1082851155481288706
 - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2019/01/09
-modified: 2022/07/14
+date: 2019-01-09
+modified: 2022-07-14
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml
index d3bbeb15e72..f98b275d090 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml
@@ -5,12 +5,12 @@ description: Detects the execution of powershell, a WebClient object creation an
 references:
 - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
 author: Florian Roth (Nextron Systems)
-date: 2020/08/28
-modified: 2021/11/27
+date: 2020-08-28
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1104
 - attack.t1105
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
index 6c88f8b51a0..4a96bcb139d 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
@@ -8,10 +8,10 @@ description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
-date: 2022/12/27
-modified: 2024/08/11
+date: 2022-12-27
+modified: 2024-08-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.009
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml
index c606d36f766..be4f0af06db 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml
@@ -9,8 +9,8 @@ references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
-modified: 2022/11/17
+date: 2022-09-09
+modified: 2022-11-17
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml
index be33964e4b1..8b4b003ec73 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml
@@ -5,8 +5,8 @@ description: Detects PowerShell command line contents that include a suspicious
 references:
 - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
 author: Florian Roth (Nextron Systems)
-date: 2022/05/24
-modified: 2023/01/05
+date: 2022-05-24
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
index 7b47c7d7e4b..34aa33f22d4 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
@@ -10,9 +10,9 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
 author: frack113
-date: 2022/12/23
+date: 2022-12-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.004
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
index 8932afd0c59..95e2ed443d0 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
@@ -2,7 +2,7 @@ title: Suspicious XOR Encoded PowerShell Command
 id: bb780e0c-16cf-4383-8383-1e5471db6cf9
 related:
 - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects presence of a potentially xor encoded powershell command
 references:
@@ -11,10 +11,10 @@ references:
 - https://zero2auto.com/2020/05/19/netwalker-re/
 - https://mez0.cc/posts/cobaltstrike-powershell-exec/
 author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
-date: 2018/09/05
-modified: 2023/01/30
+date: 2018-09-05
+modified: 2023-01-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059.001
 - attack.t1140
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml b/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
index d9795a0ebf0..4c69117420b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
@@ -15,8 +15,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2021/07/20
-modified: 2022/10/09
+date: 2021-07-20
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1074.001
diff --git a/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml b/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml
index 9c4be72ddac..07b9b33875b 100644
--- a/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml
@@ -5,10 +5,10 @@ description: Detects usage of "PresentationHost" which is a utility that runs ".
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/239/files
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
-modified: 2023/11/09
+date: 2022-08-19
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml b/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
index cfe575b762a..24d674c5e77 100644
--- a/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/01
-modified: 2023/11/09
+date: 2022-07-01
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
index 5840e42fe20..aaff7ae7c2c 100644
--- a/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
@@ -9,11 +9,11 @@ references:
 - https://twitter.com/mrd0x/status/1463526834918854661
 - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/11
-modified: 2023/04/11
+date: 2022-01-11
+modified: 2023-04-11
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml b/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
index 609e824786b..2425b4ea5fc 100644
--- a/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
+++ b/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
@@ -6,10 +6,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Print/
 - https://twitter.com/Oddvarmoe/status/985518877076541440
 author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
-date: 2020/10/05
-modified: 2022/07/07
+date: 2020-10-05
+modified: 2022-07-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml b/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml
index 25a584c82cd..497bffec3e2 100644
--- a/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
 author: frack113
-date: 2021/07/13
-modified: 2023/11/09
+date: 2021-07-13
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
index a13ba06b803..1f65531f62d 100644
--- a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
@@ -13,9 +13,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
 - https://twitter.com/0gtweet/status/1674399582162153472
 author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-date: 2023/08/08
+date: 2023-08-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
index 9c01e150268..8acfb918732 100644
--- a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
@@ -13,9 +13,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
 - https://twitter.com/0gtweet/status/1674399582162153472
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/08
+date: 2023-08-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml b/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml
index 7918c8fd696..63cbe4f6c1c 100644
--- a/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml
+++ b/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml
@@ -7,8 +7,8 @@ references:
 - https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 author: Beyu Denis, oscd.community
-date: 2019/10/12
-modified: 2024/01/04
+date: 2019-10-12
+modified: 2024-01-04
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml
index 04638f9f92c..8b4c8054956 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/3proxy/3proxy
 - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Florian Roth (Nextron Systems)
-date: 2022/09/13
-modified: 2023/02/21
+date: 2022-09-13
+modified: 2023-02-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml b/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
index 7a7a6952cde..0e99a9a83df 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
@@ -10,8 +10,8 @@ references:
 - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
 author: frack113
-date: 2021/12/13
-modified: 2023/03/05
+date: 2021-12-13
+modified: 2023-03-05
 tags:
 - attack.discovery
 - attack.t1087.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml
index 0464748680d..063f0d8552f 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml
@@ -4,7 +4,7 @@ related:
 - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
 type: similar
 - id: 75df3b17-8bcc-4565-b89b-c9898acef911
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects AdFind execution with common flags seen used during attacks
 references:
@@ -16,8 +16,8 @@ references:
 - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
 author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
-date: 2021/02/02
-modified: 2023/03/05
+date: 2021-02-02
+modified: 2023-03-05
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml b/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
index d04c5ee1039..b83cc804738 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
@@ -10,8 +10,8 @@ references:
 - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
 author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
-date: 2020/05/12
-modified: 2023/02/07
+date: 2020-05-12
+modified: 2023-02-07
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml b/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
index a35ff4a83fb..c9e33cee5a1 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
@@ -5,8 +5,8 @@ description: Detects the use of Advanced Port Scanner.
 references:
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/18
-modified: 2023/02/07
+date: 2021-12-18
+modified: 2023-02-07
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
index fc72e197338..1336ef27349 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
@@ -11,12 +11,12 @@ references:
 - https://www.elastic.co/security-labs/operation-bleeding-bear
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/20
-modified: 2023/02/21
+date: 2022-01-20
+modified: 2023-02-21
 tags:
 - attack.execution
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1564.003
 - attack.t1134.002
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
index 331d4a3e8dc..88046fe9c78 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
@@ -11,11 +11,11 @@ references:
 - https://www.elastic.co/security-labs/operation-bleeding-bear
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/20
-modified: 2023/02/21
+date: 2022-01-20
+modified: 2023-02-21
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1134.002
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_pua_chisel.yml b/rules/windows/process_creation/proc_creation_win_pua_chisel.yml
index d4b04ca3177..d31aaeac706 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_chisel.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_chisel.yml
@@ -10,10 +10,10 @@ references:
 - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
 - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
 author: Florian Roth (Nextron Systems)
-date: 2022/09/13
-modified: 2023/02/13
+date: 2022-09-13
+modified: 2023-02-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml b/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
index d2289e8431d..724e5c03be8 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
@@ -5,10 +5,10 @@ description: Detects the use of CleanWipe a tool usually used to delete Symantec
 references:
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/18
-modified: 2023/02/14
+date: 2021-12-18
+modified: 2023-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
index 5af7f9b90aa..d1ea956c704 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
@@ -5,7 +5,7 @@ description: Detects Crassus, a Windows privilege escalation discovery tool, bas
 references:
 - https://github.com/vu-ls/Crassus
 author: pH-T (Nextron Systems)
-date: 2023/04/17
+date: 2023-04-17
 tags:
 - attack.discovery
 - attack.t1590.001
diff --git a/rules/windows/process_creation/proc_creation_win_pua_csexec.yml b/rules/windows/process_creation/proc_creation_win_pua_csexec.yml
index a9398da0fa9..3b732714fb2 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_csexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_csexec.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/malcomvetter/CSExec
 - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
 author: Florian Roth (Nextron Systems)
-date: 2022/08/22
-modified: 2023/02/21
+date: 2022-08-22
+modified: 2023-02-21
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587.001
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
index 5bed99cfbf5..74a3dd00850 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
@@ -5,10 +5,10 @@ description: Detects the use of DefenderCheck, a tool to evaluate the signatures
 references:
 - https://github.com/matterpreter/DefenderCheck
 author: Florian Roth (Nextron Systems)
-date: 2022/08/30
-modified: 2023/02/04
+date: 2022-08-30
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml b/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml
index 237a0f8b15a..246d82ca400 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml
@@ -6,10 +6,10 @@ references:
 - https://thedfirreport.com/2020/06/21/snatch-ransomware/
 - https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
 author: Furkan Caliskan (@caliskanfurkan_)
-date: 2020/07/04
-modified: 2023/02/21
+date: 2020-07-04
+modified: 2023-02-21
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_frp.yml b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
index 9b809012f8e..19b5098c00a 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_frp.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
@@ -6,10 +6,10 @@ references:
 - https://asec.ahnlab.com/en/38156/
 - https://github.com/fatedier/frp
 author: frack113, Florian Roth
-date: 2022/09/02
-modified: 2023/02/04
+date: 2022-09-02
+modified: 2023-02-04
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_iox.yml b/rules/windows/process_creation/proc_creation_win_pua_iox.yml
index 5fb2df51bd7..3c4738818ba 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_iox.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_iox.yml
@@ -5,10 +5,10 @@ description: Detects the use of IOX - a tool for port forwarding and intranet pr
 references:
 - https://github.com/EddieIvan01/iox
 author: Florian Roth (Nextron Systems)
-date: 2022/10/08
-modified: 2023/02/08
+date: 2022-10-08
+modified: 2023-02-08
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml
index 3334eddd9ba..751cd62bd67 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf
 - https://sourceforge.net/projects/mouselock/
 author: Cian Heasley
-date: 2020/08/13
-modified: 2023/02/21
+date: 2020-08-13
+modified: 2023-02-21
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.collection
 - attack.t1056.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_pua_netcat.yml b/rules/windows/process_creation/proc_creation_win_pua_netcat.yml
index dc857162653..da6274c486a 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_netcat.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_netcat.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
 - https://www.revshells.com/
 author: frack113, Florian Roth (Nextron Systems)
-date: 2021/07/21
-modified: 2023/02/08
+date: 2021-07-21
+modified: 2023-02-08
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1095
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_netscan.yml b/rules/windows/process_creation/proc_creation_win_pua_netscan.yml
index 606316aa612..4ff4df6216b 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_netscan.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_netscan.yml
@@ -13,7 +13,7 @@ references:
 - https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
 - https://www.softperfect.com/products/networkscanner/
 author: '@d4ns4n_ (Wuerth-Phoenix)'
-date: 2024/04/25
+date: 2024-04-25
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml b/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml
index 0f5ec44081f..2c8f2d109f8 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml
@@ -13,10 +13,10 @@ references:
 - https://twitter.com/xorJosh/status/1598646907802451969
 - https://www.softwaretestinghelp.com/how-to-use-ngrok/
 author: Florian Roth (Nextron Systems)
-date: 2021/05/14
-modified: 2023/02/21
+date: 2021-05-14
+modified: 2023-02-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
index fd61809361f..3d3f0b8aa12 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
@@ -5,10 +5,10 @@ description: Detects the usage of nimgrab, a tool bundled with the Nim programmi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
 author: frack113
-date: 2022/08/28
-modified: 2023/02/13
+date: 2022-08-28
+modified: 2023-02-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml b/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml
index b4a321a2cf3..3ae74672848 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml
@@ -7,8 +7,8 @@ references:
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 - https://www.nirsoft.net/utils/nircmd2.html#using
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/24
-modified: 2023/02/13
+date: 2022-01-24
+modified: 2023-02-13
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml b/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml
index fc346f301f2..b37c3294432 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml
@@ -7,8 +7,8 @@ references:
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 - https://www.nirsoft.net/utils/nircmd2.html#using
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/24
-modified: 2023/02/13
+date: 2022-01-24
+modified: 2023-02-13
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml b/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml
index bed7471e106..44e1269ae52 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml
@@ -6,8 +6,8 @@ references:
 - https://nmap.org/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
 author: frack113
-date: 2021/12/10
-modified: 2023/12/11
+date: 2021-12-10
+modified: 2023-12-11
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nps.yml b/rules/windows/process_creation/proc_creation_win_pua_nps.yml
index 1a5550ff492..f696f7a32ce 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nps.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nps.yml
@@ -5,10 +5,10 @@ description: Detects the use of NPS, a port forwarding and intranet penetration
 references:
 - https://github.com/ehang-io/nps
 author: Florian Roth (Nextron Systems)
-date: 2022/10/08
-modified: 2023/02/04
+date: 2022-10-08
+modified: 2023-02-04
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
index 9da2bd8591b..8fc2458a28e 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
@@ -6,8 +6,8 @@ references:
 - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
-date: 2022/01/24
-modified: 2023/02/13
+date: 2022-01-24
+modified: 2023-02-13
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml b/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml
index 47e79e61075..da8445b7309 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml
@@ -14,7 +14,7 @@ references:
 - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
 - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2024/01/11
+date: 2024-01-11
 tags:
 - attack.reconnaissance
 - attack.t1595
diff --git a/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml b/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml
index bad28cede13..7a56a9143e8 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml
@@ -15,7 +15,7 @@ references:
 - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
 - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2024/01/11
+date: 2024-01-11
 tags:
 - attack.reconnaissance
 - attack.t1595
diff --git a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
index 394c8a241de..d7ee73f3ad0 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
@@ -12,13 +12,13 @@ references:
 - https://processhacker.sourceforge.io/
 - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
 author: Florian Roth (Nextron Systems)
-date: 2022/10/10
-modified: 2023/12/11
+date: 2022-10-10
+modified: 2023-12-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.discovery
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1622
 - attack.t1564
 - attack.t1543
diff --git a/rules/windows/process_creation/proc_creation_win_pua_radmin.yml b/rules/windows/process_creation/proc_creation_win_pua_radmin.yml
index 89126a02849..fbfebd2dccf 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_radmin.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_radmin.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md
 - https://www.radmin.fr/
 author: frack113
-date: 2022/01/22
-modified: 2023/12/11
+date: 2022-01-22
+modified: 2023-12-11
 tags:
 - attack.execution
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1072
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
index c299fb6008e..bd2bd540f73 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
@@ -7,10 +7,10 @@ references:
 - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
 - https://github.com/electron/rcedit
 author: Micah Babinski
-date: 2022/12/11
-modified: 2023/03/05
+date: 2022-12-11
+modified: 2023-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 - attack.t1036
 - attack.t1027.005
diff --git a/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml
index b61912e1b91..226fc992d40 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml
@@ -2,9 +2,9 @@ title: PUA - Rclone Execution
 id: e37db05d-d1f9-49c8-b464-cee1a4b11638
 related:
 - id: a0d63692-a531-4912-ad39-4393325b2a9c
- type: obsoletes
+ type: obsolete
 - id: cb7286ba-f207-44ab-b9e6-760d82b84253
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
 references:
@@ -14,8 +14,8 @@ references:
 - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
 - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
 author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
-date: 2021/05/10
-modified: 2023/03/05
+date: 2021-05-10
+modified: 2023-03-05
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml b/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml
index c3a58063ef3..86784bcfd4e 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml
@@ -6,8 +6,8 @@ references:
 - https://www.d7xtech.com/free-software/runx/
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/24
-modified: 2023/02/14
+date: 2022-01-24
+modified: 2023-02-14
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
index 84559cbd2c8..42ec12cbd7f 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/GhostPack/Seatbelt
 - https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/18
-modified: 2023/02/04
+date: 2022-10-18
+modified: 2023-02-04
 tags:
 - attack.discovery
 - attack.t1526
diff --git a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
index 3aaa59f44c5..42420aa9b2e 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
@@ -8,12 +8,12 @@ description: Detects the execution of System Informer, a task manager tool to vi
 references:
 - https://github.com/winsiderss/systeminformer
 author: Florian Roth (Nextron Systems)
-date: 2023/05/08
+date: 2023-05-08
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.discovery
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1082
 - attack.t1564
 - attack.t1543
diff --git a/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
index b08f5847cb4..c43183295e7 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
@@ -5,10 +5,10 @@ description: Detects the execution of WebBrowserPassView.exe. A password recover
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
 author: frack113
-date: 2022/08/20
-modified: 2023/02/14
+date: 2022-08-20
+modified: 2023-02-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml
index e42b3d26223..53c4bfc90ad 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml
@@ -5,11 +5,11 @@ description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that
 references:
 - https://github.com/M2Team/Privexec/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/02
-modified: 2023/02/14
+date: 2022-12-02
+modified: 2023-02-14
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1059
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml b/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml
index 8420fca22cd..ec4518f83a1 100644
--- a/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
 author: frack113
-date: 2022/01/01
-modified: 2023/02/21
+date: 2022-01-01
+modified: 2023-02-21
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
index 03929b66077..24463a9ab1f 100644
--- a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
@@ -7,8 +7,8 @@ references:
 - https://www.revshells.com/
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/02
-modified: 2023/02/17
+date: 2023-01-02
+modified: 2023-02-17
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml b/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml
index df5e0e7bcdf..0d93d94141e 100644
--- a/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml
@@ -8,7 +8,7 @@ description: Detects python spawning a pretty tty
 references:
 - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
 author: Nextron Systems
-date: 2022/06/03
+date: 2022-06-03
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml b/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml
index 5f2a4cdc761..64c86b01014 100644
--- a/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml
@@ -8,9 +8,9 @@ references:
 - https://securelist.com/network-tunneling-with-qemu/111803/
 - https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
 author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
-date: 2024/06/03
+date: 2024-06-03
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 - attack.t1572
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
index e7928dd1f20..c730037aeba 100644
--- a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
+++ b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
@@ -5,8 +5,8 @@ description: Detects usage of "query.exe" a system binary to exfil information s
 references:
 - https://twitter.com/MichalKoczwara/status/1553634816016498688
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/01/19
+date: 2022-08-01
+modified: 2023-01-19
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml b/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml
index a47bab18da7..6b758af7539 100644
--- a/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
 author: Timur Zinniatullin, E.M. Anhaus, oscd.community
-date: 2019/10/21
-modified: 2023/02/05
+date: 2019-10-21
+modified: 2023-02-05
 tags:
 - attack.collection
 - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml b/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml
index fd484bef4c4..547e171e5bc 100644
--- a/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml
+++ b/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml
@@ -7,8 +7,8 @@ references:
 - https://ss64.com/bash/rar.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 author: '@ROxPinTeddy'
-date: 2020/05/12
-modified: 2022/03/16
+date: 2020-05-12
+modified: 2022-03-16
 tags:
 - attack.collection
 - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml
index e564b321303..1f352d1030a 100644
--- a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml
+++ b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml
@@ -5,8 +5,8 @@ description: Detects RAR usage that creates an archive from a suspicious folder,
 references:
 - https://decoded.avast.io/martinchlumecky/png-steganography
 author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/12/15
-modified: 2024/01/02
+date: 2022-12-15
+modified: 2024-01-02
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml b/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml
index 7e919587e0f..276d8fb5c81 100644
--- a/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml
@@ -5,10 +5,10 @@ description: Detects suspicious process related to rasdial.exe
 references:
 - https://twitter.com/subTee/status/891298217907830785
 author: juju4
-date: 2019/01/16
-modified: 2021/11/27
+date: 2019-01-16
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml b/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
index 5fe7b539d3e..2a0e1ff9108 100644
--- a/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
+++ b/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
@@ -2,7 +2,7 @@ title: Process Memory Dump via RdrLeakDiag.EXE
 id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
 related:
 - id: 6355a919-2e97-4285-a673-74645566340d
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
 references:
@@ -11,10 +11,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
 - https://twitter.com/0gtweet/status/1299071304805560321?s=21
 author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/09/24
-modified: 2023/04/24
+date: 2021-09-24
+modified: 2023-04-24
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
index 633554ee7d2..6bb079cbf13 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
@@ -6,8 +6,8 @@ references:
 - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
 - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
 author: Florian Roth (Nextron Systems)
-date: 2021/06/28
-modified: 2023/01/30
+date: 2021-06-28
+modified: 2023-01-30
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
index d4775a8d0e3..84b26b8bfbc 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
@@ -8,10 +8,10 @@ description: Detects execution of "reg.exe" commands with the "add" or "copy" fl
 references:
 - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/02
-modified: 2024/03/19
+date: 2022-09-02
+modified: 2024-03-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml b/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml
index aff12694e11..eba078581e9 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml
@@ -5,8 +5,8 @@ description: Detects suspicious addition to BitLocker related registry keys via
 references:
 - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
 author: frack113
-date: 2021/11/15
-modified: 2022/09/09
+date: 2021-11-15
+modified: 2022-09-09
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml b/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
index e1b08e7a6d4..1af51441abb 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
@@ -6,10 +6,10 @@ references:
 - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
 - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
 author: Sreeman
-date: 2020/10/29
-modified: 2022/10/09
+date: 2020-10-29
+modified: 2022-10-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1556.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
index 8bbfb03d2fb..cf02453bef1 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
@@ -6,10 +6,10 @@ references:
 - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
 - https://redcanary.com/threat-detection-report/threats/qbot/
 author: frack113
-date: 2022/02/13
-modified: 2023/02/04
+date: 2022-02-13
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
index 2b45c02e98e..e869a89857d 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
@@ -8,10 +8,10 @@ description: Detects execution of "reg.exe" commands with the "delete" flag on s
 references:
 - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
 author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
-date: 2022/08/08
-modified: 2023/02/04
+date: 2022-08-08
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
index 6da47889b6c..b624d9c8505 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
@@ -5,10 +5,10 @@ description: Detects execution of "reg.exe" commands with the "delete" flag on s
 references:
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/02/04
+date: 2022-08-01
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
index 9bf476f1e9e..4ea1796db78 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
@@ -15,9 +15,9 @@ references:
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
 author: Stephen Lincoln @slincoln-aiq (AttackIQ)
-date: 2023/12/21
+date: 2023-12-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1112
 - attack.t1491.001
diff --git a/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml b/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
index 3876c5ffd6a..8fa6f48ae74 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
@@ -5,8 +5,8 @@ description: Detects direct modification of autostart extensibility point (ASEP)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/25
-modified: 2022/08/04
+date: 2019-10-25
+modified: 2022-08-04
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml b/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
index 3f13fb2a5ef..4af53ef910b 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
@@ -8,10 +8,10 @@ references:
 - https://vms.drweb.fr/virus/?i=24144899
 - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
 author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
-date: 2021/07/14
-modified: 2023/06/05
+date: 2021-07-14
+modified: 2023-06-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml b/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
index aa7e4c8bc40..2106467abfc 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
@@ -2,9 +2,9 @@ title: Dumping of Sensitive Hives Via Reg.EXE
 id: fd877b94-9bb5-4191-bb25-d79cbd93c167
 related:
 - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
- type: obsoletes
+ type: obsolete
 - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
 references:
@@ -14,10 +14,10 @@ references:
 - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
 author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
-date: 2019/10/22
-modified: 2023/12/13
+date: 2019-10-22
+modified: 2023-12-13
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.005
diff --git a/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml b/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml
index 58cc58c8841..419d229d13c 100755
--- a/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml
@@ -15,7 +15,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
 - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
 author: Sajid Nawaz Khan
-date: 2024/06/02
+date: 2024-06-02
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml b/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
index 75cb8e25de1..ea0e764cdce 100644
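Review bot: The index line for `proc_creation_win_reg_enable_windows_recall.yml` reads `100755`, so this rule file carries the executable bit while every other rule file in this diff is `100644`. A YAML detection rule has no reason to be executable, and since the commit already touches the file this is a cheap place to normalize it: `git update-index --chmod=-x rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml` (or `chmod -x` before staging) so the mode line becomes `100644`. The content change in the hunk itself (`date: 2024-06-02`) looks fine.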
--- a/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
 author: frack113
-date: 2021/12/20
-modified: 2022/12/25
+date: 2021-12-20
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
index d344c053e4a..bd55d92cd84 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
@@ -8,11 +8,11 @@ description: Detects the import of '.reg' files from suspicious paths using the
 references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
 author: frack113, Nasreddine Bencherchali
-date: 2022/08/01
-modified: 2023/02/05
+date: 2022-08-01
+modified: 2023-02-05
 tags:
 - attack.t1112
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
index b7d6ba43153..d07c8619071 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
@@ -12,10 +12,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
 - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
 author: frack113
-date: 2023/01/13
-modified: 2023/12/15
+date: 2023-01-13
+modified: 2023-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
index c281521a14b..88aa62516a2 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
@@ -5,10 +5,10 @@ description: Detects the usage of the "reg.exe" utility to disable PPL protectio
 references:
 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 author: Florian Roth (Nextron Systems)
-date: 2022/03/22
-modified: 2023/03/26
+date: 2022-03-22
+modified: 2023-03-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml b/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml
index 74ff0ae46e9..cebb669b616 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml
@@ -5,7 +5,7 @@ description: Use of reg to get MachineGuid information
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery
 author: frack113
-date: 2022/01/01
+date: 2022-01-01
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml b/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
index e7f262969e5..45b66c49ee1 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
@@ -8,10 +8,10 @@ description: Detect malicious GPO modifications can be used to implement many ot
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
 author: frack113
-date: 2022/08/19
+date: 2022-08-19
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1484.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
index df5e689f83d..85b3c92b64a 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
@@ -12,10 +12,10 @@ references:
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
 - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/12/15
-modified: 2023/12/22
+date: 2023-12-15
+modified: 2023-12-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_open_command.yml b/rules/windows/process_creation/proc_creation_win_reg_open_command.yml
index 2924a7eb6ee..680e38432b4 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_open_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_open_command.yml
@@ -5,10 +5,10 @@ description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registr
 references:
 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 author: frack113
-date: 2021/12/20
-modified: 2022/12/25
+date: 2021-12-20
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml b/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml
index fca6c1ed634..5acc5958978 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml
@@ -5,8 +5,8 @@ description: Detects the usage of "reg.exe" in order to query reconnaissance inf
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2023/02/05
+date: 2019-10-21
+modified: 2023-02-05
 tags:
 - attack.discovery
 - attack.t1012
diff --git a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
index f0832d4b268..80c6c555254 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
@@ -5,11 +5,11 @@ description: Detects the execution of "reg.exe" for enabling/disabling the RDP s
 references:
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
-date: 2022/02/12
-modified: 2023/02/05
+date: 2022-02-12
+modified: 2023-02-05
 tags:
- - attack.defense_evasion
- - attack.lateral_movement
+ - attack.defense-evasion
+ - attack.lateral-movement
 - attack.t1021.001
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml b/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
index 37589818048..b16ba1acd5a 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
 - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
 author: frack113
-date: 2021/08/19
-modified: 2022/06/02
+date: 2021-08-19
+modified: 2022-06-02
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
index 069650e57e8..aa688ab7009 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
 author: frack113
-date: 2021/12/30
-modified: 2024/03/13
+date: 2021-12-30
+modified: 2024-03-13
 tags:
 - attack.persistence
 - attack.t1574.011
diff --git a/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml b/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml
index 47394ec8c04..b7beb2ceb89 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml
@@ -9,8 +9,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
 - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
 author: Nikita Nazarov, oscd.community
-date: 2020/10/16
-modified: 2022/10/09
+date: 2020-10-16
+modified: 2022-10-09
 tags:
 - attack.discovery
 - attack.t1518
diff --git a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
index f5530768c25..f07bd00e776 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
-modified: 2022/10/10
+date: 2022-08-19
+modified: 2022-10-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 - attack.t1562.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml b/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
index 0a26512174c..ce0555afae7 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
@@ -5,10 +5,10 @@ description: Detects commands that temporarily turn off Volume Snapshots
 references:
 - https://twitter.com/0gtweet/status/1354766164166115331
 author: Florian Roth (Nextron Systems)
-date: 2021/01/28
-modified: 2023/12/15
+date: 2021-01-28
+modified: 2023-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
index c0887bc7d13..0454906c711 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/swagkarna/Defeat-Defender-V1.2.0
 - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
 author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/03/22
-modified: 2023/06/05
+date: 2022-03-22
+modified: 2023-06-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
index 1ecfad9f274..495207ebd12 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
 author: Sreeman
-date: 2021/06/11
-modified: 2024/01/18
+date: 2021-06-11
+modified: 2024-01-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
index fa1c2a5ea67..f57026d73ad 100644
--- a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
@@ -10,9 +10,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
 - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/13
+date: 2023-02-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.009
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
index 55e0dc86a27..6d05c27a462 100644
--- a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
@@ -10,10 +10,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
 - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/25
-modified: 2023/02/13
+date: 2022-08-25
+modified: 2023-02-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.009
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml
index 8d370f3f18d..4efc9fe11b8 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml
@@ -9,8 +9,8 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Oddvar Moe, Sander Wiebing, oscd.community
-date: 2020/10/12
-modified: 2024/03/13
+date: 2020-10-12
+modified: 2024-03-13
 tags:
 - attack.exfiltration
 - attack.t1012
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml
index b7ba692b4b2..4be669eb8cc 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml
@@ -9,8 +9,8 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Oddvar Moe, Sander Wiebing, oscd.community
-date: 2020/10/07
-modified: 2024/03/13
+date: 2020-10-07
+modified: 2024-03-13
 tags:
 - attack.exfiltration
 - attack.t1012
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
index c8c2aad9590..3fdee181efe 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
@@ -9,11 +9,11 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Oddvar Moe, Sander Wiebing, oscd.community
-date: 2020/10/07
-modified: 2024/03/13
+date: 2020-10-07
+modified: 2024-03-13
 tags:
 - attack.t1112
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
index bf63c18f998..f7fa00e5e31 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
@@ -9,11 +9,11 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Oddvar Moe, Sander Wiebing, oscd.community
-date: 2020/10/12
-modified: 2024/03/13
+date: 2020-10-12
+modified: 2024-03-13
 tags:
 - attack.t1112
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml b/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
index 086e7d4e7e1..983759d1bb3 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
@@ -5,10 +5,10 @@ description: Detects a regedit started with TrustedInstaller privileges or by Pr
 references:
 - https://twitter.com/1kwpeter/status/1397816101455765504
 author: Florian Roth (Nextron Systems)
-date: 2021/05/27
-modified: 2022/10/09
+date: 2021-05-27
+modified: 2022-10-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
index ab6d822d948..8be1f4f7b2e 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
@@ -10,11 +10,11 @@ references:
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
 author: Eli Salem, Sander Wiebing, oscd.community
-date: 2020/10/12
-modified: 2023/02/08
+date: 2020-10-12
+modified: 2023-02-08
 tags:
 - attack.t1112
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regini_execution.yml b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
index 26f46d98f00..21b40aacf7b 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
@@ -10,11 +10,11 @@ references:
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
 author: Eli Salem, Sander Wiebing, oscd.community
-date: 2020/10/08
-modified: 2023/02/08
+date: 2020-10-08
+modified: 2023-02-08
 tags:
 - attack.t1112
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml b/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
index 80444710316..4d37473fba9 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/PhilipTsukerman/status/992021361106268161
 - https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
 author: Ivan Dyachkov, Yulia Fomina, oscd.community
-date: 2020/10/07
-modified: 2021/11/27
+date: 2020-10-07
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml b/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
index 3e925557675..0ac71d47ef8 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
@@ -11,9 +11,9 @@ references:
 - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
 - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/20
+date: 2022-06-20
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
index 0a8231ab477..aea746113c8 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
@@ -12,10 +12,10 @@ references:
 - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
 - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/05
+date: 2023-09-05
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml
index 95d4083ac3b..e7e4e72f0b7 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml
@@ -6,11 +6,11 @@ references:
 - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2019/09/06
-modified: 2022/08/06
+date: 2019-09-06
+modified: 2022-08-06
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
index dd6ed188311..f194259c9f7 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
@@ -8,8 +8,8 @@ description: Detects the addition of a new LogonScript to the registry value "Us
 references:
 - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
 author: Tom Ueltschi (@c_APT_ure)
-date: 2019/01/12
-modified: 2023/06/09
+date: 2019-01-12
+modified: 2023-06-09
 tags:
 - attack.persistence
 - attack.t1037.001
diff --git a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
index 8de386c8e15..053f0ef34ab 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
@@ -9,10 +9,10 @@ references:
 - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
 - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/23
-modified: 2023/02/02
+date: 2022-08-23
+modified: 2023-02-02
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
index 995d61d3669..df0524ed9c2 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
@@ -6,10 +6,10 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
 author: Teymur Kheirkhabarov
-date: 2019/10/26
-modified: 2023/01/30
+date: 2019-10-26
+modified: 2023-01-30
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.011
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
index 761f9f9d8cd..69dd19d83a1 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
@@ -13,9 +13,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
 - https://twitter.com/0gtweet/status/1674399582162153472
 author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-date: 2023/08/08
+date: 2023-08-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
index e2ae3a66488..1ee3cd6dd4c 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
@@ -12,9 +12,9 @@ description: Detects changes to the PowerShell execution policy registry key in
 references:
     - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
+date: 2023-01-11
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml b/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml
index 3cfc73271b0..069efe2ceb3 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/dez_/status/1560101453150257154
     - https://forensafe.com/blogs/typedpaths.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/22
+date: 2022-08-22
 tags:
     - attack.persistence
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
index 593f9d0ec2e..e0a2546f48d 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
@@ -5,10 +5,10 @@ description: Detects a potential command line flag anomaly related to "regsvr32"
 references:
     - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
 author: Florian Roth (Nextron Systems)
-date: 2019/07/13
-modified: 2024/03/13
+date: 2019-07-13
+modified: 2024-03-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
index 397ae87bcd9..e68d4df0e74 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
@@ -7,10 +7,10 @@ references:
     - https://twitter.com/tccontre18/status/1480950986650832903
     - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/11
-modified: 2023/05/24
+date: 2022-01-11
+modified: 2023-05-24
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
index 2a99c64e6cd..af1bcb191d7 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
@@ -2,7 +2,7 @@ title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
 id: 867356ee-9352-41c9-a8f2-1be690d78216
 related:
     - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
 references:
@@ -10,10 +10,10 @@ references:
     - https://twitter.com/tccontre18/status/1480950986650832903
     - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
 author: Florian Roth (Nextron Systems)
-date: 2023/05/24
-modified: 2023/05/26
+date: 2023-05-24
+modified: 2023-05-26
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml
index 81bb6023c6d..c1626055721 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml
@@ -5,9 +5,9 @@ description: Detects REGSVR32.exe to execute DLL hosted on remote shares
 references:
     - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/31
+date: 2022-10-31
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
index 27463a9d971..ba846ced3b7 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
@@ -2,7 +2,7 @@ title: Potentially Suspicious Child Process Of Regsvr32
 id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
 related:
     - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects potentially suspicious child processes of "regsvr32.exe".
 references:
@@ -10,10 +10,10 @@ references:
     - https://www.echotrail.io/insights/search/regsvr32.exe
     - https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo
 author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/05
-modified: 2023/05/26
+date: 2022-05-05
+modified: 2023-05-26
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
index 75dcf5b0a21..9c285592ff5 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
@@ -2,16 +2,16 @@ title: Regsvr32 Execution From Potential Suspicious Location
 id: 9525dc73-0327-438c-8c04-13c0e037e9da
 related:
     - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
 references:
     - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
     - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/26
+date: 2023-05-26
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
index 7cf9cc245d8..2b4071b6314 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
@@ -5,9 +5,9 @@ description: Detects execution of regsvr32 where the DLL is located in a highly
 references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/26
+date: 2023-05-26
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
index 30f7c594b67..60c5689e835 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
@@ -2,7 +2,7 @@ title: Regsvr32 DLL Execution With Suspicious File Extension
 id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
 related:
     - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
 references:
@@ -10,10 +10,10 @@ references:
     - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
     - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
 author: Florian Roth (Nextron Systems), frack113
-date: 2021/11/29
-modified: 2023/05/24
+date: 2021-11-29
+modified: 2023-05-24
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
index ccd0f9a82d5..b7021462fe7 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
@@ -2,16 +2,16 @@ title: Scripting/CommandLine Process Spawned Regsvr32
 id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
 related:
     - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
 references:
     - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
     - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/26
+date: 2023-05-26
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
index bae2dcf8f27..85799d495e8 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
@@ -5,10 +5,10 @@ description: Detects a "regsvr32" execution where the DLL doesn't contain a comm
 references:
     - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth (Nextron Systems)
-date: 2019/07/17
-modified: 2023/05/24
+date: 2019-07-17
+modified: 2023-05-24
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1574
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
index e7fbbab376c..6e2b3457b02 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
@@ -11,10 +11,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: frack113
-date: 2022/02/11
-modified: 2023/03/05
+date: 2022-02-11
+modified: 2023-03-05
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
index d68f2966146..8a870c0ebae 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
@@ -5,10 +5,10 @@ description: Detects piping the password to an anydesk instance via CMD and the
 references:
     - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/28
-modified: 2023/03/05
+date: 2022-09-28
+modified: 2023-03-05
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml
index 4d59ef141e8..0234458bf40 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml
@@ -10,10 +10,10 @@ references:
     - https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
     - https://anydesk.com/en/changelog/windows
 author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/08
+date: 2024-02-08
 tags:
     - attack.execution
-    - attack.initial_access
+    - attack.initial-access
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
index c81e38b3197..07109aad8b3 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
@@ -6,10 +6,10 @@ references:
     - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
     - https://support.anydesk.com/Automatic_Deployment
 author: Ján Trenčanský
-date: 2021/08/06
-modified: 2023/03/05
+date: 2021-08-06
+modified: 2023-03-05
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
index a6b1a9e8979..f84a8528335 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
@@ -11,10 +11,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: Florian Roth (Nextron Systems)
-date: 2022/05/20
-modified: 2023/03/05
+date: 2022-05-20
+modified: 2023-03-05
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
index b2f9584c5d4..c60e56527fd 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
@@ -8,10 +8,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
 author: frack113
-date: 2022/02/13
-modified: 2023/03/05
+date: 2022-02-13
+modified: 2023-03-05
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml
index 9ceff0a9f1c..0e331ced803 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml
@@ -8,10 +8,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
 author: frack113
-date: 2022/02/11
-modified: 2023/03/05
+date: 2022-02-11
+modified: 2023-03-05
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
index 841c1dbb3c2..5610ff2a304 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
@@ -8,10 +8,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
 author: frack113
-date: 2022/09/25
-modified: 2023/03/06
+date: 2022-09-25
+modified: 2023-03-06
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
index 16b03b2601b..88b2be2998d 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
@@ -5,10 +5,10 @@ description: Detects execution of client32.exe (NetSupport RAT) from an unusual
 references:
     - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/19
-modified: 2023/03/05
+date: 2022-09-19
+modified: 2023-03-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
index bc177acf66b..7ef274cfa8d 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
@@ -5,10 +5,10 @@ description: Detects execution of Remote Utilities RAT (RURAT) from an unusual l
 references:
     - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/19
-modified: 2023/03/05
+date: 2022-09-19
+modified: 2023-03-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml
index ac346dceb7a..5837ee40a57 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml
@@ -8,10 +8,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
 author: frack113
-date: 2022/02/13
-modified: 2023/03/05
+date: 2022-02-13
+modified: 2023-03-05
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
index 57e16a502c6..6a823017d89 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
@@ -5,10 +5,10 @@ description: Detects ScreenConnect program starts that establish a remote access
 references:
     - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
 author: Florian Roth (Nextron Systems)
-date: 2021/02/11
-modified: 2024/02/26
+date: 2021-02-11
+modified: 2024-02-26
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1133
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml
index 51c9c4131ba..ebe5cec977c 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml
@@ -5,8 +5,8 @@ description: Detects the execution of a system command via the ScreenConnect RMM
 references:
     - https://github.com/SigmaHQ/sigma/pull/4467
 author: Ali Alwashali
-date: 2023/10/10
-modified: 2024/02/26
+date: 2023-10-10
+modified: 2024-02-26
 tags:
     - attack.execution
     - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
index 1c061482c80..1ffeab35c50 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
@@ -12,10 +12,10 @@ references:
     - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
     - https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
-date: 2022/02/25
-modified: 2024/02/28
+date: 2022-02-25
+modified: 2024-02-28
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml
index fc679f3c2a1..4c96eab5ac8 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml
@@ -6,9 +6,9 @@ references:
     - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
     - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
 author: Jason Rathbun (Blackpoint Cyber)
-date: 2024/02/26
+date: 2024-02-26
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml
index 97d5a7c1a1f..f5ae7a5751b 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml
@@ -8,9 +8,9 @@ description: |
 references:
     - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/23
+date: 2024-02-23
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
index a7cd2f6c88c..4eb010662e1 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
@@ -12,9 +12,9 @@ description: |
 references:
     - Internal Research
 author: Josh Nickels, Qi Nan
-date: 2024/03/11
+date: 2024-03-11
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1133
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml
index 7f90c85f278..6ac2605033a 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml
@@ -8,10 +8,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
 author: frack113
-date: 2022/09/25
-modified: 2024/03/14
+date: 2022-09-25
+modified: 2024-03-14
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml b/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml
index 08ae7a4f517..db3c5946e40 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml
@@ -6,8 +6,8 @@ references:
     - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2022/06/28
+date: 2019-10-24
+modified: 2022-06-28
 tags:
     - attack.discovery
     - attack.t1124
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
index 32f9cacad26..ea6b2b07db3 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
@@ -10,8 +10,8 @@ references:
     - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
     - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
 author: Florian Roth (Nextron Systems)
-date: 2022/08/21
-modified: 2023/02/14
+date: 2022-08-21
+modified: 2023-02-14
 tags:
     - attack.discovery
     - attack.t1018
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml b/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml
index e068c073e06..7163fc610e1 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml
@@ -6,9 +6,9 @@ references:
     - https://www.autohotkey.com/download/
     - https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
 author: Nasreddine Bencherchali
-date: 2023/02/07
+date: 2023-02-07
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
index 2d9869469d7..71266141e31 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
@@ -9,10 +9,10 @@ references:
     - https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w
     - https://www.autoitscript.com/site/
 author: Florian Roth (Nextron Systems)
-date: 2023/06/04
-modified: 2023/09/19
+date: 2023-06-04
+modified: 2023-09-19
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
index 34fcffbb018..41aa02ba41b 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
@@ -10,10 +10,10 @@ references:
     - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
     - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
 author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
-date: 2019/06/15
-modified: 2023/01/18
+date: 2019-06-15
+modified: 2023-01-18
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1036.003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
index a6b3309b97b..f433daa459e 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -6,11 +6,11 @@ related:
     - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
       type: derived
     - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
-      type: obsoletes
+      type: obsolete
     - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
-      type: obsoletes
+      type: obsolete
     - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
 references:
@@ -20,10 +20,10 @@ references:
 - https://twitter.com/christophetd/status/1164506034720952320
 - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
 author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
-date: 2019/06/15
-modified: 2023/08/23
+date: 2019-06-15
+modified: 2023-08-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 - car.2013-05-009
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml b/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
index 95f36cdf4fc..8cef6284752 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
@@ -7,9 +7,9 @@ references:
 - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
 author: Matt Anderson (Huntress)
-date: 2024/07/23
+date: 2024-07-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
index a0e5762c2b4..6e3be93cf67 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
@@ -5,8 +5,8 @@ description: Detects process creation with a renamed BrowserCore.exe (used to ex
 references:
 - https://twitter.com/mariuszbit/status/1531631015139102720
 author: Max Altgelt (Nextron Systems)
-date: 2022/06/02
-modified: 2023/02/03
+date: 2022-06-02
+modified: 2023-02-03
 tags:
 - attack.t1528
 - attack.t1036.003
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml b/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml
index ed52ec7a261..90b12f0ee3a 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml
@@ -9,10 +9,10 @@ references:
 - https://www.intrinsec.com/akira_ransomware/
 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.001
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/12/20
+date: 2023-12-20
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
index 2b3be1eb6cc..99bbf9453bd 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
@@ -9,10 +9,10 @@ references:
 - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
 - https://twitter.com/bopin2020/status/1366400799199272960
 author: Florian Roth (Nextron Systems)
-date: 2022/09/20
-modified: 2023/02/14
+date: 2022-09-20
+modified: 2023-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
index 4690f440adb..6d964cf0fa6 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
@@ -5,12 +5,12 @@ description: Detects the execution of a renamed "CURL.exe" binary based on the P
 references:
 - https://twitter.com/Kostastsale/status/1700965142828290260
 author: X__Junior (Nextron Systems)
-date: 2023/09/11
-modified: 2023/10/12
+date: 2023-09-11
+modified: 2023-10-12
 tags:
 - attack.execution
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
index ce446ab8b1e..f8d82f84a49 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/gN3mes1s/status/1222095963789111296
 - https://twitter.com/gN3mes1s/status/1222095371175911424
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/01/28
-modified: 2024/04/22
+date: 2020-01-28
+modified: 2024-04-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1055.001
 - attack.t1202
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml b/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml
index edfda885f64..b670315e1ab 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml
@@ -5,12 +5,12 @@ description: Detects the execution of a renamed "ftp.exe" binary based on the PE
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
 author: Victor Sergeev, oscd.community
-date: 2020/10/09
-modified: 2023/02/03
+date: 2020-10-09
+modified: 2023-02-03
 tags:
 - attack.execution
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml
index 08b10c7459f..6bba496c088 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml
@@ -5,7 +5,7 @@ description: Detects the execution of a renamed "gpg.exe". Often used by ransomw
 references:
 - https://securelist.com/locked-out/68960/
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2023/08/09
+date: 2023-08-09
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
index f1b4c61cb8a..7150ee30f8c 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
@@ -5,11 +5,11 @@ description: Detects the execution of a renamed "jusched.exe" as seen used by th
 references:
 - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
 author: Markus Neis, Swisscom
-date: 2019/06/04
-modified: 2023/02/03
+date: 2019-06-04
+modified: 2023-02-03
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
index c4c13d98d6d..858a13222b2 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
@@ -12,11 +12,11 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/3742
 - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
 author: frack113, Florian Roth
-date: 2022/12/05
-modified: 2023/02/03
+date: 2022-12-05
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055.001
 - attack.t1218.013
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml b/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
index 70520a07e0f..188232b830e 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
@@ -5,10 +5,10 @@ description: Detects the execution of a renamed MegaSync.exe as seen used by ran
 references:
 - https://redcanary.com/blog/rclone-mega-extortion/
 author: Sittikorn S
-date: 2021/06/22
-modified: 2023/02/03
+date: 2021-06-22
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
index 6a5c90b2890..9979e1358e4 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
@@ -5,10 +5,10 @@ description: Detects the execution of a renamed "Msdt.exe" binary
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
 author: pH-T (Nextron Systems)
-date: 2022/06/03
-modified: 2023/02/03
+date: 2022-06-03
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml b/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
index 79af7acae31..c72c7ddbcc6 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
@@ -5,9 +5,9 @@ description: Detects the execution of a renamed Microsoft Teams binary.
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/12
+date: 2024-07-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
index 48ae4e590f3..b0ac2fd5ddf 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
@@ -5,10 +5,10 @@ description: Detects the execution of a renamed "client32.exe" (NetSupport RAT)
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/19
-modified: 2023/02/04
+date: 2022-09-19
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml b/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
index c37b5c87177..521f4e2b549 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
@@ -6,11 +6,11 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 - https://www.nirsoft.net/utils/nircmd.html
 author: X__Junior (Nextron Systems)
-date: 2024/03/11
+date: 2024-03-11
 tags:
 - attack.execution
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
index 4189681c7e0..c14b35c2915 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
@@ -5,10 +5,10 @@ description: Detects the execution of a renamed office binary
 references:
 - https://infosec.exchange/@sbousseaden/109542254124022664
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/20
-modified: 2023/11/13
+date: 2022-12-20
+modified: 2023-11-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
index f5c57dd4177..0866f475618 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
@@ -2,17 +2,17 @@ title: Renamed PAExec Execution
 id: c4e49831-1496-40cf-8ce1-b53f942b02f9
 related:
 - id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects execution of renamed version of PAExec. Often used by attackers
 references:
 - https://www.poweradmin.com/paexec/
 - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
 author: Florian Roth (Nextron Systems), Jason Lynch
-date: 2021/05/22
-modified: 2023/02/14
+date: 2021-05-22
+modified: 2023-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml b/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml
index 00d3989d232..b58cd356b22 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml
@@ -6,11 +6,11 @@ references:
 - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
 - https://www.pingcastle.com/documentation/scanner/
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2024/01/11
+date: 2024-01-11
 tags:
 - attack.execution
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
index 6a4d5a33ecc..500a515554a 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
@@ -6,10 +6,10 @@ references:
 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
 - https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/06
-modified: 2023/02/03
+date: 2022-06-06
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml b/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
index 0523888adb5..721d9c4cfb8 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/mrd0x/status/1463526834918854661
 - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
 author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2023/04/11
+date: 2023-04-11
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
index 6667dda49ca..cdf33910fb9 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
@@ -9,8 +9,8 @@ references:
 - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
 - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/22
-modified: 2023/02/03
+date: 2022-08-22
+modified: 2023-02-03
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
index f1e541c2eb4..218c4ae45bb 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
@@ -5,12 +5,12 @@ description: Detects execution of renamed Remote Utilities (RURAT) via Product P
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/19
-modified: 2023/02/03
+date: 2022-09-19
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.collection
- - attack.command_and_control
+ - attack.command-and-control
 - attack.discovery
 - attack.s0592
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml
index 230c1dcaff5..413a7c4bf47 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml
@@ -5,10 +5,10 @@ description: Detects suspicious renamed SysInternals DebugView execution
 references:
 - https://www.epicturla.com/blog/sysinturla
 author: Florian Roth (Nextron Systems)
-date: 2020/05/28
-modified: 2023/02/14
+date: 2020-05-28
+modified: 2023-02-14
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
index d7e4d89611c..0fca0d71ed6 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
@@ -2,7 +2,7 @@ title: Renamed ProcDump Execution
 id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
 related:
 - id: 03795938-1387-481b-9f4c-3f6241e604fe
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects the execution of a renamed ProcDump executable.
@@ -10,10 +10,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2019/11/18
-modified: 2024/06/25
+date: 2019-11-18
+modified: 2024-06-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml
index e814035242e..15d669e03db 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml
@@ -6,7 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
 - https://www.youtube.com/watch?v=ro2QuZTIMBM
 author: Florian Roth (Nextron Systems)
-date: 2022/07/21
+date: 2022-07-21
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
index 2b0f5e0e71a..fd5a4a37352 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
 author: Florian Roth (Nextron Systems)
-date: 2022/09/06
-modified: 2023/02/03
+date: 2022-09-06
+modified: 2023-02-03
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
index c598023335a..920651f3c29 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
@@ -5,10 +5,10 @@ description: Detects renamed vmnat.exe or portable version that can be used for
 references:
 - https://twitter.com/malmoeb/status/1525901219247845376
 author: elhoim
-date: 2022/09/09
-modified: 2023/02/03
+date: 2022-09-09
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml b/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
index 846719a0bab..df91c1b5b41 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
@@ -6,8 +6,8 @@ references:
 - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
 - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 author: Florian Roth (Nextron Systems)
-date: 2021/08/12
-modified: 2022/10/09
+date: 2021-08-12
+modified: 2022-10-09
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml b/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml
index d3b3c1f28ac..ba3c0d550cb 100644
--- a/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml
+++ b/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml
@@ -8,10 +8,10 @@ references:
 - https://twitter.com/vysecurity/status/873181705024266241
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
 author: Julia Fomina, oscd.community
-date: 2020/10/09
-modified: 2024/03/13
+date: 2020-10-09
+modified: 2024-03-13
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
index bed8d924152..8cd96803917 100644
--- a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/02
+date: 2023-01-02
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
index 83308c35ac9..46057d26d57 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
@@ -5,10 +5,10 @@ description: Detects execution of rundll32 where the DLL being called is stored
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Rundll32
 author: Harjot Singh, '@cyb3rjy0t'
-date: 2023/01/21
-modified: 2023/02/08
+date: 2023-01-21
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
index 811448ab2b6..4b2b4647db0 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/Hexacorn/status/1224848930795552769
 - http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/17
+date: 2023-05-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml b/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
index 2815cf47fe9..df306b41dfb 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
@@ -5,10 +5,10 @@ description: Detects suspicious process related to rundll32 based on command lin
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 author: Florian Roth (Nextron Systems)
-date: 2021/03/05
-modified: 2022/10/09
+date: 2021-03-05
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml b/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
index 5aec1b61aeb..a65e79cc426 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
@@ -6,11 +6,11 @@ references:
 - https://lolbas-project.github.io/lolbas/Libraries/Desk/
 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'
-date: 2022/04/28
-modified: 2023/02/09
+date: 2022-04-28
+modified: 2023-02-09
 tags:
 - attack.t1218.011
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml b/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
index d549c8c3505..e448d62af92 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
@@ -5,10 +5,10 @@ description: Detects the invocation of the Stored User Names and Passwords dialo
 references:
 - https://twitter.com/NinjaParanoid/status/1516442028963659777
 author: Florian Roth (Nextron Systems)
-date: 2022/04/21
-modified: 2023/02/09
+date: 2022-04-21
+modified: 2023-02-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
index 8463d845919..d2b0e789699 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
@@ -2,9 +2,9 @@ title: Mshtml.DLL RunHTMLApplication Suspicious Usage
 id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
 related:
 - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
- type: obsoletes
+ type: obsolete
 - id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
@@ -13,10 +13,10 @@ references:
 - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
 - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
 author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
-date: 2022/08/14
-modified: 2024/02/23
+date: 2022-08-14
+modified: 2024-02-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml
index 39893387247..44da78da8ed 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml
@@ -6,10 +6,10 @@ references:
 - https://www.cobaltstrike.com/help-opsec
 - https://twitter.com/ber_m1ng/status/1397948048135778309
 author: Florian Roth (Nextron Systems)
-date: 2021/05/27
-modified: 2023/08/31
+date: 2021-05-27
+modified: 2023-08-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml b/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml
index 31db732deb7..3bbc732a204 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/med0x2e/status/1520402518685200384
 - https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
 author: Elastic (idea), Tobias Michalski (Nextron Systems)
-date: 2022/05/04
-modified: 2023/02/09
+date: 2022-05-04
+modified: 2023-02-09
 tags:
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.t1212
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
index 3209b188dd0..66bba5cd557 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
@@ -5,9 +5,9 @@ description: Detects execution of "rundll32" with potential obfuscated ordinal c
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/17
+date: 2023-05-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index ed28458bb19..0a3227f928a 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -6,10 +6,10 @@ references:
 - https://redcanary.com/blog/raspberry-robin/
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: CD_ROM_
-date: 2022/05/21
-modified: 2023/08/31
+date: 2022-05-21
+modified: 2023-08-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml b/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
index ec88f600212..714815aae05 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
@@ -2,7 +2,7 @@ title: Process Memory Dump Via Comsvcs.DLL
 id: 646ea171-dded-4578-8a4d-65e9822892e3
 related:
 - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
 references:
@@ -14,11 +14,11 @@ references:
- https://twitter.com/Wietze/status/1542107456507203586
- https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/02/18
-modified: 2023/05/16
+date: 2020-02-18
+modified: 2023-05-16
tags:
- - attack.defense_evasion
- - attack.credential_access
+ - attack.defense-evasion
+ - attack.credential-access
- attack.t1036
- attack.t1003.001
- car.2013-05-009
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml b/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml
index 1b11880b0bd..737d8f360cd 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml
@@ -6,10 +6,10 @@ references:
- https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md
author: frack113
-date: 2022/02/13
-modified: 2023/02/09
+date: 2022-02-13
+modified: 2023-02-09
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.persistence
- attack.t1546.015
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml b/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml
index a5779948770..2e19639032c 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml
@@ -5,10 +5,10 @@ description: Detects suspicious process run from unusual locations
references:
- https://car.mitre.org/wiki/CAR-2013-05-002
author: juju4, Jonhnathan Ribeiro, oscd.community
-date: 2019/01/16
-modified: 2022/01/07
+date: 2019-01-16
+modified: 2022-01-07
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1036
- car.2013-05-002
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml
index e3c6d5a9d61..45842f26116 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml
@@ -8,10 +8,10 @@ references:
- https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
- https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
author: Konstantin Grishchenko, oscd.community
-date: 2020/10/07
-modified: 2021/11/27
+date: 2020-10-07
+modified: 2021-11-27
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218.011
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml
index 9ea945925ab..fc7dfe938d1 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml
@@ -5,10 +5,10 @@ description: Detects shell32.dll executing a DLL in a suspicious directory
references:
- https://www.group-ib.com/resources/threat-research/red-curl-2.html
author: Christian Burkard (Nextron Systems)
-date: 2021/11/24
-modified: 2023/02/09
+date: 2021-11-24
+modified: 2023-02-09
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.execution
- attack.t1218.011
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
index cdec3852b05..e64616f6742 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
@@ -5,10 +5,10 @@ description: Detects potential "ShellDispatch.dll" functionality abuse to execut
references:
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
author: X__Junior (Nextron Systems)
-date: 2023/06/20
+date: 2023-06-20
tags:
- attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml
index 9f195446fd8..d9a6b8cb895 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml
@@ -5,10 +5,10 @@ description: Detects RunDLL32.exe spawning explorer.exe as child, which is very
references:
- https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim, CD_ROM_
-date: 2022/04/27
-modified: 2022/05/25
+date: 2022-04-27
+modified: 2022-05-25
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218.011
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
index 16a2909e886..6cfa9d4abfe 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
@@ -10,10 +10,10 @@ references:
- https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib
- https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen
author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/01/16
-modified: 2023/05/17
+date: 2019-01-16
+modified: 2023-05-17
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218.011
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml
index dbad3a4bbd0..03b843879d2 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml
@@ -6,10 +6,10 @@ references:
- https://twitter.com/rikvduijn/status/853251879320662017
- https://twitter.com/felixw3000/status/853354851128025088
author: Florian Roth (Nextron Systems)
-date: 2017/04/15
-modified: 2023/02/09
+date: 2017-04-15
+modified: 2023-02-09
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218.011
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml
index 84403e8320d..2795efa6d83 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml
@@ -8,9 +8,9 @@ description: Detects the execution of Rundll32.exe with DLL files masquerading a
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
-date: 2023/03/13
+date: 2023-03-13
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218.011
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml
index 90b7cac650e..c71a44c8330 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml
@@ -2,7 +2,7 @@ title: Suspicious Usage Of ShellExec_RunDLL
id: d87bd452-6da1-456e-8155-7dc988157b7d
related:
- id: 36c5146c-d127-4f85-8e21-01bf62355d5a
- type: obsoletes
+ type: obsolete
status: test
description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
references:
@@ -10,10 +10,10 @@ references:
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
- https://github.com/SigmaHQ/sigma/issues/1009
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/01
-modified: 2022/12/30
+date: 2022-09-01
+modified: 2022-12-30
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
index 5976aefcbb7..5a0ec908dcf 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
@@ -5,9 +5,9 @@ description: Detects actions that clear the local ShimCache and remove forensic
references:
- https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
author: Florian Roth (Nextron Systems)
-date: 2021/02/01
+date: 2021-02-01
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1112
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml b/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml
index b3ca0324b89..7e27c3ab3f5 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml
@@ -5,10 +5,10 @@ description: Detects suspicious process related to rundll32 based on command lin
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
-date: 2021/03/05
-modified: 2022/10/09
+date: 2021-03-05
+modified: 2022-10-09
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218.011
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
index 82dad4c3730..de471832217 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
@@ -5,9 +5,9 @@ description: Detects rundll32 execution where the DLL is located on a remote loc
references:
- https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/10
+date: 2022-08-10
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.execution
- attack.t1021.002
- attack.t1218.011
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
index 26141b85ef4..a349f84d3a2 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
@@ -5,10 +5,10 @@ description: Detects the execution of rundll32 with a command line that doesn't
references:
- https://twitter.com/mrd0x/status/1481630810495139841?s=12
author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
-date: 2022/01/13
-modified: 2024/04/04
+date: 2022-01-13
+modified: 2024-04-04
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218.011
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml b/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
index 20439b6b8fa..87fd88589fc 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
@@ -5,10 +5,10 @@ description: Detects a suspicious call to the user32.dll function that locks the
references:
- https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/
author: frack113
-date: 2022/06/04
-modified: 2023/02/09
+date: 2022-06-04
+modified: 2023-02-09
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml
index 3757fd550f9..ed71d8d6649 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml
@@ -8,8 +8,8 @@ references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/17
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/09/18
+date: 2020-05-02
+modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1048.003
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml
index 610c2e6f2e0..fe715de8131 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml
@@ -10,12 +10,12 @@ references:
- https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2023/03/16
-modified: 2023/09/18
+date: 2023-03-16
+modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1048.003
- - cve.2023.23397
+ - cve.2023-23397
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml b/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml
index 9cc95b794be..bd17411de6e 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml
@@ -5,10 +5,10 @@ description: Detects rundll32 execution without parameters as observed when runn
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
-date: 2021/01/31
-modified: 2023/02/28
+date: 2021-01-31
+modified: 2023-02-28
tags:
- - attack.lateral_movement
+ - attack.lateral-movement
- attack.t1021.002
- attack.t1570
- attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
index 61195b186f1..06388ff4750 100644
--- a/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
@@ -7,10 +7,10 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Runonce/
- https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)'
-date: 2020/10/18
-modified: 2022/12/13
+date: 2020-10-18
+modified: 2022-12-13
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1112
logsource:
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
index 468c0e742ad..1d3ea3bd064 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
@@ -6,12 +6,12 @@ references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://pentestlab.blog/2017/03/30/weak-service-permissions/
author: Teymur Kheirkhabarov
-date: 2019/10/26
-modified: 2022/07/14
+date: 2019-10-26
+modified: 2022-07-14
tags:
- attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
- attack.t1574.011
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sc_create_service.yml b/rules/windows/process_creation/proc_creation_win_sc_create_service.yml
index 02ba32dc579..c17957472a9 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_create_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_create_service.yml
@@ -8,10 +8,10 @@ description: Detects the creation of a new service using the "sc.exe" utility.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-date: 2023/02/20
+date: 2023-02-20
tags:
- attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml b/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml
index f744201a645..df12c69966d 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml
@@ -5,11 +5,11 @@ description: Detect the use of "sc.exe" to change the startup type of a service
references:
- https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/03/04
+date: 2022-08-01
+modified: 2023-03-04
tags:
- attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562.001
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml b/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml
index 8aec61d5a9d..8715341d6fa 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml
@@ -5,11 +5,11 @@ description: Detects creation of a new service (kernel driver) with the type "ke
references:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/14
-modified: 2022/08/08
+date: 2022-07-14
+modified: 2022-08-08
tags:
- attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml
index 565e70fbe28..7ecfdb1441c 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml
@@ -8,7 +8,7 @@ references:
- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
- https://pentestlab.blog/tag/svchost/
author: Swachchhanda Shrawan Poudel
-date: 2024/02/12
+date: 2024-02-12
tags:
- attack.t1003
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
index 6d13dddb245..f8d48321fd3 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
@@ -10,7 +10,7 @@ references:
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
- https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/28
+date: 2023-02-28
tags:
- attack.persistence
- attack.t1543.003
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml
index 435c827bea6..d10b3de7cf2 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml
@@ -12,8 +12,8 @@ references:
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
- https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
author: Jonhnathan Ribeiro, oscd.community
-date: 2020/10/16
-modified: 2023/02/28
+date: 2020-10-16
+modified: 2023-02-28
tags:
- attack.persistence
- attack.t1543.003
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml
index 55e2f88be8f..b1261f9c6a6 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml
@@ -13,12 +13,12 @@ references:
- https://twitter.com/Alh4zr3d/status/1580925761996828672
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: Andreas Hunkeler (@Karneades)
-date: 2021/12/20
-modified: 2022/08/08
+date: 2021-12-20
+modified: 2022-08-08
tags:
- attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
- attack.t1574.011
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml
index a840e37eb96..08a56a06d45 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml
@@ -14,11 +14,11 @@ references:
- https://twitter.com/0gtweet/status/1628720819537936386
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/28
+date: 2023-02-28
tags:
- attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
- attack.t1574.011
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml b/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml
index 6d2a8dc5831..613afbacba9 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml
@@ -6,11 +6,11 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/21
-modified: 2022/11/18
+date: 2019-10-21
+modified: 2022-11-18
tags:
- attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
index 8f47c4a0012..b2c29769fbb 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
@@ -5,8 +5,8 @@ description: Detects the modification of an existing service in order to execute
references:
- https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
author: Sreeman
-date: 2020/09/29
-modified: 2023/02/04
+date: 2020-09-29
+modified: 2023-02-04
tags:
- attack.persistence
- attack.t1543.003
diff --git a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml
index 021b959aea8..0c541cb7237 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml
@@ -2,14 +2,14 @@ title: Stop Windows Service Via Sc.EXE
id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
related:
- id: eb87818d-db5d-49cc-a987-d5da331fbd90
- type: obsoletes
+ type: obsolete
status: test
description: Detects the stopping of a Windows service via the "sc.exe" utility
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/05
-modified: 2024/01/18
+date: 2023-03-05
+modified: 2024-01-18
tags:
- attack.impact
- attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
index 8809b4bc0b2..9ff4c256b44 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
@@ -5,8 +5,8 @@ description: 'Detects the creation of a schtask that executes a file from C:\Use
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/03/15
-modified: 2022/07/28
+date: 2022-03-15
+modified: 2022-07-28
tags:
- attack.execution
- attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_change.yml b/rules/windows/process_creation/proc_creation_win_schtasks_change.yml
index 23f81020098..d6ae42d41d1 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_change.yml
@@ -12,8 +12,8 @@ references:
- Internal Research
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/28
-modified: 2022/11/18
+date: 2022-07-28
+modified: 2022-11-18
tags:
- attack.execution
- attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml b/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
index 34f3bcc072c..ffd4529fdd1 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
@@ -5,12 +5,12 @@ description: Detects the creation of scheduled tasks by user accounts via the "s
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Florian Roth (Nextron Systems)
-date: 2019/01/16
-modified: 2024/01/18
+date: 2019-01-16
+modified: 2024-01-18
tags:
- attack.execution
- attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1053.005
- attack.s0111
- car.2013-08-001
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
index c0f71c2dec2..e79bc2c631a 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
@@ -5,8 +5,8 @@ description: Detects the creation of scheduled tasks that involves a temporary f
references:
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
author: Florian Roth (Nextron Systems)
-date: 2021/03/11
-modified: 2022/10/09
+date: 2021-03-11
+modified: 2022-10-09
tags:
- attack.execution
- attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml
index 332026d0eba..a559cb449ee 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml
@@ -10,7 +10,7 @@ description: Detects when adversaries stop services or processes by deleting the
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
+date: 2022-09-09
tags:
- attack.impact
- attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml b/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml
index c26cf564570..c44f82ae6bf 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml
@@ -5,7 +5,7 @@ description: Detects the usage of schtasks with the delete flag and the asterisk
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
+date: 2022-09-09
tags:
- attack.impact
- attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
index 41d9ecf9db2..4fa4b178415 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
@@ -10,8 +10,8 @@ references:
- https://twitter.com/MichalKoczwara/status/1553634816016498688
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/26
-modified: 2022/09/02
+date: 2021-12-26
+modified: 2022-09-02
tags:
- attack.impact
- attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
index cab01e54852..bd5dbaf9f16 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
@@ -9,8 +9,8 @@ references:
- https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
- https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
author: Florian Roth (Nextron Systems)
-date: 2022/02/21
-modified: 2023/11/30
+date: 2022-02-21
+modified: 2023-11-30
tags:
- attack.execution
- attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml b/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml
index 20d0b3afbbd..bfe2883eef3 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml
@@ -5,8 +5,8 @@ description: Detects scheduled task creations that have suspicious action comman
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
author: Florian Roth (Nextron Systems)
-date: 2022/04/15
-modified: 2022/11/18
+date: 2022-04-15
+modified: 2022-11-18
tags:
- attack.execution
- attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml b/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
index b160d5b9dad..f4b7ec16a7e 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
@@ -6,7 +6,7 @@ references:
 - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/31
+date: 2022-10-31
 tags:
 - attack.execution
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
index b5e40bb6f96..03ad5717d8b 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
@@ -5,12 +5,12 @@ description: Detects scheduled task creation events that include suspicious acti
 references:
 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
 author: pH-T (Nextron Systems)
-date: 2022/07/15
-modified: 2023/02/03
+date: 2022-07-15
+modified: 2023-02-03
 tags:
 - attack.execution
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1053.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
index 6a3e317d26c..a65cee2b88e 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
@@ -10,8 +10,8 @@ description: |
 references:
 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
 author: Sreeman
-date: 2020/09/29
-modified: 2023/02/10
+date: 2020-09-29
+modified: 2023-02-10
 tags:
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
index 14869fd6d54..87bb266a3e4 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
@@ -8,8 +8,8 @@ description: Detects suspicious powershell execution via a schedule task where t
 references:
 - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
 author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/04/08
-modified: 2023/02/03
+date: 2022-04-08
+modified: 2023-02-03
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
index d2bea93c3f9..99163716862 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
@@ -8,7 +8,7 @@ description: Detects the creation of a schtasks that potentially executes a payl
 references:
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/18
+date: 2023-07-18
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
index b5af7a3d4d7..15c92888516 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
@@ -5,8 +5,8 @@ description: Detects the creation of a schtask that potentially executes a base6
 references:
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/12
-modified: 2023/02/04
+date: 2022-02-12
+modified: 2023-02-04
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
index 8f54cd52973..26dd70113b2 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
@@ -10,7 +10,7 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
+date: 2022-09-09
 tags:
 - attack.execution
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
index 628579ef580..512b2356ddb 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
@@ -9,7 +9,7 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/31
+date: 2022-08-31
 tags:
 - attack.execution
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
index 2a7737600ad..a7d8db95a25 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
 - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
 author: Swachchhanda Shrawan Poudel, Elastic (idea)
-date: 2023/04/20
+date: 2023-04-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1036.005
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
index 9f6d002f55e..d2470cf015b 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
@@ -7,8 +7,8 @@ references:
 - https://twitter.com/RedDrip7/status/1506480588827467785
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 author: Florian Roth (Nextron Systems)
-date: 2022/02/23
-modified: 2024/03/19
+date: 2022-02-23
+modified: 2024-03-19
 tags:
 - attack.execution
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
index a40a2ee44bb..d6eac695b55 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
@@ -6,8 +6,8 @@ references:
 - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/28
-modified: 2023/10/11
+date: 2022-07-28
+modified: 2023-10-11
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml
index b790f018e33..736734943a4 100644
--- a/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml
@@ -6,8 +6,8 @@ references:
 - https://redcanary.com/blog/child-processes/
 - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
 author: Sittikorn S
-date: 2021/06/21
-modified: 2022/07/14
+date: 2021-06-21
+modified: 2022-07-14
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml
index fc3401586a1..c0abc440402 100644
--- a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml
@@ -10,11 +10,11 @@ description: |
 references:
 - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
 author: Markus Neis
-date: 2019/01/16
-modified: 2023/12/06
+date: 2019-01-16
+modified: 2023-12-06
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
index cf713c718fc..8c4508aad91 100644
--- a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
@@ -11,11 +11,11 @@ references:
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 - https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/01
-modified: 2024/01/10
+date: 2023-08-01
+modified: 2024-01-10
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
index 4765abf2dea..9863eb337ac 100644
--- a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/6
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2021/11/27
+date: 2020-05-02
+modified: 2021-11-27
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
index fc46bb60f4e..d885bf0fbae 100644
--- a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
@@ -8,10 +8,10 @@ references:
 - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
 - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
 author: Nextron Systems
-date: 2022/06/01
-modified: 2022/10/31
+date: 2022-06-01
+modified: 2022-10-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
index 1e15aaf74cf..bd6dba03349 100644
--- a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
@@ -6,14 +6,14 @@ references:
 - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
 author: Janantha Marasinghe
-date: 2022/11/18
-modified: 2022/12/30
+date: 2022-11-18
+modified: 2022-12-30
 tags:
 - attack.discovery
 - attack.persistence
- - attack.defense_evasion
- - attack.credential_access
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.credential-access
+ - attack.privilege-escalation
 - attack.t1562.002
 - attack.t1547.001
 - attack.t1505.005
diff --git a/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml
index 9d7f2ac0bee..d38a5e4c5a3 100644
--- a/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml
@@ -5,12 +5,12 @@ description: Detects a suspicious process pattern which could be a sign of an ex
 references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth (Nextron Systems)
-date: 2021/07/14
-modified: 2022/07/14
+date: 2021-07-14
+modified: 2022-07-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555
- - cve.2021.35211
+ - cve.2021-35211
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml
index c4fbfac5f27..b2471cb1cd0 100644
--- a/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml
@@ -11,10 +11,10 @@ references:
 - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
 author: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'
-date: 2022/12/11
-modified: 2024/06/26
+date: 2022-12-11
+modified: 2024-06-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml b/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml
index 5ce2b50b94e..b8b4d6beabc 100644
--- a/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml
@@ -6,10 +6,10 @@ references:
 - https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
 - https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
 author: Markus Neis, keepwatch
-date: 2018/11/14
-modified: 2023/10/23
+date: 2018-11-14
+modified: 2023-10-23
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml b/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml
index 58514201319..d16f90c2644 100644
--- a/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
 author: frack113
-date: 2022/01/01
+date: 2022-01-01
 tags:
 - attack.impact
 - attack.t1529
diff --git a/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml b/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml
index b9aa501c7a8..d950db6f452 100644
--- a/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml
+++ b/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
 author: frack113
-date: 2022/10/01
+date: 2022-10-01
 tags:
 - attack.impact
 - attack.t1529
diff --git a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
index 991912bbd5a..adb98fa41ac 100644
--- a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
@@ -5,7 +5,7 @@ description: Detects potentially uncommon child processes of SndVol.exe (the Win
 references:
 - https://twitter.com/Max_Mal_/status/1661322732456353792
 author: X__Junior (Nextron Systems)
-date: 2023/06/09
+date: 2023-06-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml b/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml
index 120d73412db..032905fd6d2 100644
--- a/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml
+++ b/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
 - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2021/11/27
+date: 2019-10-24
+modified: 2021-11-27
 tags:
 - attack.collection
 - attack.t1123
diff --git a/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml b/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
index d2dfe75fc82..1f1cc3acc1f 100644
--- a/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
@@ -5,10 +5,10 @@ description: Detects suspicious Splwow64.exe process without any command line pa
 references:
 - https://twitter.com/sbousseaden/status/1429401053229891590?s=12
 author: Florian Roth (Nextron Systems)
-date: 2021/08/23
-modified: 2022/12/25
+date: 2021-08-23
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
index 14f4e809d4c..e34e32611c9 100644
--- a/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
@@ -5,12 +5,12 @@ description: Detects suspicious print spool service (spoolsv.exe) child processe
 references:
 - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
 author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
-date: 2021/07/11
-modified: 2023/02/09
+date: 2021-07-11
+modified: 2023-02-09
 tags:
 - attack.execution
 - attack.t1203
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
index 694df291501..4f4b6b1c8a5 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
@@ -5,7 +5,7 @@ description: Detects potentially suspicious SQL queries using SQLCmd targeting t
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
 tags:
 - attack.collection
 - attack.t1005
diff --git a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml
index 78454ac43af..1323f023717 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml
@@ -6,8 +6,8 @@ references:
 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
 author: frack113
-date: 2021/12/20
-modified: 2023/02/13
+date: 2021-12-20
+modified: 2023-02-13
 tags:
 - attack.collection
 - attack.t1005
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
index e9c72d99082..8de428d8e76 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
 - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
 author: TropChaud
-date: 2022/12/19
-modified: 2023/01/19
+date: 2022-12-19
+modified: 2023-01-19
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1539
 - attack.t1555.003
 - attack.collection
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
index 9192cf12fa2..cb9ec6c37b0 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
 - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
 author: frack113
-date: 2022/04/08
-modified: 2023/01/19
+date: 2022-04-08
+modified: 2023-01-19
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1539
 - attack.collection
 - attack.t1005
diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_download.yml b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
index f12306af17c..ae5d70dd089 100644
--- a/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
@@ -4,7 +4,7 @@ related:
 - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
 type: similar
 - id: fa4b21c9-0057-4493-b289-2556416ae4d7
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
@@ -13,10 +13,10 @@ references:
 - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
 - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
 author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-date: 2022/06/09
-modified: 2023/11/09
+date: 2022-06-09
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
index 706757b4ca3..69ea3ea2327 100644
--- a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
@@ -4,7 +4,7 @@ related:
 - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
 type: similar
 - id: fa4b21c9-0057-4493-b289-2556416ae4d7
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
@@ -13,10 +13,10 @@ references:
 - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
 - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
 author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-date: 2022/06/09
-modified: 2023/11/09
+date: 2022-06-09
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
index abd9994911f..0e5e79ac389 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
@@ -5,11 +5,11 @@ description: Detects port forwarding activity via SSH.exe
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/12
-modified: 2024/03/05
+date: 2022-10-12
+modified: 2024-03-05
 tags:
- - attack.command_and_control
- - attack.lateral_movement
+ - attack.command-and-control
+ - attack.lateral-movement
 - attack.t1572
 - attack.t1021.001
 - attack.t1021.004
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
index 1a707053986..0b7c2bcc182 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
@@ -8,10 +8,10 @@ description: Execution of ssh.exe to perform data exfiltration and tunneling thr
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/12
-modified: 2023/01/25
+date: 2022-10-12
+modified: 2023-01-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
index c10b673d119..026345ac200 100644
--- a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
@@ -7,9 +7,9 @@ references:
 - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
 - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
 author: Muhammad Faisal
-date: 2023/08/02
+date: 2023-08-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.persistence
 - attack.t1219
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml
index 549753a3883..ca0bc2f5131 100644
--- a/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml
@@ -6,10 +6,10 @@ references:
 - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
 - https://twitter.com/eral4m/status/1451112385041911809
 author: Austin Songer (@austinsonger)
-date: 2021/10/21
-modified: 2022/12/25
+date: 2021-10-21
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml
index 5dc67e47186..2be1fac6979 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml
@@ -8,10 +8,10 @@ references:
 - https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/
 - https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/
 author: frack113
-date: 2022/07/16
-modified: 2022/07/16
+date: 2022-07-16
+modified: 2022-07-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
index a052d079963..2ab8fb6b9fa 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
@@ -5,10 +5,10 @@ description: Detection of unusual child processes by different system processes
 references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
 author: 'Semanur Guneysu @semanurtg, oscd.community'
-date: 2020/10/28
-modified: 2022/11/11
+date: 2020-10-28
+modified: 2022-11-11
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
index ddbfed9d8a6..a76b7c779bd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
@@ -10,8 +10,8 @@ description: Detects addition of users to the local administrator group via "Net
 references:
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2023/03/02
+date: 2022-08-12
+modified: 2023-03-02
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
index 12d8156987b..c15579cb9b7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
@@ -10,7 +10,7 @@ description: Detects addition of users to highly privileged groups via "Net" or
 references:
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/23
+date: 2024-02-23
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
index f3be0334bd4..4ff9dcceb21 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
@@ -10,11 +10,11 @@ description: Detects addition of users to the local Remote Desktop Users group v
 references:
 - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
 author: Florian Roth (Nextron Systems)
-date: 2021/12/06
-modified: 2022/09/09
+date: 2021-12-06
+modified: 2022-09-09
 tags:
 - attack.persistence
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1133
 - attack.t1136.001
 - attack.t1021.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml b/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
index 6425bd32d21..3f4165ee68c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
@@ -5,10 +5,10 @@ description: Detects execution from an Alternate Data Stream (ADS). Adversaries
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
 author: frack113
-date: 2021/09/01
-modified: 2022/10/09
+date: 2021-09-01
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
index 275ef218086..ef7734a59da 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
@@ -5,10 +5,10 @@ description: Detects Windows Installer service (msiexec.exe) trying to install M
 references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-date: 2020/10/13
-modified: 2023/03/23
+date: 2020-10-13
+modified: 2023-03-23
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
index eb0cd776317..4b574bd377d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/12
-modified: 2023/08/31
+date: 2023-01-12
+modified: 2023-08-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml
index 70023c677d6..1d5c7af9d91 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml
@@ -5,13 +5,13 @@ description: The .SettingContent-ms file type was introduced in Windows 10 and a
 references:
 - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
 author: Sreeman
-date: 2020/03/13
-modified: 2022/04/14
+date: 2020-03-13
+modified: 2022-04-14
 tags:
 - attack.t1204
 - attack.t1566.001
 - attack.execution
- - attack.initial_access
+ - attack.initial-access
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml b/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml
index 27fadd50fe1..176bb756a42 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/1ZRR4H/status/1534259727059787783
 - https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/
 author: Florian Roth (Nextron Systems)
-date: 2022/06/07
+date: 2022-06-07
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml b/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml
index ce56d7ceb45..c0bbaf65747 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: frack113
-date: 2021/07/28
-modified: 2022/11/11
+date: 2021-07-28
+modified: 2022-11-11
 tags:
 - attack.collection
 - attack.t1119
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
index 1cea509263f..6c414fefcdd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
@@ -2,7 +2,7 @@ title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
 id: a7c3d773-caef-227e-a7e7-c2f13c622329
 related:
 - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects attackers using tooling with bad opsec defaults.
@@ -17,10 +17,10 @@ references:
 - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
 - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
 author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
-date: 2020/10/23
-modified: 2023/12/02
+date: 2020-10-23
+modified: 2023-12-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml
index 9235887ad2d..1c2fafbeb8c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml
@@ -7,7 +7,7 @@ references:
 - https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
 - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
 author: Joseph Kamau
-date: 2024/05/27
+date: 2024-05-27
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
index 029ddf639aa..ca37a85689d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/antonioCoco/RogueWinRM
 - https://twitter.com/Cyb3rWard0g/status/1453123054243024897
 author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
-date: 2019/10/26
-modified: 2022/12/15
+date: 2019-10-26
+modified: 2022-12-15
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1134.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml
index 58caabd5aeb..06783482721 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml
@@ -9,10 +9,10 @@ references:
 - https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques
 - https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
 author: juju4
-date: 2018/12/11
-modified: 2023/03/03
+date: 2018-12-11
+modified: 2023-03-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
index 2df73f9e4e9..5c4990d623b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
@@ -2,7 +2,7 @@ title: Potential Commandline Obfuscation Using Unicode Characters
 id: e0552b19-5a83-4222-b141-b36184bb8d79
 related:
 - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects potential commandline obfuscation using unicode characters.
@@ -11,10 +11,10 @@ references:
 - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/01/15
-modified: 2024/07/22
+date: 2022-01-15
+modified: 2024-07-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml
index fca1f14b055..87b5c6e5890 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/hexacorn/status/1448037865435320323
 - https://twitter.com/Gal_B1t/status/1062971006078345217
 author: Christian Burkard (Nextron Systems)
-date: 2021/10/26
-modified: 2023/03/29
+date: 2021-10-26
+modified: 2023-03-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml
index 3ce4b2cb29d..2d4375d4db9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml
@@ -11,10 +11,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/23
-modified: 2023/08/29
+date: 2022-12-23
+modified: 2023-08-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
index 0f6d34c5c92..41da47ed065 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
 - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
 author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
-date: 2019/12/30
-modified: 2023/11/15
+date: 2019-12-30
+modified: 2023-11-15
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.collection
 - attack.exfiltration
 - attack.t1039
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
index b31a32e7488..8fd8668f5b6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
@@ -12,10 +12,10 @@ references:
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
 author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/07/03
-modified: 2023/08/29
+date: 2020-07-03
+modified: 2023-08-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml
index 49fb0c5537e..225f8b27a91 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml
@@ -11,9 +11,9 @@ references:
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/29
+date: 2023-08-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml b/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml
index 337b534e682..21e9c86b3a0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml
@@ -5,8 +5,8 @@ description: Detects command line parameters or strings often used by crypto min
 references:
 - https://www.poolwatch.io/coin/monero
 author: Florian Roth (Nextron Systems)
-date: 2021/10/26
-modified: 2023/02/13
+date: 2021-10-26
+modified: 2023-02-13
 tags:
 - attack.impact
 - attack.t1496
diff --git a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
index d9a4141405c..e174a1b0374 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
@@ -5,8 +5,8 @@ description: Detects the use of various CLI utilities exfiltrating data via web
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/02
-modified: 2023/07/27
+date: 2022-08-02
+modified: 2023-07-27
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml b/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
index 74c40d55db5..9e0e26b5ae8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
@@ -5,10 +5,10 @@ description: Detects commands that indicate a Raccine removal from an end system
 references:
 - https://github.com/Neo23x0/Raccine
 author: Florian Roth (Nextron Systems)
-date: 2021/01/21
-modified: 2022/10/09
+date: 2021-01-21
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
index 1c6d256504b..46b9ff3fb2f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
@@ -9,10 +9,10 @@ references:
 - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
 - https://twitter.com/blackorbird/status/1140519090961825792
 author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
-date: 2019/06/26
-modified: 2023/02/28
+date: 2019-06-26
+modified: 2023-02-28
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
index 0a14cd5bc0c..59572989ba8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
@@ -9,10 +9,10 @@ references:
 - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/06
-modified: 2023/02/28
+date: 2023-01-06
+modified: 2023-02-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.007
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
index 2c691f14ec3..015f43dbf31 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/an0n_r0/status/1474698356635193346?s=12
 - https://twitter.com/mrd0x/status/1475085452784844803?s=12
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/27
-modified: 2022/08/02
+date: 2021-12-27
+modified: 2022-08-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 - attack.t1608
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
index 4d2075134ed..50ba43d5a04 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
@@ -5,10 +5,10 @@ description: Detects the use of the filename DumpStack.log to evade Microsoft De
 references:
 - https://twitter.com/mrd0x/status/1479094189048713219
 author: Florian Roth (Nextron Systems)
-date: 2022/01/06
-modified: 2022/06/17
+date: 2022-01-06
+modified: 2022-06-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
index 251d98467ae..db394807ff1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
@@ -5,10 +5,10 @@ description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "
 references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-date: 2020/10/13
-modified: 2022/10/20
+date: 2020-10-13
+modified: 2022-10-20
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
index 63d8d6ab173..2778575dbdd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
@@ -15,8 +15,8 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
 - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/21
-modified: 2024/07/12
+date: 2022-10-21
+modified: 2024-07-12
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
index ef096ea1cac..370e3dcc0d3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
@@ -13,8 +13,8 @@ references:
 - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
 - https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/05
-modified: 2023/11/09
+date: 2023-09-05
+modified: 2023-11-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
index ef9da018271..271d8a99563 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
@@ -8,11 +8,11 @@ description: Detects when a shell program such as the Windows command prompt or
 references:
 - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
-date: 2022/12/05
-modified: 2023/11/23
+date: 2022-12-05
+modified: 2023-11-23
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml b/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml
index 1ee3dea9cfb..a1a84246a3d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml
@@ -5,7 +5,7 @@ description: Detects events that appear when a user click on a link file with a
 references:
 - https://www.x86matthew.com/view_post?id=embed_exe_lnk
 author: frack113
-date: 2022/02/06
+date: 2022-02-06
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
index ff860de061d..ecd20aaa7e1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
@@ -16,10 +16,10 @@ references:
 - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
 - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2022/12/09
+date: 2020-05-02
+modified: 2022-12-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
index 3cd5ededa1a..64c7bf780b5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
@@ -8,10 +8,10 @@ references:
 - https://abuse.io/lockergoga.txt
 - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
 author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
-date: 2019/03/22
-modified: 2022/06/28
+date: 2019-03-22
+modified: 2022-06-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 - attack.t1562.006
 - car.2016-04-002
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
index 3ca670aae69..21e5ba0bc85 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
@@ -11,10 +11,10 @@ references:
 - https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
 - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
 author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
-date: 2019/09/26
-modified: 2023/07/13
+date: 2019-09-26
+modified: 2023-07-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.001
 - attack.t1562.002
 - car.2016-04-002
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
index abeef5c72ce..1fe8c0efe8f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
@@ -18,10 +18,10 @@ references:
 - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2022/09/09
-modified: 2024/07/12
+date: 2022-09-09
+modified: 2024-07-12
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.discovery
 - attack.t1552
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
index 9775ea65ddd..380377348bb 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/25
-modified: 2024/07/12
+date: 2022-02-25
+modified: 2024-07-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1564
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
index 1edbf5b7969..7b0494fe52e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
@@ -8,10 +8,10 @@ references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 - https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
 author: Florian Roth (Nextron Systems), Tim Shelton
-date: 2019/01/16
-modified: 2024/07/12
+date: 2019-01-16
+modified: 2024-07-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml b/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml
index a9e0d798566..2441df75522 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml
@@ -6,8 +6,8 @@ references:
 - https://securelist.com/muddywater/88059/
 - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
 author: Markus Neis, Sander Wiebing
-date: 2018/11/22
-modified: 2022/10/09
+date: 2018-11-22
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1059.006
diff --git a/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml
index 5c7470007c4..fc62c9d496d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml
@@ -11,7 +11,7 @@ references:
 - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
 - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/08
+date: 2023-02-08
 tags:
 - attack.discovery
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
index f7e821ad2dd..8dbabf5e305 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
@@ -13,9 +13,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
 author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
-date: 2023/10/09
+date: 2023-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
index ac2f2302657..f769748cbaa 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
@@ -5,12 +5,12 @@ description: Monitors for the hiding possible malicious files in the C:\Windows\
 references:
 - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
 author: Sreeman
-date: 2020/04/21
-modified: 2022/03/08
+date: 2020-04-21
+modified: 2022-03-08
 tags:
 - attack.t1211
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml b/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
index 06788d19cae..c8ad77d27f5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
@@ -9,9 +9,9 @@ references:
 - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
 - http://www.irongeek.com/homoglyph-attack-generator.php
 author: Micah Babinski, @micahbabinski
-date: 2023/05/07
+date: 2023-05-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1036.003
 # - attack.t1036.008
diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
index 6b241e67f1a..7acb7a5f7e1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
@@ -5,10 +5,10 @@ description: Checks whether the image specified in a process creation event is n
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 author: Max Altgelt (Nextron Systems)
-date: 2021/12/09
-modified: 2022/12/14
+date: 2021-12-09
+modified: 2022-12-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml b/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml
index 69c8dc3f65e..c95ec1d6f40 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml
@@ -5,7 +5,7 @@ description: Detects encoded base64 MZ header in the commandline
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
+date: 2022-07-12
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
index c6473041487..8310c8fa0ff 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
@@ -8,8 +8,8 @@ description: Detects the use of WinAPI Functions via the commandline. As seen us
 references:
 - https://twitter.com/m417z/status/1566674631788007425
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/06
-modified: 2023/01/09
+date: 2022-09-06
+modified: 2023-01-09
 tags:
 - attack.execution
 - attack.t1106
diff --git a/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml b/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml
index bee5a6cc435..5f3d9798bc8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml
@@ -5,8 +5,8 @@ description: Local accounts, System Owner/User discovery using operating systems
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/21
-modified: 2023/01/03
+date: 2019-10-21
+modified: 2023-01-03
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
index fde466c4ef6..b10f0d2e961 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
@@ -10,10 +10,10 @@ references:
 - https://www.scythe.io/library/threat-emulation-qakbot
 - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman
-date: 2022/01/25
-modified: 2023/08/29
+date: 2022-01-25
+modified: 2023-08-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml b/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml
index 501b012cb8b..a0383ed2184 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml
@@ -14,10 +14,10 @@ references:
 - https://github.com/helpsystems/nanodump
 - https://github.com/CCob/MirrorDump
 author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/24
-modified: 2023/08/29
+date: 2019-10-24
+modified: 2023-08-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
index 98220bde896..a1f8d6ba804 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
@@ -10,9 +10,9 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
 author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-date: 2023/11/09
+date: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
index 1ed46c0c786..ed3b80e4a26 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
@@ -5,8 +5,8 @@ description: Adversaries may look for details about the network configuration an
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
 author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-date: 2021/12/07
-modified: 2022/04/11
+date: 2021-12-07
+modified: 2022-04-11
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml b/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml
index 3d4ca79a55b..9cca291a5c3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml
@@ -7,7 +7,7 @@ references:
 - https://ss64.com/nt/for.html
 - https://ss64.com/ps/foreach-object.html
 author: frack113
-date: 2022/03/12
+date: 2022-03-12
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml b/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml
index 891987e6065..59a570237af 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
 author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/21
-modified: 2023/02/20
+date: 2019-10-21
+modified: 2023-02-20
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.discovery
 - attack.t1040
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml b/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
index 21badb8f46f..90915ed402a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
@@ -5,9 +5,9 @@ description: Detect the use of processes with no name (".exe"), which can be use
 references:
 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
 author: Matt Anderson (Huntress)
-date: 2024/07/23
+date: 2024-07-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
index 6e01e7f5d9c..647af0885be 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 author: Max Altgelt (Nextron Systems)
-date: 2021/12/09
-modified: 2023/11/23
+date: 2021-12-09
+modified: 2023-11-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
index 3af41bfb444..d4da3213073 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
@@ -5,10 +5,10 @@ description: Search for usage of reg or Powershell by non-privileged users to mo
 references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
-date: 2020/10/05
-modified: 2022/07/07
+date: 2020-10-05
+modified: 2022-07-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
index 4deb46e333c..a44d5c7a60b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
@@ -11,10 +11,10 @@ references:
 - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems)
-date: 2022/03/11
-modified: 2022/11/10
+date: 2022-03-11
+modified: 2022-11-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
index cbd83ab9f82..570b9477dc7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
@@ -8,9 +8,9 @@ description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentia
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/13
+date: 2023-07-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
index 28f7b355888..b339a6272d3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
@@ -10,10 +10,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
 - https://twitter.com/frack113/status/1555830623633375232
 author: frack113, Nasreddine Bencherchali
-date: 2022/08/07
-modified: 2022/10/26
+date: 2022-08-07
+modified: 2022-10-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
index 8300c093c89..e5d620fc79b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
@@ -10,10 +10,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
 - https://twitter.com/frack113/status/1555830623633375232
 author: frack113, Nasreddine Bencherchali
-date: 2022/08/07
-modified: 2023/03/21
+date: 2022-08-07
+modified: 2023-03-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
index 4643eadc130..0be94c50bbb 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
@@ -10,10 +10,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
 - https://twitter.com/jonasLyk/status/1555914501802921984
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
-modified: 2022/09/21
+date: 2022-08-05
+modified: 2022-09-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
index ac150106f67..50381e0259e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
@@ -10,10 +10,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
 - https://twitter.com/jonasLyk/status/1555914501802921984
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/06
-modified: 2023/07/20
+date: 2022-08-06
+modified: 2023-07-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
index b1969826838..89b66f3ce7e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
@@ -7,8 +7,8 @@ references:
 - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
 - https://twitter.com/fr0s7_/status/1712780207105404948
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
-date: 2022/08/03
-modified: 2023/11/06
+date: 2022-08-03
+modified: 2023-11-06
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
index 6b0cba323fc..5fd7eb597e9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
@@ -6,8 +6,8 @@ references:
 - https://h.43z.one/ipconverter/
 - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2022/08/03
-modified: 2023/11/06
+date: 2022-08-03
+modified: 2023-11-06
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml b/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
index 102e66c9c4a..2cde32de6a0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
@@ -5,9 +5,9 @@ description: Detects possible search for office tokens via CLI by looking for th
 references:
 - https://mrd0x.com/stealing-tokens-from-office-applications/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/25
+date: 2022-10-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_parents.yml b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
index 524bcbf3617..374b6a7c6aa 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/x86matthew/status/1505476263464607744?s=12
 - https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
 author: Florian Roth (Nextron Systems)
-date: 2022/03/21
-modified: 2022/09/08
+date: 2022-03-21
+modified: 2022-09-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml
index ec80abbcd16..37499cf9d07 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md
 author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-date: 2018/08/25
-modified: 2024/03/07
+date: 2018-08-25
+modified: 2024-03-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
index a5fce186694..c2bb24c2c60 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
@@ -8,10 +8,10 @@ description: Detects a remote file copy attempt to a hidden network share. This
 references:
 - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/27
-modified: 2022/12/30
+date: 2022-09-27
+modified: 2022-12-30
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml
index 1bd577cc214..35765f997ba 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml
@@ -5,10 +5,10 @@ description: Adversaries may search for private key certificate files on comprom
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/07/20
-modified: 2023/03/06
+date: 2021-07-20
+modified: 2023-03-06
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml
index 4c7e40a27a8..08f4bf30151 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml
@@ -5,9 +5,9 @@ description: Detects suspicious command line flags that let the user set a targe
 references:
 - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
 author: Florian Roth (Nextron Systems)
-date: 2022/11/11
+date: 2022-11-11
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
index f89f6fd2441..72b9c382f72 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
@@ -7,10 +7,10 @@ references:
 - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
 - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 author: vburov
-date: 2019/02/23
-modified: 2022/02/14
+date: 2019-02-23
+modified: 2022-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 - attack.t1036.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_progname.yml b/rules/windows/process_creation/proc_creation_win_susp_progname.yml
index 1e08522f56d..a0c91375671 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_progname.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_progname.yml
@@ -5,8 +5,8 @@ description: Detects suspicious patterns in program names or folders that are of
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 author: Florian Roth (Nextron Systems)
-date: 2022/02/11
-modified: 2023/03/22
+date: 2022-02-11
+modified: 2023-03-22
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_recon.yml
index 22e81ad1d41..4c7af53c19c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_recon.yml
@@ -8,8 +8,8 @@ description: Once established within a system or network, an adversary may use a
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
 author: frack113
-date: 2021/07/30
-modified: 2022/09/13
+date: 2021-07-30
+modified: 2022-09-13
 tags:
 - attack.collection
 - attack.t1119
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
index 9e46bb09f4d..aee49b14846 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
@@ -9,11 +9,11 @@ references:
 - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
 - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
 author: X__Junior (Nextron Systems)
-date: 2023/07/12
-modified: 2023/12/11
+date: 2023-07-12
+modified: 2023-12-11
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
index 27545ea805c..81b697d24ae 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
@@ -6,8 +6,8 @@ references:
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Florian Roth (Nextron Systems)
-date: 2022/01/16
-modified: 2023/12/28
+date: 2022-01-16
+modified: 2023-12-28
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml b/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml
index b02f0a5e640..e84daaa8907 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml
@@ -5,9 +5,9 @@ description: Detects potential use of an SSH utility to establish RDP over a rev
 references:
 - https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/27
+date: 2022-09-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
index c6c597d9913..53583383428 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
@@ -9,9 +9,9 @@ references:
 - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
 - https://unicode-explorer.com/c/202E
 author: Micah Babinski, @micahbabinski
-date: 2023/02/15
+date: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
index b32fbc96f29..f4fcfc0afbd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
@@ -7,8 +7,8 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
 - https://learn.microsoft.com/en-us/windows/win32/shell/csidl
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/08
-modified: 2023/06/16
+date: 2022-02-08
+modified: 2023-06-16
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
index a8bcecd8507..b50f53858ad 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
@@ -5,8 +5,8 @@ description: Detects a suspicious script executions from temporary folder
 references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
-date: 2021/07/14
-modified: 2022/10/05
+date: 2021-07-14
+modified: 2022-10-05
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
index 7534759ac0d..4b37fae90ee 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
@@ -8,8 +8,8 @@ references:
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
 author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
-modified: 2024/01/18
+date: 2021-08-09
+modified: 2024-01-18
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml b/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml
index a425b2bba12..e5ee1060bcf 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml
@@ -9,11 +9,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/14
-modified: 2022/11/18
+date: 2022-07-14
+modified: 2022-11-18
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
index 8601274f1f9..3606e7ab0a5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
@@ -5,10 +5,10 @@ description: Detects a service binary running in a suspicious directory
 references:
 - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
 author: Florian Roth (Nextron Systems)
-date: 2021/03/09
-modified: 2022/10/09
+date: 2021-03-09
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
index 98d3f570a16..acf23b465a8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
@@ -4,9 +4,9 @@ related:
 - id: eb87818d-db5d-49cc-a987-d5da331fbd90
 type: derived
 - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
- type: obsoletes
+ type: obsolete
 - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
 references:
@@ -16,10 +16,10 @@ references:
 - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2022/09/01
-modified: 2023/08/07
+date: 2022-09-01
+modified: 2023-08-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1489
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml
index a370a435580..e1c7c86dad2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml
@@ -6,10 +6,10 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
 author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/22
-modified: 2022/11/10
+date: 2019-10-22
+modified: 2022-11-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 - attack.t1003.002
 - attack.t1003.003
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
index de76a0a53be..563d6675588 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
@@ -13,10 +13,10 @@ references:
 - https://redcanary.com/blog/intelligence-insights-october-2021/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
 author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
-date: 2019/10/22
-modified: 2022/11/03
+date: 2019-10-22
+modified: 2022-11-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1070
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml
index c840292b07a..ca1821f9def 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml
@@ -5,11 +5,11 @@ description: Detects suspicious child processes of a Windows shell and scripting
 references:
 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth (Nextron Systems), Tim Shelton
-date: 2018/04/06
-modified: 2023/05/23
+date: 2018-04-06
+modified: 2023-05-23
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1059.005
 - attack.t1059.001
 - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml b/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml
index 78f982c4160..f52a096b7d9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml
@@ -5,11 +5,11 @@ description: Detects process creation events that use the Sysnative folder (comm
 references:
 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 author: Max Altgelt (Nextron Systems)
-date: 2022/08/23
-modified: 2023/12/14
+date: 2022-08-23
+modified: 2023-12-14
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
index 4c461717db6..c1ac8bf19d6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -10,10 +10,10 @@ references:
 - https://twitter.com/GelosSnake/status/934900723426439170
 - https://asec.ahnlab.com/en/39828/
 author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2017/11/27
-modified: 2024/07/16
+date: 2017-11-27
+modified: 2024-07-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 5da3bba0f76..3996deda6cc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -6,12 +6,12 @@ references:
 - Internal Research
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
-date: 2021/12/20
-modified: 2024/07/22
+date: 2021-12-20
+modified: 2024-07-22
 tags:
- - attack.credential_access
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.credential-access
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1134
 - attack.t1003
 - attack.t1027
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml
index bd095346e27..ec1e2cc4ba5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml
@@ -6,10 +6,10 @@ references:
 - https://adsecurity.org/?p=2288
 - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
 author: Markus Neis, Jonhnathan Ribeiro, oscd.community
-date: 2018/04/09
-modified: 2022/01/07
+date: 2018-04-09
+modified: 2022-01-07
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.006
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
index 13b18f88a63..a6965e2d603 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/subTee/status/1216465628946563073
 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
 author: Sreeman
-date: 2020/01/13
-modified: 2022/12/25
+date: 2020-01-13
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.execution
 - attack.t1574.002
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
index acd96a790aa..0803f12f59b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/pabraeken/status/993298228840992768
 - https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
 author: 'Agro (@agro_sev) oscd.community'
-date: 2020/10/13
-modified: 2021/11/27
+date: 2020-10-13
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
index ca8667658cf..b1717ae90bc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
@@ -10,11 +10,11 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
 - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
 author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
-date: 2020/10/14
-modified: 2022/10/09
+date: 2020-10-14
+modified: 2022-10-09
 tags:
 - attack.t1218
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
index 1b32046a1ac..bce7a82248e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
@@ -5,10 +5,10 @@ description: Detects a suspicious child process of userinit
 references:
 - https://twitter.com/SBousseaden/status/1139811587760562176
 author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
-date: 2019/06/17
-modified: 2022/12/09
+date: 2019-06-17
+modified: 2022-12-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml
index 0eb7f92531d..a3542ba6152 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml
@@ -10,10 +10,10 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/14
-modified: 2024/02/23
+date: 2022-09-14
+modified: 2024-02-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
index 125912e9b88..580a7accb42 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
@@ -4,9 +4,9 @@ related:
 - id: 1139d2e2-84b1-4226-b445-354492eba8ba
 type: similar
 - id: f67dbfce-93bc-440d-86ad-a95ae8858c90
- type: obsoletes
+ type: obsolete
 - id: cd5c8085-4070-4e22-908d-a5b3342deb74
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
 references:
@@ -14,8 +14,8 @@ references:
 - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
 - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
 author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
-date: 2019/10/24
-modified: 2023/01/10
+date: 2019-10-24
+modified: 2023-01-10
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml
index 4d47ad86843..add21fe4b30 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml
@@ -5,8 +5,8 @@ description: Detects a suspicious process command line that uses whoami as first
 references:
 - https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
 author: Florian Roth (Nextron Systems)
-date: 2021/11/29
-modified: 2022/12/25
+date: 2021-11-29
+modified: 2022-12-25
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml b/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
index 391a7983c87..65022b15d29 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
@@ -5,10 +5,10 @@ description: Detects using WorkFolders.exe to execute an arbitrary control.exe
 references:
 - https://twitter.com/elliotkillick/status/1449812843772227588
 author: Maxime Thiebaut (@0xThiebaut)
-date: 2021/10/21
-modified: 2022/12/25
+date: 2021-10-21
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml b/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
index 8c3c5f9be7d..002aacf4c10 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
@@ -5,11 +5,11 @@ description: It is extremely abnormal for svchost.exe to spawn without any CLI a
 references:
 - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 author: David Burkett, @signalblur
-date: 2019/12/28
-modified: 2022/06/27
+date: 2019-12-28
+modified: 2022-06-27
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml b/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
index 1ef9b1642e0..3b93f8c0df3 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
@@ -13,9 +13,9 @@ references:
 - https://tria.ge/240731-jh4crsycnb/behavioral2
 - https://redcanary.com/blog/threat-detection/process-masquerading/
 author: Swachchhanda Shrawan Poudel
-date: 2024/08/07
+date: 2024-08-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml b/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml
index a80d45a3dd2..6a39a684aa0 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml
@@ -5,12 +5,12 @@ description: Detects a process spawned by the terminal service server process (t
 references:
 - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
 author: Florian Roth (Nextron Systems)
-date: 2019/05/22
-modified: 2023/01/25
+date: 2019-05-22
+modified: 2023-01-25
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
 - car.2013-07-002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
index 7de9c1c0581..31eb6380f32 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
@@ -5,10 +5,10 @@ description: Detects an uncommon svchost parent process
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2017/08/15
-modified: 2022/06/28
+date: 2017-08-15
+modified: 2022-06-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
index a61b6d48fea..b744b889649 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
 - https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/13
-modified: 2023/02/20
+date: 2020-10-13
+modified: 2023-02-20
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
index a6cedbca262..72b8996bca0 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
@@ -8,9 +8,9 @@ description: Detects the execution of Sysinternals ADExplorer with the "-snapsho
 references:
 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/14
+date: 2023-03-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 - attack.t1003.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
index 53d1712a4c1..892499cbbb8 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
@@ -8,9 +8,9 @@ description: Detects the execution of Sysinternals ADExplorer with the "-snapsho
 references:
 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/14
+date: 2023-03-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 - attack.t1003.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
index ae302e8d6c2..6521fcd779a 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
@@ -8,10 +8,10 @@ description: Detects command lines that contain the 'accepteula' flag which coul
 references:
 - https://twitter.com/Moti_B/status/1008587936735035392
 author: Markus Neis
-date: 2017/08/28
-modified: 2024/03/13
+date: 2017-08-28
+modified: 2024-03-13
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
index 3f5b5531501..14286ba5c75 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
@@ -5,9 +5,9 @@ description: Detects execution of LiveKD based on PE metadata or image name
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
+date: 2023-05-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
index 1dddf1f205c..7df179152bb 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
@@ -7,10 +7,10 @@ references:
 - https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/
 - https://kb.acronis.com/content/60892
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/16
-modified: 2024/03/13
+date: 2023-05-16
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
index c8c9336129c..d67ee49d2c8 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
@@ -5,10 +5,10 @@ description: Detects usage of the SysInternals Procdump utility
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth (Nextron Systems)
-date: 2021/08/16
-modified: 2023/02/28
+date: 2021-08-16
+modified: 2023-02-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
index 4f88b377721..c5d31f84ea7 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
@@ -5,10 +5,10 @@ description: Detects uses of the SysInternals ProcDump utility in which ProcDump
 references:
 - https://twitter.com/mrd0x/status/1480785527901204481
 author: Florian Roth (Nextron Systems)
-date: 2022/01/11
-modified: 2023/05/09
+date: 2022-01-11
+modified: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml
index 25b3533b470..46d0f5ca4ba 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml
@@ -7,12 +7,12 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth (Nextron Systems)
-date: 2018/10/30
-modified: 2024/03/13
+date: 2018-10-30
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - car.2013-05-009
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml
index a7c0c80ba6a..e5a8278726a 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml
@@ -5,8 +5,8 @@ description: Detects user accept agreement execution in psexec commandline
 references:
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: omkar72
-date: 2020/10/30
-modified: 2023/02/28
+date: 2020-10-30
+modified: 2023-02-28
 tags:
 - attack.execution
 - attack.t1569
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
index 42776d610f3..1d10dff6989 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
@@ -10,10 +10,10 @@ references:
 - https://www.poweradmin.com/paexec/
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/11/23
-modified: 2024/03/05
+date: 2021-11-23
+modified: 2024-03-05
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml
index 43742e69a96..cacb1c5f02a 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://www.poweradmin.com/paexec/
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/28
+date: 2023-02-28
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
index c76f471df21..907cf1a8b9b 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
@@ -2,15 +2,15 @@ title: PsExec Service Execution
 id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5
 related:
 - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
 - https://www.youtube.com/watch?v=ro2QuZTIMBM
 author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
-date: 2017/06/12
-modified: 2023/02/28
+date: 2017-06-12
+modified: 2023-02-28
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
index b00da4ce2a6..e012f9c3757 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
@@ -8,8 +8,8 @@ description: Detects suspicious launch of the PSEXESVC service on this system an
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
 author: Florian Roth (Nextron Systems)
-date: 2022/07/21
-modified: 2023/02/28
+date: 2022-07-21
+modified: 2023-02-28
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
index 04c6d140603..bf4e675a9eb 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
 - https://twitter.com/EricaZelic/status/1614075109827874817
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/18
-modified: 2024/03/05
+date: 2021-12-18
+modified: 2024-03-05
 tags:
 - attack.discovery
 - attack.t1087
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
index 8a6778afcd8..48348d71d68 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
@@ -5,8 +5,8 @@ description: Detects usage of Sysinternals PsService which can be abused for ser
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/16
-modified: 2023/02/24
+date: 2022-06-16
+modified: 2023-02-24
 tags:
 - attack.discovery
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
index 98fa3c83d1c..92433b191c4 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
@@ -9,7 +9,7 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
 - https://twitter.com/0gtweet/status/1638069413717975046
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/23
+date: 2023-03-23
 tags:
 - attack.discovery
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
index 76ef6c2dc61..d7c5623619a 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
@@ -9,9 +9,9 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
 - https://twitter.com/0gtweet/status/1638069413717975046
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/23
+date: 2023-03-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
index 5a88207ac55..4e5eb701d79 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
@@ -5,8 +5,8 @@ description: Detects the use of SDelete to erase a file not the free space
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
 author: frack113
-date: 2021/06/03
-modified: 2023/02/28
+date: 2021-06-03
+modified: 2023-02-28
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
index 20ee3faada2..3aaba2c55d6 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
@@ -10,10 +10,10 @@ references:
 - https://www.poweradmin.com/paexec/
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/05/22
-modified: 2024/03/05
+date: 2021-05-22
+modified: 2024-03-05
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml
index 803db9abe85..1fb2a7d2c73 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml
@@ -5,10 +5,10 @@ description: Detects updates to Sysmon's configuration. Attackers might update o
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/09
-modified: 2024/03/13
+date: 2023-03-09
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
index 7cf984404db..4690d9914ac 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
@@ -5,10 +5,10 @@ description: Detects the removal of Sysmon, which could be a potential attempt a
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
 author: frack113
-date: 2022/01/12
-modified: 2024/03/13
+date: 2022-01-12
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
index daa94bb5bb3..7fad5eb500d 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
@@ -5,11 +5,11 @@ description: Detects binaries that use the same name as legitimate sysinternals
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
 author: frack113
-date: 2021/12/20
-modified: 2022/12/08
+date: 2021-12-20
+modified: 2022-12-08
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml b/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml
index 8cc79ea752f..41c310383a5 100644
--- a/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml
@@ -6,8 +6,8 @@ references:
 - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
 - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
 author: Florian Roth (Nextron Systems)
-date: 2018/06/22
-modified: 2021/11/27
+date: 2018-06-22
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml b/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml
index 324555a2695..fc2a8f6f0c1 100644
--- a/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
 author: frack113
-date: 2022/01/01
-modified: 2022/07/14
+date: 2022-01-01
+modified: 2022-07-14
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
index a5f2f3b61fb..fc2464708d8 100644
--- a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
@@ -9,9 +9,9 @@ references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml b/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml
index 351f2ed5feb..34415b94613 100644
--- a/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml
+++ b/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
 author: frack113
-date: 2022/01/30
-modified: 2022/11/21
+date: 2022-01-30
+modified: 2022-11-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml b/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml
index df3f962ad5b..8ec4f4908ff 100644
--- a/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml
@@ -5,8 +5,8 @@ description: Well-known TAP software installation. Possible preparation for data
 references:
 - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-date: 2019/10/24
-modified: 2023/12/11
+date: 2019-10-24
+modified: 2023-12-11
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/windows/process_creation/proc_creation_win_tar_compression.yml b/rules/windows/process_creation/proc_creation_win_tar_compression.yml
index 873f9fc8607..3cf3fcfa076 100644
--- a/rules/windows/process_creation/proc_creation_win_tar_compression.yml
+++ b/rules/windows/process_creation/proc_creation_win_tar_compression.yml
@@ -9,7 +9,7 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Tar/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
 author: Nasreddine Bencherchali (Nextron Systems), AdmU3
-date: 2023/12/19
+date: 2023-12-19
 tags:
 - attack.collection
 - attack.exfiltration
diff --git a/rules/windows/process_creation/proc_creation_win_tar_extraction.yml b/rules/windows/process_creation/proc_creation_win_tar_extraction.yml
index d9135d1b724..98298b3e9f4 100644
--- a/rules/windows/process_creation/proc_creation_win_tar_extraction.yml
+++ b/rules/windows/process_creation/proc_creation_win_tar_extraction.yml
@@ -9,7 +9,7 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Tar/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
 author: AdmU3
-date: 2023/12/19
+date: 2023-12-19
 tags:
 - attack.collection
 - attack.exfiltration
diff --git a/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml
index 4e76d7b48cc..b0b7fd4d3e9 100644
--- a/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml
+++ b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml
@@ -10,9 +10,9 @@ references:
 - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
 - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
 author: Ilya Krestinichev, Florian Roth (Nextron Systems)
-date: 2022/09/13
+date: 2022-09-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
index 1d8734dbf92..8fdc84c0681 100644
--- a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
@@ -9,8 +9,8 @@ references:
 - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
 - https://pentestlab.blog/tag/svchost/
 author: Swachchhanda Shrawan Poudel
-date: 2024/02/12
-modified: 2024/03/13
+date: 2024-02-12
+modified: 2024-03-13
 tags:
 - attack.t1003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml b/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
index a7826d46ad0..62fc346affb 100644
--- a/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
@@ -5,10 +5,10 @@ description: Detects the creation of taskmgr.exe process in context of LOCAL_SYS
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2018/03/18
-modified: 2022/05/27
+date: 2018-03-18
+modified: 2022-05-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
index a947261665c..24e8cb145f1 100644
--- a/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a process via the Windows task manager. Thi
 references:
 - https://twitter.com/ReneFreingruber/status/1172244989335810049
 author: Florian Roth (Nextron Systems)
-date: 2018/03/13
-modified: 2024/01/18
+date: 2018-03-13
+modified: 2024-01-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
index 8cda14f9e73..021da471ef2 100644
--- a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
@@ -8,10 +8,10 @@ references:
 - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
 - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
 author: '@SerkinValery'
-date: 2022/09/16
-modified: 2023/12/18
+date: 2022-09-16
+modified: 2023-12-18
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
index 78fb7387ad8..cc5cd405435 100644
--- a/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
+++ b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
@@ -5,7 +5,7 @@ description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart
 references:
 - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/15
+date: 2023-06-15
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml b/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml
index 58c0f9631c4..536b3175892 100644
--- a/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml
@@ -7,10 +7,10 @@ references:
 - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 - https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
 author: Florian Roth (Nextron Systems)
-date: 2018/03/17
-modified: 2022/05/27
+date: 2018-03-17
+modified: 2022-05-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml b/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml
index af9ba4ac511..dda2f95d02c 100644
--- a/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml
@@ -7,10 +7,10 @@ references:
 - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 - https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/
 author: Florian Roth (Nextron Systems)
-date: 2018/03/17
-modified: 2023/05/16
+date: 2018-03-17
+modified: 2023-05-16
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1563.002
 - attack.t1021.001
 - car.2013-07-002
diff --git a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
index d98c795a7f8..da3c8b1ad66 100644
--- a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
@@ -5,7 +5,7 @@ description: Detects potential RDP Session Hijacking activity on Windows systems
 references:
 - https://twitter.com/Moti_B/status/909449115477659651
 author: '@juju4'
-date: 2022/12/27
+date: 2022-12-27
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
index 23e9805b092..e35de890eca 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
@@ -7,11 +7,11 @@ references:
 - https://github.com/hfiref0x/UACME
 - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
index 36a16b00244..54431028ce1 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using scheduled tasks and variabl
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
index c1415fabac6..6bd65d8b56e 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
@@ -7,11 +7,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
 - https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2022/08/30
+date: 2019-10-24
+modified: 2022-08-30
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 - attack.t1218.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
index 188619e7914..e57df597952 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
@@ -8,12 +8,12 @@ references:
 - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 - https://github.com/hfiref0x/UACME
 author: Nik Seetharaman, Christian Burkard (Nextron Systems)
-date: 2019/07/31
-modified: 2022/09/21
+date: 2019-07-31
+modified: 2022-09-21
 tags:
 - attack.execution
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 - attack.t1218.003
 - attack.g0069
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
index 4dfe578e0c4..0163e1ac983 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
@@ -5,11 +5,11 @@ description: Detects tools such as UACMe used to bypass UAC with computerdefault
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/31
-modified: 2022/10/09
+date: 2021-08-31
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
index 33b8c645419..e21dee1e9b0 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dl
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
index be3f6eb6e8a..8250a092d05 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UAC
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
index 3113412c597..3bf09474be4 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/orange_8361/status/1518970259868626944
 - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/22
+date: 2022-11-22
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
index 3d889f30380..5ada3cce64f 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
@@ -6,10 +6,10 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md
 author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2021/11/27
+date: 2019-10-24
+modified: 2021-11-27
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
index f0b0f5ce4cb..c987fc15d3b 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
@@ -5,9 +5,9 @@ description: Detects attempts to bypass User Account Control (UAC) by hijacking
 references:
 - https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/27
+date: 2022-09-27
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
index 7934fc77b9d..db1ec4358e4 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM int
 references:
 - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
 author: Florian Roth (Nextron Systems), Elastic (idea)
-date: 2022/09/13
-modified: 2022/09/27
+date: 2022-09-13
+modified: 2022-09-27
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
index 6ff2df23c2e..05ecaa8ee28 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
@@ -5,11 +5,11 @@ description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
 references:
 - https://github.com/Wh04m1001/IDiagnosticProfileUAC
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/03
+date: 2022-07-03
 tags:
 - attack.execution
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
index dbf495ec24d..da0fa174b2a 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
index 1044386ef5d..52bec8124ed 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
index e343b03692c..dfe8b47398f 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
index 54f19503c5a..523d2be04ec 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UA
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
index a12ba436654..77976a2efbd 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/6
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/02/14
+date: 2020-05-02
+modified: 2023-02-14
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
index 91dbe36f5be..ebdd7a29b7d 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
@@ -7,9 +7,9 @@ references:
 - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
 - https://github.com/netero1010/TrustedPath-UACBypass-BOF
 author: Florian Roth (Nextron Systems)
-date: 2021/08/27
+date: 2021-08-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
index 4c5a55613f3..c230f475e9a 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a path parsing issue in win
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
index 4e59df648a0..a365002b800 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using Windows Media Player osksup
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
index 7bef75dbd8c..c8188244f80 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
@@ -2,7 +2,7 @@ title: Bypass UAC via WSReset.exe
 id: d797268e-28a9-49a7-b9a8-2f5039011c5c
 related:
 - id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
 references:
@@ -11,11 +11,11 @@ references:
 - https://www.activecyber.us/activelabs/windows-uac-bypass
 - https://twitter.com/ReaQta/status/1222548288731217921
 author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
-date: 2019/10/24
-modified: 2022/05/13
+date: 2019-10-24
+modified: 2022-05-13
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
index bf66d4460b9..2e139752a3b 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
@@ -7,11 +7,11 @@ references:
 - https://github.com/hfiref0x/UACME
 - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ultravnc.yml b/rules/windows/process_creation/proc_creation_win_ultravnc.yml
index 6d2fbc37b21..31c62dd9121 100644
--- a/rules/windows/process_creation/proc_creation_win_ultravnc.yml
+++ b/rules/windows/process_creation/proc_creation_win_ultravnc.yml
@@ -5,9 +5,9 @@ description: An adversary may use legitimate desktop support and remote access s
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
 author: frack113
-date: 2022/10/02
+date: 2022-10-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml
index dbe7e3fef4f..c7e91f5083c 100644
--- a/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml
@@ -8,10 +8,10 @@ references:
 - https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
 - https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
 author: Bhabesh Raj
-date: 2022/03/04
-modified: 2022/03/09
+date: 2022-03-04
+modified: 2022-03-09
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.g0047
 - attack.t1021.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml b/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
index 67cbf260e5d..94699a6fe05 100644
--- a/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
+++ b/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
@@ -5,10 +5,10 @@ description: Adversaries may disable security tools to avoid possible detection
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: frack113
-date: 2021/07/12
-modified: 2023/03/09
+date: 2021-07-12
+modified: 2023-03-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
index 3e349b6f661..b7893d038b6 100644
--- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
@@ -9,8 +9,8 @@ references:
 - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
 - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
 author: Tom Ueltschi (@c_APT_ure), Tim Shelton
-date: 2019/01/12
-modified: 2023/11/14
+date: 2019-01-12
+modified: 2023-11-14
 tags:
 - attack.t1037.001
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml b/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml
index 77c4d348db4..0d6faba44a5 100644
--- a/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml
+++ b/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml
@@ -5,10 +5,10 @@ description: List credentials currently stored in Windows Credential Manager via
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd
 author: frack113
-date: 2022/04/08
-modified: 2022/05/13
+date: 2022-04-08
+modified: 2022-05-13
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml b/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
index f5ad33c8206..f3d09f0015f 100644
--- a/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
+++ b/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
@@ -7,10 +7,10 @@ references:
 - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
 - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 author: Victor Sergeev, oscd.community
-date: 2020/10/09
-modified: 2022/07/11
+date: 2020-10-09
+modified: 2022-07-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml b/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
index 79208ee0163..66fe2e553a5 100644
--- a/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
 - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
 author: Janantha Marasinghe
-date: 2020/09/26
-modified: 2022/07/14
+date: 2020-09-26
+modified: 2022-07-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.006
 - attack.t1564
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml b/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
index 75c245f39ad..edc4a660e91 100644
--- a/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
 - https://twitter.com/pabraeken/status/993497996179492864
 author: Konstantin Grishchenko, oscd.community
-date: 2020/10/06
-modified: 2021/11/27
+date: 2020-10-06
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml
index 2a2c1446123..7dc7f4bfb2a 100644
--- a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml
@@ -9,7 +9,7 @@ references:
 - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
 - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/14
+date: 2023-06-14
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
index 65225d628bf..ba4038987c0 100644
--- a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
@@ -8,7 +8,7 @@ description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" a
 references:
 - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/14
+date: 2023-06-14
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
index bc3751e4ec8..a21d370af59 100644
--- a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
@@ -7,8 +7,8 @@ references:
 - https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png
 - https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf
 author: bohops, Bhabesh Raj
-date: 2021/10/08
-modified: 2023/07/25
+date: 2021-10-08
+modified: 2023-07-25
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
index 19360242f74..1538402e677 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/nas_bench/status/1618021838407495681
 - https://twitter.com/nas_bench/status/1618021415852335105
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/26
-modified: 2023/10/25
+date: 2023-01-26
+modified: 2023-10-25
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
index e3607a306f9..33ab564561d 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://code.visualstudio.com/docs/remote/tunnels
 author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml
index 177d912b9a1..c73c51207c6 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml
@@ -7,9 +7,9 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://code.visualstudio.com/docs/remote/tunnels
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
index 42e75cd56e5..8c68972b65c 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://code.visualstudio.com/docs/remote/tunnels
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/28
+date: 2023-09-28
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
index 8026d5d8d86..bb20a7ae017 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
@@ -7,9 +7,9 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://code.visualstudio.com/docs/remote/tunnels
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml
index 0eb26551840..3eaf8a4b7a1 100644
--- a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml
+++ b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml
@@ -5,9 +5,9 @@ description: Detects execution of "VSDiagnostics.exe" with the "start" command i
 references:
 - https://twitter.com/0xBoku/status/1679200664013135872
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/03
+date: 2023-08-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml b/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml
index fe0dd2a581e..da01a1837bd 100644
--- a/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml
@@ -5,9 +5,9 @@ description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution wit
 references:
 - https://twitter.com/bohops/status/1583916360404729857
 author: bohops
-date: 2022/10/30
+date: 2022-10-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_w32tm.yml b/rules/windows/process_creation/proc_creation_win_w32tm.yml
index 173f591942b..072e381d7a1 100644
--- a/rules/windows/process_creation/proc_creation_win_w32tm.yml
+++ b/rules/windows/process_creation/proc_creation_win_w32tm.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md
 - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
 author: frack113
-date: 2022/09/25
+date: 2022-09-25
 tags:
 - attack.discovery
 - attack.t1124
diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
index c08b6841a5a..3a698e48fe3 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
@@ -7,10 +7,10 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2022/09/27
+date: 2022-08-12
+modified: 2022-09-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
index 81787cc2840..c928adbf34b 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
@@ -7,10 +7,10 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2022/09/27
+date: 2022-08-12
+modified: 2022-09-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml
index 45e01adadfe..3c8044028b5 100644
--- a/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml
+++ b/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml
@@ -16,8 +16,8 @@ references:
 - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/13
-modified: 2024/05/10
+date: 2021-12-13
+modified: 2024-05-10
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml
index 36cd87e88dd..44c9037e5c8 100644
--- a/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml
+++ b/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml
@@ -16,8 +16,8 @@ references:
 - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/13
-modified: 2024/05/10
+date: 2021-12-13
+modified: 2024-05-10
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml
index 28ad8635baf..c5e0ffd8166 100644
--- a/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml
@@ -10,9 +10,9 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml
index 0cac4b39420..31310f503d2 100644
--- a/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml
@@ -11,7 +11,7 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
 - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2024/05/10
+date: 2024-05-10
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml
index bc95f44c9c0..36f3ffa75ba 100644
--- a/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml
@@ -13,9 +13,9 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml b/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml
index 991c86b7762..1e81f5f91f8 100644
--- a/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml
@@ -9,7 +9,7 @@ references:
 - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
 - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
 author: Micah Babinski
-date: 2023/08/21
+date: 2023-08-21
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
index 3a87945a630..d7edb232fec 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
@@ -5,7 +5,7 @@ description: Detects patterns found in process executions cause by China Chopper
 references:
 - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
 author: Florian Roth (Nextron Systems), MSTI (query)
-date: 2022/10/01
+date: 2022-10-01
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
index 2b3dbc800d9..3de1c43d017 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
@@ -6,8 +6,8 @@ description: |
 references:
 - https://youtu.be/7aemGhaE9ds?t=641
 author: Florian Roth (Nextron Systems)
-date: 2022/03/17
-modified: 2023/11/09
+date: 2022-03-17
+modified: 2023-11-09
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
index 67e6d15358c..96feead4ecc 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
@@ -6,8 +6,8 @@ references:
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
- https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
-date: 2017/01/01
-modified: 2022/05/13
+date: 2017-01-01
+modified: 2022-05-13
tags:
- attack.persistence
- attack.t1505.003
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
index d0822cbd413..476809f3cf0 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
@@ -6,8 +6,8 @@ description: |
references:
- https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/01/16
-modified: 2023/11/11
+date: 2019-01-16
+modified: 2023-11-11
tags:
- attack.persistence
- attack.t1505.003
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml b/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml
index 1358e328b79..e5031f62ae3 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml
@@ -6,8 +6,8 @@ description: |
references:
- https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
author: Cian Heasley, Florian Roth (Nextron Systems)
-date: 2020/07/22
-modified: 2023/11/09
+date: 2020-07-22
+modified: 2023-11-09
tags:
- attack.persistence
- attack.t1505.003
diff --git a/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml
index f8d4a40ebbb..0d17c692ab3 100644
--- a/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml
+++ b/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml
@@ -6,10 +6,10 @@ references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash , Nasreddine Bencherchali'
-date: 2022/12/08
-modified: 2022/12/09
+date: 2022-12-08
+modified: 2022-12-09
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1003.001
logsource:
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
index 53acd9cfb71..75b4f985958 100644
--- a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
@@ -9,10 +9,10 @@ references:
- https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior (Nextron Systems)
-date: 2023/06/30
+date: 2023-06-30
tags:
- attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1036
logsource:
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml
index 7c49062e0e4..182b17941b3 100644
--- a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml
@@ -10,11 +10,11 @@ references:
- https://www.echotrail.io/insights/search/wermgr.exe
- https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
-date: 2022/10/14
-modified: 2024/06/20
+date: 2022-10-14
+modified: 2024-06-20
tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
- attack.t1055
- attack.t1036
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml
index 1f6f63ff445..41638c10749 100644
--- a/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml
@@ -10,8 +10,8 @@ references:
- https://www.echotrail.io/insights/search/wermgr.exe
- https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
-date: 2022/10/14
-modified: 2023/08/23
+date: 2022-10-14
+modified: 2023-08-23
tags:
- attack.execution
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml
index 0645a1cb34b..e107572c0bc 100644
--- a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml
@@ -5,7 +5,7 @@ description: Detects potentially suspicious file downloads directly from IP addr
references:
- https://www.gnu.org/software/wget/manual/wget.html
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/27
+date: 2023-07-27
tags:
- attack.execution
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
index 005aef2c940..fd62eb5e093 100644
--- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
@@ -7,8 +7,8 @@ references:
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/05
-modified: 2024/02/09
+date: 2023-05-05
+modified: 2024-02-09
tags:
- attack.execution
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml
index 1a62c2f6220..01636c4e67d 100644
--- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml
@@ -5,7 +5,7 @@ description: Detects potentially suspicious file downloads directly from IP addr
references:
- https://www.gnu.org/software/wget/manual/wget.html
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/23
+date: 2024-02-23
tags:
- attack.execution
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml b/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml
index 8407ef7f091..597f2619920 100644
--- a/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml
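Review bot: The hunk header for proc_creation_win_wget_download_susp_locations.yml shows its description beginning `Detects potentially suspicious file downloads directly from IP addr…`, byte-identical to the description of proc_creation_win_wget_download_direct_ip.yml in the preceding hunk; given the filename, this looks like a copy-paste leftover, so the rule's actual purpose is undocumented for the analyst who triages its alerts. The description line sits just above the hunk, so the commit does not touch it, but a metadata-normalization pass is the natural moment to fix it. The replacement should name the download locations the detection block matches (that block is outside this hunk), along the lines of `description: Detects potentially suspicious file downloads via wget to uncommon target locations` with the specific paths spelled out from the selection.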
@@ -8,8 +8,8 @@ description: |
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/13
-modified: 2022/06/29
+date: 2021-12-13
+modified: 2022-06-29
tags:
- attack.discovery
- attack.t1217
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml
index 6115cc0f149..22817da9b36 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml
@@ -7,8 +7,8 @@ references:
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/12/04
-modified: 2024/03/05
+date: 2023-12-04
+modified: 2024-03-05
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_execution.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution.yml
index 531ac6e6da1..b497a81521c 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_execution.yml
@@ -6,8 +6,8 @@ references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth (Nextron Systems)
-date: 2018/08/13
-modified: 2023/11/30
+date: 2018-08-13
+modified: 2023-11-30
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
index 45e25fe47b4..daa294ce3b4 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
@@ -2,17 +2,17 @@ title: Whoami.EXE Execution From Privileged Process
id: 79ce34ca-af29-4d0e-b832-fc1b377020db
related:
- id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
- type: obsoletes
+ type: obsolete
status: experimental
description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
-date: 2022/01/28
-modified: 2023/12/04
+date: 2022-01-28
+modified: 2023-12-04
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.discovery
- attack.t1033
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml
index 229cf65c7ab..a64d3e5bf4d 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml
@@ -5,7 +5,7 @@ description: Detects the execution of whoami.exe with the /group command line fl
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/28
+date: 2023-02-28
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_output.yml b/rules/windows/process_creation/proc_creation_win_whoami_output.yml
index 2d74a28c74f..78d2919bc53 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_output.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_output.yml
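Review bot: After this hunk proc_creation_win_whoami_execution_from_high_priv_process.yml, itself still `status: experimental`, declares `type: obsolete` against rule 80167ada-7a12-41ed-b8e9-aa47195c66a1; the spelling change is the expected v2 rename, but an experimental rule obsoleting another one is only coherent if that other rule carries `status: deprecated`, otherwise both keep firing on the same whoami executions and the relationship is misleading to consumers that filter on it. The obsoleted file is not in this chunk, so I cannot confirm its status — worth checking in the same change. If the older rule is still stable, either promote this rule's status or weaken the link to `type: similar` until it graduates.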
@@ -7,8 +7,8 @@ references:
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/28
-modified: 2023/12/04
+date: 2023-02-28
+modified: 2023-12-04
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
index ccdd36a49bb..37e64e0f036 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
@@ -7,8 +7,8 @@ references:
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems)
-date: 2021/08/12
-modified: 2023/12/04
+date: 2021-08-12
+modified: 2023-12-04
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml
index c60f3dc91b9..3d41d47e9f9 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml
@@ -5,10 +5,10 @@ description: Detects a whoami.exe executed with the /priv command line flag inst
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Florian Roth (Nextron Systems)
-date: 2021/05/05
-modified: 2023/02/28
+date: 2021-05-05
+modified: 2023-02-28
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.discovery
- attack.t1033
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
index c87f477284b..a31be8e93b0 100644
--- a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
@@ -6,8 +6,8 @@ references:
- https://persistence-info.github.io/Data/windowsterminalprofile.html
- https://twitter.com/nas_bench/status/1550836225652686848
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/25
-modified: 2023/02/14
+date: 2022-07-25
+modified: 2023-02-14
tags:
- attack.execution
- attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml
index 4efffd1d2ed..8aafaf81e29 100644
--- a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml
@@ -11,9 +11,9 @@ references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/source
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/17
+date: 2023-04-17
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.execution
- attack.t1059
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml
index 33e3ddd4bbb..78c3065c613 100644
--- a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml
@@ -13,9 +13,9 @@ references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/source
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/17
+date: 2023-04-17
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.execution
- attack.t1059
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml
index c1ac79f6754..ce4f11509fb 100644
--- a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml
@@ -11,10 +11,10 @@ references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/source
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/17
-modified: 2023/12/04
+date: 2023-04-17
+modified: 2023-12-04
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.execution
- attack.t1059
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml
index 1bc59fa97d6..46900416b8f 100644
--- a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml
@@ -10,10 +10,10 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Winget/
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Sreeman, Florian Roth (Nextron Systems), frack113
-date: 2020/04/21
-modified: 2023/04/17
+date: 2020-04-21
+modified: 2023-04-17
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.execution
- attack.t1059
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml
index fa562799e67..634634ed7b1 100644
--- a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml
@@ -8,8 +8,8 @@ description: Detects execution of WinRAR in order to compress a file with a ".dm
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
author: Florian Roth (Nextron Systems)
-date: 2022/01/04
-modified: 2023/09/12
+date: 2022-01-04
+modified: 2023-09-12
tags:
- attack.collection
- attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml
index da37d2210aa..b8cb34fdcf4 100644
--- a/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml
@@ -9,7 +9,7 @@ references:
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/31
+date: 2023-08-31
tags:
- attack.execution
- attack.t1203
diff --git a/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml b/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml
index bba0ae8a21c..97763878c01 100644
--- a/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml
@@ -5,8 +5,8 @@ description: Detects a suspicious winrar execution in a folder which is not the
references:
- https://twitter.com/cyb3rops/status/1460978167628406785
author: Florian Roth (Nextron Systems), Tigzy
-date: 2021/11/17
-modified: 2023/08/31
+date: 2021-11-17
+modified: 2023-08-31
tags:
- attack.collection
- attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml b/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml
index 00c5f08b211..4ccfdff9161 100644
--- a/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml
@@ -5,10 +5,10 @@ description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl v
references:
- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
-date: 2020/10/06
-modified: 2022/10/09
+date: 2020-10-06
+modified: 2022-10-09
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1216
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml b/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml
index b51594406f1..cab7cf058c7 100644
--- a/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml
@@ -7,10 +7,10 @@ references:
- https://redcanary.com/blog/lateral-movement-winrm-wmi/
- https://lolbas-project.github.io/lolbas/Scripts/Winrm/
author: Julia Fomina, oscd.community
-date: 2020/10/07
-modified: 2023/03/03
+date: 2020-10-07
+modified: 2023-03-03
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1216
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml b/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml
index 60b03962010..37921b6114f 100644
--- a/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml
@@ -5,8 +5,8 @@ description: Detects remote PowerShell sections by monitoring for wsmprovhost (W
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-modified: 2022/10/09
+date: 2019-09-12
+modified: 2022-10-09
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml
index 67f29fe1ee0..326cd2f9587 100644
--- a/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml
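Review bot: The hunk header for proc_creation_win_winrm_remote_powershell_session_process.yml shows the description starting `Detects remote PowerShell sections by monitoring for wsmprovhost (W…`; "sections" should read "sessions", which is what the WinRM host process wsmprovhost.exe provides. That description line is just outside the hunk and the commit only touches date formats, but a typo in the first sentence an analyst reads deserves fixing while the file is being edited: `description: Detects remote PowerShell sessions by monitoring for wsmprovhost (W…` with the rest of the sentence unchanged.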
@@ -5,13 +5,13 @@ description: Detects suspicious processes including shells spawnd from WinRM hos
author: Andreas Hunkeler (@Karneades), Markus Neis
references:
- Internal Research
-date: 2021/05/20
-modified: 2022/07/14
+date: 2021-05-20
+modified: 2022-07-14
tags:
- attack.t1190
- - attack.initial_access
+ - attack.initial-access
- attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml b/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml
index b136a6e8382..024b904062b 100644
--- a/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml
+++ b/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml
@@ -5,8 +5,8 @@ description: An adversary may compress or encrypt data that is collected prior t
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
-date: 2021/07/27
-modified: 2022/12/25
+date: 2021-07-27
+modified: 2022-12-25
tags:
- attack.collection
- attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml
index c6bffc2e8ec..de065585c20 100644
--- a/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml
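Review bot: In proc_creation_win_winrm_susp_child_process.yml the renamed tag list still puts the technique ahead of its tactic (`attack.t1190` precedes `attack.initial-access`), unlike every other hunk in this change where tactics come first and the technique follows; reordering to `- attack.initial-access`, `- attack.t1190`, `- attack.persistence`, `- attack.privilege-escalation` keeps the convention uniform. The hunk header also shows the description containing `shells spawnd from WinRM hos…`, where `spawnd` should be `spawned`; that line sits just above the hunk. Whether T1190 is the right technique for child processes of the WinRM host (T1021.006, Remote Services: Windows Remote Management, is the more usual mapping for post-authentication WinRM activity) deserves a second look, though the detection block that would settle it is outside this hunk.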
@@ -8,10 +8,10 @@ references:
- https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
- https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/
author: frack113, manasmbellani
-date: 2022/02/16
-modified: 2024/03/06
+date: 2022-02-16
+modified: 2024-03-06
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
index 2fae2a4af9a..7af9fb7cef0 100644
--- a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
@@ -6,8 +6,8 @@ references:
- https://twitter.com/cglyer/status/1182389676876980224
- https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
-date: 2019/10/11
-modified: 2023/02/08
+date: 2019-10-11
+modified: 2023-02-08
tags:
- attack.persistence
- attack.t1546.003
diff --git a/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml
index cb2f28e5bef..cb436fbfd7c 100644
--- a/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml
@@ -5,11 +5,11 @@ description: Detects WMI script event consumers
references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
-date: 2018/03/07
-modified: 2022/10/11
+date: 2018-03-07
+modified: 2022-10-11
tags:
- attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1546.003
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml b/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
index 208176a4150..ead1a4d821e 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
@@ -6,8 +6,8 @@ references:
- https://twitter.com/johnlatwc/status/1408062131321270282?s=12
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
author: Florian Roth (Nextron Systems)
-date: 2021/06/25
-modified: 2023/02/14
+date: 2021-06-25
+modified: 2023-02-14
tags:
- attack.persistence
- attack.t1546.003
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml b/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml
index d6809887400..72c0d40ca0e 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml
@@ -7,10 +7,10 @@ references:
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
- https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
author: frack113
-date: 2022/12/11
-modified: 2023/02/14
+date: 2022-12-11
+modified: 2023-02-14
tags:
- - attack.credential_access
+ - attack.credential-access
- attack.t1546.008
logsource:
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml b/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml
index a242bd5fa47..2071ae8990b 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml
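Review bot: The tag pair left in proc_creation_win_wmic_namespace_defender.yml after this hunk is internally inconsistent: `attack.credential-access` is the renamed tactic, but `attack.t1546.008` (Event Triggered Execution: Accessibility Features) belongs to Persistence/Privilege Escalation, not Credential Access, and neither fits the cited references, which describe Gootkit and ransomware tampering with Defender exclusions. The rename is mechanical so the commit does not introduce the mismatch, but a tag-normalization pass is the right moment to correct it, since SIEM dashboards keyed on tactic will file these alerts under the wrong heading. If the detection block (outside this hunk) matches wmic access to the Defender WMI namespace, `- attack.defense-evasion` and `- attack.t1562.001` are the likely correct tags — confirm against the selection before changing.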
@@ -9,8 +9,8 @@ references:
- https://www.sans.org/blog/wmic-for-incident-response/
- https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
-date: 2019/01/16
-modified: 2023/02/14
+date: 2019-01-16
+modified: 2023-02-14
tags:
- attack.execution
- attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml
index fec41430b4a..43bc0832faf 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml
@@ -5,8 +5,8 @@ description: Detects execution of wmic utility with the "computersystem" flag in
references:
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/08
-modified: 2023/02/14
+date: 2022-09-08
+modified: 2023-02-14
tags:
- attack.discovery
- attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml
index c3dd3482766..30706912ee9 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml
@@ -6,7 +6,7 @@ references:
- https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/
- https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
author: Florian Roth (Nextron Systems)
-date: 2023/02/14
+date: 2023-02-14
tags:
- attack.execution
- attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml
index 375e35e1b4c..5eab2fe12e6 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml
@@ -9,8 +9,8 @@ description: |
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
-date: 2021/12/12
-modified: 2023/02/14
+date: 2021-12-12
+modified: 2023-02-14
tags:
- attack.discovery
- attack.t1069.001
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml
index d1f8c41aef8..761022e21df 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml
@@ -6,8 +6,8 @@ references:
- https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
- https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/20
-modified: 2023/02/14
+date: 2022-06-20
+modified: 2023-02-14
tags:
- attack.execution
- attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
index 2899144ce41..a10ef6786d1 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 author: frack113
-date: 2022/01/01
-modified: 2023/02/14
+date: 2022-01-01
+modified: 2023-02-14
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml
index 07db3fc47f2..65a3b3b510e 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml
@@ -7,7 +7,7 @@ references:
 - https://www.yeahhub.com/list-installed-programs-version-path-windows/
 - https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
 author: Nasreddine Bencherchali
-date: 2023/02/14
+date: 2023-02-14
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml
index 8c61e02a815..540ef9b989a 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
 - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
 author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
-date: 2023/02/14
-modified: 2023/03/07
+date: 2023-02-14
+modified: 2023-03-07
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
index 947bcaee73c..8ef1f0c7bbb 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
@@ -13,7 +13,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/14
+date: 2023-02-14
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml
index de18684dca9..40460c76c12 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml
@@ -17,8 +17,8 @@ references:
 - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
 - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
 author: TropChaud
-date: 2023/01/26
-modified: 2023/12/19
+date: 2023-01-26
+modified: 2023-12-19
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
index b3d54f81abf..8cd2e230098 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
@@ -12,8 +12,8 @@ references:
 - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/20
-modified: 2023/09/11
+date: 2022-06-20
+modified: 2023-09-11
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml
index b5719fa3089..759f600328e 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml
@@ -12,7 +12,7 @@ references:
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 author: Stephen Lincoln `@slincoln-aiq`(AttackIQ)
-date: 2024/02/02
+date: 2024-02-02
 tags:
 - attack.execution
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml
index b62dee19e30..43d49ac589a 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml
@@ -2,16 +2,16 @@ title: WMIC Remote Command Execution
 id: 7773b877-5abb-4a3e-b9c9-fd0369b59b00
 related:
 - id: e42af9df-d90b-4306-b7fb-05c863847ebd
- type: obsoletes
+ type: obsolete
 - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the execution of WMIC to query information on a remote system
 references:
 - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/14
+date: 2023-02-14
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml b/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml
index f1ca9fc45b9..7b5e0f2e7da 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml
@@ -5,8 +5,8 @@ description: Detects usage of wmic to start or stop a service
 references:
 - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/20
-modified: 2023/02/14
+date: 2022-06-20
+modified: 2023-02-14
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
index 8c791759c00..305acaae6fb 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
@@ -8,10 +8,10 @@ references:
 - https://atomicredteam.io/defense-evasion/T1220/
 - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
 author: Markus Neis, Florian Roth
-date: 2019/01/16
-modified: 2023/02/15
+date: 2019-01-16
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1047
 - attack.t1220
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
index 2fa2054bd48..6233eff74e1 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
@@ -4,27 +4,27 @@ related:
 - id: 438025f9-5856-4663-83f7-52f878a70a50
 type: derived
 - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
- type: obsoletes
+ type: obsolete
 - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
- type: obsoletes
+ type: obsolete
 - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
- type: obsoletes
+ type: obsolete
 - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
- type: obsoletes
+ type: obsolete
 status: test
 description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
 author: Vadim Khrykov, Cyb3rEng
-date: 2021/08/23
-modified: 2023/02/14
+date: 2021-08-23
+modified: 2023-02-14
 tags:
 - attack.t1204.002
 - attack.t1047
 - attack.t1218.010
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml b/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml
index 9fc8a9d21ee..81b58894cca 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml
@@ -9,8 +9,8 @@ references:
 - https://thedfirreport.com/2020/10/08/ryuks-return/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/12
-modified: 2023/02/14
+date: 2020-10-12
+modified: 2023-02-14
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml
index 8dd0fe238a8..46b80ddbf2f 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml
@@ -9,7 +9,7 @@ references:
 - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
 - https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/11
+date: 2023-09-11
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml
index 5484c51894a..6264814d961 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml
@@ -8,8 +8,8 @@ description: Detects the removal or uninstallation of an application via "Wmic.E
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
 author: frack113
-date: 2022/01/28
-modified: 2024/07/02
+date: 2022-01-28
+modified: 2024-07-02
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
index 590f7698eb1..3d0d1995a72 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
@@ -12,10 +12,10 @@ references:
 - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
 - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/01/30
-modified: 2023/02/14
+date: 2021-01-30
+modified: 2023-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
index eb4beb6bfb7..6cc520cca00 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
 author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
-date: 2019/10/21
-modified: 2024/03/05
+date: 2019-10-21
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1220
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
index 445dede4fee..6b9905c2c2d 100644
--- a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
@@ -10,8 +10,8 @@ description: Detects WmiPrvSE spawning a process
 references:
 - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/15
-modified: 2023/03/23
+date: 2019-08-15
+modified: 2023-03-23
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
index ab0a28a9b04..edeb4456c3d 100644
--- a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
@@ -10,8 +10,8 @@ description: Detects Powershell as a child of the WmiPrvSE process. Which could
 references:
 - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
 author: Markus Neis @Karneades
-date: 2019/04/03
-modified: 2023/03/29
+date: 2019-04-03
+modified: 2023-03-29
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
index d65e301e7bd..983b235d47f 100644
--- a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
@@ -6,7 +6,7 @@ related:
 - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
 type: similar
 - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects suspicious and uncommon child processes of WmiPrvSE
 references:
@@ -15,11 +15,11 @@ references:
 - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
 - https://twitter.com/ForensicITGuy/status/1334734244120309760
 author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
-date: 2021/08/23
-modified: 2023/11/10
+date: 2021-08-23
+modified: 2023-11-10
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1047
 - attack.t1204.002
 - attack.t1218.010
diff --git a/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml b/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml
index f0c69108697..f5315af5b1f 100644
--- a/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml
@@ -6,10 +6,10 @@ references:
 - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
 - https://persistence-info.github.io/Data/wpbbin.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/18
+date: 2022-07-18
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1542.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml
index 91f3d93f2c6..166d3d3faef 100644
--- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml
+++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml
@@ -9,8 +9,8 @@ references:
 - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
 - https://redcanary.com/blog/gootloader/
 author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/01/16
-modified: 2024/01/30
+date: 2019-01-16
+modified: 2024-01-30
 tags:
 - attack.execution
 - attack.t1059.005
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml
index aefacd9afad..d0f0402e788 100644
--- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml
@@ -9,8 +9,8 @@ references:
 - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt
 - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
 author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
-date: 2023/05/15
-modified: 2024/01/02
+date: 2023-05-15
+modified: 2024-01-02
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
index 5f25f325917..8ce52637060 100644
--- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
@@ -5,8 +5,8 @@ description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2023/06/19
+date: 2023-05-15
+modified: 2023-06-19
 tags:
 - attack.execution
 - attack.t1059.005
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
index 65491ff776b..f39edc3353a 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
@@ -9,11 +9,11 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
 - https://twitter.com/nas_bench/status/1535431474429808642
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/23
-modified: 2023/08/15
+date: 2023-01-23
+modified: 2023-08-15
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml
index 6f38bca7b8d..304e23b3c20 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml
@@ -9,11 +9,11 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
 - https://twitter.com/nas_bench/status/1535431474429808642
 author: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/05
-modified: 2023/04/12
+date: 2020-10-05
+modified: 2023-04-12
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
index 23f5d26a727..1773330abf6 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
@@ -5,10 +5,10 @@ description: Detects the execution of Windows binaries from within a WSL instanc
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/14
+date: 2023-02-14
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml
index 712d72f91e6..48af49ae59e 100644
--- a/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml
+++ b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml
@@ -2,19 +2,19 @@ title: Proxy Execution Via Wuauclt.EXE
 id: af77cf95-c469-471c-b6a0-946c685c4798
 related:
 - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
- type: obsoletes
+ type: obsolete
 - id: d7825193-b70a-48a4-b992-8b5b3015cc11
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
 references:
 - https://dtm.uk/wuauclt/
 - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
-date: 2020/10/12
-modified: 2023/11/11
+date: 2020-10-12
+modified: 2023-11-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
index 8f29a67ea07..604f48f6a88 100644
--- a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
 author: Florian Roth (Nextron Systems)
-date: 2022/02/26
-modified: 2023/11/11
+date: 2022-02-26
+modified: 2023-11-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml
index 33a939c17ae..a1db4fe0ecb 100644
--- a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml
+++ b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml
@@ -5,7 +5,7 @@ description: Detects usage of the "wusa.exe" (Windows Update Standalone Installe
 references:
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/04
+date: 2022-08-04
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml
index 46d3b7c1eb3..5e0fb0bd75c 100644
--- a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml
@@ -6,8 +6,8 @@ references:
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 - https://www.echotrail.io/insights/search/wusa.exe/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
-modified: 2023/11/28
+date: 2022-08-05
+modified: 2023-11-28
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml b/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml
index a095bb9900b..73fc7c9d67a 100644
--- a/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml
@@ -6,7 +6,7 @@ description: |
 references:
 - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
 author: X__Junior (Nextron Systems)
-date: 2023/11/26
+date: 2023-11-26
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
index 83fdb5e2894..808d8e8ae64 100644
--- a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
@@ -8,10 +8,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
 - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
 author: Christian Burkard (Nextron Systems)
-date: 2021/09/20
-modified: 2024/04/22
+date: 2021-09-20
+modified: 2024-04-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml b/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml
index 71b94a3492d..6297fac2214 100644
--- a/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml
@@ -9,10 +9,10 @@ references:
 - https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
 - https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
 author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/07
-modified: 2024/04/22
+date: 2020-10-07
+modified: 2024-04-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
index d1c2be162ee..c5c9b1e8a06 100644
--- a/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
+++ b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
 - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
-date: 2022/01/25
-modified: 2023/11/28
+date: 2022-01-25
+modified: 2023-11-28
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055.012
 logsource:
 product: windows
diff --git a/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml b/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
index 137b29a8b25..3e7002b1321 100644
--- a/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
+++ b/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
@@ -5,10 +5,10 @@ description: Detects raw disk access using uncommon tools or tools that are loca
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2023/11/28
+date: 2019-10-22
+modified: 2023-11-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1006
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
index f643eaff868..3bbb016b80b 100644
--- a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
+++ b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
@@ -9,10 +9,10 @@ references:
 - https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
 - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
 author: Christopher Peacock
-date: 2021/10/07
-modified: 2023/02/07
+date: 2021-10-07
+modified: 2023-02-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
index dad041dcaa7..50e86dc3406 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/amsi.html
 - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/02/07
+date: 2022-07-21
+modified: 2023-02-07
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
index 55f067b45ed..015af3461ca 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
@@ -5,8 +5,8 @@ description: Detects COM object hijacking via TreatAs subkey
 references:
 - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 author: Kutepov Anton, oscd.community
-date: 2019/10/23
-modified: 2023/02/07
+date: 2019-10-23
+modified: 2023-02-07
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
index 0b5db516bed..42854def3fc 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
@@ -12,8 +12,8 @@ references:
 - https://persistence-info.github.io/Data/diskcleanuphandler.html
 - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/02/07
+date: 2022-07-21
+modified: 2023-02-07
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
index c4a7a570477..d1374b97853 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
@@ -5,12 +5,12 @@ description: Detects creation of "UserInitMprLogonScript" registry value which c
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
 author: Tom Ueltschi (@c_APT_ure)
-date: 2019/01/12
-modified: 2023/06/09
+date: 2019-01-12
+modified: 2023-06-09
 tags:
 - attack.t1037.001
 - attack.persistence
- - attack.lateral_movement
+ - attack.lateral-movement
 logsource:
 category: registry_add
 product: windows
diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
index 96fe42dfa40..7266dd35216 100644
--- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
@@ -5,10 +5,10 @@ description: Detects the execution of a Sysinternals Tool via the creation of th
 references:
 - https://twitter.com/Moti_B/status/1008587936735035392
 author: Markus Neis
-date: 2017/08/28
-modified: 2023/02/07
+date: 2017-08-28
+modified: 2023-02-07
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
index d8cdebdedf8..5272fa58e96 100644
--- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
@@ -10,10 +10,10 @@ description: Detects the creation of the "accepteula" key related to the Sysinte
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/24
-modified: 2023/02/07
+date: 2022-08-24
+modified: 2023-02-07
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
index cf22352087b..0ab8b80cd6b 100644
--- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
@@ -4,16 +4,16 @@ related:
 - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
 type: derived
 - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
 references:
 - https://twitter.com/Moti_B/status/1008587936735035392
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/24
-modified: 2023/02/07
+date: 2022-08-24
+modified: 2023-02-07
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml b/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml
index 90724343fa8..1289711ad61 100755
--- a/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml
@@ -14,7 +14,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
 - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
 author: Sajid Nawaz Khan
-date: 2024/06/02
+date: 2024-06-02
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
index fa66851298d..d62440d9720 100644
--- a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
@@ -5,10 +5,10 @@ description: Detects the removal of folders from the "ProtectedFolders" list of
 references:
 - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
-modified: 2023/02/08
+date: 2022-08-05
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_delete
diff --git a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
index a84d29bd694..99588236826 100644
--- a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
@@ -7,10 +7,10 @@ references:
 - http://woshub.com/how-to-clear-rdp-connections-history/
 - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
 author: Christian Burkard (Nextron Systems)
-date: 2021/10/19
-modified: 2023/02/08
+date: 2021-10-19
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
index 84770ee4cdf..0d00f1589ae 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://seclists.org/fulldisclosure/2020/Mar/45
 author: frack113
-date: 2021/06/07
-modified: 2023/02/08
+date: 2021-06-07
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index 3b9c723e6d1..7978818a263 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -11,10 +11,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
 - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/01/19
+date: 2020-05-02
+modified: 2023-01-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
index ec2b9d20cc0..d0c06457e91 100644
--- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
@@ -10,10 +10,10 @@ description: Detects when the "index" value of a scheduled task is removed or de
 references:
 - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/26
-modified: 2023/02/08
+date: 2022-08-26
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
index 4272a303677..d33cc045d95 100644
--- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
@@ -8,10 +8,10 @@ description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree r
 references:
 - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
 author: Sittikorn S
-date: 2022/04/15
-modified: 2023/02/08
+date: 2022-04-15
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
index ae9eb724605..27b24208b14 100644
--- a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
+++ b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
@@ -5,8 +5,8 @@ description: Sysmon registry detection of a local hidden user account.
 references:
 - https://twitter.com/SBousseaden/status/1387530414185664538
 author: Christian Burkard (Nextron Systems)
-date: 2021/05/03
-modified: 2022/08/05
+date: 2021-05-03
+modified: 2022-08-05
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
index 2a6c82476eb..2ef031e2a56 100755
--- a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
+++ b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
@@ -6,10 +6,10 @@ references:
 - https://wikileaks.org/vault7/#Pandemic
 - https://twitter.com/MalwareJake/status/870349480356454401
 author: Florian Roth (Nextron Systems)
-date: 2017/06/01
-modified: 2022/10/09
+date: 2017-06-01
+modified: 2022-10-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
index b2cc65feaf6..86fb0e9944d 100644
--- a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
+++ b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
@@ -6,11 +6,11 @@ references:
 - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
 - https://lolbas-project.github.io/lolbas/Binaries/Wsreset
 author: oscd.community, Dmitry Uchakin
-date: 2020/10/07
-modified: 2021/11/27
+date: 2020-10-07
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml b/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
index 74ce8d30a8e..d90563ee5fb 100755
--- a/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
+++ b/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
@@ -5,10 +5,10 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 references:
 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 author: Nik Seetharaman
-date: 2018/07/16
-modified: 2020/12/23
+date: 2018-07-16
+modified: 2020-12-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218.003
 - attack.g0069
diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index daf5c3715b9..3c289fed49d 100755
--- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -5,10 +5,10 @@ description: Detects the addition of a key 'MiniNt' to the registry. Upon a rebo
 references:
 - https://twitter.com/0gtweet/status/1182516740955226112
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-modified: 2021/11/27
+date: 2019-10-25
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
index 4414184fd55..56a249bb1d2 100644
--- a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/08/25
-modified: 2021/11/27
+date: 2019-08-25
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml b/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
index 11f9c478e07..edcea9a7b0b 100644
--- a/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
+++ b/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
@@ -5,10 +5,10 @@ description: Detects the volume shadow copy service initialization and processin
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/20
-modified: 2022/12/25
+date: 2020-10-20
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml b/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
index 99265f73f42..8ed273e1ed0 100755
--- a/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
+++ b/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
@@ -5,10 +5,10 @@ description: Detects the use of Windows Credential Editor (WCE)
 references:
 - https://www.ampliasecurity.com/research/windows-credentials-editor/
 author: Florian Roth (Nextron Systems)
-date: 2019/12/31
-modified: 2021/11/27
+date: 2019-12-31
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0005
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml b/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
index 950d2d30115..70c4224660c 100644
--- a/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
+++ b/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
@@ -5,10 +5,10 @@ description: Detects the installation of the Azure Hybrid Connection Manager ser
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/04/12
-modified: 2022/11/27
+date: 2021-04-12
+modified: 2022-11-27
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1608
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
index b20358d3613..21e4fcd2cd1 100644
--- a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
+++ b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
@@ -5,8 +5,8 @@ description: Detects the presence of a registry key created during Azorult execu
 references:
 - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
 author: Trent Liffick
-date: 2020/05/08
-modified: 2021/11/27
+date: 2020-05-08
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
index d56a0e72245..52adb226f85 100644
--- a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
+++ b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
@@ -5,9 +5,9 @@ description: Detects a registry key used by IceID in a campaign that distributes
 references:
 - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: Hieu Tran
-date: 2023/03/13
+date: 2023-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml b/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
index 93125c35c93..7a8481464e6 100644
--- a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
+++ b/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
@@ -9,13 +9,13 @@ references:
 - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 - https://nvd.nist.gov/vuln/detail/cve-2021-34527
 author: Markus Neis, @markus_neis, Florian Roth
-date: 2021/07/04
-modified: 2023/06/12
+date: 2021-07-04
+modified: 2023-06-12
 tags:
 - attack.execution
 - attack.t1204
- - cve.2021.1675
- - cve.2021.34527
+ - cve.2021-1675
+ - cve.2021-34527
 logsource:
 product: windows
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml b/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
index 06320c02f38..9188354d8f7 100644
--- a/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
+++ b/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
 - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
 author: Bartlomiej Czyz @bczyz1, oscd.community
-date: 2020/10/11
-modified: 2021/11/27
+date: 2020-10-11
+modified: 2021-11-27
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.002
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
index 5920c1ab35a..c8ab8533915 100755
--- a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
+++ b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
@@ -5,8 +5,8 @@ description: Detects abusing Windows 10 Narrator's Feedback-Hub
 references:
 - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
 author: Dmitriy Lifanov, oscd.community
-date: 2019/10/25
-modified: 2022/03/26
+date: 2019-10-25
+modified: 2022-03-26
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index c5266767b62..d982ab65fd6 100644
--- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -5,10 +5,10 @@ description: Detects NetNTLM downgrade attack
 references:
 - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 author: Florian Roth (Nextron Systems), wagga
-date: 2018/03/20
-modified: 2022/11/29
+date: 2018-03-20
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
index 982ed006601..93d902ac561 100755
--- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
@@ -8,8 +8,8 @@ references:
 - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
 - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-modified: 2021/11/27
+date: 2019-10-25
+modified: 2021-11-27
 tags:
 - attack.persistence
 - attack.t1546.009
diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
index e285d3b37b1..71bdd12881a 100755
--- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -5,8 +5,8 @@ description: DLLs that are specified in the AppInit_DLLs value in the Registry k
 references:
 - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
 author: Ilyas Ochkov, oscd.community, Tim Shelton
-date: 2019/10/25
-modified: 2022/12/25
+date: 2019-10-25
+modified: 2022-12-25
 tags:
 - attack.persistence
 - attack.t1546.010
diff --git a/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml b/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml
index 6ea18b6b1a5..81010fa9a06 100644
--- a/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml
+++ b/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml
@@ -5,8 +5,8 @@ description: Detects the addition of office test registry that allows a user to
 references:
 - https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
 author: omkar72
-date: 2020/10/25
-modified: 2023/11/08
+date: 2020-10-25
+modified: 2023-11-08
 tags:
 - attack.persistence
 - attack.t1137.002
diff --git a/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml b/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml
index a465f04249a..6125dd99c97 100644
--- a/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml
+++ b/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml
@@ -10,10 +10,10 @@ references:
 - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
 - https://twitter.com/inversecos/status/1494174785621819397
 author: Antonlovesdnb, Trent Liffick (@tliffick)
-date: 2020/02/19
-modified: 2023/06/21
+date: 2020-02-19
+modified: 2023-06-21
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
index 2653e50cb2a..4f6a06aef32 100644
--- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
@@ -7,8 +7,8 @@ references:
 - https://persistence-info.github.io/Data/recyclebin.html
 - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
 author: frack113
-date: 2021/11/18
-modified: 2022/12/06
+date: 2021-11-18
+modified: 2022-12-06
 tags:
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml b/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
index f54722ecba6..bde71a2cb13 100644
--- a/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
@@ -7,12 +7,12 @@ references:
 - https://adepts.of0x.cc/netsh-portproxy-code/
 - https://www.dfirnotes.net/portproxy_detection/
 author: Andreas Hunkeler (@Karneades)
-date: 2021/06/22
-modified: 2024/03/25
+date: 2021-06-22
+modified: 2024-03-25
 tags:
- - attack.lateral_movement
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.lateral-movement
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1090
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
index 61dc1ff8091..c31f0ad855d 100644
--- a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
+++ b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
@@ -5,10 +5,10 @@ description: Detects actions caused by the RedMimicry Winnti playbook
 references:
 - https://redmimicry.com
 author: Alexander Rausch
-date: 2020/06/24
-modified: 2021/11/27
+date: 2020-06-24
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
index 3a4efef7cb0..7819beef522 100644
--- a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
+++ b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
@@ -5,8 +5,8 @@ description: Detects potential malicious modification of run keys by winekey or
 references:
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: omkar72
-date: 2020/10/30
-modified: 2021/11/27
+date: 2020-10-30
+modified: 2021-11-27
 tags:
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
index c5bd35846a4..ece118bc42f 100644
--- a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
+++ b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/pabraeken/status/990717080805789697
 - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
 author: 'Avneet Singh @v3t0_, oscd.community'
-date: 2020/11/15
-modified: 2024/03/25
+date: 2020-11-15
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
index b2e7385f6b6..e7a7cf01bcb 100644
--- a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+++ b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
@@ -8,11 +8,11 @@ references:
 - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
 - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/01/13
+date: 2021-08-30
+modified: 2022-01-13
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 - attack.t1546.001
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
index d5c90bbfcbd..9f8b1f2d6e8 100644
--- a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
+++ b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
@@ -9,10 +9,10 @@ references:
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 author: Florian Roth (Nextron Systems)
-date: 2021/02/26
-modified: 2022/12/19
+date: 2021-02-26
+modified: 2022-12-19
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
index d0d081b30ba..45bf4bee00c 100755
--- a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
+++ b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
@@ -7,8 +7,8 @@ references:
 - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
 - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
 author: iwillkeepwatch
-date: 2019/01/18
-modified: 2022/08/09
+date: 2019-01-18
+modified: 2022-08-09
 tags:
 - attack.persistence
 - attack.t1547.005
diff --git a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
index fbc2081faf6..42d7350fcb3 100755
--- a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
+++ b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
@@ -6,10 +6,10 @@ references:
 - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
 author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-date: 2018/03/15
-modified: 2022/11/26
+date: 2018-03-15
+modified: 2022-11-26
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.008
 - car.2014-11-003
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
index a30a328ef84..772eaf2fda3 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
@@ -6,10 +6,10 @@ references:
 - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
 - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
 author: Mateusz Wydra, oscd.community
-date: 2020/10/13
-modified: 2023/01/19
+date: 2020-10-13
+modified: 2023-01-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
index 59e7c09b9c4..2448e57ad95 100755
--- a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
@@ -5,8 +5,8 @@ description: Detects the suspicious RUN keys created by software located in Down
 references:
 - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
 author: Florian Roth (Nextron Systems)
-date: 2019/10/01
-modified: 2021/11/27
+date: 2019-10-01
+modified: 2021-11-27
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
index c29fea94cad..088f2c485e6 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
@@ -6,8 +6,8 @@ references:
 - https://blog.xpnsec.com/exploring-mimikatz-part-1/
 - https://twitter.com/SBousseaden/status/1183745981189427200
 author: Florian Roth (Nextron Systems)
-date: 2019/10/16
-modified: 2022/04/21
+date: 2019-10-16
+modified: 2022-04-21
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml b/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml
index 42e1bef7054..ae8eff655aa 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml
@@ -5,8 +5,8 @@ description: Detects Processes accessing the camera and microphone from suspicio
 references:
 - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
 author: Den Iuzvyk
-date: 2020/06/07
-modified: 2022/10/09
+date: 2020-06-07
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1125
diff --git a/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml b/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml
index 900365dd141..9ed2f7e71f4 100644
--- a/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml
+++ b/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml
@@ -5,9 +5,9 @@ description: Detects enabling of the "AllowAnonymousCallback" registry value, wh
 references:
 - https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
 author: X__Junior (Nextron Systems)
-date: 2023/11/03
+date: 2023-11-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
index 34c7ebc3734..8b3a681b329 100644
--- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
 author: frack113
-date: 2022/04/04
-modified: 2024/03/25
+date: 2022-04-04
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
index f758eae1ccd..9ab7067df90 100644
--- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
 author: frack113
-date: 2021/12/30
-modified: 2024/03/25
+date: 2021-12-30
+modified: 2024-03-25
 tags:
 - attack.persistence
 - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
index eb34f8af837..bda1b66b8dc 100644
--- a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/aedebug.html
 - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
index 3eda2311854..050a8bad631 100644
--- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
+++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
@@ -5,10 +5,10 @@ description: Detect enable rdp feature to allow specific user to rdp connect on
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
-date: 2022/08/19
-modified: 2023/08/17
+date: 2022-08-19
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
index c78f4fe4eb0..3626597f335 100644
--- a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
+++ b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
@@ -6,10 +6,10 @@ references:
 - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/04
-modified: 2023/08/17
+date: 2023-01-04
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
index fd8502fac03..b799dd05be2 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
@@ -2,7 +2,7 @@ title: Classes Autorun Keys Modification
 id: 9df5f547-c86a-433e-b533-f2794357e242
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index cb5ca3db38f..c7378498ede 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
@@ -2,7 +2,7 @@ title: Common Autorun Keys Modification
 id: f59c3faf-50f3-464b-9f4c-1b67ab512d99
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -11,8 +11,8 @@ references:
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index e279685e7fc..1e9344aa9bb 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -2,7 +2,7 @@ title: CurrentControlSet Autorun Keys Modification
 id: f674e36a-4b91-431e-8aef-f8a96c2aca35
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index c7e4ee004f4..7db2b8c697b 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -2,7 +2,7 @@ title: CurrentVersion Autorun Keys Modification
 id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -11,8 +11,8 @@ references:
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
index be904f88746..1ca1eb9f8e7 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
@@ -2,7 +2,7 @@ title: CurrentVersion NT Autorun Keys Modification
 id: cbf93e5d-ca6c-4722-8bea-e9119007c248
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
index b8c34acbf7a..9f57805778d 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
@@ -2,7 +2,7 @@ title: Internet Explorer Autorun Keys Modification
 id: a80f662f-022f-4429-9b8c-b1a41aaa6688
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index cf3d316acfc..cfbaa067c6c 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -2,7 +2,7 @@ title: Office Autorun Keys Modification
 id: baecf8fb-edbf-429f-9ade-31fc3f22b970
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
index 437353071dc..1bfaea456e9 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
@@ -2,7 +2,7 @@ title: Session Manager Autorun Keys Modification
 id: 046218bd-e0d8-4113-a3c3-895a12b2b298
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
index e3764524400..20d89348b72 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
@@ -2,7 +2,7 @@ title: System Scripts Autorun Keys Modification
 id: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
index a8b8522fe73..0beedb07ebc 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 7f5aa44311a..d1f91723b5d 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -2,7 +2,7 @@ title: Wow6432Node CurrentVersion Autorun Keys Modification
 id: b29aed60-ebd1-442b-9cb5-16a1d0324adb
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -11,8 +11,8 @@ references:
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
index b70ea092494..4cb70d032de 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
@@ -2,7 +2,7 @@ title: Wow6432Node Classes Autorun Keys Modification
 id: 18f2065c-d36c-464a-a748-bcf909acb2e3
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
index b68db8e1245..d99258b0775 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
@@ -2,7 +2,7 @@ title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
 id: 480421f9-417f-4d3b-9552-fd2728443ec8
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
index fb87c2fca27..fe95cd9b65c 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
@@ -5,9 +5,9 @@ description: Detects setting of a new registry database value related to BgInfo
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/16
+date: 2023-08-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
index 49defb4a9f1..483a428f946 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
@@ -8,9 +8,9 @@ description: Detects setting of a new registry value related to BgInfo configura
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/16
+date: 2023-08-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
index f3469c63fee..c68567d41b9 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
@@ -8,9 +8,9 @@ description: Detects setting of a new registry value related to BgInfo configura
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/16
+date: 2023-08-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml b/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
index 9bccc0fdbaf..0c401d10230 100644
--- a/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
+++ b/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
@@ -6,10 +6,10 @@ references:
 - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
 author: frack113
-date: 2022/01/24
-modified: 2023/08/17
+date: 2022-01-24
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
index ef628a4e68b..d502fa46eff 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
@@ -7,11 +7,11 @@ references:
 - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
 author: frack113
-date: 2022/01/05
-modified: 2023/08/17
+date: 2022-01-05
+modified: 2023-08-17
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
index 1566e450ffc..a229c550bdf 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
@@ -6,8 +6,8 @@ references:
 - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
 author: frack113
-date: 2022/01/05
-modified: 2023/08/17
+date: 2022-01-05
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
index 7e9b5f36158..e9082ba3b27 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
@@ -10,11 +10,11 @@ references:
 - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
 - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
 author: frack113, Nextron Systems
-date: 2022/01/06
-modified: 2024/01/30
+date: 2022-01-06
+modified: 2024-01-30
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
index 4dc1a98e8e7..8d36c147b1f 100644
--- a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
 author: frack113
-date: 2022/01/01
-modified: 2024/03/25
+date: 2022-01-01
+modified: 2024-03-25
 tags:
 - attack.persistence
 - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
index 09f677b8118..847597d5834 100644
--- a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
@@ -9,8 +9,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
 - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
 author: frack113
-date: 2022/01/22
-modified: 2023/08/17
+date: 2022-01-22
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
index 71a3c0b6b14..c7fd6a068c0 100644
--- a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
@@ -8,10 +8,10 @@ references:
 - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
 - https://youtu.be/zSihR3lTf7g
 author: B.Talebi
-date: 2022/07/28
-modified: 2024/03/25
+date: 2022-07-28
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
index 2d472b0e919..02892198ec1 100644
--- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
@@ -7,10 +7,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/api/winevt/
 - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
 author: frack113
-date: 2022/09/17
-modified: 2024/03/25
+date: 2022-09-17
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
index 1f8f7810bd1..0771d6288f2 100644
--- a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
@@ -5,8 +5,8 @@ description: Running Chrome VPN Extensions via the Registry install 2 vpn extens
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
 author: frack113
-date: 2021/12/28
-modified: 2023/08/17
+date: 2021-12-28
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1133
diff --git a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
index d04bfa4f3a3..32370ff286a 100644
--- a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
+++ b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
@@ -6,10 +6,10 @@ references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
 - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
 author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
-date: 2023/06/12
-modified: 2023/08/17
+date: 2023-06-12
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
index e0f79a4fa10..a393bbf48cb 100644
--- a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
+++ b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
@@ -6,12 +6,12 @@ description: |
 references:
 - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
 author: Wojciech Lesicki
-date: 2021/06/29
-modified: 2024/03/25
+date: 2021-06-29
+modified: 2024-03-25
 tags:
 - attack.execution
- - attack.privilege_escalation
- - attack.lateral_movement
+ - attack.privilege-escalation
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1543.003
 - attack.t1569.002
diff --git a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
index 0fa6d6b4b48..9fd6561e0db 100644
--- a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
@@ -6,10 +6,10 @@ references:
 - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
 - https://www.exploit-db.com/exploits/47696
 author: Omkar Gudhate
-date: 2020/09/27
-modified: 2023/09/28
+date: 2020-09-27
+modified: 2023-09-28
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546
 - attack.t1548
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
index a7c710e5be0..1770352e232 100644
--- a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
@@ -5,8 +5,8 @@ description: Detects disabling the CrashDump per registry (as used by HermeticWi
 references:
 - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
 author: Tobias Michalski (Nextron Systems)
-date: 2022/02/24
-modified: 2023/08/17
+date: 2022-02-24
+modified: 2023-08-17
 tags:
 - attack.t1564
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
index 6ab02f4c16a..4049e8a8386 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
@@ -2,16 +2,16 @@ title: Service Binary in Suspicious Folder
 id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
 related:
 - id: c0abc838-36b0-47c9-b3b3-a90c39455382
- type: obsoletes
+ type: obsolete
 status: test
 description: Detect the creation of a service with a service binary located in a suspicious directory
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Florian Roth (Nextron Systems), frack113
-date: 2022/05/02
-modified: 2023/08/17
+date: 2022-05-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
index 17190aee47c..d5ea0d83ff3 100644
--- a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
@@ -5,10 +5,10 @@ description: Detects the abuse of custom file open handler, executing powershell
 references:
 - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
 author: CD_R0M_
-date: 2022/06/11
-modified: 2023/08/17
+date: 2022-06-11
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
index 6ca04e90e11..4821a80b6ef 100644
--- a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
@@ -6,8 +6,8 @@ references:
 - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
 - https://github.com/last-byte/PersistenceSniper
 author: frack113
-date: 2022/08/07
-modified: 2023/08/17
+date: 2022-08-07
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1574
diff --git a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
index 235ad8ab31a..5bfba1cb692 100644
--- a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
+++ b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
@@ -8,10 +8,10 @@ description: Detects the Setting of Windows Defender Exclusions
 references:
 - https://twitter.com/_nullbind/status/1204923340810543109
 author: Christian Burkard (Nextron Systems)
-date: 2021/07/06
-modified: 2023/08/17
+date: 2021-07-06
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
index 0200136f98b..6617d2e6ee4 100644
--- a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
+++ b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
@@ -15,9 +15,9 @@ references:
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
 author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
-date: 2023/12/21
+date: 2023-12-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1112
 - attack.t1491.001
diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
index 0b09702b07f..84efde879a6 100644
--- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
@@ -7,10 +7,10 @@ references:
 - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
 - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
 author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
-date: 2023/03/14
-modified: 2024/07/05
+date: 2023-03-14
+modified: 2024-07-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml
index a379a4e1cee..7aa766d20f1 100644
--- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml
@@ -7,9 +7,9 @@ references:
 - https://twitter.com/standa_t/status/1808868985678803222
 - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/05
+date: 2024-07-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
index 283d2a20be8..f48a1e31974 100755
--- a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
@@ -7,10 +7,10 @@ references:
 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
 - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 author: Dimitrios Slamaris
-date: 2017/05/15
-modified: 2023/08/17
+date: 2017-05-15
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
index 788d750e86e..7a5593f2d8f 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
@@ -5,10 +5,10 @@ description: Administrative shares are hidden network shares created by Microsof
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
 author: frack113
-date: 2022/01/16
-modified: 2024/03/25
+date: 2022-01-16
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.005
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
index a40b5f8410f..460b38b7ca5 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
@@ -7,10 +7,10 @@ references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/08/17
+date: 2022-08-01
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
index cfdb97ff339..0f17d39055a 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
@@ -5,10 +5,10 @@ description: Adversaries may disable or modify system firewalls in order to bypa
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
 author: frack113
-date: 2022/01/09
-modified: 2024/03/25
+date: 2022-01-09
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
index 88a0ca6686e..f8d68d58bbf 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
@@ -9,10 +9,10 @@ references:
 - https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
 - https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
 author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
-date: 2022/03/18
-modified: 2023/11/20
+date: 2022-03-18
+modified: 2023-11-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
index 8208a430d20..68ea1de2215 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
@@ -2,15 +2,15 @@ title: Disable Macro Runtime Scan Scope
 id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
 description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
 status: test
-date: 2022/10/25
-modified: 2023/08/17
+date: 2022-10-25
+modified: 2023-08-17
 author: Nasreddine Bencherchali (Nextron Systems)
 references:
 - https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
 - https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
 - https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
index 652eb65dfd1..055cc35148c 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
@@ -5,10 +5,10 @@ description: Detects registry modifications that disable Privacy Settings Experi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
 author: frack113
-date: 2022/10/02
-modified: 2023/08/17
+date: 2022-10-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
index 2f2abbbd1cf..e69c0e5cc19 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
@@ -5,10 +5,10 @@ description: Detect set UseActionCenterExperience to 0 to disable the Windows se
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
-date: 2022/08/19
-modified: 2023/08/17
+date: 2022-08-19
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
index d002b7a5ae5..a59931d4d7f 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
@@ -5,8 +5,8 @@ description: Detects the modification of the registry to disable a system restor
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
 author: frack113
-date: 2022/04/04
-modified: 2023/08/17
+date: 2022-04-04
+modified: 2023-08-17
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
index 561196ca8dc..011974d7f23 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
@@ -6,10 +6,10 @@ references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
 author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
-date: 2022/08/01
-modified: 2024/03/25
+date: 2022-08-01
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
index 7a36346450e..a4951a7415d 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
@@ -5,10 +5,10 @@ description: Detect set EnableFirewall to 0 to disable the Windows firewall
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
 author: frack113
-date: 2022/08/19
-modified: 2023/08/17
+date: 2022-08-19
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
index 7e9ea11df53..eab8aeb9540 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/WhichbufferArda/status/1543900539280293889
 - https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/04
-modified: 2024/03/25
+date: 2022-07-04
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
index cbf4d6474ef..ca48b994dd8 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
@@ -5,10 +5,10 @@ description: Detects disabling Windows Defender Exploit Guard Network Protection
 references:
 - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
 author: Austin Songer @austinsonger
-date: 2021/08/04
-modified: 2023/08/17
+date: 2021-08-04
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
index d6ed06a3389..275d92bd4cc 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
@@ -5,10 +5,10 @@ description: Detects the disabling of the Windows Defender eventlog as seen in r
 references:
 - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
 author: Florian Roth (Nextron Systems)
-date: 2022/07/04
-modified: 2023/08/17
+date: 2022-07-04
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
index edae0b44863..366956027a5 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
@@ -5,10 +5,10 @@ description: Detects disabling Windows Defender PUA protection
 references:
 - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
 author: Austin Songer @austinsonger
-date: 2021/08/04
-modified: 2023/08/17
+date: 2021-08-04
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
index ab8b138eb5f..537d21a78e5 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
@@ -5,10 +5,10 @@ description: Detects disabling Windows Defender Tamper Protection
 references:
 - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
 author: Austin Songer @austinsonger
-date: 2021/08/04
-modified: 2023/08/17
+date: 2021-08-04
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
index 7f209fa3f23..241d0948a61 100644
--- a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
@@ -5,10 +5,10 @@ description: Detect set DisallowRun to 1 to prevent user running specific comput
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
-date: 2022/08/19
-modified: 2023/08/17
+date: 2022-08-19
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
index ccc7551f5b6..ee6e8e4867c 100644
--- a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
@@ -12,8 +12,8 @@ references:
 - https://persistence-info.github.io/Data/diskcleanuphandler.html
 - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
index 6e65496389d..ae806c898a4 100644
--- a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
@@ -11,10 +11,10 @@ references:
 - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
 - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
 author: Austin Songer
-date: 2021/07/22
-modified: 2023/08/17
+date: 2021-07-22
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
index 85c35451d0c..bf25982333a 100644
--- a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
@@ -11,10 +11,10 @@ references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
 author: Florian Roth (Nextron Systems)
-date: 2017/05/08
-modified: 2023/08/17
+date: 2017-05-08
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
index f125102ed94..b71ae4c380e 100644
--- a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
@@ -18,10 +18,10 @@ references:
 - https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
 - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/05
-modified: 2023/08/17
+date: 2020-06-05
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 - attack.t1562
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
index 82ad89b43d2..2570713f843 100644
--- a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
@@ -16,7 +16,7 @@ references:
 - https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
 - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
 author: Nischal Khadgi
-date: 2024/07/11
+date: 2024-07-11
 tags:
 - attack.persistence
 - attack.t1556
diff --git a/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml b/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml
index 190e3e1d967..42186441636 100644
--- a/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml
+++ b/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/01
+date: 2024-07-01
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml b/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml
index f8efa5f921b..2091216de3e 100755
--- a/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml
+++ b/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml
@@ -14,7 +14,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
 - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
 author: Sajid Nawaz Khan
-date: 2024/06/02
+date: 2024-06-02
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
index 2877af3245d..cb85fb1f8e7 100644
--- a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
+++ b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
@@ -8,12 +8,12 @@ references:
 - https://www.sans.org/cyber-security-summit/archives
 - https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
 author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
-date: 2020/09/10
-modified: 2023/11/24
+date: 2020-09-10
+modified: 2023-11-24
 tags:
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1574.012
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
index 4357c02879a..d718e8560e8 100644
--- a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
+++ b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
@@ -5,10 +5,10 @@ description: Detects enabling TurnOffCheck which can be used to bypass defense o
 references:
 - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
-date: 2022/06/15
-modified: 2023/08/17
+date: 2022-06-15
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
index d5fa767e55f..cb1fcfb5be1 100644
--- a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
@@ -5,10 +5,10 @@ description: Detects tampering with EventLog service "file" key. In order to cha
 references:
 - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
 author: D3F7A5105
-date: 2023/01/02
-modified: 2023/08/17
+date: 2023-01-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
index ba3932f2c74..2adef7e9acf 100644
--- a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
+++ b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
@@ -5,10 +5,10 @@ description: Detects applications being added to the "allowed applications" list
 references:
 - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
-modified: 2023/08/17
+date: 2022-08-05
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
index a5e9ca1038a..f3ea04cf0b5 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/dottor_morte/status/1544652325570191361
 - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
 author: frack113
-date: 2022/07/17
-modified: 2022/12/30
+date: 2022-07-17
+modified: 2022-12-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
index d3d44b9c6c3..74ea732a0c3 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/dottor_morte/status/1544652325570191361
 - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
 author: frack113
-date: 2022/07/17
-modified: 2022/12/30
+date: 2022-07-17
+modified: 2022-12-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml b/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
index 223526e6ed2..d2c844b4aaa 100644
--- a/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
+++ b/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
@@ -5,10 +5,10 @@ description: Detects the abuse of the exefile handler in new file association. U
 references:
 - https://twitter.com/mrd0x/status/1461041276514623491
 author: Andreas Hunkeler (@Karneades)
-date: 2021/11/19
-modified: 2023/08/17
+date: 2021-11-19
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
index 401a14e51bf..e16069030f0 100644
--- a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/wer_debugger.html
 - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
index 633e83856ca..6f342436c71 100644
--- a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/hhctrl.html
 - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
index ccee6a73c81..e991594e436 100644
--- a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
+++ b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
@@ -7,8 +7,8 @@ references:
 - https://unit42.paloaltonetworks.com/ransomware-families/
 - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
 author: frack113
-date: 2022/01/22
-modified: 2023/08/17
+date: 2022-01-22
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_hide_file.yml b/rules/windows/registry/registry_set/registry_set_hide_file.yml
index 99a2c1ebf09..c861b98a596 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_file.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_file.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
 author: frack113
-date: 2022/04/02
-modified: 2024/03/26
+date: 2022-04-02
+modified: 2024-03-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
index 0cf0e73a454..f902886972b 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
@@ -5,10 +5,10 @@ description: Detects registry modifications that hide internal tools or function
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
 author: frack113
-date: 2022/03/18
-modified: 2023/08/17
+date: 2022-03-18
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
index 76c1c3232b6..a1b72c79a96 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
@@ -12,10 +12,10 @@ description: |
 references:
 - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/26
-modified: 2023/08/17
+date: 2022-08-26
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
index fcb619000b7..952af7f01b4 100644
--- a/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
+++ b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
@@ -12,9 +12,9 @@ references:
 - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
 - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
 author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
-date: 2023/09/05
+date: 2023-09-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml b/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml
index 8d8b5e9469f..8ef3bc865f8 100644
--- a/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml
@@ -11,9 +11,9 @@ description: |
 references:
 - https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
 author: X__Junior (Nextron Systems)
-date: 2023/11/21
+date: 2023-11-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml b/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml
index 83f6c752e75..cdfa2e9b7b8 100644
--- a/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml
@@ -11,9 +11,9 @@ description: |
 references:
 - https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
 author: X__Junior (Nextron Systems)
-date: 2023/11/21
+date: 2023-11-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
index e0297e85699..a460c837baf 100644
--- a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
+++ b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
 - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
 author: frack113
-date: 2022/04/04
-modified: 2023/08/17
+date: 2022-04-04
+modified: 2023-08-17
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
index 219d8230b36..8f0d08d4e71 100644
--- a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
+++ b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
@@ -8,10 +8,10 @@ references:
 - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
 - https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/16
-modified: 2023/08/17
+date: 2023-05-16
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml
index 9a8cb300b5a..fb1045a6441 100644
--- a/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml
+++ b/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml
@@ -5,8 +5,8 @@ description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" reg
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
 author: frack113
-date: 2022/12/11
-modified: 2023/08/17
+date: 2022-12-11
+modified: 2023-08-17
 tags:
 - attack.impact
 - attack.t1491.001
diff --git a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
index a00b28cab11..24bc4ee297f 100644
--- a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
+++ b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
 author: frack113
-date: 2022/05/28
-modified: 2023/08/17
+date: 2022-05-28
+modified: 2023-08-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
index df75d08f2a6..db0023f6d26 100644
--- a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
@@ -12,10 +12,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
 - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
 author: frack113
-date: 2023/01/13
-modified: 2023/12/15
+date: 2023-01-13
+modified: 2023-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
index 5ec29f14783..53a5860e568 100644
--- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
@@ -7,10 +7,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
 - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 author: '@pbssubhash'
-date: 2022/12/08
-modified: 2023/08/17
+date: 2022-12-08
+modified: 2023-08-17
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
index 2f8b0c8af9f..99c3642f9df 100644
--- a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
+++ b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
@@ -8,8 +8,8 @@ description: Attempts to detect system changes made by Blue Mockingbird
 references:
 - https://redcanary.com/blog/blue-mockingbird-cryptominer/
 author: Trent Liffick (@tliffick)
-date: 2020/05/14
-modified: 2023/08/17
+date: 2020-05-14
+modified: 2023-08-17
 tags:
 - attack.execution
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
index bf347afaf4f..3df719ef0bf 100644
--- a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
+++ b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
 author: frack113
-date: 2022/11/18
-modified: 2023/08/17
+date: 2022-11-18
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
index f6fa8daf7c4..e19b5f7b8d3 100644
--- a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
@@ -12,7 +12,7 @@ references:
 - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
 - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/28
+date: 2023-11-28
 tags:
 - attack.persistence
 - attack.t1546.007
diff --git a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
index 61c0586bc77..58adbbad219 100644
--- a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
@@ -12,7 +12,7 @@ references:
 - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
 - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
 author: Anish Bogati
-date: 2023/11/28
+date: 2023-11-28
 tags:
 - attack.persistence
 - attack.t1546.007
diff --git a/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml b/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml
index 45bf656ff73..2c78c7d2310 100644
--- a/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml
+++ b/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/1
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/08/17
+date: 2020-05-02
+modified: 2023-08-17
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
index 67adfa6bc60..93cc89fefa6 100644
--- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
+++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
@@ -9,10 +9,10 @@ references:
 - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
 - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/23
-modified: 2023/08/17
+date: 2022-08-23
+modified: 2023-08-17
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml
index 5194a35d429..844b7568b2e 100644
--- a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml
+++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml
@@ -5,8 +5,8 @@ description: Detects the registration of a new ODBC driver.
 references:
 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/23
-modified: 2023/08/17
+date: 2023-05-23
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
index b40cb96248e..5f21200068c 100644
--- a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
+++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
@@ -5,8 +5,8 @@ description: Detects the registration of a new ODBC driver where the driver is l
 references:
 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/23
-modified: 2023/08/17
+date: 2023-05-23
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1003
diff --git a/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
index 424a37a547a..bf362b6220e 100644
--- a/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
@@ -2,7 +2,7 @@ title: Trust Access Disable For VBApplications
 id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
 related:
 - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
 references:
@@ -10,10 +10,10 @@ references:
 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
 - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
 author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/05/22
-modified: 2023/08/17
+date: 2020-05-22
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml b/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml
index f0bc6a6a599..11379e15c93 100644
--- a/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml
@@ -2,7 +2,7 @@ title: Microsoft Office Protected View Disabled
 id: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
 related:
 - id: 7c637634-c95d-4bbf-b26c-a82510874b34
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
 references:
@@ -11,10 +11,10 @@ references:
 - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
 - https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/06/08
-modified: 2023/08/17
+date: 2021-06-08
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
index 5bf1c1e7305..efdb4df4c0c 100644
--- a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
@@ -5,8 +5,8 @@ description: Enable Dynamic Data Exchange protocol (DDE) in all supported editio
 references:
 - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
 author: frack113
-date: 2022/02/26
-modified: 2023/08/17
+date: 2022-02-26
+modified: 2023-08-17
 tags:
 - attack.execution
 - attack.t1559.002
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
index 919485c555e..9865487ee21 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
@@ -6,11 +6,11 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
 - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2021/04/05
-modified: 2023/08/17
+date: 2021-04-05
+modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1137
 - attack.t1008
 - attack.t1546
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
index 8924a5e4696..264e7acf1a5 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
@@ -6,11 +6,11 @@ references:
 - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
 author: '@ScoubiMtl'
-date: 2021/04/05
-modified: 2023/08/17
+date: 2021-04-05
+modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1137
 - attack.t1008
 - attack.t1546
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
index cba1062f071..fa2a2c5d48e 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
@@ -11,10 +11,10 @@ references:
 - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/08
-modified: 2023/08/17
+date: 2023-02-08
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
index c93c12d5081..6c36fdfc892 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
@@ -9,8 +9,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
 - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
 author: frack113
-date: 2021/12/28
-modified: 2023/08/17
+date: 2021-12-28
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
index ebcc2a7cb68..2ad8ad3f9a5 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/inversecos/status/1494174785621819397
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/21
-modified: 2023/08/17
+date: 2023-06-21
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
index c0f7b532125..a459bf57fc3 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
@@ -9,10 +9,10 @@ references:
 - Internal Research
 - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/21
-modified: 2023/09/29
+date: 2023-06-21
+modified: 2023-09-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
index bdf47246396..d9a2515c995 100644
--- a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
@@ -2,7 +2,7 @@ title: Office Macros Warning Disabled
 id: 91239011-fe3c-4b54-9f24-15c86bb65913
 related:
 - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
 references:
@@ -10,10 +10,10 @@ references:
 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
 - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
 author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/05/22
-modified: 2024/03/19
+date: 2020-05-22
+modified: 2024-03-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml
index af6864318e7..cdd2cdc28ae 100644
--- a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml
+++ b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml
@@ -11,9 +11,9 @@ references:
 - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
 - https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/03/19
+date: 2024-03-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.005
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
index a9bed453b32..1880756efb7 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
@@ -8,7 +8,7 @@ description: |
 references:
 - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/01/01
+date: 2024-01-01
 tags:
 - attack.persistence
 - attack.t1546.011
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
index 9348cc02430..3e047066a30 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
@@ -10,8 +10,8 @@ references:
 - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
 - https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/10
-modified: 2023/08/17
+date: 2022-08-10
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.012
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
index 4c7af534f55..e864f47692a 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
@@ -6,8 +6,8 @@ references:
 - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
 - https://github.com/rootm0s/WinPwnage
 author: frack113
-date: 2022/07/27
-modified: 2023/08/17
+date: 2022-07-27
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
index 9403fb0c822..c8af0fc53d3 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
@@ -6,8 +6,8 @@ references:
 - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
 - https://persistence-info.github.io/Data/autodialdll.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/10
-modified: 2023/08/17
+date: 2022-08-10
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_chm.yml b/rules/windows/registry/registry_set/registry_set_persistence_chm.yml
index 63480e3104f..3eec5f091bf 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_chm.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_chm.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/htmlhelpauthor.html
 - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
index e38b095a58e..2830d87e085 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -5,7 +5,7 @@ description: Detects potential COM object hijacking via modification of default
 references:
 - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/16
+date: 2024-07-16
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
index 078b977cbf8..024ff90f1e7 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
@@ -8,8 +8,8 @@ references:
 - https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection
 - https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html
 author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
-date: 2023/06/07
-modified: 2023/08/17
+date: 2023-06-07
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
index 5cd432a87bd..1d13b5b9929 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
@@ -5,10 +5,10 @@ description: Detects potential persistence activity via the registering of a new
 references:
 - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/30
-modified: 2023/05/12
+date: 2022-05-30
+modified: 2023-05-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml b/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml
index a79a3148a8f..af4f7c8c2ff 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml
@@ -8,11 +8,11 @@ references:
 - https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
 - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/17
-modified: 2023/03/05
+date: 2023-02-17
+modified: 2023-03-05
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml b/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml
index 4ed6fd8959c..baebcc278e8 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml
@@ -2,19 +2,19 @@ title: Potential Persistence Via GlobalFlags
 id: 36803969-5421-41ec-b92f-8500f79c23b0
 related:
 - id: c81fe886-cac0-4913-a511-2822d72ff505
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
 references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
 author: Karneades, Jonhnathan Ribeiro, Florian Roth
-date: 2018/04/11
-modified: 2023/06/05
+date: 2018-04-11
+modified: 2023-06-05
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1546.012
 - car.2013-01-002
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
index 70108639d40..7b3e46a5c64 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
 author: frack113
-date: 2022/01/22
-modified: 2023/08/17
+date: 2022-01-22
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml
index 82c205f8d24..2859ab5115e 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml
@@ -10,8 +10,8 @@ references:
 - https://github.com/gtworek/PSBits/tree/master/IFilter
 - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2024/03/26
+date: 2022-07-21
+modified: 2024-03-26
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml b/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml
index 26c034ce8ae..c9289a7d1ff 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml
@@ -8,8 +8,8 @@ references:
 - https://persistence-info.github.io/Data/lsaaextension.html
 - https://twitter.com/0gtweet/status/1476286368385019906
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml b/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml
index 7155db954e0..c19c2acfe95 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/mpnotify.html
 - https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
index 37ed60e828d..5175d1fd3ef 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
@@ -5,8 +5,8 @@ description: Detects modification to the "Default" value of the "MyComputer" key
 references:
 - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/09
-modified: 2024/01/11
+date: 2022-08-09
+modified: 2024-01-11
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml b/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml
index 55b80796bd6..12dcbeddd1d 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/naturallanguage6.html
 - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
index f6a5ec1fce0..fd2950617e0 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/_vivami/status/1347925307643355138
 - https://vanmieghem.io/stealth-outlook-persistence/
 author: Bhabesh Raj
-date: 2021/01/10
-modified: 2023/08/28
+date: 2021-01-10
+modified: 2023-08-28
 tags:
 - attack.t1137.006
 - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
index 5ed2b5ae1d4..d3bfa4b7dfb 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
@@ -12,8 +12,8 @@ references:
 - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
 - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
 author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
-date: 2021/06/09
-modified: 2024/08/07
+date: 2021-06-09
+modified: 2024-08-07
 tags:
 - attack.persistence
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
index 63489638474..045fc46882c 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
@@ -11,8 +11,8 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
 - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
 author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
-date: 2021/06/10
-modified: 2024/08/07
+date: 2021-06-10
+modified: 2024-08-07
 tags:
 - attack.persistence
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
index 0be6813dbf2..ea7048a8967 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
@@ -9,9 +9,9 @@ references:
 - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
 - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
 author: X__Junior
-date: 2023/05/18
+date: 2023-05-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
index 013622adfde..19605f38597 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
@@ -5,8 +5,8 @@ description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
 author: frack113
-date: 2022/08/20
-modified: 2023/08/17
+date: 2022-08-20
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
index 9f0efd19884..9168883524f 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
@@ -5,8 +5,8 @@ description: Detects potential COM object hijacking leveraging the COM Search Or
 references:
 - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
-date: 2020/04/14
-modified: 2023/09/28
+date: 2020-04-14
+modified: 2023-09-28
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
index a533eeae8b6..0090b5367d3 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
@@ -9,8 +9,8 @@ references:
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
 author: frack113
-date: 2021/12/30
-modified: 2023/08/17
+date: 2021-12-30
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.011
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
index b844fc617fa..18d5a0facdb 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
@@ -6,8 +6,8 @@ references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/01
-modified: 2023/12/06
+date: 2023-08-01
+modified: 2023-12-06
 tags:
 - attack.persistence
 - attack.t1546.011
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
index e5ee4a4eeeb..febab1a54fd 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
@@ -7,8 +7,8 @@ references:
 - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
 - https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/01
-modified: 2023/08/17
+date: 2023-08-01
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.011
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
index dc1f06d839f..f4d472a8e83 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/dez_/status/1560101453150257154
 - https://forensafe.com/blogs/typedpaths.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/22
-modified: 2023/08/17
+date: 2022-08-22
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_xll.yml b/rules/windows/registry/registry_set/registry_set_persistence_xll.yml
index d83a980835e..e8af311273b 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_xll.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_xll.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
 - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
 author: frack113
-date: 2023/01/15
-modified: 2023/08/17
+date: 2023-01-15
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1137.006
diff --git a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
index 12a299fc4f1..36bcae54611 100644
--- a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
@@ -6,10 +6,10 @@ references:
 - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/08/17
+date: 2022-08-01
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
index 9df32c117f1..cca70c730a4 100644
--- a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
@@ -6,10 +6,10 @@ references:
 - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/08/17
+date: 2022-08-01
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
index 5e908ca13ed..f0950c99397 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
@@ -5,8 +5,8 @@ description: Detects that a powershell code is written to the registry as a serv
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2023/08/17
+date: 2020-10-06
+modified: 2023-08-17
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
index 3a1e71bd1c1..d17f5d335a5 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
@@ -8,7 +8,7 @@ description: Detects the enabling of the PowerShell script execution policy. Onc
 references:
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
-date: 2023/10/18
+date: 2023-10-18
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
index 7b887ab6506..b2ec4054504 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -12,10 +12,10 @@ description: Detects changes to the PowerShell execution policy in order to bypa
 references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-modified: 2023/12/14
+date: 2023-01-11
+modified: 2023-12-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
index 6ed5827916f..21e3fc81c71 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
 - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/03/17
-modified: 2023/08/17
+date: 2022-03-17
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
index ebab3cb5a81..b86391a832f 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
@@ -5,10 +5,10 @@ description: Detects changes to the registry for the currently logged-in user. I
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
 author: frack113
-date: 2022/04/02
-modified: 2023/08/17
+date: 2022-04-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
index c59e88c8844..744dcee6a49 100644
--- a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
+++ b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
@@ -13,10 +13,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
 - https://twitter.com/0gtweet/status/1674399582162153472
 author: Swachchhanda Shrawan Poudel
-date: 2023/08/02
-modified: 2023/08/17
+date: 2023-08-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
index 7ab2871c752..eedd84d2b33 100644
--- a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
@@ -10,10 +10,10 @@ description: Detects non-sysinternals tools setting the "accepteula" key which n
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/24
-modified: 2023/08/17
+date: 2022-08-24
+modified: 2023-08-17
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
index fa0f016169e..6fa1557bebc 100644
--- a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
@@ -5,10 +5,10 @@ description: Detects changes to the "ExtErrorInformation" key in order to disabl
 references:
 - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/09
-modified: 2023/08/17
+date: 2022-12-09
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 - attack.t1562
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
index 25dc01e4e00..198ffffda44 100644
--- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/pabraeken/status/998627081360695297
 - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
 author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
-date: 2022/05/04
-modified: 2023/08/17
+date: 2022-05-04
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml b/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml
index 45fe8e74fc7..6ab23312f4a 100644
--- a/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml
@@ -5,7 +5,7 @@ description: Detects potentially suspicious changes to the SentinelOne context m
 references:
 - https://mrd0x.com/sentinelone-persistence-via-menu-context/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/03/06
+date: 2024-03-06
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml
index 785781e7a26..b4ccf276412 100644
--- a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml
+++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml
@@ -8,11 +8,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
 - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
 author: frack113
-date: 2022/02/04
-modified: 2024/04/03
+date: 2022-02-04
+modified: 2024-04-03
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
index 1b78e5b1d1d..e466ab1ad4c 100644
--- a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -5,10 +5,10 @@ description: Detects changes to the "TracingDisabled" key in order to disable ET
 references:
 - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/09
-modified: 2023/08/17
+date: 2022-12-09
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 - attack.t1562
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
index 1658eebba22..cdb33222ca3 100644
--- a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
@@ -5,10 +5,10 @@ description: Detects registry modifications that disable internal tools or funct
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
 author: frack113
-date: 2022/03/18
-modified: 2023/08/17
+date: 2022-03-18
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
index 1b5539655d7..67bb2f14587 100644
--- a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
@@ -7,11 +7,11 @@ references:
 - https://github.com/gtworek/PSBits/tree/master/SIP
 - https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml
index da9081de68a..c6a71beb755 100644
--- a/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml
@@ -5,10 +5,10 @@ description: Detects tamper attempts to sophos av functionality via registry key
 references:
 - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/02
-modified: 2023/08/17
+date: 2022-09-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_special_accounts.yml b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
index e4ceacf627d..f9ed701d55c 100644
--- a/rules/windows/registry/registry_set/registry_set_special_accounts.yml
+++ b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
@@ -2,17 +2,17 @@ title: Hiding User Account Via SpecialAccounts Registry Key
 id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
 related:
 - id: 8a58209c-7ae6-4027-afb0-307a78e4589a
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2022/07/12
-modified: 2023/01/26
+date: 2022-07-12
+modified: 2023-01-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
index fe1029069e9..75aa70f2c11 100644
--- a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
@@ -5,10 +5,10 @@ description: Detect set Notification_Suppress to 1 to disable the Windows securi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
-date: 2022/08/19
-modified: 2023/08/17
+date: 2022-08-19
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml b/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
index 2a19b695e9c..81998e0595f 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
@@ -6,10 +6,10 @@ references:
 - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
 - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
 author: Florian Roth (Nextron Systems)
-date: 2019/10/12
-modified: 2023/08/17
+date: 2019-10-12
+modified: 2023-08-17
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
index 8b9eac659ba..77fb0505996 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
@@ -10,10 +10,10 @@ references:
 - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
 - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
 author: frack113
-date: 2023/01/27
-modified: 2024/07/03
+date: 2023-01-27
+modified: 2024-07-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
index 0444c4c9968..a6f0d4deddd 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
@@ -5,12 +5,12 @@ description: Detects a suspicious printer driver installation with an empty Manu
 references:
 - https://twitter.com/SBousseaden/status/1410545674773467140
 author: Florian Roth (Nextron Systems)
-date: 2020/07/01
-modified: 2023/08/17
+date: 2020-07-01
+modified: 2023-08-17
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574
- - cve.2021.1675
+ - cve.2021-1675
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
index 9360fd0afc4..daaf3cef5e5 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
@@ -5,8 +5,8 @@ description: Detects a possible persistence mechanism using RUN key for Windows
 references:
 - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
 author: Florian Roth (Nextron Systems), oscd.community
-date: 2018/07/18
-modified: 2023/12/11
+date: 2018-07-18
+modified: 2023-12-11
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
index d4efbf7c6af..ef023e64ad4 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
@@ -5,8 +5,8 @@ description: Detects suspicious new RUN key element pointing to an executable in
 references:
 - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
-date: 2018/08/25
-modified: 2024/07/16
+date: 2018-08-25
+modified: 2024-07-16
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
index 8cc43b1e8a0..d8e81e3e3c7 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
-date: 2019/04/08
-modified: 2023/08/17
+date: 2019-04-08
+modified: 2023-08-17
 tags:
 - attack.t1562.001
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml
index e5bf14bd728..0de2f0ab74d 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml
@@ -5,11 +5,11 @@ description: Detect modification of the startup key to a path where a payload co
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
 author: frack113
-date: 2022/10/01
-modified: 2023/08/17
+date: 2022-10-01
+modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1547.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
index e6deae463e9..e28e40d7b70 100644
--- a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
+++ b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
@@ -5,10 +5,10 @@ description: Detects the creation of user-specific or system-wide environment va
 references:
 - https://infosec.exchange/@sbousseaden/109542254124022664
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/20
-modified: 2023/08/17
+date: 2022-12-20
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
index 72a748c8d16..aecb6d1c2e2 100644
--- a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
+++ b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
@@ -12,9 +12,9 @@ references:
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
 - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/12/15
+date: 2023-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
index 9a0e400605c..f9c39557fd0 100644
--- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
+++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
@@ -6,8 +6,8 @@ references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://labs.f-secure.com/blog/scheduled-task-tampering/
 author: Syed Hasan (@syedhasan009)
-date: 2021/06/18
-modified: 2023/08/17
+date: 2021-06-18
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1053
diff --git a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
index af6c27bd79e..c251bd1a849 100644
--- a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
@@ -2,7 +2,7 @@ title: Potential Registry Persistence Attempt Via Windows Telemetry
 id: 73a883d0-0348-4be4-a8d8-51031c2564f8
 related:
 - id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects potential persistence behavior using the windows telemetry registry key.
@@ -12,8 +12,8 @@ description: |
 references:
 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
 author: Lednyov Alexey, oscd.community, Sreeman
-date: 2020/10/16
-modified: 2023/08/17
+date: 2020-10-16
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
index b1ad77fb237..8b60903e662 100644
--- a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
@@ -16,10 +16,10 @@ references:
 - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
 - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
 author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-date: 2022/09/29
-modified: 2022/11/26
+date: 2022-09-29
+modified: 2022-11-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
index e2130531b91..59d36524f78 100644
--- a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
@@ -2,9 +2,9 @@ title: RDP Sensitive Settings Changed
 id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
 related:
 - id: 171b67e1-74b4-460e-8d55-b331f3e32d67
- type: obsoletes
+ type: obsolete
 - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
- type: obsoletes
+ type: obsolete
 - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
 type: similar
 status: test
@@ -23,10 +23,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
 - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
 author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-date: 2022/08/06
-modified: 2024/02/08
+date: 2022-08-06
+modified: 2024-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
index 9f68d3f7914..9e4e6b7c425 100644
--- a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
+++ b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
@@ -8,11 +8,11 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md
 author: frack113
-date: 2022/06/19
-modified: 2024/03/26
+date: 2022-06-19
+modified: 2024-03-26
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1547.003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
index a558027d01d..fea51da0fa8 100644
--- a/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
@@ -5,9 +5,9 @@ description: Detects applications or users re-enabling old TLS versions by setti
 references:
 - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/05
+date: 2023-09-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
index 6cbb89226a4..07b0def0069 100644
--- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
 - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
 author: frack113
-date: 2022/08/28
-modified: 2023/08/17
+date: 2022-08-28
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
index a02443607a7..2939bc7a54b 100644
--- a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
+++ b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/malmoeb/status/1560536653709598721
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/12
-modified: 2023/08/17
+date: 2023-01-12
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
index e57b719f791..9bbbdeed403 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
@@ -6,11 +6,11 @@ references:
 - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/03/19
-modified: 2023/09/28
+date: 2017-03-19
+modified: 2023-09-28
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 - car.2019-04-001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
index f7bdc8b8567..947763b3aee 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
@@ -6,11 +6,11 @@ references:
 - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
 - https://github.com/hfiref0x/UACME
 author: Omer Yampel, Christian Burkard (Nextron Systems)
-date: 2017/03/17
-modified: 2023/08/17
+date: 2017-03-17
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 - car.2019-04-001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
index 2998c77162e..3ee9a26d290 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a path parsing issue in win
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2023/08/17
+date: 2021-08-30
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
index 9427fadcf9d..d3deb306436 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using Windows Media Player osksup
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2023/08/17
+date: 2021-08-23
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable.yml b/rules/windows/registry/registry_set/registry_set_uac_disable.yml
index 00b2609e377..568dd6b0093 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_disable.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_disable.yml
@@ -11,11 +11,11 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
 author: frack113
-date: 2022/01/05
-modified: 2024/05/10
+date: 2022-01-05
+modified: 2024-05-10
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml b/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml
index a03d96d232d..f909085e397 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml
@@ -14,10 +14,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
 - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml b/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
index 33007656a73..cbb253d4fa0 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
@@ -13,10 +13,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
 author: frack113
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
index 7d69e14ef76..52aeb3c5dc6 100644
--- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
+++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
@@ -5,8 +5,8 @@ description: Detects VBScript content stored into registry keys as seen being us
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 author: Florian Roth (Nextron Systems)
-date: 2021/03/05
-modified: 2023/08/17
+date: 2021-03-05
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml b/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
index 489caf7f28e..803ea44bc0f 100644
--- a/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
+++ b/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/Hexacorn/status/991447379864932352
 - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
 author: oscd.community, Natalia Shornikova
-date: 2020/10/13
-modified: 2023/08/17
+date: 2020-10-13
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
index f7ff9019e47..7781c7f092b 100644
--- a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
+++ b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
@@ -7,10 +7,10 @@ references:
 - https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
 - https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/09/12
-modified: 2023/08/17
+date: 2019-09-12
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
index 545fb2e9b45..4c1ac1db187 100644
--- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
@@ -2,9 +2,9 @@ title: Disable Windows Defender Functionalities Via Registry Keys
 id: 0eb46774-f1ab-4a74-8238-1155855f2263
 related:
 - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
- type: obsoletes
+ type: obsolete
 - id: fd115e64-97c7-491f-951c-fc8da7e042fa
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
 references:
@@ -16,10 +16,10 @@ references:
 - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
 - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
 author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
-date: 2022/08/01
-modified: 2024/07/03
+date: 2022-08-01
+modified: 2024-07-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml b/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
index 22d667fe9ef..41834b28a75 100644
--- a/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/17
-modified: 2023/08/17
+date: 2023-04-17
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml b/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml
index 56aedbcd7d2..68035abbf16 100644
--- a/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml
+++ b/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml
@@ -5,10 +5,10 @@ description: Detects changes to the AppInstaller (winget) policy. Specifically t
 references:
 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/17
-modified: 2023/08/17
+date: 2023-04-17
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
index 2434a5aa43c..4d054935dd2 100644
--- a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
@@ -8,11 +8,11 @@ description: |
 references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
-modified: 2023/08/17
+date: 2022-09-09
+modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
index 926c99621b6..f37acde0327 100644
--- a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
+++ b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
 author: frack113
-date: 2021/12/30
-modified: 2023/08/17
+date: 2021-12-30
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.004
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml
index f8101ba4676..5e190f95b61 100644
--- a/rules/windows/sysmon/sysmon_config_modification.yml
+++ b/rules/windows/sysmon/sysmon_config_modification.yml
@@ -5,9 +5,9 @@ description: Detects a Sysmon configuration change, which could be the result of
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 author: frack113
-date: 2022/01/12
+date: 2022-01-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_config_modification_error.yml b/rules/windows/sysmon/sysmon_config_modification_error.yml
index 4ae36165807..e82d37bfe96 100644
--- a/rules/windows/sysmon/sysmon_config_modification_error.yml
+++ b/rules/windows/sysmon/sysmon_config_modification_error.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
 author: frack113
-date: 2021/06/04
-modified: 2022/07/07
+date: 2021-06-04
+modified: 2022-07-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_config_modification_status.yml b/rules/windows/sysmon/sysmon_config_modification_status.yml
index aabad87fbf7..4b0de59e864 100644
--- a/rules/windows/sysmon/sysmon_config_modification_status.yml
+++ b/rules/windows/sysmon/sysmon_config_modification_status.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
 author: frack113
-date: 2021/06/04
-modified: 2022/08/02
+date: 2021-06-04
+modified: 2022-08-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_file_block_executable.yml b/rules/windows/sysmon/sysmon_file_block_executable.yml
index 0768df81a14..44b06396f18 100644
--- a/rules/windows/sysmon/sysmon_file_block_executable.yml
+++ b/rules/windows/sysmon/sysmon_file_block_executable.yml
@@ -5,10 +5,10 @@ description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates
 references:
 - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/16
-modified: 2023/09/16
+date: 2022-08-16
+modified: 2023-09-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_file_block_shredding.yml b/rules/windows/sysmon/sysmon_file_block_shredding.yml
index 65d8823c85f..52b01cba324 100644
--- a/rules/windows/sysmon/sysmon_file_block_shredding.yml
+++ b/rules/windows/sysmon/sysmon_file_block_shredding.yml
@@ -5,9 +5,9 @@ description: Triggers on any Sysmon "FileBlockShredding" event, which indicates
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 author: frack113
-date: 2023/07/20
+date: 2023-07-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_file_executable_detected.yml b/rules/windows/sysmon/sysmon_file_executable_detected.yml
index 3d42f54130d..7263bc3b484 100644
--- a/rules/windows/sysmon/sysmon_file_executable_detected.yml
+++ b/rules/windows/sysmon/sysmon_file_executable_detected.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 - https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
 author: frack113
-date: 2023/07/20
+date: 2023-07-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
index f49f503e833..173f03817e4 100644
--- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
@@ -7,8 +7,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
 author: Tom Ueltschi (@c_APT_ure)
-date: 2019/01/12
-modified: 2021/11/27
+date: 2019-01-12
+modified: 2021-11-27
 tags:
 - attack.persistence
 - attack.t1546.003
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
index 6d8b3d5588e..7bea92992e3 100644
--- a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
@@ -5,8 +5,8 @@ description: Detects suspicious encoded payloads in WMI Event Consumers
 references:
 - https://github.com/RiccardoAncarani/LiquidSnake
 author: Florian Roth (Nextron Systems)
-date: 2021/09/01
-modified: 2022/10/09
+date: 2021-09-01
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
index 23dfd17be25..2c9e0152bee 100644
--- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
@@ -7,8 +7,8 @@ references:
 - https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19
 - https://github.com/RiccardoAncarani/LiquidSnake
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
-date: 2019/04/15
-modified: 2023/09/09
+date: 2019-04-15
+modified: 2023-09-09
 tags:
 - attack.execution
 - attack.t1059.005
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 07cb11a25bf..25c1014e298 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -1257,7 +1257,6 @@ def check_item_for_bad_escapes(item):
 faulty_rules, [], Fore.RED + "There are rules using illegal re-escapes"
 )
- # def test_confirm_extension_is_yml(self):
 # files_with_incorrect_extensions = []
@@ -1411,7 +1410,7 @@ def check_item_for_bad_escapes(item):
 # faulty_rules,
 # [],
 # Fore.RED
- # + "There are rules with malformed 'modified' fields. (create one, e.g. date: 2019/01/14)",
+ # + "There are rules with malformed 'modified' fields. (create one, e.g. date: 2019-01-14)",
 # )
 # sigma-cli error and validator status_existence status_unsupported
@@ -1654,7 +1653,7 @@ def check_item_for_bad_escapes(item):
 # Fore.RED
 # + "There are rules with unknown value modifiers. Most often it is just a typo.",
 # )
-
+ # sigma error and validator attacktag,cartag,cvetag,detection_tag,stptag,tlptag
 # def test_optional_tags(self):
 # files_with_incorrect_tags = []
@@ -1783,7 +1782,7 @@ def check_item_for_bad_escapes(item):
 # faulty_rules,
 # [],
 # Fore.RED
- # + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)",
+ # + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019-01-14)",
 # )
 # sigma validators description_existence description_length
@@ -1895,7 +1894,6 @@ def check_item_for_bad_escapes(item):
 # + "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)",
 # )
- # sigma error
 # # Upgrade Detection Rule License 1.1
 # def test_optional_author(self):
diff --git a/tests/thor.yml b/tests/thor.yml
index 40525a1d5c9..4c4f97f1b22 100644
--- a/tests/thor.yml
+++ b/tests/thor.yml
@@ -478,7 +478,7 @@ logsources:
 - 'WinEventLog:OpenSSH/Operational'
 windows-ldap-debug:
 product: windows
- service: ldap_debug
+ service: ldap
 sources:
 - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
 windows-bitlocker:
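Review bot: The changed line sets `service: ldap`, but the entry key `windows-ldap-debug` directly above it and the `WinEventLog:Microsoft-Windows-LDAP-Client/Debug` source below it keep the old `debug` naming, so the three names in this stanza no longer agree on what the logsource is called. Any rule that still declares `service: ldap_debug` would no longer resolve to this entry; a repository-wide search for the old value before merging would confirm none remain, since that is not something the YAML parser will catch. A one-line comment above the changed line, `# service renamed from ldap_debug; the channel is still LDAP-Client/Debug`, would spare the next reader the same question.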
@@ -558,6 +558,12 @@ logsources:
 service: sense
 sources:
 - 'WinEventLog:Microsoft-Windows-SENSE/Operational'
+ windows-servicebus:
+ product: windows
+ service: servicebus-client
+ sources:
+ - 'WinEventLog:Microsoft-ServiceBus-Client/Admin'
+ - 'WinEventLog:Microsoft-ServiceBus-Client/Operational'
 apache:
 category: webserver
 sources:
diff --git a/tests/validate-sigma-schema/sigma-schema.json b/tests/validate-sigma-schema/sigma-schema.json
index 3faeeeae9a8..49dccd1ab66 100644
--- a/tests/validate-sigma-schema/sigma-schema.json
+++ b/tests/validate-sigma-schema/sigma-schema.json
@@ -1,6 +1,6 @@
 {
- "$schema": "http://json-schema.org/draft-07/schema#",
- "title": "Sigma rule specification V1.0.4 (2023/06/29)",
+ "$schema": "https://json-schema.org/draft/2020-12/schema#",
+ "title": "Sigma rule specification V2.0.0 (2024-08-08)",
 "type": "object",
 "required": ["title", "logsource", "detection"],
 "properties": {
@@ -34,7 +34,7 @@
 "description": "The rule was derived from the referred rule or rules, which may remain active"
 },
 {
- "const": "obsoletes",
+ "const": "obsolete",
 "description": "The rule obsoletes the referred rule or rules, which aren't used anymore"
 },
 {
@@ -54,6 +54,16 @@
 }
 }
 },
+ "name": {
+ "type": "string",
+ "maxLength": 256,
+ "description": "a unique human-readable name that can be used instead of the id as a reference in correlation rules"
+ },
+ "taxonomy":{
+ "type": "string",
+ "maxLength": 256,
+ "description": "Defines the taxonomy used in the Sigma rule"
+ },
 "status": {
 "type": "string",
 "oneOf": [
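Review bot: The new `$schema` value `https://json-schema.org/draft/2020-12/schema#` carries the trailing `#` over from the draft-07 URI, but the 2020-12 meta-schema identifies itself as `https://json-schema.org/draft/2020-12/schema` with no empty fragment, and validators that select the dialect by exact string comparison may not recognise it or may fall back to a default draft. Write `"$schema": "https://json-schema.org/draft/2020-12/schema",`. Moving from draft-07 to 2020-12 also changes keyword semantics outside this hunk (`definitions` became `$defs`, and the array form of `items` became `prefixItems`), so if the rest of the file uses either, a run of the validation workflow against the current rule set would be a cheap check that nothing regressed.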
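Review bot: `"taxonomy":{` drops the space after the colon that every other property key in this schema has, including `"name": {` a few lines above; the same slip appears at `"definition":{` and `"scope":{` in the two later hunks of this file. It is valid JSON, but it breaks the file's formatting convention and will show up as unrelated noise the next time the file goes through a formatter, so write `"taxonomy": {`. The `name` description also starts lowercase (`a unique human-readable name …`) where the neighbouring descriptions start with a capital; capitalising it keeps the descriptions consistent.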
@@ -102,13 +112,13 @@
 },
 "date": {
 "type": "string",
- "description": "Creation date of the rule. Use the format YYYY/MM/DD",
- "pattern": "^\\d{4}/(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])$"
+ "description": "Creation date of the rule. Use the ISO 8601 format YYYY-MM-DD",
+ "pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$"
 },
 "modified": {
 "type": "string",
- "description": "Last modification date of the rule. Use the format YYYY/MM/DD",
- "pattern": "^\\d{4}/(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])$"
+ "description": "Last modification date of the rule. Use the ISO 8601 format YYYY-MM-DD",
+ "pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$"
 },
 "logsource": {
 "type": "object",
@@ -125,6 +135,10 @@
 "service": {
 "description": "A subset of a product's logs, like sshd",
 "type": "string"
+ },
+ "definition":{
+ "description": "can be used to describe the log source",
+ "type": "string"
 }
 }
 },
@@ -228,6 +242,14 @@
 "type": "string",
 "pattern": "^[a-z0-9_-]+\\.[a-z0-9._-]+$"
 }
+ },
+ "scope":{
+ "description": "A list of intended scope of the rule",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "minLength": 2
+ }
 }
 }
-}
\ No newline at end of file
+}